Signal is a centralized app, run by a company. If they are offered enough money or legal threat they will sell out or close.
I am sure people will make an argument that it’s FOSS and people will just fork it if it goes bad, but a new fork will have 0 users and Signal will still have all of your old contacts. Why not make a switch now? Before it is even more popular and you have more reasons to stay? Why fork it if there are already decentralized apps that use the same encryption, like XMPP apps?
Sure you can find flaws in every app, including XMPP implementations, but if we will have to write code for a new Signal fork, why not just fix whatever it is that bugs you in XMPP clients?
If you want to use Matrix, that is fine as well, we can always bridge the two open protocols. But you can’t bridge Signal if their company doesn’t allow it.
Signal is operated by a nonprofit tax-exempt charity corporation in the United States.
Could you please be more clear about exactly what you are saying here?
Edited: The original poster has provided no evidence for their defamatory statements.
Signal has a single point of failure. If we really want a service that can’t be taken away, then we need a free, open source alternative that is impossible for a single entity to control.
That single point of failure is to facilitate ease of use, with minimal reduction in security.
The messages are e2e encrypted and the server is designed in such a way that attempting to listen in would bring it down.
The Signal org doesn’t even have your address book. If your concern is “I don’t like signal”, you’re not going to make much traction.
Briar is an app that is just as easy to use, plus you don’t need a phone number, so it is easier. Yet it has no point of failure and it was simpler to write. It is P2P, uses Tor, you don’t get better privacy and security than that.
You don’t know what their server is running, you can’t prove that. They can release the code, but you have to trust them that they are running that exact code.
Ease of use is an excuse, they have a centralized model. That is a big flaw. There is more to security than E2E, XMPP clients have E2E as well, they use the same algorithm.
SimpleX also seems pretty promising and is more cross platform than briar. I’m self-hosting a server for my immediate family.
I think XMPP is more well-known than SimpleX, I simply mentioned Briar for the sake of possible ease of use argument over some XMPP clients.
I’m not going to shit on Briar, I hope they build out their dream.
It’s fundamentally not as easy to use.
My Grandma already has a phone with a full address book.
If she’s told to install Signal, it’ll just work as a drop in replacement for iMessage. Briar meanwhile suggests sharing your contact info using another such as Signal: https://briarproject.org/quick-start/#:~:text=When you choose “Add contact at a distance”%2C Briar,choose a nickname for them.
Briar is chasing different goals.
The only part that is easier to use on Signal is also a serious privacy concern of sharing your phone number.
With decentralized apps you always have an option to add that feature, while with centralized apps like Signal you have to accept that your privacy is damaged.
In short, this argument for phone number is another argument why decentralized apps can be as user friendly as centralized, but not the other way around.
I see your point, but what threat and their level of sophistication are you trying to avoid? The number is used just for registration. You can get a burner phone if you’re worried about sharing your number.
In fewer and fewer countries we are allowed to buy phones and SIM cards without an ID. Phone network is a centralized system, controlled by governments, we can’t depend on that for privacy. The main threat to privacy has always been the current ruling government, they fear privacy, because they fear people organizing against them.
I’m not OP, I’m just explaining.
Okay. Which one are you building?
I’m not, I’m just explaining OP’s post.
We have that in XMPP and Matrix. The problem is then to talk to people on it they all have to join the server on which you host your build. What if that server goes down? If you pay for hosting you’re putting it into the hands of another corporation. If you self-host at home, what if your electricity goes out? Your internet gets cut off? Is everyone you convinced to ditch signal going to be happy and willing to sacrifice their convenience and ability to talk to people they want (or need) to talk to over ideology?
If we get hit by a big enough solar flare, everyone will be communicating by pigeon again. You make valid points. I haven’t actually used XMPP before and only just started with Matrix. I think OP is right that we should keep an eye on alternatives for when/if the time comes.
Every non-profit organization I know of was run as a company. Non-profit is for organization, not for people, you can still pay yourself a nice salary and trips around the world, expensive dinners and so on. A lot of non-profits I know of extract every cent from the donors, which are often big companies like Google, by making an invoice for a clearly overpriced service at company owned by their friends, that send them the money back.
Being a nonprofit tax-exempt charity corporation in United States is no defense of their character, their interests, nor their capability to provide a quality service or withstand a legal pressure.
