i’ve just seen a comment in a post, in this very community, saying people trust signal because of missinformation (from what i could undertand).
if this is true, then i have a few questions:
-what menssaging app should i use for secure communications? i need an app that balances simplicity and security.
-how to explain it to my friends who use signal because i recomended?
-what this means for other apps in general?
You must log in or # to comment.
Did you ask the commenter what the issue was? Seems like the logical place to start.
You’d think so, but sometimes they just angrily rant with no clear point or references.
But that would mean that you shouldnt accept their claim, regardless of how conceivable the claim might appear to be. Otherwise, we loose our minds to common sense.
The usual conspiracy theory is that Signal is funded by the CIA and therefore a honey pot.
what menssaging app should i use for secure communications? i need an app that balances simplicity and security.
Signal. I can do almost everything that i.e. WhatsApp or Telegram offer, is as easy to use as those and the client is verifiably encrypted and secure.
how to explain it to my friends who use signal because i recomended?
Explain what exactly? Why they should use it?
- It offers the same functionality as other messengers while being verifiably secure and encrypted.
- Signal collects only three datapoints of users
- Date of registration
- Date of last connection to the server
- Your encrypted backups if you enable cloud backups
- Compare that to messengers such as WhatsApp and Telegram where it is not clear which information they collect, whether they store it in an encrypted format or not or who they share it with.
- In the case of WhatsApp it is at least the US government as required by the Cloud Act.
- In case of Telegram the data is unencrypted by default and cooperation with various governments has been reported.
what this means for other apps in general?
Please clarify the question.
the part of the “conspiracy theory” about CIA funding is completely true: signal proudly say they get funding from the OTF, which at the time signal started was a subsidiary of Radio Free Asia, which started out as an open CIA project (before being relaunched as clearly still a CIA project but without the official acknowledgement).
I’m 50:50 on whether signal is a literal honeypot, but even if not it seems pretty likely that the US government wouldn’t have funded an app that could be used by people breaking its laws - let alone people actively organizing against it (foreign spies, domestic revolutionaries and insurrectionists) unless they were getting something pretty big in return.
In return they get an actually secure messing app they can use without having to support it themselves. Which is pretty big.
The epstein files have proven that conspiracy theories are true. Of course powerful gangsters conspire. We already knew that since forever.
The epstein files have proven that conspiracy theories are true.
So the Earth really is flat and run by lizard people?
Be careful with your wording. Yes, some conspiracy theories are true to some degree. But there’s also ones that are complete bunk.
Ok, because the thing, that everybody knew turned out to be true, every conspiracy theory is valid now?
I guess you should go visit the Nazis in New Swabia and discuss this revelation with them.
Given what you’ve said, Signal is still what you want and is good for it.
There are two main issues people have with Signal:
First is that it requires a phone number to sign up. That makes some people who want it to be truly anonymous unhappy. It’s not meant to be anonymous, though. It’s meant to be private. Those aren’t the same thing.
Second is that it runs on AWS. This isn’t a problem in the sense that it’s possible for it to still retain privacy while running on AWS. Some people don’t like it because they view the dependence on the infrastructure of an American company to be a risk to availability. They also believe that it would exacerbate a security flaw if one were found.
Personally, I know these risks and still find it to be the best balance between privacy, security, and ease of use.
And what about suspicion of intrusions in some accounts of european imlrtznts poeple by the FSB recently ?
I don’t know if it’s a social ingeneering
But now, i think “good enough” attitude is not the good idéal, we are not in 2000’ it’s finish…
Another app exists :
Session
simpleX
Anonymous messenger
Briar
Twinme
But it’ always better to use a verified and audited app, need to have a safe team
Second is that it runs on AWS. This isn’t a problem in the sense that it’s possible for it to still retain privacy while running on AWS. Some people don’t like it because they view the dependence on the infrastructure of an American company to be a risk to availability. They also believe that it would exacerbate a security flaw if one were found.
Let’s not pretend the hypervisor doesn’t have full access to the VMs memory and execution. The only thing protecting the Signal server is Intel SGX.
I don’t think Signal trusts the AWS server either, that’s the point of E2EE encryption.
