Since Signal gets your phone number, can we consider this application private? What are your thoughts about it? I’m also using SimpleX, ElementX, Threema, but not many people use them…
Cheers
This is kind of useless fear-mongering suited to no one’s threat model.
Are messages truly E2EE and they don’t share meta data? Yes? Then you’re fine. It needs a phone number for registration? OK, well buy a burner SIM card (you of course have several, right?) to register it if you’re that worried. Because if you’re already at a level where you’re THAT concerned about your phone number pinging for using a widely popular messaging app, then you have lost the game by even having a phone or sending messages to other humans who are the weakest link in the security chain anyway.
Considering that the Feds tried to make some government-compliant front end for Signal for idiot Hegseth to use to talk about national security stuff with the Vice President, I’d say that it’s probably fine for you to buy weed or whatever.
OK, well buy a burner SIM card
Illegal in many countries. SIM cards are attached to your real world identity.
Signal has too many red flags, but the biggest one is phone numbers and SIM cards. No application that wants to be secure against nation state spying relies on these.
Right now, for the wider population, it is a heaven-sent option compared to WhatsApp, FB Messenger etc. Break those bonds first and keep the wheel turning.
Depends on your threat model, as always. If you require absolute anonymity, it’s tricky, because it uses a phone number during the onboarding process, so get an anonymous pre-paid number and discard it after registration. After onboarding you don’t need the number.
For the rest, it’s about as “private” as you make it. It supports group messaging, calls and video, so obviously you need to be careful while using it. Everything is e2e encrypted and stays on your local device, the source is available and has been extensively audited. The company itself is non-profit and has a sensible privacy policy.
But yeah, your threat model is the key answer to your question
so get an anonymous pre-paid number
That’s not something that exists in many countries. SIM-cards have to be attached to a real world identity by law.
crazy that no one’s posted the dessalines article yet https://github.com/dessalines/essays/blob/main/why_not_signal.md
EDIT: just to have it here in case anyone even cares, i put my thoughts on the essay later on in the thread
hi. Do you have any suggestions for an app to replace it?
unfortunately not. matrix is probably a no because of this thread. i hear a lot of people saying briar is good but idk anything about it
Ok. Thanks anyway!
Since we are on the topic of Signal… I’m not tech savvy, but I have read lots of blogs and people about how secure the Signal protocol is. My question is… how can I be sure that the protocol is implemented as the open source code shows? Please correct me if I’m wrong, but from what I read on their website the apk they provide has the capability to update itself at any time. So what stops them from changing how it works with an update? Is it possible to build the apk yourself and stop the ability to update?
Just like any FOSS project, there is some level of trust if you are going with the main distribution. In theory you are correct that not much is stopping them from releasing a malicious update, but because it is open source, soon enough people would notice that either they released new code that is malicious, or that the new version does not match the source code. That kind of scenario is known as a supply chain attack.
Since the code is open, you can literally read it for yourself to see exactly what the apk does. You can also fork it and modify it however you like, just like the creator of Molly did (Molly is a fork of the Signal client that adds some security features)
It’s a centralized, US-based service running on AWS, that’s not self-hostable, requires phone numbers, and you have no idea what code their server is running.
Whether the app you use for it is open source, is entirely irrelevant for them building social network graphs, considering they have your real identity via phone numbers.
If the answer is “I just trust them”, then you’re not doing security correctly.
It is not as good as a decentralized system, and even though the server is open source, it isn’t self hostable (technically in an intranet you could but not easily)
But the Signal Foundation is a non-profit with external audits and a proven track record with law enforcement requesting data and getting basically nothing (if I remember correctly they only have your user to phone number relation and the last time you were online)
So although it is imperfect, it is an amazing solution that is almost the only 1:1 competitor to WhatsApp/Messenger/iMessage that is privacy respecting, so I am very grateful for its existence.
100% this, there is matrix, but that was a pain when I used it (this was a few years ago, granted). Signal just works.
even though the server is open source, it isn’t self hostable
Since it’s a centralized server that isn’t self hostable, you have no idea what’s running on their server. Signal even went a whole year once without publishing any server back end code updates, until it raised a lot of hackles so they started adding to it again.
But the Signal Foundation is a non-profit with external audits and a proven track record with law enforcement requesting data and getting basically nothing (if I remember correctly they only have your user to phone number relation and the last time you were online)
You have no idea what they give to authorities: in fact with NSLs, it’s illegal for them to tell you. Signal’s response to this is “just trust us”.
