159
What's the deal with Signal? (discuss.tchncs.de)
submitted 1 week ago* (last edited 1 week ago) by LGTM@discuss.tchncs.de to c/nostupidquestions@lemmy.world
58 comments fedilink hide all child comments

I don't know if I'm opening a can of worms here, and I'm still trying to backtrack a lot of history where I was tuning everything out. I keep seeing random swipes at Signal (or the representatives (?)), and I was wondering whether they are founded or just lies.Is it another situation like Lemmy where we just "take the technology and move on"? Thanks!

top 50 comments
sorted by: hot top controversial new old
[-] Matombo@feddit.org 13 points 6 days ago

my problem with signal is that they have a hard requirement to use a phone number for signup and that they don't want to do anything about federation or messenger intercompatibility.

Their resoning is that they only trust themself to keep the meta data safe and so need you. Leaves a little bit of a sour tast in my mouth that they don't even give their users the option to opt into federation.

[-] teolan@lemmy.world 19 points 6 days ago* (last edited 6 days ago)

they don’t want to do anything about federation or messenger intercompatibility.

Their reasoning is that they only trust themself to keep the meta data safe and so need you.

That's not their reasoning. Their reasoning is that it's much harder to evolve the protocol in a decentralized context than a centralized one. It's not that they only trust themselves with your metadata, it's that they can improve the protocol much faster in order to get rid of most metadata.

They have been able to deploy a ton of protocol updates with regards to minimizing the amount of metadata anyone has access to (including them), while other decentralized alternatives have essentially been stuck in limbo for a while:

  • Secure Value recovery
  • Groups V2
  • Sealed sender
  • Usernames
  • Post quantum resistance

On the other hand, Matrix, XMPP and email are very leaky with regards to metadata. I'm not going into email because that's pretty documented, but here it is for matrix:

  • Message reactions are not encrypted
  • Group membership are not encrypted (which lead to attacks)
  • Profile pic and Name are public (visible by everyone even people with whom you don't have any contact)
[-] salarua@sopuli.xyz 113 points 1 week ago

Different people don't like it for different reasons. Some people don't like it because they think it has CIA financial backing (nope), and some people don't like it because it requires your phone number, therefore it is not private (the privacy it provides is more than sufficient for anyone not actively being persecuted by a Five Eyes state), and some people don't like it because it feels corporate (it's a 501c3 nonprofit, and how corporate it feels is subjective).

[-] AtHeartEngineer@lemmy.world 9 points 6 days ago

Accurate. And if you are being targeted by 5 eyes, your phone is probably fucked, one app vs another probably won't make a difference

[-] boonhet@lemm.ee 1 points 6 days ago

If you ARE targeted by 5 eyes, you'd probably want to not be using your phone for communications, but Signal sorta requires you to, even if there's a desktop client.

However, I don't presume to know what would be the best option. SimpleX maybe, as the servers don't keep messages? Otherwise, I use Matrix because it's a lot more common and very easy to set up your own homeserver. However, again, if I had to hide something from a 5 eyes threat actor, they'd just find some vulnerability in my server config or, hell, maybe they can somehow sneakily get root access through the VPS provider itself, as I'm not hosting on my own hardware.

Honestly, meeting in person might be the most private solution if you've got that kind of a threat model.

[-] Irelephant@lemm.ee 3 points 6 days ago

Signal doesn't keep messages on their servers either. The only data they have on you is your phone number and the unix time you made your account in.

[-] boonhet@lemm.ee 2 points 6 days ago

How do you know that?

It's what happens in the publicized source code, yes, but how do you know that's what's running in their servers? How do you know that all requests aren't saved?

Luckily Signal has e2ee and client side code is easy to verify, so they'd only have access to encrypted messages anyway, but if you're talking state level actors of the highest caliber, they might be able to crack Signal's encryption eventually.

Look, I'll agree that Signal is probably secure enough. It's definitely secure enough for me, I only run Matrix as a hobby because I like decentralization, my Matrix server is probably less secure than Signal. But I'm just saying we can never know for sure what code is running in THEIR servers, therefore we can never trust is 100%.

[-] Irelephant@lemm.ee 1 points 6 days ago

https://signal.org/bigbrother/ Its all they claim to have at least.

[-] boonhet@lemm.ee 2 points 6 days ago

And I hope for sure that they're never quietly forced to change that.

But again, if there were 3 letter agencies and gag orders involved with Signal, they probably wouldn't give regular law enforcement or courts any of the data they have.

Really, my only problem is that with a centralized service, there's no way to ever know for sure. There's luckily no evidence of anything nefarious happening at least.

[-] Irelephant@lemm.ee 1 points 6 days ago

Yeah, on an ideal world, the matrix spec would be fixed and everyone would be on that.

[-] boonhet@lemm.ee 2 points 6 days ago

In an ideal world we also wouldn't have to worry about communications being listened in on lol

[-] AtHeartEngineer@lemmy.world 1 points 6 days ago

The code is open source, people look at the code, I've dug through their code a fair bit. It wouldnt be quiet, and it would take major code rewrites, it would be pretty obvious

[-] boonhet@lemm.ee 1 points 4 days ago

Okay, so if you've dug through it a fair bit, you're probably more familiar than I am. How do they prove conclusively that the server software running on their servers is from the exact source that's publicly visible and not a patched version?

