I’ve just seen a comment in a post, in this very community, saying people trust Signal because of misinformation (from what I could understand).
If this is true, then I have a few questions:
- What messaging app should I use for secure communications? I need an app that balances simplicity and security.
- How do I explain it to my friends who use Signal because I recommended it?
- What does this mean for other apps in general?
The usual conspiracy theory is that Signal is funded by the CIA and therefore a honey pot.
What messaging app should I use for secure communications? I need an app that balances simplicity and security.
Signal. It can do almost everything that e.g. WhatsApp or Telegram offer, is as easy to use as those, and the client is verifiably encrypted and secure.
How do I explain it to my friends who use Signal because I recommended it?
Explain what exactly? Why they should use it?
- It offers the same functionality as other messengers while being verifiably secure and encrypted.
- Signal collects only three data points about users:
  - Date of registration
  - Date of last connection to the server
  - Your encrypted backups if you enable cloud backups
- Compare that to messengers such as WhatsApp and Telegram, where it is not clear which information they collect, whether they store it in an encrypted format or not, or who they share it with.
  - In the case of WhatsApp it is at least the US government, as required by the CLOUD Act.
  - In the case of Telegram the data is unencrypted by default and cooperation with various governments has been reported.
What does this mean for other apps in general?
Please clarify the question.
The Epstein files have proven that conspiracy theories are true. Of course powerful gangsters conspire. We already knew that since forever.
The Epstein files have proven that conspiracy theories are true.
So the Earth really is flat and run by lizard people?
Be careful with your wording. Yes, some conspiracy theories are true to some degree. But there’s also ones that are complete bunk.
Ok, because the thing that everybody knew turned out to be true, every conspiracy theory is valid now?
I guess you should go visit the Nazis in New Swabia and discuss this revelation with them.
The part of the “conspiracy theory” about CIA funding is completely true: Signal proudly says they get funding from the OTF, which at the time Signal started was a subsidiary of Radio Free Asia, which started out as an open CIA project (before being relaunched as clearly still a CIA project but without the official acknowledgement).
I’m 50:50 on whether signal is a literal honeypot, but even if not it seems pretty likely that the US government wouldn’t have funded an app that could be used by people breaking its laws - let alone people actively organizing against it (foreign spies, domestic revolutionaries and insurrectionists) unless they were getting something pretty big in return.
In return they get an actually secure messaging app they can use without having to support it themselves. Which is pretty big.
I’ll start by saying that I don’t use Signal.
If this is true
There are some concerns that other people in the comments explained. It’s up to you to decide if the trade-off is good enough for you. There’s no silver bullet for this.
- What messaging app should I use for secure communications? I need an app that balances simplicity and security.
Signal is ok. Same as Matrix, Delta Chat, XMPP, SimpleX. Avoid Telegram, Messenger, WhatsApp, Instagram, Snapchat, Max…
- How do I explain it to my friends who use Signal because I recommended it?
Most people mix up the concepts of anonymity and privacy.
- What does this mean for other apps in general?
There’s no silver bullet. All the apps have ups and downs. Most people don’t realize that if a state actor (I’m not talking about police but, for example, NSA, CIA, Mossad, MI6) is after you, they will get you. Usually from a side channel, or from some stupid mistake you made years ago.
Did you ask the commenter what the issue was? Seems like the logical place to start.
You’d think so, but sometimes they just angrily rant with no clear point or references.
But that would mean that you shouldn’t accept their claim, regardless of how conceivable the claim might appear to be. Otherwise, we lose our minds to common sense.
I am under the impression that Signal encrypts metadata so that it is useless to sell. The only thing they can turn over to law enforcement after a lawful warrant is the phone number an account was opened with (and maybe the date that happened) and the date of the last time the account was used. That is all.
Don’t they also need to store whom to send your messages to? From a technical point of view?
They store where to deliver the message, but not from who that message came.
Didn’t know about that.
SimpleX Chat is an actual privacy-focused app that’s easy to use and doesn’t harvest your phone number like Signal does: https://simplex.chat/
Any concerns around the fact that SimpleX Chat is Made in the UK?
It’s open source, and it’s not tied to a single server the way Signal is. If the original people developing it started doing problematic things, it’s easy to fork. One of the worst parts about Signal is how it’s designed to lock you into using their official app and server making it effectively impossible to have a compatible fork.
It is also VC-backed and they don’t have a direct plan for sustainability.
I moved some chats to Threema and I’m satisfied… they have family options, so paying for one license covers 6 people.
Like many said, Signal is centralised and requires a phone number.
Meaning it’s not anonymous and the server owners can technically sell your metadata: not the content of the messages, but who talks to whom, at what time, the length of the chat/call etc.
Either way, having to use a phone number to register an account is, for me, not acceptable for several reasons besides privacy and metadata.
On top of that, the server side of Signal isn’t free software (as in freedom), which means that the whole program requires non-free (as in freedom, not beer) network services in order to work. Which isn’t acceptable for free software advocates.
Alternatives:
SimpleX: If you don’t require voice calls there are more options available; there are many text messengers, but very few support calls, which for me is a critical feature.
In theory SimpleX is the best: it’s e2ee, quantum resistant, each chat (message queue) is its own “account”, each “account” is just a private key, and you can switch servers with the tap of a button. It also supports private routing, which from what I understand is like some sort of onion routing between SimpleX servers.
Hosting your own server is also extremely easy (though note that running your own server can actually be detrimental to privacy depending on your threat model). It supports calls, group chats and all the features I would ever need.
Unfortunately, at least for me and my contacts, SimpleX is terribly buggy, especially on phone; literally tonight I missed the opportunity to be with a friend because I only saw the message an hour late.
Very often messages just stop being received until the app is restarted; usually I have my friend send me a message via another (centralised) app in order to warn me that he messaged me, and I do the same for him. After restarting the app it usually works fine for a while until it does it again and needs restarting again.
On top of that, it’s taking more and more time to get the first message when in the background, even during normal operation, though I blame Samsung for this one and not SimpleX, and I understand that SimpleX doesn’t use push notifications for improved privacy, but it has become a real problem: what used to take 5 minutes now sometimes takes more than half an hour. Maybe my phone is overloaded, idk.
Calls could be improved too; it takes several tries for them to actually work, and it doesn’t help when the other person calls me back and I call them at the same time.
On top of that, the volume of a call seems very quiet compared to a normal phone call and it’s very hard to hear the other person; I’m guessing a simple compressor DSP could fix this.
Unfortunately there has also been news of SimpleX planning to enshittify the app with cryptocurrency, something that I politically and morally oppose.
Session:
I used it for a month years ago, before I knew about SimpleX. Whatever technical merits it may or may not have (and from what I understand its privacy is still below SimpleX), it relies on some cryptocurrency network in the background, so I won’t use it. Self-hosting it also seemed to me no easy task, but I could be wrong.
Jami:
Never got it to work.
Matrix:
I haven’t tried Matrix yet. I think I read long ago that calls aren’t e2ee, though that may have changed now. I also read that Matrix leaks a lot of metadata, which can be a problem. Maybe not if you self-host, but self-hosting comes with its own privacy problems. Maybe I should research it again and try to self-host it and see how it goes.
So, as bad as Signal is, I can’t give you a working alternative. I went all in with SimpleX despite all the bugs, but I don’t think most people are willing to go through it; however, if you (and your contacts) have high-end phones maybe it works better. But it’s not something I can recommend.
In regards to Signal, this is largely not true. Sealed sender has been Signal’s metadata-hiding protection for like 6 years or something. The only information Signal has is your phone number, your account creation time, and the last time you contacted their servers.
They also have a server implementation on GitHub, so it seems to be open source to me. (I could be missing something though.)
You are right though, that it uses centralized servers and requires a phone number, which are sticking points for a lot of people.
Give me ssh access to their centralized server so I can verify this “sealed sender” idea is working.
Otherwise this is a “trust me bro” claim.
This doesn’t really make sense to me, what do you mean? Client-side you do different computation for sealed sender delivery/receipt. What’s your normal standard of trust that a hosted, open source project is running the same code that they’ve made public?
I think if they store any metadata that we don’t know about, the lie runs very very deep, like to conspiracy theory levels that don’t really make sense for a registered nonprofit: https://signal.org/bigbrother/
What’s your normal standard of trust that a hosted, open source project is running the same code that they’ve made public?
It’s a centralized service; you have no idea what code they’re running. You can’t host your own.
Also, they went a whole year one time without publishing any server code updates until they got a lot of backlash for it. Still, since it’s centralized, it can’t be trusted to be running what they say they are.
Just looked at Session, and holy shit is that a massive downside…
From their own whitepaper:
Through the integration of a blockchain network, Session adds a financial requirement for anyone wishing to host a server on the network, and thus participate in Session’s message storage and routing architecture.
So you have to pay to self-host, and that’s somehow an upside???
This staking system provides a defence against Sybil attacks by limiting attackers based on the amount of financial resources they have available.
Which is a fine explanation in a world where everyone has a relatively equal amount of wealth. This is the epitome of Dunning-Kruger economics: a little knowledge is a dangerous thing.
Firstly, the need for attackers to buy or control Session Tokens to run Session Nodes creates a market feedback loop which increases the cost of acquiring sufficient tokens to run large portions of the network. That is, as the attacker buys or acquires more tokens and stakes them, removing them from the circulating supply, the supply of the Session Token is decreased while the demand from the attacker must be sustained. This causes the price of any remaining Session Tokens to increase, creating an increasing price feedback loop which correlates with the scale of the attack.
So the more nodes a single entity holds, the harder it becomes for other entities to buy nodes and break the monopoly? Did you take 3 seconds to think this through???
Secondly, the staking system binds an attacker to their stake, meaning if they are found to be performing active attacks, the underlying value of their stake is likely to decline as users lose trust in the protocol, or could be slashed by the network, increasing the sunk cost for the attacker.
“Assuming every user is a perfectly rational actor, malicious actors would be shunned. This is somehow due to the economic incentive, and not just how humans operate when they’re assumed to be perfectly rational.”
Also: malicious actors when they find out they might lose their money if they get caught: “welp, I better not do that then. Thanks laissez-faire capitalism!”
Jesus christ fucked on a pike, these dipshits really drank the crypto kool-aid, huh?
Matrix very recently has had e2ee calling, since at least last April.
I don’t host a server currently, so I can’t fully recommend it without knowledge of the backend, but I’m liking the experience as a user.
What about Delta Chat?
Delta Chat doesn’t support calls, same with Briar so I haven’t tried them since calls are as important as messages for me.
They do support it (Settings -> Advanced -> enable Debug calls, or wait a few days for the latest release). Also chatmail servers provide TURN/STUN for calls if they couldn’t be established as p2p.
Interesting, didn’t know this, nice, may be a game changer, but I couldn’t find information on whether calls are e2ee or not.
It was on the leaked Palantir screenshot, indicating there are actively exploited zero days? Just a guess.
Those reports do NOT show active zero days in Signal. The pieces of spyware talked about in those are capable of reading messages once already having compromised a device, which isn’t insane: if you have access to read storage from a device arbitrarily, of course you can just read the messages. If you want to solve this: A: use GrapheneOS or an iPhone in Lockdown Mode with data over USB disabled, or B: use Molly with local encryption.
- What messaging app should I use for secure communications? I need an app that balances simplicity and security.
Define “secure communications”.
Do you just not want to have all of your conversations to go into the pool of training data for LLMs? Signal is probably fine for that. You can also consider Matrix, although that has a LOT of caveats.
Do you want to commit crimes? Are they the “everyone does them” kind? Or are they the kind that can get you executed like “speaking out against the regime”? If the former? Signal is, again, probably fine. If the latter?
This is where you need to learn: The moment you rely on someone else to handle your privacy for you, you have none. What does that mean in this context? That means that if some company is exchanging keys for you then they inherently have those keys. And you can only trust them as far as they have been audited… and how recent that audit is.
So take a lesson from journalists. Exchange your keys ahead of time. This might be a proper public/private key pair or it could be as simple as a cipher (I suggest avoiding hotel bibles, but you do you). And then you communicate using that encryption/cipher. At which point it doesn’t matter what you use (but maybe avoid google and facebook for obvious reasons…).
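One way to do what the comment above suggests, added here as an example and not code from the post or from any messenger project: a secret exchanged out of band is turned into a key, every message is sealed with AES-256-GCM, and the result is base64 so it can be pasted into whatever app the two of you already use. `DeriveKey`, `Seal` and `Open` are names chosen for this example, the domain label inside `DeriveKey` is made up, and the secret in `main` is a placeholder.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// DeriveKey turns the out-of-band secret into a 256-bit AES key.
// Simplification for this example: one SHA-256 with a fixed label.
// For real use exchange 32 random bytes directly, or run HKDF over a
// high-entropy secret; a short passphrase here is brute-forceable.
func DeriveKey(secret []byte) []byte {
	h := sha256.New()
	h.Write([]byte("messenger-overlay-v1:")) // hypothetical domain label
	h.Write(secret)
	return h.Sum(nil)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one message under the pre-shared key. A fresh random
// 96-bit nonce is prepended to the ciphertext and the whole thing is
// base64-encoded so it survives being pasted into any chat app.
func Seal(key, plaintext []byte) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// Seal appends to nonce, so the output is nonce || ciphertext || tag.
	out := aead.Seal(nonce, nonce, plaintext, nil)
	return base64.StdEncoding.EncodeToString(out), nil
}

// Open decrypts and authenticates a message produced by Seal. A wrong
// key or a single flipped bit fails the GCM tag check and returns an error.
func Open(key []byte, encoded string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(raw) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	// Placeholder secret; in practice exchange 32 random bytes in person.
	key := DeriveKey([]byte("replace-with-secret-exchanged-in-person"))
	msg, err := Seal(key, []byte("meet at the usual place, 21:00"))
	if err != nil {
		panic(err)
	}
	fmt.Println("paste into any messenger:", msg)
	pt, err := Open(key, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("recipient reads:", string(pt))
}
```

This protects message content only: the carrier still sees who talks to whom and when, which is the metadata point raised elsewhere in the thread. A static key with random nonces is fine at chat volumes but gives no forward secrecy, so rotate the secret when you next meet.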
I guess I want privacy, not anonymity. I’m not like an activist, but I have opinions that would get me in trouble, nothing too crazy, just something like “x government did something bad”.
Signal is what you’re looking for
Collecting your phone number on sign up is literally the opposite of anonymity. Perhaps you don’t understand what this word means?
He asked for privacy, not anonymity. Re-read what you replied to.
Requires you to use a phone number, your phone app needs to be online 24/7 to be connected, and it’s hosted in a questionable jurisdiction with questionable human rights. Try Matrix. It’s self-hostable, doesn’t need a phone number to sign up, and the foundation is British, which, while this country from what I know has gone downhill, still has some niceties from the time it was in the EU, like GDPR.
Among other problems, Matrix is not a replacement for a messaging app. It’s more of a community message board with 1:1 private messages with the possibility of encryption. It is way more than most want or need.
I’ve also run a Matrix server in the past, and it’s not simple. The vast majority of people do not have the technical acumen, hardware infrastructure, or time necessary to even begin this endeavor.
Joining a public server where they don’t have control of the data requires a lot of trust in that instance and their owners. To expect them to vet those owners first, verify the servers are in a trusted country, … 10 more steps, before they begin is asinine.
Matrix is not an alternative to any messaging apps mainly intended for 1:1 communication.
The 5 eyes CCTV GCHQ British? The rabid USSA, Shitrael bootlickers?
No thanks.
I don’t know what the current reputation is but Matrix wasn’t always perfectly trustworthy either: https://hackea.org/notas/matrix.html
Given what you’ve said, Signal is still what you want and is good for it.
There are two main issues people have with Signal:
First is that it requires a phone number to sign up. That makes some people who want it to be truly anonymous unhappy. It’s not meant to be anonymous, though. It’s meant to be private. Those aren’t the same thing.
Second is that it runs on AWS. This isn’t a problem in the sense that it’s possible for it to still retain privacy while running on AWS. Some people don’t like it because they view the dependence on the infrastructure of an American company to be a risk to availability. They also believe that it would exacerbate a security flaw if one were found.
Personally, I know these risks and still find it to be the best balance between privacy, security, and ease of use.
Second is that it runs on AWS. This isn’t a problem in the sense that it’s possible for it to still retain privacy while running on AWS. Some people don’t like it because they view the dependence on the infrastructure of an American company to be a risk to availability. They also believe that it would exacerbate a security flaw if one were found.
Let’s not pretend the hypervisor doesn’t have full access to the VMs memory and execution. The only thing protecting the Signal server is Intel SGX.
I don’t think Signal trusts the AWS server either, that’s the point of E2EE encryption.
I’m not claiming the contents of the messages are at risk here. Your social graph and metadata, though, are another story.
The only data they store are account creation time and last connection time.
The thing is, if someone has memory access, Signal doesn’t need to store anything; transiting data is now available. For example, all of your contacts when doing contact discovery. It used to be a simple hash, something for which you could build a rainbow table in a few hours, at the worst. It’s slightly better now, but still.
Don’t take it from me, take it from Moxie:
https://signal.org/blog/private-contact-discovery/
It also doesn’t really matter if the software itself can easily be tampered with in memory by the hypervisor. Like I said, they are putting a lot of trust in Intel SGX.
And let’s not even get into the digital sovereignty issues, and financing of right wing billionaires. Yes, running on AWS is an issue. It’s multiple issues even.
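The brute-force reversal the comment above refers to, added here as an example rather than code from Signal or from the linked blog post: a constructed phone number is hashed with SHA-256 the way a naive hashed-contact upload would do it, and the server side recovers it by simply enumerating the number space behind a known prefix. `HashContact` and `ReverseContactHash` are names chosen here, and the number is made up.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// HashContact models the naive scheme: upload SHA-256(E.164 number)
// instead of the number itself, hoping the hash hides the contact.
func HashContact(number string) string {
	sum := sha256.Sum256([]byte(number))
	return hex.EncodeToString(sum[:])
}

// ReverseContactHash recovers a number from its hash by enumeration.
// prefix is the known country/area part, digits the count of unknown
// trailing digits. Phone numbers carry so little entropy that the whole
// numbering plan of a country is a few billion hashes, which is why a
// plain hash (truncated or not) gives no privacy here; salting does not
// help either, since the server must compute the same hash to match.
func ReverseContactHash(target, prefix string, digits int) (string, bool) {
	limit := 1
	for i := 0; i < digits; i++ {
		limit *= 10
	}
	for n := 0; n < limit; n++ {
		candidate := fmt.Sprintf("%s%0*d", prefix, digits, n)
		if HashContact(candidate) == target {
			return candidate, true
		}
	}
	return "", false
}

func main() {
	// Constructed example number, not a real contact.
	secret := "+15555551234"
	uploaded := HashContact(secret)
	fmt.Println("server receives:", uploaded)
	// One million candidates behind a known 5-digit prefix: about a second.
	if num, ok := ReverseContactHash(uploaded, "+15555", 7); ok {
		fmt.Println("server recovers:", num)
	}
}
```

The enumeration is the attack; a precomputed table over a country's number space is the "rainbow table" the comment mentions. This is the gap that Signal's enclave-based contact discovery in the linked post is meant to close: the server never sees the hash in the clear at all, on the assumption that the enclave is trustworthy.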
https://signal.org/blog/private-contact-discovery/
Since the enclave attests to the software that’s running remotely, and since the remote server and OS have no visibility into the enclave, the service learns nothing about the contents of the client request. It’s almost as if the client is executing the query locally on the client device.
… Providing you trust Intel SGX (and AWS for giving them access to actual SGX and not just emulating a compromised instruction set)
I don’t take anything from someone I don’t trust, who also explicitly doesn’t use warrant canaries because he says they don’t work, in contradiction to every legal authority.
It’s also an issue that they run the Signal server in one AWS region.
It isn’t hard or even all that expensive to run on multiple regions.
It’s not me you need to tell this though.
And what about the suspicion of intrusions into some accounts of important European people by the FSB recently?
I don’t know if it’s social engineering.
But now, I think the “good enough” attitude is not the right ideal; we are not in the 2000s anymore, that’s finished…
Other apps exist:
- Session
- SimpleX
- Anonymous Messenger
- Briar
- Twinme
But it’s always better to use a verified and audited app; it needs to have a safe team.
if this is true
It’s not. Can be closed
I hadn’t heard that but you should install:
- SimpleX Chat
- Delta Chat
Nothing, it’s good. There’s FUD to get you to not trust it.
There was one instance of the White House using Signal on the down low to evade records retention, and then they got caught because they accidentally invited a journalist to the Houthi bombing group chat, but that’s a user error.
And they didn’t use a trusted Signal app, it was an Israeli clone app IIRC
PRODUCT PITCH: Hey everyone, I have a great idea for a secure / private messaging service.
It’s hosted in the US, subject to its pervasive spying laws including national security letters.
Also I need all your phone numbers.
Also no you can’t host this yourself, I run the only server.
Everyone who uses signal and supports it, is falling for this pitch.