I’m not claiming the contents of the messages are at risk here. You’re social graph and metadata though is another story.
deleted by creator
The thing if someone has memory access Signal doesn’t need to store anything, transiting data is now available. For example all of your contacts when doing contact discovery. It used to be a simple hash, something for which you could build a rainbow table in a few hours, at the worst. It’s lightly better now, but still.
Don’t take it from me, take it from Moxie:
https://signal.org/blog/private-contact-discovery/
It also doesn’t really matter if the software itself can easily be tampered with in memory by the hypervisor. Like I said, they are putting a lot of trust in Intel SGX.
And let’s not even get into the digital sovereignty issues, and financing of right wing billionaires. Yes, running on AWS is an issue. It’s multiple issues even.
I don’t take anything from someone I don’t trust that also explicitly doesn’t use warrant canaries because he says they don’t work in contradiction to every legal authority.
It’s also an issue that they run the signal server on one done AWSv region.
It isn’t hard or even all that expensive to run on multiple regions.
It’s not me you need to tell this though.
deleted by creator
… Providing you trust Intel SGX (and AWS for giving them access to actual SGX and not just emulating a compromised instruction set)
if this is true
It’s not. Can be closed
I hadn’t heard that but you should install:
- SimpleX Chat
- Delta Chat
Nothing, it’s good. There’s FUD to get you not robust it
There was one instance of the white house using signal on the down low to evade records retention and then got caught because they accidentally invited a journalist to the houthi bombing group chat, bit that’s a user error
And they didn’t use a trusted Signal app, it was an Israeli clone app IIRC
not to shit on you specifically but I see this over and over, folks asking how to be “secure”. secure against what?
if you’re into this, you need to set up a “threat model” i.e. what are your threat vectors and then you build your defenses against that model. a defense against blanket surveillance doesn’t handle targeted threats. a successful defense against your government doesn’t preclude other nation-state actors getting at you.
like, if your threat vector is e.g. your SO “inspecting” your phone, you set up a passcode and you’re safe against that threat. but, if there’s a toddler going around smashing stuff, your defense isn’t valid. defense against that vector is placing your phone high up. but that defense isn’t effective against SO.
I am sure any messenger recommended here can be successfully red-teamed, be it design flaws, operator error, the famous wrench comic, or whathaveyou. but that doesn’t mean it’s ineffective in your specific case.
Yes, i hate this in these kinds of discussions. It so often devolves into how you’ll be safe from surveillance by world governments (spoiler: you won’t be, if they really care).
And here I am, just not wanting to hand data over to giant corporations that have been proven to use it for no good.
Heck, even if there was no good actor/solution, not giving all your data to the same bad actor is already a step up.
It’s fine as long as you don’t do something silly like invite a journalist to your top secret government group chat.
Or use a third party client that doesn’t have as much scrutiny on the source code and will Leak your message s
man imagine trusting in an israeli signal fork lmao
Would you say Molly is big/trustworthy enough for this to be negligible, or is it a huge risk?
Molly basically is a fork of the signal client that switches out some notification based things (such as your notifications going through fcm and such) and instead lets you use unifiedpush and/or a molly websocket. Apart from this they’re both the same. Molly uses signal’s codebase.
Molly also supports full database encryption and replaces all proprietary blobs in signal iirc
The only secure communication involves a dead drop and one time pad. Everything else is Mossad.
I’m put off by the centralized server. I’d want to self host without having to build a special client, something like nextcloud. That the company chose to prevent that gives me a bad impression. So I haven’t been using it so far.
I’ve played with GNU Jami a little but it was flaky when I tried it last year. Maybe it’s better now.
You can’t have it both ways. It’s hard enough to get people to switch to signal, or least also use it next to other messengers. Now imagine they’d have to connect to multiple servers to talk to multiple people. Possibly everyone connection details. Even if that’s done in the background, you have to somehow get the connection registered once, discovered if you will.
Anything and everything you send through their server is end-to-end encrypted. Some people hate on the phone number being required to create an account, but it’s also the reason it works at all: anyone in your contacts who also has signal you can talk to. Phone numbers are an international standard. If course this also has downsides…
Finally what you’re asking for exists. NextCloud has “talk”. Which is essentially a messenger app, it’s built in. Go use it. I have a NextCloud instance and I don’t use it either. What’s the point of having an app I can only use to talk with people so close to me that they’re in my NextCloud with an account already?
