Losing Signal (ploum.net)
100 points by simongray on March 13, 2023 | 75 comments



People keep writing posts and comments like this that seem premised on the thought that nobody at Signal considered the downsides to centralization, and that they just rejected federation out of spite.

If you're reading HN, Signal's design goals are almost certainly not your design goals. Signal was designed to replace SMS and WhatsApp, the most widely-used messaging systems on the planet, with something end-to-end secure. Signal is not Telegram, Slack, Wire, or Matrix. They make decisions that are certain to upset orangey-types like us (phone numbers, no federation, tethering to phones, and so on) because HN people aren't their core user base.

If you want to understand why Signal went this way, look at Matrix. Matrix was designed for federation from the beginning; that's part of the point. Federation delayed the rollout of default E2EE on Matrix by over a year. It will probably delay the resolution of the Nebuchadnezzar vulnerabilities --- which are very bad --- by some material amount of time as well. You can't have Signal's use cases and accept those downsides, but you can with Matrix's use cases.

By all means: use Matrix. But the constant psychologizing and theorizing about Signal's federation decision is tiresome. "The Ecosystem Is Moving" post, where Moxie Marlinspike laid out his case, was received approximately as well as Steve Jobs' open letter on Adobe Flash. And, like the Flash letter, it has been pretty conclusively vindicated. That doesn't mean everything, or even most things, should be centralized. But it does make clear why Signal needed to be.


But then who is Signal for? Yes, it has E2EE encryption, but who cares about that other than us orangey types?

And Signal makes plenty of user hostile moves: making backups is not supported. If your Android phone dies, you can kiss your previous conversations goodbye. That's working as intended according to the team.

If I receive a large number of photos via Signal, I have to long tap each of them and save them individually (several taps to do that).

So really, who is Signal for then? It's not for anonymity fans. It's not for people who care about long term discussions.


> But then who is Signal for? Yes, it has E2EE encryption, but who cares about that other than us orangey types?

Although I think people like us (?) were some of the original proponents of Signal, and it could never have spread without us, I believe Signal's intention is more about capturing the wider market while simultaneously changing that market to be more privacy-aware. I think that they believe they can make private, encrypted messaging a household idea, and I hope they're right.


>But then who is Signal for? Yes, it has E2EE encryption, but who cares about that other than us orangey types?

Me.

> If I receive a large number of photos via Signal, I have to long tap each of them and save them individually (several taps to do that).

No, you don't. You can select them all and export to Photos app (at least on Android, I have not tried on my iPhone).

> So really, who is Signal for then? It's not for anonymity fans. It's not for people who care about long term discussions.

My SO and I foster. New case, new numbers for everything. When I'm at the pediatrician and I can't remember an insurance number or a birth date, my SO can text it to me and after I say I have it, they can delete the message.

Signal is great. I love it. Warts and all.


> Yes, it has E2EE encryption, but who cares about that other than us orangey types?

Signal is vulnerable to a MITM attack. Our government has no problem reading my messages in Signal. I am forced either to accept a new certificate and be OK with wiretapping, or to lose the communication channel with a friend.


Which MITM attack has a government used to read your Signal messages? I've heard people allude to government breaks of Signal for years, but always without evidence. Surely some Signal messages have been recovered from devices in the government's possession, but that's not a protocol problem. Are you saying a government has successfully spoofed safety number change messages from your contacts?


I believe they're saying that if the government (or another party) can read your received SMS messages, then your Signal account isn't secure. It could be taken over by anyone who can receive the SMS verification code. Your contacts would be notified that you'd changed your keys, and your own device would be locked out. So it's not the most quiet attack. But people replace their phones and forget account details so it may pass unnoticed by some of your contacts, particularly if you have no other channel to reach your contacts.

The number of countries where the government would do that to your SMS but won't also just arrest you arbitrarily and seize your device and/or beat/threaten you, seems small. But I imagine there are some people in some places, who feel physically and/or legally secure from arbitrary government action against their devices proper, but not with their cellular service.


