out of the loop, what's the problem with signal?
i've just seen a comment in a post, in this very community, saying people trust signal because of misinformation (from what i could understand).
if this is true, then i have a few questions:
-what messaging app should i use for secure communications? i need an app that balances simplicity and security.
-how to explain it to my friends who use signal because i recommended it?
-what does this mean for other apps in general?

Noodles4dinner [none/use any]
in reply to Nuvalon • • •
frischkaesbagett
in reply to Nuvalon • • •Signal is alright IMO.
There is no perfect service. That's why smarter people than me analyze this and talk about it:
messenger-matrix.de/messenger-…
I think deltachat is pretty cool. Decentralised, open source and quite easy to use and set up. For me it is something for friends willing to try out new stuff and as a fallback when signal fails.
Messenger-Matrix • Kuketz IT-Security Blog
www.messenger-matrix.de
Count042
in reply to frischkaesbagett • • •Delta chat is the best. Especially with webxdc's.
webxdc.org/
Webxdc: mini apps shared in a chat
webxdc.org
ultimate_worrier
in reply to Nuvalon • • •- SimpleX Chat
- Delta Chat
sanpo
in reply to Nuvalon • • •
einkorn
in reply to Nuvalon • • •The usual conspiracy theory is that Signal is funded by the CIA and therefore a honey pot.
Signal. I can do almost everything that i.e. WhatsApp or Telegram offer, is as easy to use as those and the client is verifiably encrypted and secure.
Explain what exactly? Why they should use it?
- It offers the same functionality as other messengers while being verifiably secure and encrypted.
- Signal collects only three datapoints of users
1. Date of registration
2. Date of last connection to the server
3. Your encrypted backups if you enable cloud backups
- Compare that to messengers such as WhatsApp and Telegram where it is not clear which information they collect, whether they store it in an encrypted format or not or who they share it with.
- In the case of WhatsApp it is at least the US government as required by the Cloud Act.
- In case of Telegram the data is unencrypted by default and cooperation with various governments has been reported.
Please clarify the question.
m532
in reply to einkorn • • •
einkorn
in reply to m532 • • •Ok, because the thing, that everybody knew turned out to be true, every conspiracy theory is valid now?
I guess you should go visit the Nazis in New Swabia and discuss this revelation with them.
an area of Antarctica between 20°E and 10°W in Queen Maud Land, first explored by Nazi Germany in early 1939
Contributors to Wikimedia projects (Wikimedia Foundation, Inc.)
mnemonicmonkeys
in reply to m532 • • •So the Earth really is flat and run by lizard people?
Be careful with your wording. Yes, some conspiracy theories are true to some degree. But there's also ones that are complete bunk.
triplenadir
in reply to einkorn • • •the part of the "conspiracy theory" about CIA funding is completely true: signal proudly say they get funding from the OTF, which at the time signal started was a subsidiary of Radio Free Asia, which started out as an open CIA project (before being relaunched as clearly still a CIA project but without the official acknowledgement).
I'm 50:50 on whether signal is a literal honeypot, but even if not it seems pretty likely that the US government wouldn't have funded an app that could be used by people breaking its laws - let alone people actively organizing against it (foreign spies, domestic revolutionaries and insurrectionists) unless they were getting something pretty big in return.
silasmariner
in reply to triplenadir • • •
Eager Eagle
in reply to Nuvalon • • •
Nuvalon
in reply to Eager Eagle • • •
Eager Eagle
in reply to Nuvalon • • •The problem is that you didn't bring much, and it sounds like you're trying to spread FUD yourself:
Nuvalon
in reply to Eager Eagle • • •
davel
in reply to Nuvalon • • •This is long, but answers your questions: Why Not Signal?
Okay it doesn’t answer that one. But also, whether they should use Signal or not depends on their threat models. Many people don’t see the US police state as a threat.
process by which potential threats, such as structural vulnerabilities can be identified, enumerated, and prioritized – all from a hypothetical attacker’s point of view
Contributors to Wikimedia projects (Wikimedia Foundation, Inc.)
Sims
in reply to davel • • •
kn33
in reply to Nuvalon • • •Given what you've said, Signal is still what you want and is good for it.
There are two main issues people have with Signal:
First is that it requires a phone number to sign up. That makes some people who want it to be truly anonymous unhappy. It's not meant to be anonymous, though. It's meant to be private. Those aren't the same thing.
Second is that it runs on AWS. This isn't a problem in the sense that it's possible for it to still retain privacy while running on AWS. Some people don't like it because they view the dependence on the infrastructure of an American company to be a risk to availability. They also believe that it would exacerbate a security flaw if one were found.