Thanks for the explanation!
You have to register with your phone number.
But you don’t have to give your phone number out to friends or people you meet.
Some family members use Molly-Foss and have no issues.
I use signal-foss from the Twin helix repo, A fork of Signal with proprietary Google binary blobs removed…
https://www.twinhelix.com/apps/signal-foss/
Signal from the F-droid - The guardian project repo, is just signal.
I read that the issue was with signal using google firebase, and that it was easier for the fascist piglets to track your messages through notifications.
I have found that you can actually delete a contact via molly but cannot do it via signal.
With Signal you can only block a contact, which for me, is a privacy issue.
If I meet a random person, say on holiday, and we swap details, I want to delete them, not block them, where they remain in my block list forever.
I swap between Signal-FOSS and Molly if I want to delete a contact.
With the phone number, no; and since there’s no Signal usage without a phone number, well… Also, I think somewhere on their website (or some place) they talked about burner phones as if it’s a universal phenomenon.
Signal has felt “out of place” to me. Odd. It doesn’t fit in, doesn’t make sense if I think a bit farther about it.
I hope something decentralised comes out of Signal protocol minus the need for a phone number.
SimpleX uses Signal tech AFAIK but without requiring phone number or email address.
You are talking about Session. Session is a Signal fork, and you don’t need a phone number. But there are some concerns about its security as, in order to properly work, it removed some Signal features. I’m not qualified enough to understand if it’s truly a security risk or not. But the option to use it is there.
I used it for a couple years, but came back to signal because I had so many issues with media sharing.
Imo signal protocol is mostly fairly robust, signal service itself is about the best middle ground available to get the general public off bigtech slop.
It compares favorably against WhatsApp while providing comparable UX/onboarding/rendezvous, which is pretty essential to get your non-tech friends/family out of Meta’s evil clutches.
Just the sheer number of people signal’s helped to protect from eg. meta, you gotta give praise for that.
It is lacking in core features which would bring it to the next level of privacy, anonymity and safety. But it’s not exactly trivial to provide ALL of the above in one package while retaining accessibility to the general public.
Personally, I’d be happier if signal began to offer these additional features as options, maybe behind a consent checkbox like “yes i know what i’m doing (if someone asked you to enable this mode & you’re only doing it because they told you to, STOP NOW -> ok -> NO REALLY, STOP NOW IF YOU ARE BEING ASKED TO ENABLE THIS BY ANYONE -> ok -> alright, here ya go…)”.
All the Signal fans here should give me your phone number if you think it’s a secure service. All of them are hosted on AWS btw.
I don’t use Signal to talk to people I know only pseudonymously through the internet. I use it to talk to people with whom I would already share my phone number. That social graph can be ascertained a thousand ways already. I think it is worth pointing out as you do, however. If I wanted to attempt to hide the fact that I was contacting someone from the state, I’m not sure where I would start, but it wouldn’t be Signal.
No, and they are supported by US gov (last check), so no good can come of that.
Do you have a reference for it?
Quick googling comes up with only people refuting this claim.
Sure, we had signal gate, but the way that was received should make it pretty clear that it’s not supported for official use.
Not supported for official use because it leaves no trace for the formal record. Not because Signal is insecure.
Relatively popular, supposedly secure, based in usa, haven’t been raided by gestapo. There is a contradiction in here.
Anything that touches greed-incentivizing cr*ptocurrencies turns to shit. Use Matrix, XMPP, or Tox instead.
✍︎ arscyni.cc: modernity ∝ nature.
deleted by creator
I couldn’t find any sources regarding this topic
I dislike Signal because they are many google play services, and do not try to distribute their app beyond Google Play Store.
https://signal.org/android/apk/
and if you want, you can use molly-foss to remove google notification services
Just switched to molly-foss and am using mollysocket and have no issues
Was it just a simple switch or would I have to convince everyone to use Molly instead of Signal all over again? Like can I just get Molly and transfer over my contacts and history and all that?
Molly was easy enough, switching the notifications was a bit more painful. I found that the airgapped solution worked more seamlessly than the web server though
I agree that there are workarounds, but I find it frustrating that Signal devs are ignoring very obvious security and privacy issues like this. It erodes trust and my enthusiasm to use Signal.