> So it's not the most quiet attack. But people replace their phones and forget account details so it may pass unnoticed by some of your contacts, particularly if you have no other channel to reach your contacts.

So in other words, such attacks aren't viable for dragnet surveillance and must be targeted. But if you have reason to believe that you'll be targeted by the government for surveillance, you'd be on the lookout for signs like "your safety number has changed"?


You can also make it so that your PIN is required to register your number on a new device.


So it's not vulnerable. You choose to accept the new certificate.


I have two options: 1) accept the new certificate and be OK with MITM, 2) use another messenger.


I use Signal to be able to communicate with those members of my family who don't have iPhones. It's a compromise between my privacy expectations and their usability expectations.


For me and my converted family. It is the same as WA but not FB. Well, except that everybody just leaves that message for a PIN code verification open all the time and never does anything with it.


All media, select all, save by the way. You don't need to tap the individual photos.


> "The Ecosystem Is Moving" post, where Moxie Marlinspike laid out his case, was received approximately as well as Steve Jobs' open letter on Adobe Flash. And, like the Flash letter, it has been pretty conclusively vindicated.

The Flash letter was vindicated, but I do not see how the Moxie blog post was vindicated.

Unless you claim that federated E2EE is impossible, I believe you cannot claim that it has been vindicated. But I could be wrong.


Federated E2EE is possible but won't achieve widespread adoption.

Signal's choices optimize usability of E2EE messaging for the masses.


Federated E2EE can work. Matrix did it. But it took lots of extra time, a time cost imposed structurally on the project by being open to third parties who had to coordinate to get things deployed. It's especially painful when you run up against protocol vulnerabilities, doubly so when the fixes for those vulnerabilities involve policy decisions that are their own coordination problems, which is a jam I think Matrix is in right now. All of this is stuff Moxie Marlinspike more or less predicted in his post.

Again: you can get past this stuff, and Matrix will. But Matrix is going to get through this because their use cases (more or less: replace IRC and Slack) are forgiving. Signal's aren't.

My gripe isn't that HN users refuse to tough out Signal's rough edges; I certainly don't ask my own family to use Signal to talk to me (I use Signal for things that matter, and little else). My gripe is that HN people who should know better don't seem to respect, or at least understand, the painful decisions that Signal made to support its use cases, and instead write weird little essays about how Moxie Marlinspike, the "brilliant cryptographer", built Signal this way because it was fun. It doesn't look super fun to me.


Claiming that Matrix did it is even a stretch. Only a few core features are covered and just about every new feature ships without E2EE. Room topics aren't encrypted, sticker packs aren't encrypted, reactions aren't encrypted...

The devs will tell you that requiring every feature to be E2EE will slow down adoption too much, that can always be added later as another MSC (Matrix Spec Change).


This is not true :| We do everything to encrypt new features - eg voice messages, polls, location share etc are all encrypted. It’s the old features which predate e2ee (state events like topics or sticker packs and aggregations like reactions) which need to be brought in line, and MSC3414 is addressing that.

> The devs will tell you that requiring every feature to be E2EE will slow down adoption too much, that can always be added later as another MSC (Matrix Spec Change).

No?


I'll give you a pass for state events but sticker packs are still going through MSC and it seems that people on the team are happy to add E2EE later?

https://github.com/matrix-org/matrix-spec-proposals/pull/254...

Or is that out of date and there is a new proposal with encryption?


I assume you’re talking about https://github.com/matrix-org/matrix-spec-proposals/pull/254.... There is nobody from the spec core team or for that matter the matrix core team on that thread; Sorunome, deepbluev7 and Cadair are community contributors. You can spot the folks who actually are project members (ie core team) by the “member” label next to their names in Github. It is unlikely that the MSC will pass review (when we finally get to it) unless it’s e2ee… unless MSC3414 automatically handles it.