Personally, I know these risks and still find it to be the best balance between privacy, security, and ease of use.
wildbus8979
in reply to kn33 • • •Let's not pretend the hypervisor doesn't have full access to the VM's memory and execution. The only thing protecting the Signal server is Intel SGX.
someacnt
in reply to wildbus8979 • • •
wildbus8979
in reply to someacnt • • •
pkjqpg1h
in reply to wildbus8979 • • •The only data they store are account creation time and last connection time.
signal.org/bigbrother/district…
Grand jury subpoena for Signal user data in the United States District Court for the District of Columbia
Signal Messenger
wildbus8979
in reply to pkjqpg1h • • •The thing is, if someone has memory access Signal doesn't need to store anything, transiting data is now available. For example all of your contacts when doing contact discovery. It used to be a simple hash, something for which you could build a rainbow table in a few hours, at the worst. It's slightly better now, but still.
Don't take it from me, take it from Moxie:
signal.org/blog/private-contac…
It also doesn't really matter if the software itself can easily be tampered with in memory by the hypervisor. Like I said, they are putting a lot of trust in Intel SGX.
And let's not even get into the digital sovereignty issues, and financing of right wing billionaires. Yes, running on AWS is an issue. It's multiple issues even.
Technology preview: Private contact discovery for Signal
Signal Messenger
pkjqpg1h
in reply to wildbus8979 • • •signal.org/blog/private-contac…
Technology preview: Private contact discovery for Signal
Signal Messenger
wildbus8979
in reply to pkjqpg1h • • •
pkjqpg1h
in reply to wildbus8979 • • •😃
conspiracy begins...
wildbus8979
in reply to pkjqpg1h • • •
Ontimp
in reply to wildbus8979 • • •
Count042
in reply to wildbus8979 • • •I don't take anything from someone I don't trust that also explicitly doesn't use warrant canaries because he says they don't work in contradiction to every legal authority.
It's also an issue that they run the signal server on one single AWS region.
It isn't hard or even all that expensive to run on multiple regions.
wildbus8979
in reply to Count042 • • •
Heyla
in reply to kn33 • • •And what about suspicion of intrusions in some accounts of important European people by the FSB recently?
I don't know if it's social engineering
But now, I think the "good enough" attitude is not the good ideal, we are not in the 2000s, it's finished....
Other apps exist:
Session
SimpleX
Anonymous messenger
Briar
Twinme
But it's always better to use a verified and audited app, need to have a safe team
fr.euronews.com/2026/03/12/des…
Russia-linked hackers target messaging apps of European officials, intelligence services warn
João Azevedo (Euronews)
Fluffy Kitty Cat
in reply to Nuvalon • • •Nothing, it's good. There's FUD to get you not robust it
There was one instance of the White House using Signal on the down low to evade records retention and then got caught because they accidentally invited a journalist to the Houthi bombing group chat, but that's a user error
Undertaker
in reply to Nuvalon • • •It's not. Can be closed
RobotToaster
in reply to Nuvalon • • •
kn33
in reply to RobotToaster • • •The Signal Clone the Trump Admin Uses Was Hacked
Joseph Cox (404 Media)
sakuraba
in reply to kn33 • • •
parzival
in reply to kn33 • • •
innocentz3r0
in reply to parzival • • •
parzival
in reply to innocentz3r0 • • •
superglue
in reply to Nuvalon • • •
solrize
in reply to Nuvalon • • •I'm put off by the centralized server. I'd want to self host without having to build a special client, something like nextcloud. That the company chose to prevent that gives me a bad impression. So I haven't been using it so far.
I've played with GNU Jami a little but it was flaky when I tried it last year. Maybe it's better now.
Creat
in reply to solrize • • •You can't have it both ways. It's hard enough to get people to switch to signal, or at least also use it next to other messengers. Now imagine they'd have to connect to multiple servers to talk to multiple people. Possibly everyone connection details. Even if that's done in the background, you have to somehow get the connection registered once, discovered if you will.
Anything and everything you send through their server is end-to-end encrypted. Some people hate on the phone number being required to create an account, but it's also the reason it works at all: anyone in your contacts who also has signal you can talk to. Phone numbers are an international standard. Of course this also has downsides...