I will be perfectly clear then, you can’t trust them and you can’t depend on them. Reddit was a good open service once, now it’s dying, we need to move to Lemmy. Same will go for Signal. They still work with police, still give data such as phone numbers, when you created your account and we have no proof that they are not storing your IP, when you are sending and getting messages (so they can do a timing attack to figure out who you are talking to, if they don’t give that info directly).
I don’t need proof that they have done something wrong to prove a point that no single entity should be trusted when we have the technology for over 20 years now that makes that unnecessary.
How do I trust a random XMPP server more or as much as I trust Signal to protect my data? You’re telling me if the government comes knocking for metadata on some user on a small server that the owner isn’t going to just give it away? What about anyone else on other connected servers?
You’re asking me to trust someone who hasn’t shown that they’re actively working towards privacy goals vs a centralized solution from a company that’s shown they care about privacy?
Either way, you have to trust someone to take care of your data and I do not trust a small server owner more than an entity that’s proven they do not give information to governments. Gotta pick one of two evils, I guess.
I never claimed that you should pick a random server. You can pick servers run by groups that have just as good record of privacy or even better or are run by the person you know or yourself.
When you have a decentralized service you can choose who you trust, you are not stuck with one corporation. Picking a completely random server is the worst possible example you could have chosen.
Maybe I’m misunderstanding XMPP but does it not federate? Does it not mean that on top of trusting my home server I have to trust the choice other people made with theirs?
Why would you need to trust their choice? The only data that is sent from your server to theirs is your username (called JID in xmpp terms) and E2E encrypted message. The worst thing their server can do to yours is to send you a message, if your server decides to pass it on.
Wouldn’t you have to trust that they’re not logging your IP and/or storing your messages?
XMPP clients support end to end encryption, so the servers only get encrypted messages. Also unlike Signal, XMPP clients support use of Tor to hide your IP.
Signal doesn’t store your contacts or messages; it’s end to end encryption. What are you suggesting they’ll “sell out” if offered enough money?
I was referring to them taking the bribe and letting the app die. At which point switching to another app will be unavoidable. It is better to make a switch now, than wait longer until possibly even more users depend on it.
That’s a terrible line of thinking. Why not just use it till the end, if it ever comes?
Your title uses far too active a verb to be referring to a hypothetical situation.
I get that you want to promote XMPP but accusing others of corruption is not how to do it, unless you have solid proof of it. Do you have any sources suggesting Signal has sold data?
I don’t know why I can’t reply to any of you in this thread. EDIT: I will do it here:
That’s a terrible line of thinking. Why not just use it till the end, if it ever comes?
It is perfectly reasonable to sail on a solid boat instead of jumping from one sinking ship to another.
I get that you want to promote XMPP but accusing others of corruption is not how to do it, unless you have solid proof of it. Do you have any sources suggesting Signal has sold data?
I never mentioned in my main post that Signal is selling data and I also clarified in this post what I was exactly referring to. It is unreasonable to put words in my mouth.
Either you have some centralization to help facilitate its ease-of-use for customers, or it becomes more difficult to setup and use. Much like the rest of life, there are trade-offs.
I disagree. There are many decentralized apps that are easier to use than centralized apps, including Signal. It is simpler to create an account on a P2P app like Briar than a centralized app that requires a phone number like Signal.
See the difference is, you need to convince non-technical people to use xmpp. Most of my non-technical friends already have Signal, no convincing required.
Every XMPP server gets as much data from your private messages as Signal does and since XMPP clients have an option for using Tor, unlike Signal, it requires even less trust with data.
The benefits of decentralized network compared to centralized are very significant and worth trying to convince your friends. There is no single point of failure. If Signal closes due to government pressure, you will need to convince them to another app anyway and at that time there might be another popular centralized app that will again close after certain amount of pressure. The only way out of this is by pushing decentralized apps and pushing them now, rather than later.
Signal launched in 2014 and is open source. It is literally impossible for them to “sell out”. If the main developers want to stop developing it, it will simply be forked. Do you even understand what open source software is?