Well that's good to hear. Maybe it would be good to drop an "official" note on the RFC to make it clear that it is unlikely to be accepted without E2EE since I seem to be the only voice mentioning that and was quickly dismissed.

I understand that the core team is busy but if big problems like this could be pointed out early it could save a lot of time all around.


Do you mean that they send it unencrypted or that it isn't end-to-end encrypted?

Please be precise.

This is probably the most annoying thing about HN lately, the insistence on pretending that only end to end encryption matters.

Meanwhile we see end-to-end encrypted solutions like WhatsApp being cheered forward but ultimately failing badly because all incentives are aligned against security.


>Federated E2EE can work. Matrix did it

Kind of hard to claim they've done it given their current level of adoption.


Quite easy actually when you look at the number of governments who rely on Matrix - https://element.io/case-studies/tchap, https://element.io/case-studies/bundeswehr and many more (US, UK, Sweden, Ukraine, Luxembourg, Finland…). But if your friends aren’t on it, I guess that means nothing.


> But if your friends aren’t on it, I guess that means nothing.

Well... yes, actually. Governments use a lot of things that don't have widespread adoption outside of governmental use cases.

If your goal is to build for that market -- for environments with very specific needs -- then you're doing a great job. But governmental use isn't the ringing endorsement that you seem to think, because it has no bearing on actual widespread adoption.


Back in the day, I used to use BBSes via local dial-up. Everyone did, so you could expect BBSes were on the rise from so much usage. Meanwhile, governments were stuck on ArpaNet and futzing around with some newfangled "TCP/IP" protocol. What good does government support even provide???


His entire point is that Matrix went for and is in the process of getting the larger goal right for the sake of long-term adoption at the cost of development time -- whereas Signal opted for worst-is-better limited-scope pragmatism for the sake of near-term adoption.

Whatever lesson you want to derive from this technical trade-off is up to you, but yeah the psychobabble about Moxie is absolutely tiresome.


I don't understand why you use Signal only for things that matter. If you use Whatsapp, all your metadata is available to Facebook, which can learn a lot about you and your personal networks and use that information for personal advertising.


Indeed, the jury is still out on Moxie’s post. https://matrix.org/blog/2020/01/02/on-privacy-versus-freedom is the counterpoint.


Yes, that is a blog post that I've read and really like.

I hope you prove Moxie wrong, and once my business is off the ground, I'd like to contribute financially to that end.


Your constant dismissiveness of criticism wrt Signal remains pretty darkly amusing.

>They make decisions that are certain to upset orangey-types like us (phone numbers, no federation, tethering to phones, and so on) because HN people aren't their core user base.

These decisions upset other people beyond your elitist dismissive "orangey-types", but upsetting "orangey-types" has its own cost. Nobody in my family, friends, or client organizations uses Signal, because I advised them all against it. Sure that's <200 people but for network effect stuff it adds up.

>And, like the Flash letter, it has been pretty conclusively vindicated

Huh? It's successfully replaced SMS completely? It's replaced email? It's beaten out iMessage and Whatsapp etc worldwide? Oh. I mean sure, tens of millions of users worldwide is nothing to sniff at. But that's not a story of domination and "we won so all of you are wrong and also stupid".


> Like Larry Page and Serguei Brin before him, Moxie Marlinspike built the oppression tool he was initially trying to fight

This hyperbole exposes that the author is out of touch with the real world stakes of mass surveillance which Signal is intended to address.

You are not being oppressed because you can't run Signal on a quirky e-ink phone. Signal isn't broken on your phone because the Signal Foundation wants to exploit you, it's broken because building software is hard and sometimes requires pragmatic compromises.

Yes, decentralization is an important principle, both technically and politically. It's worth advocating for. But it's not the answer to every question ever.


The common criticisms of Signal to me often come down to letting perfect be the enemy of good. Yes, I want a perfectly secure and private messaging app, but Signal is an incredibly important stepping stone in that direction. It's moving the Overton window.