Finally what you're asking for exists. NextCloud has "talk". Which is essentially a messenger app, it's built in. Go use it. I have a NextCloud instance and I don't use it either. What's the point of having an app I can only use to talk with people so close to me that they're in my NextCloud with an account already?
solrize
in reply to Creat • • •Of course I can. Jitsi Meet lets you do it both ways. I don't know if Nextcloud has an official hosted server but they could if they wanted. I use it self-hosted and it works, the Talk app is just not very good. Jami uses a DHT instead of a centralized server which is another approach, though it might be part of its flakiness. Linphone (a regular VOIP client, not a secure chat thing) is set up by default to point to Linphone's own SIP servers but you can change that in Settings. No reason Signal can't do similar. Heck, even Lemmy works that way (you choose your server).
Signal is simply being evil and your defending them is unconvincing. I could opt to self-host Signal and build a special client for my users, at the cost of hassle for everyone but no serious technical drawbacks. Signal chooses to create that hassle because they want to funnel users through their servers, not incidentally collecting metadata about ALL the user conversations.
There's actually a configurable Signal client called Amanda or something like that, though I haven't tried it. Someone here mentioned it last time this came up.
Also, Signal's own client isn't on F-droid, which raises more potential questions. I haven't cared enough to look into it.
Added: oh re Nextcloud, I see what you mean, account creation is an obstacle, though that could be handled like Hipchat used to. You could generate a randomized URL to invite someone to your private chat without their needing an account. Nextcloud has that too, though just for file access, not for chat for some reason. Come to think of it, Signal could also work that way: it shouldn't need accounts at all.
When I've invited people to my Nextcloud I've just enrolled the account for them myself and told them "please log in with username X password Y".
Law Abiding VPN User
in reply to Nuvalon • • •No one can break the encryption, so even though it routes through AWS sometimes it's still completely E2EE with quantum resistant encryption that not even the feds could break
the only way it can be "hacked" is with phishing
NuXCOM_90Percent
in reply to Nuvalon • • •Define "secure communications".
Do you just not want to have all of your conversations to go into the pool of training data for LLMs? Signal is probably fine for that. You can also consider Matrix, although that has a LOT of caveats.
Do you want to commit crimes? Are they the "everyone does them" kind? Or are they the kind that can get you executed like "speaking out against the regime"? If the former? Signal is, again, probably fine. If the latter?
This is where you need to learn: The moment you rely on someone else to handle your privacy for you, you have none. What does that mean in this context? That means that if some company is exchanging keys for you then they inherently have those keys. And you can only trust them as far as they have been audited... and how recent that audit is.
So take a lesson from journalists. Exchange your keys ahead of time. This might be a proper public/private key pair or it could be as simple as a cipher (I suggest avoiding hotel bibles, but you do you). And then you communicate using that encryption/cipher. At which point it doesn't matter what you use (but maybe avoid google and facebook for obvious reasons...).
Nuvalon
in reply to NuXCOM_90Percent • • •
uuj8za
in reply to Nuvalon • • •
neutronst4r
in reply to uuj8za • • •Your quote is wrong. The actual quote is: "Perfect is the enemy of good enough."
But the point is still valid. For me personally, if it is good enough for Edward Snowden, it's good enough for me.
pkjqpg1h
in reply to neutronst4r • • •Source?
uuj8za
in reply to neutronst4r • • •aphorism commonly attributed to Voltaire
Contributors to Wikimedia projects (Wikimedia Foundation, Inc.)
ozoned
in reply to Nuvalon • • •They don't allow third party clients.
They are open source, and you can run your own, but it won't ever be allowed to connect to the standard signal server.
Signal has a piece they say is for fighting spam so they can't release the code to it. So you just have to trust them.
signal.org/blog/keeping-spam-o…
"We build Signal in the open, with publicly available source code for our applications and servers. To keep Signal a free global communication service without spam, we must depart from our totally-open posture and develop one piece of the server in private: a system for detecting and disrupting spam campaigns"
Signal is not perfect. It's better than most.
I personally use Matrix as I can go to another server or run my own. I run multiple clients. It is NOT perfect and has its own issues.
Improving first impressions on Signal
Signal Messenger
Feyd
in reply to ozoned • • •Software list
GitHub
ozoned
in reply to Feyd • • •That's a third party software list created by someone not Signal and basically tells you it's a work around to Signal:
"Signal does not have an official API, and the published code requires additional effort to be used outside of the official signal clients."
So I'm not certain the point of the link. There are still clients for Reddit and YouTube and others that are third party and aren't official. Signal doesn't support those.
Feyd
in reply to ozoned • • •The point is this statement is pointless because they exist anyway.
ozoned
in reply to Feyd • • •
Feyd
in reply to ozoned • • •
ozoned
in reply to Feyd • • •I'm not upset. So maybe a good question to ask yourself?
And I didn't give misinformation. Signal doesn't allow it. Yes, they exist, and can break at any time.
I personally have Signal. I use Matrix more, but I wouldn't turn away Signal.