You can’t have it both ways.
Of course I can. Jitsi Meet lets you do it both ways. I don’t know if Nextcloud has an official hosted server but they could if they wanted. I use it self-hosted and it works, the Talk app is just not very good. Jami uses a DHT instead of a centralized server which is another approach, though it might be part of its flakiness. Linphone (a regular VOIP client, not a secure chat thing) is set up by default to point to Linphone’s own SIP servers but you can change that in Settings. No reason Signal can’t do similar. Heck, even Lemmy works that way (you choose your server).
Signal is simply being evil and your defending them is unconvincing. I could opt to self-host Signal and build a special client for my users, at the cost of hassle for everyone but no serious technical drawbacks. Signal chooses to create that hassle because they want to funnel users through their servers, not incidentally collecting metadata about ALL the user conversations.
There’s actually a configurable Signal client called Amanda or something like that, though I haven’t tried it. Someone here mentioned it last time this came up.
Also, Signal’s own client isn’t on F-droid, which raises more potential questions. I haven’t cared enough to look into it.
Added: oh re Nextcloud, I see what you mean, account creation is an obstacle, though that could be handled like Hipchat used to. You could generate a randomized URL to invite someone to your private chat without their needing an account. Nextcloud has that too, though just for file access, not for chat for some reason. Come to think of it, Signal could also work that way: it shouldn’t need accounts at all.
When I’ve invited people to my Nextcloud I’ve just enrolled the account for them myself and told them “please log in with username X password Y”.
Perfect is the enemy of good.
Your quote is wrong. The actual quote is: “Perfect is the enemy of good enough.”
But the point is still valid. For me personally, if it is good enough for Edward Snowden, ots good enough for me.
deleted by creator
Its not what I would use while communicating with someone else who values anonymity, but, its probably the best out there for communicating with people that dont care about any of that and just want something easy that works. Its easier to onboard people on to it.
I’ll start by saying that i don’t use signal.
if this is true
There are some concerns that other people in the comments explained. It’s up to you to decide if the trade off is good enough for you. There’s no silver bullet for this.
-what menssaging app should i use for secure communications? i need an app that balances simplicity and security.
Signal is ok. Same as matrix, delta chat, xmpp, simplex. Avoid telegram, messenger, whatsapp, instagram, snapshat, max…
-how to explain it to my friends who use signal because i recomended?
Most people mess up the concepts of anonymity with privacy.
-what this means for other apps in general?
There’s no silver bullet. All the apps have ups and downs. Most people don’t realize that if a state actor (I’m not talking about police but for example NSA, CIA, mossad, mi6) is after you, they will get you. Usually from a side channel, or from some stupid mistake you made years ago.
It was on the leaked palantir screneshot, indicating there are actively exploited zero days? Just a guess.
Those reports do NOT show active zero days in signal. The pieces of spyware talked about in those are capable of reading messages once already having compromised a device which isn’t insane as if you have access to read storage from a device arbitrarily, of course you can just read the messages. If you want to solve this, A: Use GrapheneOS or an iPhone on lockdown mode with data over USB disabled or B: Use Molly with local encryption.
Requires you to use a phone number, your phone app needs to be online 24/7 to be connected, and hosted in a questionable jurisdiction with questionable human rights. Try Matrix. It’s selfhostable, doesn’t need a phone number to sign up and the foundation is British, which while this country from what I know has gone down the water, they still have some niceities from time they were in the EU, like GDPR.
I don’t know what the current reputation is but Matrix wasn’t always perfectly trustworthy either: https://hackea.org/notas/matrix.html
The 5 eyes CCTV GCHQ British? The rabid USSA, Shitrael bootlickers?
No thanksAmong other problems, Matrix is not a replacement for a messaging app. It’s more of a community message board with 1:1 private messages with the possibility of encryption. It is way more than most want or need.
I’ve also run a Matrix server in the past, and it’s not simple. The vast majority of people do not have the technical acumen, hardware infrastructure, or time necessary to even begin this endeavor.
Joining a public server where they don’t have control of the data requires a lot of trust in that instance and their owners. To expect them to vet those owners first, verify the servers are in a trusted country, … 10 more steps, before they begin is asinine.
Matrix is not an alternative to any messaging apps mainly intended for 1:1 communication.