Except that it doesn't seem to be better than existing Whatsapp in any way? They even use the same protocol and it barely made a dent in WhatsApp's market share.

Outside the small % that rejects Meta... Who is it for and how exactly is it reaching its objectives?


Projecting from personal anecdote here, but... my social circles have almost no intersection with my life in tech. They are not "tech people". Yet I have only a single contact that still messages me via WhatsApp. Everyone else and all of the groups I'm in moved to Signal.


Mine too, but I think we’re uncommon. Far more people use WhatsApp than Signal.

On the plus side; existing familiarity with WhatsApp makes moving to Signal easy to understand for people as they are very similar apps.


It's for those who reject Meta. No one else. People who want to disconnect from the surveillance-advertisement network of Meta. Remember that Meta likely uses your Whatsapp contacts web for its advertisements elsewhere. Signal does not.


> Remember that Meta likely uses your Whatsapp contacts web for its advertisements elsewhere. Signal does not.

Signal does not use your contacts web elsewhere, that you know of.


Signal has less incentive and ability to do so than Facebook/Meta, so all else being equal, the former still deserves more trust.


That doesn't match what tptacek said though - it seems like Signal wants to be bigger while refusing to actually be better as a product.


Even if Whatsapp was as good as Signal, Signal would have been the stepping stone. Signal developed the protocol first and assisted Whatsapp in adopting it.


Well said. While it's good to surface the challenges diverse people face and hopefully think about patterns that will solve them in efficient, systemic ways, the availability of Signal at the moment of time is of vital importance.

Same, e.g. with Mastodon as a Twitter replacement. It's something working, that normal people can migrate to and break the stranglehold of the true oppressive platforms. No harm to keep expectations high for those "alternatives", but let's keep a sense of proportion.


> I hate captcha. I consider the premises of captcha completely broken, stupid and an insult to all the people with disabilities. But those were the worst I had ever seen. I was asked to look on microscopic blurry pictures, obviously generated by AI, and to select only "fast cars" or "cows in their natural habitat" or "t-shirt for dogs" or "people playing soccer".

I wholeheartedly agree. I think I have pretty good vision and fine cognitive abilities I'd say but over and over again I find myself unable to correctly enter the alphanumeric characters shown to me as part of those "are you human?" flows. It's very frustrating.


The most obnoxious and frustrating captchas are the ones that make you count the dice and choose the image with the dice that add up to a specific number. You're given three images, but if you take too long solving, it gives you 10. I spent nearly 30 minutes trying to log into my Airbnb account. After having to deal with this, I said screw it and closed my Airbnb account entirely (for this experience, as well as other reasons). I understand Airbnb is using a 3rd party CAPTCHA system, but trying to solve a math problem seems like something for a computer, not a human.


I don't think the captcha algorithm only wants to verify you can complete it accurately either. There are times where it seems like Google's captcha, and now CloudFlare also, have predetermined that you are a bot and they will make you complete challenges indefinitely to no avail. What's the point of a captcha if they are using some other metric anyway? Mobile nets, Tor, and proxies are pretty much unusable in certain places now.


> What's the point of a captcha if they are using some other metric anyway?

It's all about not letting scrapers or bots know that they have been blocked, similarly to something like always failing SSH attempts after a certain amount of failures to prevent brute-force attacks. By the way I should say I hate CAPTCHA too, not defending the practice.


> What is interesting with corporatish marketing blog posts is how they usually say the exact opposite of what they mean. Signal blog post about differences is exactly that. They acknowledge the fact that there’s no way a single centralised authority could account for all the differences in the world. Then proceed to say they will do.

Honestly, this is the truth of it. We are so paid in to the idea that walled gardens are the only way that we forget all the things that actually do federate properly and the ergonomics of those.

Imagine not being able to send someone an SMS that was on another provider or phone manufacturer. That's absurd. Yet we put up with exactly that with iMessage/Signal and Whatsapp et al.

I don't have any constructive answers, I know that email is the last federated system that didn't suck and.. well, now it sucks.