OP asked for information on what gives people pause about Signal. I have given it. Where is my misinformation? I'd like to know so I can learn as well.
What you personally view as pointless, matters to some people.
That's for each to decide. If this is a community focused on privacy, as you said, shouldn't we give everyone the information they asked and not make decisions on what is or is not pointless to them?
It is a fact that Signal is a centralized service. They do not allow federation. They do not allow third party clients. They could decide in the future to turn people's accounts off for using third party clients.
I have lived through this numerous times. I don't trust a centralized service as much as one I can run myself. That's for each to decide.
Schlemmy
in reply to ozoned • • •
ozoned
in reply to Schlemmy • • •Yes. My whole family uses Matrix. Including my parents. And no, they're not technical at all. Father, step mother, sister, wife.
And yes I can give someone a link to join me on matrix.
Installing Element has become super easy IMO.
Schlemmy
in reply to ozoned • • •And are you selfhosting and have them join you or how and where do they get their accounts? When the encryption keys don't sync, who's doing tech support?
I mean, my mother is 78. It's all kind of challenging.
ozoned
in reply to Schlemmy • • •At the moment I'm happily on matrix.org and donating monthly to them. Most of my community is on their own Matrix servers. Outages happen, but most of the time it's matrix.org that has an issue and the self-hosters are still able to chat and make fun of me. :) In a friendly way.
Encryption keys not syncing also happens. But it seems to be getting less and less. There are different steps for different devices and platforms. Normally leaving a room and rejoining works to resolve. Sucks, but the Matrix group are ACTIVELY trying to hunt these down.
My father is 71. The Element phone install basically walks you through the process. Including which server to connect to. You'd give them yours if you want them on just yours.
Everyone's situation is different. If you're interested, try it. See if it works. Maybe it doesn't. Then stick with Signal. Signal is awesome, but it is far from perfect.
Matrix is awesome, and it's nowhere near perfect.
Use the tool that works best for you. Some security and encryption is worth it than 0 security and encryption.
Zoldyck
in reply to Nuvalon • • •
CactusEcho
in reply to Nuvalon • • •I'll start by saying that i don't use signal.
There are some concerns that other people in the comments explained. It's up to you to decide if the trade off is good enough for you. There's no silver bullet for this.
Signal is ok. Same as matrix, delta chat, xmpp, simplex. Avoid telegram, messenger, whatsapp, instagram, snapchat, max...
Most people mess up the concepts of anonymity with privacy.
There's no silver bullet. All the apps have ups and downs. Most people don't realize that if a state actor (I'm not talking about police but for example NSA, CIA, mossad, mi6) is after you, they will get you. Usually from a side channel, or from some stupid mistake you made years ago.
Willoughby
in reply to Nuvalon • • •You, yes you, scrolling.
Here.
XMPP
I see you.
IndustryStandard
in reply to Nuvalon • • •
☆ Yσɠƚԋσʂ ☆
in reply to IndustryStandard • • •
DrFunkenstein
in reply to ☆ Yσɠƚԋσʂ ☆ • • •
monovergent
in reply to ☆ Yσɠƚԋσʂ ☆ • • •Would love to use SimpleX too, but the plan fell apart while trying to use it with family. Surprisingly many people fail to grasp the concept of anything other than a phone number, social media profile, or email address. It fell apart among my more tech-savvy friends because we missed calls and had delayed notifications despite SimpleX eating through the battery like no other messaging app.
No doubt, SimpleX is the concept of a messaging app done right and could be better than any other. It's just the implementation that needs work. But I'd be happy to hear if there's any optimizations I could try and revisit it.
Schlemmy
in reply to ☆ Yσɠƚԋσʂ ☆ • • •My contacts could find me by phone number. I changed my status on WhatsApp and half of the regular contacts decided to use Signal.
If I want to use SimpleX I would have to invite them all and just hope they'll adopt.
I don't need my phone number to be private. I want my communication to be private.
☆ Yσɠƚԋσʂ ☆
in reply to Schlemmy • • •
Schlemmy
in reply to ☆ Yσɠƚԋσʂ ☆ • • •
Hominine
in reply to Nuvalon • • •
☆ Yσɠƚԋσʂ ☆
in reply to Hominine • • •
f3nyx
in reply to ☆ Yσɠƚԋσʂ ☆ • • •I got around it by registering a new number with phreeli.
granted, this is not something most people can go and do, phone numbers are hard to separate from. however, you might agree that privacy minded individuals are more likely to find that workaround acceptable.
I do like Dessalines' post regarding alternatives, I'll have to do more research.