[-] Lumisal@lemmy.world 1 points 6 days ago

If you're being targeted by 5 eyes and you and your group don't know enough about tech to set up your own local communication servers or going serverless / not using internet, you're already caught or known about

[-] lars@lemmy.sdf.org 1 points 5 days ago

Signal likely does not have

CIA financial backing

But this is the kind of information that can be only dispositive.

That is, because we cannot prove a negative, and the only time you can be certain about whether an organization—especially one like the CIA—has provided funding for something, is after it has been proven.

[-] adespoton@lemmy.ca 68 points 1 week ago

And some people don’t like it because it used to handle SMS on Android, and they removed that feature for security reasons.

[-] bg10k@lemmy.dbzer0.com 22 points 1 week ago

That was a pretty wild decision

[-] zergtoshi@lemmy.world 36 points 1 week ago

Handling SMS and handling secure/encrypted messages could've made people think they communicate securely while relying on text messages instead.
Not handling SMS fixes this source of confusion and I applaud their decision.

[-] bg10k@lemmy.dbzer0.com 3 points 6 days ago

There were ways to make it clear that it was insecure that didn't alienate an arguable majority of their casual userbase.

[-] AFKBRBChocolate@lemmy.world 22 points 1 week ago

The problem is that most people don't want multiple text apps, they just want one. I had gotten a number of people using signal, and it was secure when we talked, but when signal dropped SMS, almost every one of them stopped using it, so then none of their conversations were secure.

[-] zergtoshi@lemmy.world 3 points 1 week ago

Yeah, the never-ending weighting between convenience and security.
But are you going to tell me that those people don't have Whatsapp, Threema, Telegram or any other IM installed and just use plain SMS instead?

[-] FinnFooted@lemmy.world 1 points 5 days ago

Americans do a lot of SMS.

[-] AFKBRBChocolate@lemmy.world 2 points 6 days ago

Yep, just the default messaging app on their phone.

[-] Acamon@lemmy.world 11 points 1 week ago

I think the number of people who care deeply about privacy and cannot tell the difference between an sms or signal message is minimal. There were plenty of ways signal could have highlighted DANGER UNSECURE CHANNEL if they had wanted to, or made it an off-by-default option, rather than drop SMS entirely. For myself and many other people it meant that family members dropped Signal rather than have an extra messaging app, and so I'm still stuck with WhatsApp on my phone...

[-] guy@piefed.social 8 points 1 week ago

If only the was some indicator for unsecure messages, such as a grey send button and an open padlock. 🙄

[-] Landless2029@lemmy.world 4 points 1 week ago

I think having an unlocked symbol for standard SMS would've helped that...

[-] zergtoshi@lemmy.world 4 points 1 week ago

And you seriously think most people would look at and act on such an icon instead of just ignoring it?

[-] voracitude@lemmy.world 4 points 1 week ago* (last edited 6 days ago)

Or just accept that not everyone will be having a secure conversation every time at first, but more will be secured as more and more people like me convince our family members to use it and eventually we transition everyone away from SMS?

No, of course not, why would we build a critical mass of users like that?

Since they removed SMS support almost my entire family and my friends uninstalled signal, except a few who keep it to talk to me, and my half dozen friends privacy-conscious enough to care. Dozens of people, down to eight if you don't count me, in my circles alone. Objectively, removing SMS support harmed Signal's popularity and made everyone less secure. The argument for why they did it was at best myopic and also, in my opinion, utter bullshit.

[-] kn33@lemmy.world 6 points 1 week ago

It was very unpopular with my girlfriend, who I had just gotten into using Signal a few months prior.

[-] guy@piefed.social 6 points 1 week ago

This was such a dumb decision

load more comments (7 replies)
[-] felixwhynot@lemmy.world 9 points 1 week ago

Some people don’t like that they attached a crypto wallet to the app. I couldn’t care less and use the messenger daily!

[-] guy@piefed.social 2 points 1 week ago

I don't care or use it either, but I haven't seen a single use case for that wallet nor mobilecoins. Does people actually use it and for what?

[-] Irelephant@lemm.ee 1 points 6 days ago

Its honestly very hidden away, I had to dig around in settings to find it.

[-] felixwhynot@lemmy.world 1 points 6 days ago

My friend sent me some MOB coins mainly because he could attach messages with the transactions. So no idea what it’s really used for

[-] wildbus8979@sh.itjust.works 4 points 1 week ago* (last edited 1 week ago)

I don't think I've ever seen people say it has CIA financial backing. It did however until only a couple of years ago have strong ties to the State Department's Open Tech Fund (from the same financial envelope that brings you RFA/RFE/VOA).

[-] SnotFlickerman 23 points 1 week ago

The main developer of Lemmy seems to think there's a solid connection. I'm not jumping in that fight, I got no dog in that fight, I don't have that kind of threat model.

https://dessalines.github.io/essays/why_not_signal.html#cia-funding

However, considering he's openly Marxist, he may be just slightly biased.