Short of Matrix taking off and having a lot of different servers to choose from I suppose our only real answer is legislation. Why does Signal need to be centralised exactly? OMEMO security protocols used to work perfectly fine with pidgin across dozens of providers.

meta: anybody else seeing the "I" merged with the next word in the text?


> I’m using an Hisense A5 Android phone.

OK, but that puts you in the 0.0001th percentile of Signal users. Don't expect them to spend a lot of time debugging issues with your very exotic phone.

> Signal is for everyone but you need to answer those idiocy first. It should be noted that I have a very good eyesight. I cannot imagine those with even minor disabilities.

Captchas pretty much always have audio alternatives for blind users.

> That’s also why I’ve always fought for the right to differences, why I’ve always been utterly frightened by "normalisation". Because I know nobody is immune. Think about it: I’m a white male, cis-gendered, married with children, with a good education, a good situation and no trauma, no disability. I’m mostly playing life with the "easy" setting.

Right. And if a bug in the Signal app convinces you that you've finally experienced oppression, you really need to read up on what oppression means.


Watch out, big brother, for ignoring the fact that this user experience is not from the unique phone, but is about universal for all those not running Google Play Services. Your regurgitation of dogma without having honest context - it's oppressive.

Couple questions: how does the audio play without JavaScript? Who serves that? How about the fact that the standard workflow just failed? If that is a bug, it would be fixed - right now, it's a feature, no?


> how does the audio play without JavaScript?

The HTML <audio> tag.

> Who serves that?

Whoever serves the captcha. Often that's Google, because they run ReCAPTCHA.

> How about the fact that the standard workflow just failed? If that is a bug, it would be fixed - right now, it's a feature, no?

The bug was fixed immediately. As the blog post says: "The bug was acknowledged by the developers and fixed promptly."


Sometimes I wonder — is it the internet, or did people overall become much too concerned about minor things in life?

In the comments, I see a thread about hating captchas and closing an AirBnB account for it. I see people bashing Signal for being a walled garden, when they are free not to use it. Some are extrapolating political statements from a choice of a company to offer a centralized service, even if the centralized approach is simply enough for their goals. Another commenter says they'll be moving their family off of Signal because of the blog article.

The author of the text piece connects white cis privilege to a problem caused by an unusual phone, and talks about how a centralized service makes them feel hopeless — a very strong emotion! And HN leans into the conversation even though many people on HN probably have some understanding of how edge case support is de-prioritized in products, and that it's just that.

The problems raised by the article and a lot of discussions here feel concerningly neurotic. Have people run out of big problems to address or lost focus? Is it just the internet, or have people in general become more tunnel-visioned on micro-problems and unaware of the broader context? Does this mean that we expect so much comfort in life now that we're becoming deeply affected by such inconsequential inconveniences?


I'd wager it's because moderate/pragmatic viewpoints don't really make for interesting discussions.

There wouldn't be much interest in "signal doesn't run on my very niche phone but it runs okay on another phone" but "signal developers are the worst because they don't support every possible niche device" attracts attention.


Imagine how much calmer our lives would be, and how much head space we'd have to focus on real, big problems, if we weren't so neurotically outraged by these small issues.


Having a messaging app that works well and is secure on a bunch of supported platforms is hard. Having a messaging app that works well and is secure on random exotic OSs is even harder. And having a messaging app that works well and is secure with third party software and federation has not yet proven to be feasible AFAIK.

Signal seems to have chosen challenge #1 and is making a good job of it. I'm not sure they should be blamed for not choosing challenge #2 and even less challenge #3.

Now what I really don't understand is why they made Signal open source. They clearly don't want third party redistribution/packaging of their software, so they should really have chosen a "source available" licence for code audit, which would have better set expectations.


For challenge #1 Whatsapp has already achieved that - what does Signal offer to users over that product?


We don't really know that Whatsapp has achieved challenge #1.

Regardless, here are two big reasons why Signal is superior.