Dessalines
in reply to Nuvalon • • •Why not Signal?
essays
the rizzler
in reply to Dessalines • • •Against XMPP+OMEMO - Dhole Moments
Dhole Moments
Count042
in reply to the rizzler • • •
IndustryStandard
in reply to Dessalines • • •
pkjqpg1h
in reply to Dessalines • • •
Dessalines
in reply to pkjqpg1h • • •Something being easy to use has nothing to do with privacy or security. Apple, just like signal, also sold its products as secure, yet they also were forwarding all communications to the US government as part of the prism program.
Signal is not a stepping stone, it's a honey pot. Best to avoid US services that require your identity entirely.
mnemonicmonkeys
in reply to Dessalines • • •
Dessalines
in reply to mnemonicmonkeys • • •You have no idea what code their server is running, and it's impossible to host your own signal since it's a centralized service.
They went a whole year without publishing server code updates also, until they got a lot of backlash for it. Still, even publishing those is moot since it's a centralized service.
☆ Yσɠƚԋσʂ ☆
in reply to Nuvalon • • •SimpleX Chat: private and secure messenger without any user IDs (not even random)
simplex.chat
curious_dolphin
in reply to ☆ Yσɠƚԋσʂ ☆ • • •
a Kendrick fan
in reply to curious_dolphin • • •
☆ Yσɠƚԋσʂ ☆
in reply to curious_dolphin • • •
Dr. Moose
in reply to Nuvalon • • •
Schlemmy
in reply to Dr. Moose • • •They offer encrypted messaging, not anonymity. They offer a way to keep your conversations private. It's not an opsec tool, it's not a tool to be used by the military. It's a platform for regular people that don't want to get spied on or don't want their conversations to be used against them when legislation changes.
"Nullum crimen sine lege, nulla poena sine lege"
Dr. Moose
in reply to Schlemmy • • •
Schlemmy
in reply to Dr. Moose • • •
pkjqpg1h
in reply to Dr. Moose • • •Could you suggest alternative verification methods?
drayva
in reply to Nuvalon • • •Signal does have your phone number, which is a problem.
On the other hand, the only information linked to that phone number is, "the person with this phone number uses signal". AFAIK your phone number is not linked to your contacts, your message content, etc.
So in practice, the fact that Signal has your phone number is probably only a problem insofar as you don't want anybody to know that you use Signal.
But to be fair, why have that issue if you don't have to. Signal is actually good, still, but there are even better alternatives.
CandleTiger
in reply to drayva • • •
drayva
in reply to CandleTiger • • •
darklamer
in reply to CandleTiger • • •signal.org/blog/private-contac…
Technology preview: Private contact discovery for Signal
Signal Messenger
xthexder
in reply to drayva • • •... Would you care to list some of these alternatives and how they are better?
Every alternative I've looked at has some major drawbacks that would prevent me from getting any of my friends to move. Having to selfhost my own chat service isn't really a positive in my mind due to the maintenance required and the higher possibility of outages.
drayva
in reply to xthexder • • •Probably the ones you're already thinking of (SimpleX, Session, XMPP).
They're better in terms of privacy. When I said they're better, I mean specifically in terms of privacy.
Of course they're less convenient, as you're alluding to.
xthexder
in reply to drayva • • •Signal gets me all the privacy I need. I don't care if they know my phone number uses Signal, I don't use it as anonymous chat, I use it with friends and family.
As others in this post have said, Signal handles privacy perfectly fine, it does not provide anonymity.
Unlike several other users here, I actually view Signal's contact discoverability as a feature, not a security flaw. All it means is if someone I know installs Signal, they can easily send me a message without a complicated back and forth through some other medium.
drayva
in reply to xthexder • • •I myself said "Signal is actually good", so there's no need to argue with me about it.
Nevertheless:
Of course it can be both. Many things are both features in one domain, and flaws in another domain. Obviously it's a feature or else they wouldn't have purposely developed it.
icedaemon0
in reply to Nuvalon • • •
masterspace
in reply to Nuvalon • • •There is none. There's like 0.1% of people who complain about it who have a valid point.
And those points are always meaningless in light of the alternative's drawbacks.
a Kendrick fan
in reply to masterspace • • •Being tied to US infrastructure isn't a valid concern?
What then is the difference between it and Whatsapp? Both claim to use the Signal secure protocol but you can never confirm that since their codebases are closed source and proprietary.