I suspect OP of this post actually saw the recent /c/Privacy thread over at lemmy.ml where Dessalines was proselytizing against Signal while not seeming to have a problem with SimpleX chat being funded by a group of Venture Capital investors, including Jack Dorsey.

[-] LibertyLizard@slrpnk.net 18 points 1 week ago

Openly Marxist is just the start of it. Dude is utterly unhinged, so his theories don’t mean a lot to me unless they’re backed by evidence.

[-] wildbus8979@sh.itjust.works 5 points 1 week ago

Nothing in there is incorrect.

load more comments (1 replies)
[-] WolfLink@sh.itjust.works 78 points 1 week ago

Signal is an open-source privacy-focused end-to-end encrypted texting platform (so competing with SMS, WhatsApp, iMessage, Telegram, and similar). It’s developed by a donation-funded non-profit organization.

Signal is quite good compared to the competition, but it faces a lot of scrutiny because they make big promises about privacy and security so the people who care will really get into the details on that. Also IIRC there was a period when one of their competitors was trying to slander them more or less.

In general there’s nothing wrong with Signal and it’s quite a good option. If you really care about the privacy details you can always host your own instance (but that would require you to convince your friends to use your instance … it’s not federated).

[-] zergtoshi@lemmy.world 48 points 1 week ago

The deal is that they run their program in a very transparent and wherever possible verifiable way.
More details here: https://lemmy.world/comment/14775870

[-] BlastboomStrice@mander.xyz 30 points 1 week ago* (last edited 1 week ago)

This is a good comparison of messengers here:

https://eylenburg.github.io/im_comparison.htm

Btw, an imprtant aspect of privacy is how metadata are handled/leaked. Signal trues to minimize metadata leak to near zero (there are some other messengers that do that, like simplex)

[-] teolan@lemmy.world 2 points 6 days ago

This comparison makes some questionnable choices. It puts the presence of a web client as green, when actually this breaks the thread model of end-to-end encryption.

[-] False@lemmy.world 13 points 1 week ago

It's mostly minor shit, it's better than the alternatives unless you self-host (which has a boatload of other issues).

[-] Hawke@lemmy.world 11 points 1 week ago

The thing is I have yet to see any reasonable alternatives.

Threema is the closest but it’s not free-of-charge, so a non-starter for most of my friends.

The others are controlled by Russia (telegram) or Meta. What else even is viable?

[-] baltakatei@sopuli.xyz 4 points 1 week ago* (last edited 1 week ago)

Session, an Australian fork of Signal with onion routing and no phone number requirement, seems promising.

[-] evujumenuk@lemmy.world 6 points 1 week ago

Session disables forward secrecy for no reason.

Personally, I assume it's a honeypot.

[-] BNE 3 points 6 days ago* (last edited 6 days ago)

And it's Australian - which means all it's staff are obligated by law to place backdoors into their software for essentially whoever asks provided they flash a badge. If you don't, it's a one way trip to gaol.

If you trigger a canary in the coalmine somewhere, gaol.

Speaking as one - don't trust Australians with your security. Ever.

load more comments (1 replies)
load more comments (1 replies)
[-] jupiter2643@lemmy.ml 6 points 1 week ago

How does simplex compare?

load more comments
view more: next ›
this post was submitted on 30 Jan 2025
159 points (100.0% liked)

No Stupid Questions

36818 readers
598 users here now

No such thing. Ask away!

!nostupidquestions is a community dedicated to being helpful and answering each others' questions on various topics.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)

Rule 1- All posts must be legitimate questions. All post titles must include a question.

All posts must be legitimate questions, and all post titles must include a question. Questions that are joke or trolling questions, memes, song lyrics as title, etc. are not allowed here. See Rule 6 for all exceptions.

Rule 2- Your question subject cannot be illegal or NSFW material.

Your question subject cannot be illegal or NSFW material. You will be warned first, banned second.

Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.

Rule 4- No self promotion or upvote-farming of any kind.

That's it.

Rule 5- No baiting or sealioning or promoting an agenda.

Questions which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.

Rule 6- Regarding META posts and joke questions.

Provided it is about the community itself, you may post non-question posts using the [META] tag on your post title.

On fridays, you are allowed to post meme and troll questions, on the condition that it's in text format only, and conforms with our other rules. These posts MUST include the [NSQ Friday] tag in their title.

If you post a serious question on friday and are looking only for legitimate answers, then please include the [Serious] tag on your post. Irrelevant replies will then be removed by moderators.

Rule 7- You can't intentionally annoy, mock, or harass other members.

If you intentionally annoy, mock, harass, or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.

Rule 8- All comments should try to stay relevant to their parent content.

Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.

Rule 10- Majority of bots aren't allowed to participate here.

Credits

Our breathtaking icon was bestowed upon us by @Cevilia!

The greatest banner of all time: by @TheOneWithTheHair!

founded 2 years ago
MODERATORS
ja2@lemmy.world
_MoveSwiftly@lemmy.world
Rooki@lemmy.world
Thekingoflorda@lemmy.world
automodbeta@lemmy.world
L3s@lemmy.world