1. Not owned by Facebook

2. Open Source


Digital stoics should not complain that their stoicism presents hurdles. It’s dissonant. Instead they should revise their stance. Absolute idealism is counterproductive.

Either be a digital stoic without complaining that your lifestyle choice limits your access OR have a more average “digital stance” and have no reason to complain.


Session (https://getsession.org/) would be a good alternative for someone like the author. No captcha, no SIM/phone no. needed, decentralized protocol.

I'd been using Signal for a few years when I discovered Session. Yes, it doesn't have all the nice-to-have features that Signal seems to be adding recently, but it does secure messaging well.


> Session... but it does secure messaging well.

And it's got the best tag line ever: "Exchange encrypted messages, not metadata".

Something like Signal, with this amazingly sad paragraph opening in TFA:

"Signal asked for my phone number..."

simply cannot compete with Session's tagline.


> Something like Signal, with this amazingly sad paragraph opening in TFA:

> "Signal asked for my phone number..."

> simply cannot compete with Session's tagline.

Plus: you can have the same Session conversations on as many Android devices as you want - something that's impossible with Signal, due to its reliance on a SIM.


Unlike competitors like iMessage, Signal makes a good faith effort to be available on commonly used platforms. Sucks to be left out. But if I send a message on Signal, I expect the receiving end to uphold some guarantees, such as that it won't be backed up in an unencrypted form on the other side. To me that is by some margin more important than any of the considerations raised in that post.

FYI:

> Moxie Marlinspike built the oppression tool he was initially trying to fight

Including statements like this makes people take you less seriously. There is no oppression going on here.


> I expect the receiving end to uphold some guarantees, such as that it won't be backed up in an unencrypted form on the other side.

I am not interested in platforms that allow others to impose DRM on me, no matter how much the platform boasts about freedom and privacy.


What in the world are you talking about? It's not DRM if you're given the encryption key.


> So long as federation means stasis while centralization means movement, federated protocols are going to have trouble existing in a software climate that demands movement as it does today.

IMO if federation could be aligned with "movement", we wouldn't have this issue.

Possible comparison here with Urbit.


This post was the last straw for me. I'll be moving myself and my wife off of Signal for our family messaging.


Over a bug? What will you be moving off to? I feel like there isn't anything that's better in terms of privacy and still accessible enough to be explained to parents and even grandparents. Does Signal's reliance on phone numbers, crypto garbage, SMS removal all suck for some people? Totally. But what else is there? Matrix? The fediverse? I don't know.


> Matrix

Yup.

And it has first party support for bridges so that you can continue to mostly interoperate with other systems without too much hassle, should you care to go that route. I've got my Matrix homeserver running with various bridges to Signal, Google, Facebook, etc, and while I talk to people "Matrix native" if I can, I'm also not actively locking myself out of other systems. Yet...


I will be running a Matrix homeserver from a server I control.


I had identical problems trying to set up Signal on my GrapheneOS a few days ago.


Sigh. Just use good ol’ WhatsApp.

It just works great.


You forgot <sarcasm> the sarcasm tags </sarcasm>.


No he's right - Signal is currently a worse copy of Whatsapp that offers almost nothing better than that product. It seems to be outright failing with its strategy at being better.


No, WhatsApp - in the hands of Zuckerberg - can never be better when it comes to the things which matter for those who choose Signal for its privacy-preserving traits. This is why I assume there should be <sarcasm/> tags around the claim of it being better.


> No, WhatsApp - in the hands of Zuckerberg - can never be better when it comes to the things which matter for those who choose Signal for its privacy-preserving traits.

It already is better for the 2B+ people that still use WhatsApp over something that is demonstrably worse, hence why little to almost no-one bothered to switch to Signal in the first place.

Given that you still need a phone number to use Signal, your privacy is out of the window since it sends that phone number to a third party (Twilio).

At this point, you might as well use WhatsApp. Signal is a worse version of WhatsApp.