9488fcea02a9
in reply to a Kendrick fan • • •One is run by an advertising company that has been proven in court to be a bad actor and a strong motive to log and track anything they can
The other is a non-profit without any real motive to sell you out, or any history of doing so
That's good enough for me and most others unless you're an extreme "trust no one" level of paranoia
m532
in reply to 9488fcea02a9 • • •
rekabis
in reply to m532 • • •Considering that all other alternatives are either
I consider Signal to be the best option out there. It’s not perfect, but nothing is. It simply is the best general option out there, by far, for a general audience.
Yes, you can be totally secure, untraceable, and ultimately unfindable. But being cut into pieces, with each separate piece entombed in its own barrel of concrete, and each barrel dropped into a different oceanic trench, tends to be a bit beyond what I consider to be reasonable to achieve that.
9488fcea02a9
in reply to rekabis • • •everyone around here talking about the CIA and nation states as part of their threat model...
bro... you're worried about the CIA and mossad, and you think spinning up your own chat servers (simplex, matrix, etc.) as an amateur sysadmin is going to be MORE secure?
masterspace
in reply to m532 • • •
Chais
in reply to a Kendrick fan • • •Signal
GitHub
phase
in reply to masterspace • • •
racoon
in reply to masterspace • • •
partofthevoice
in reply to Nuvalon • • •It was on the leaked Paragon Solutions selfie (containing the Graphite surveillance tool), indicating there are actively exploited zero days? Just a guess.
Edit: open.substack.com/pub/ahmedeld…
The Israeli Spyware Firm That Accidentally Just Exposed Itself
Ahmed Eldin (Out Loud with Ahmed)
Bomnam
in reply to partofthevoice • • •
Vegafjord eo
in reply to Nuvalon • • •
recklessengagement
in reply to Vegafjord eo • • •
Vegafjord eo
in reply to recklessengagement • • •
glitching
in reply to Nuvalon • • •not to shit on you specifically but I see this over and over, folks asking how to be "secure". secure against what?
if you're into this, you need to set up a "threat model" i.e. what are your threat vectors and then you build your defenses against that model. a defense against blanket surveillance doesn't handle targeted threats. a successful defense against your government doesn't preclude other nation-state actors getting at you.
like, if your threat vector is e.g. your SO "inspecting" your phone, you set up a passcode and you're safe against that threat. but, if there's a toddler going around smashing stuff, your defense isn't valid. defense against that vector is placing your phone high up. but that defense isn't effective against SO.
I am sure any messenger recommended here can be successfully red-teamed, be it design flaws, operator error, the famous wrench comic, or whathaveyou. but that doesn't mean it's ineffective in your specific case.
JustTesting
in reply to glitching • • •Yes, i hate this in these kinds of discussions. It so often devolves into how you'll be safe from surveillance by world governments (spoiler: you won't be, if they really care).
And here I am, just not wanting to hand data over to giant corporations that have been proven to use it for no good.
Heck, even if there was no good actor/solution, not giving all your data to the same bad actor is already a step up.
hexagonwin
in reply to Nuvalon • • •
LiamBox
in reply to hexagonwin • • •The signal protocol is end-to-end encrypted, not even signal themselves knows what is being sent to what.
en.wikipedia.org/wiki/Signal_%…
privacy-focused encrypted messaging app
Contributors to Wikimedia projects (Wikimedia Foundation, Inc.)
deprecateddino
in reply to LiamBox • • •
zemo
in reply to deprecateddino • • •
Dessalines
in reply to zemo • • •
hexagonwin
in reply to zemo • • •
Schlemmy
in reply to zemo • • •
tangonov
in reply to hexagonwin • • •
Dessalines
in reply to tangonov • • •
CerebralHawks
in reply to Nuvalon • • •It's always gonna be a moving target. Wife and I started using Telegram because it wasn't monitored like Facebook Messenger (which I don't have an account for) or WhatsApp. Now people are saying Telegram isn't good enough, use Signal. It's still good enough for us. I also have Signal. No one I know uses it, but I have it in case they wanna start using it.
Honestly though, iMessage is secure enough for most people. Basically texting through Apple servers.
But any security or privacy expert will tell you that you need to determine your own threat model. No one else can tell you what that is.
thermogel
in reply to CerebralHawks • • •
deprecateddino
in reply to thermogel • • •
FuyuhikoDate
in reply to CerebralHawks • • •That is an interesting statement regarding the fact it's centralized and deletes accounts / channels all the time.
axx
in reply to CerebralHawks • • •
Telex
in reply to CerebralHawks • • •
CerebralHawks
in reply to Telex • • •What's the one mistake? Telegram? Or Signal?
The way I see it, the goalposts keep moving because Telegram was the private alternative to FB Messenger and WhatsApp. Then Signal was the private alternative to those, and Telegram. Now people are saying Signal is a problem (I'm guessing because of the cock up the US government had last year?). The goalposts keep moving, but Telegram is still fine for what I need. I keep both as alternatives to texting for people who want to reach me however they're comfortable doing. I also have one called Session. I don't use Twitter/X, Facebook/Instagram/WhatsApp, or Reddit. I have a Discord because I have a couple things that are only available up there, but it's not a good way to reach me as I have notifications disabled on it.
ivn
in reply to CerebralHawks • • •Telegram never was the private alternative to anything, unless you took their advertisement at face value. It was always known to not use e2ee by default.
Signal is not a problem, the US gov things were very dumb users issues. It was not caused by Signal itself.
So the goalpost has not moved in years, Signal was and is still good, Telegram is only fine if you do not care about privacy.
thermogel
in reply to Nuvalon • • •
deprecateddino
in reply to thermogel • • •I used Session for a couple of years, but switched back to Signal because it did a poor job with media sharing.
It's been a while since I switched back, so maybe it's fixed now?
CaptainSpaceman
in reply to deprecateddino • • •Signal is closest to WhatsApp but in an open source format.
Is there anything else as close?
communism
in reply to Nuvalon • • •Signal is fine for normal/social chatting. It is centralised which makes it much harder to obscure identifying conversation metadata, and I wouldn't recommend it for comms with a state threat model. I like SimpleX for addressing those issues.
If you just want to chat to friends and nothing else, I probably would recommend Signal for the most polished experience and most widely adopted open-source private messenger.
Kkk2237pl
in reply to Nuvalon • • •
Seefra 1
in reply to Nuvalon • • •Like many said, signal is centralised and requires a phone number.
Meaning it's not anonymous and the server owners can technically sell your metadata, not the content of the messages but who talks to who, what time, the length of the chat/call etc.
Either way, having to use a phone number to register an account, for me is not acceptable for several reasons besides privacy and metadata.
On top of that, the server side of signal isn't free software (as in freedom), which means that the whole program requires non-free (as in freedom not beer) network services in order to work. Which isn't acceptable for free software advocates.
Alternatives:
Simplex:
If you don't require voice calls there are more options available there are many text messages, but very few support calls, which for me is a critical feature.
In theory Simplex is the best, it's e2ee, quantum resistant, each chat (message queue) is its own "account", each "account" is just a private key, and you can switch servers with the tap of a button, it also supports private routing, which from what I understand is like some sort of onion routing between simplex servers.
Hosting your own server is also extremely easy, (tho note that running your own server can actually be detrimental to privacy depending on your threat model), supports calls, group chats and all the features I would ever need.
Unfortunately at least for me and my contacts, SimpleX is terribly buggy, especially on phone, literally tonight I missed the opportunity to be with a friend because I only saw the message one hour late.
Very often messages just stop being received until the app is restarted, usually I have my friend send me a message via other (centralised) app in order to warn me that he messaged me, I also do the same for him. After restarting the app it usually works fine for a while until it does it again. And needs restarting again.
On top of it, it's taking more and more time to get the first message when in background even during normal operation, tho I blame Samsung for this one and not Simplex, and understand that Simplex doesn't use push notifications for improved privacy, but it has become a real problem, what used to take 5 minutes now sometimes takes more than half an hour. Maybe my phone is overloaded, idk.
Calls could be improved too, takes several tries for it to actually work, and it doesn't help when the other person calls me back and I call them at the same time.
On top of it, the volume of a call seems very quiet compared to a normal phone call and it's very hard to hear the other person, I'm guessing a simple compressor DSP could fix this.
Unfortunately there has also been news of Simplex planning to enshittify the app with cryptocurrency, something that I politically and morally oppose.
Session:
I've used it for a month years ago, before I knew about SimpleX, whatever technical merits it may or may not have, (and from what I understand its privacy is still below SimpleX) it relies on some cryptocurrency network in the background, so I won't use it. Self-hosting it also seemed to me no easy task, but I could be wrong.
Jami:
Never got it to work.
Matrix:
I haven't tried Matrix yet, I think I read long ago that calls aren't e2ee tho that may have changed now. I also read that Matrix leaks a lot of metadata which can be a problem. Maybe not if you self-host, but self-hosting comes with its own privacy problems. Maybe I should research it again and try to self-host it and see how it goes.
So as bad as Signal is, I can't give you a working alternative, I put up with Simplex despite all the bugs but I don't think most people are willing to go through it, however if you (and your contacts) have high end phones maybe it works better. But it's not something I can recommend.
Gluek
in reply to Seefra 1 • • •
Seefra 1
in reply to Gluek • • •
Gluek
in reply to Seefra 1 • • •
Seefra 1
in reply to Gluek • • •
Gluek
in reply to Seefra 1 • • •Yes, p2p or via turn server, always encrypted the same way as messages.
Full topic is here:
support.delta.chat/t/help-test…
The latest version also got much nicer calls interface: deltachat.github.io/deltachat-…
Help testing upcoming Delta Chat release with calls 📞!
Delta Chat
Spacenut
in reply to Seefra 1 • • •In regards to Signal, this is largely not true. Sealed sender has been signal's metadata hiding protection for like 6 years or something. The only information signal has is your phone number, your account creation time, and the last time you contacted their servers.
They also have a server implementation on github, so it seems to be open source to me. (I could be missing something though)
You are right though, that it uses centralized servers and requires a phone number, which are sticking points for a lot of people.
Dessalines
in reply to Spacenut • • •Give me ssh access to their centralized server so I can verify this "sealed sender" idea is working.
Otherwise this is a "trust me bro" claim.
Spacenut
in reply to Dessalines • • •This doesn't really make sense to me, what do you mean? Client-side you do different computation for sealed sender delivery/receipt. What's your normal standard of trust that a hosted, open source project is running the same code that they've made public?
I think if they store any metadata that we don't know about, the lie runs very very deep, like to conspiracy theory levels that don't really make sense for a registered nonprofit: signal.org/bigbrother/
Government Communication
Signal Messenger
Dessalines
in reply to Spacenut • • •It's a centralized service, you have no idea what code they're running. You can't host your own.
Also they went a whole year one time without publishing any server code updates until they got a lot of backlash for it. Still, since it's centralized, it can't be trusted to be running what they say they are.
GaumBeist
in reply to Seefra 1 • • •Just looked at Session, and holy shit is that a massive downside...
From their own whitepaper:
So you have to pay to self-host, and that's somehow an upside???
Which is a fine explanation in a world where everyone has a relatively equal amount of wealth. This is the epitome of dunning-kruger economics: a little knowledge is a dangerous thing.
So the more nodes a single entity holds, the harder it becomes for other entities to buy nodes and break the monopoly? Did you take 3 seconds to think this through???
"Assuming every user is a perfectly rational actor, malicious actors would be shunned. This is somehow due to the economic incentive, and not just how humans operate when they're assumed to be perfectly rational."
Also: malicious actors when they find out they might lose their money if they get caught: "welp, I better not do that then. Thanks laissez-faire capitalism!"
Jesus christ fucked on a pike, these dipshits really drank the crypto kool-aid, huh?
GaumBeist
in reply to Seefra 1 • • •Matrix very recently has had e2ee calling since at least last april
I don't host a server currently, so I can't fully recommend it without knowledge of the backend, but i'm liking the experience as a user
End-to-end encrypted voice and video for self-hosted community users
Steve Loynes (Element Blog)
ReverendIrreverence
in reply to Nuvalon • • •
just_an_average_joe
in reply to ReverendIrreverence • • •
Flipper
in reply to just_an_average_joe • • •
Arthur Besse
in reply to Flipper • • •
Flipper
in reply to Arthur Besse • • •
Dessalines
in reply to Nuvalon • • •PRODUCT PITCH: Hey everyone, I have a great idea for a secure / private messaging service.
It's hosted in the US, subject to its pervasive spying laws including national security letters.
Also I need all your phone numbers.
Also no you can't host this yourself, I run the only server.
Everyone who uses signal and supports it, is falling for this pitch.
National Security Letters: FAQ
Electronic Frontier Foundation
als
in reply to Nuvalon • • •
Matt
in reply to Nuvalon • • •United States federal law enforcement agency
Contributors to Wikimedia projects (Wikimedia Foundation, Inc.)
IjonTichy
in reply to Matt • • •hackea.org/notas/matrix.html
Matrix? No, thanks. — Hackea documentació
hackea.org
Bloomcole
in reply to Matt • • •No thanks
ImitationLimitation
in reply to Matt • • •Among other problems, Matrix is not a replacement for a messaging app. It’s more of a community message board with 1:1 private messages with the possibility of encryption. It is way more than most want or need.
I’ve also run a Matrix server in the past, and it’s not simple. The vast majority of people do not have the technical acumen, hardware infrastructure, or time necessary to even begin this endeavor.
Joining a public server where they don’t have control of the data requires a lot of trust in that instance and their owners. To expect them to vet those owners first, verify the servers are in a trusted country, … 10 more steps, before they begin is asinine.
Matrix is not an alternative to any messaging apps mainly intended for 1:1 communication.