I understand what open source is and I fully understand the dangers of centralized apps as well. I have addressed these arguments in my main post already. If it gets forked we will need to again develop a new app and grow the userbase from scratch. It is far more reasonable to make a switch now to decentralized services. I am simply trying to explain to people the dangers of centralized apps, just like I did for reddit (which was also open source centralized app until 2017 and here we are on decentralized lemmy now). Seeing people fighting for decentralization, out of no possible personal goal, while defending centralized system run by small group of people that gain funding for it, should never sicken you. You should encourage people like me that try to warn you in time and let you know about alternatives instead of booing me off, like people did lemmy advocates on reddit before this recent scandal.
As you can see I spent a lot of time trying to teach people about this stuff to make an actual social change that will benefit us all, so please read about XMPP and think about it. Spread the word, because I can’t possibly reach everybody.
I suppose. You’re still putting trust into something. To make sure they’re doing the right thing and making the right decisions in regards to security and privacy, and that they wouldn’t be pressured by a government or third-party to violate that.
We don’t need trust in P2P networks. Companies are always trying to spread the idea that you always have to trust someone, so it might as well be them. Politicians do that too. P2P networks exist, so do direct democracies. Don’t let them make you a pessimist.
What are you talking about? I mean trust in the sense of doing the right thing from a security aspect. Maybe whoever is setting up the server isn’t as adept with security and doesn’t do all that is required.
They don’t need to be. I am talking about the security being in your hands, it is end to end encrypted and you can hide your IP behind Tor, since unlike Signal, XMPP clients support use of Tor.
Signal was the first app of its kind that I actually found “real” people using it. Most other protocols it’s coworkers wanting to try out a new app or service. But Signal I found a big chunk of my address book already had accounts. Sadly I doubt I’ll ever find an app like this with so much non-techie acceptance.
I was successful in getting about 20 people now to use XMPP and that is the only way of contact between us now.
Once nobody used lemmy, now it’s growing. We should all do our part to be on XMPP so others that want to make a full switch from centralized services can do so. We should use it and encourage others to do so as well.
I think the difficult part is justifying the move from a “working service”. My parents still use SMS as their main mode of communication. Going to something else “just like SMS” doesn’t do much for them. Getting someone who is on Reddit to use a new Reddit that won’t have a blackout means you’re getting an upgrade.
Old people are hard to change, but you can always try. Still at very least we should motivate young people to use these decentralized alternatives and not trying to promote centralized ones like Signal.
Oh I finally hit the point of “being old” this year so I don’t have young friends.
It might be a good idea to ask local schools to talk to every class about digital privacy, teacher might be into that. Telling them about examples, such as XMPP, might be very useful.
In theory yes that’s a good idea but sadly most teachers wouldn’t understand why we’d have the discussion and therefore not be super keen on randos wanting to talk to classes. And you need kids to actually want privacy when they post their entire lives online.
See the difference is, you need to convince non-technical people to use xmpp. Most of my non-technical friends already have Signal, no convincing required.
Combined with the fact that Signal has an extremely reduced risk profile in terms of data stored by Signal and the hassle of either setting up my own xmpp server or trying to vet one that is trustworthy for the increased amount of data that is entrusted to server operators with xmpp compared to signal just makes it a non-starter unless I want to use it with other techies who are already game.
Sure I could also convince all my non-techie friends, but that’s a lot of work for practically very little privacy benefit.
You and everyone else in the fediverse needs to stop with this fanaticism that anything centralized is automatically a bad thing.
I get your point that having anything related to privacy or security under the control of one organization is not ideal. However, risk will always exist and trusting Signal, at this point, seems like a good risk to take. Particularly since there are no practical alternatives right now.
Also, not all organizations are bad or will turn bad eventually. We all have to trust a lot of people for all kinds of purposes. Civilization is built on it. The key is making good decisions about who those people will be.
I disagree, both about alternatives and about trust. I outlined XMPP (and even matrix) as alternatives in my post. If only popularity is an issue with these alternatives then we have to work on that, to make it popular, that is what this post is for. Just like Lemmy had few users once, XMPP and matrix are not as big as Signal. But their design is better and their use should be encouraged. I don’t think that trusting a single entity, such as Signal is something we have to do. Trust should be only depended on if there is no way to build a system without or less of it. It is better to fight for it now, since Signal use can eventually grow and make it harder to switch. We can debate over likeliness of this corporation being good forever, even when its current members are replaced (due to old age if nothing else), but I think it is easier to debate over their capability to be good if they are under pressure of US security agencies. Even if they are willing to risk their freedom (and their lives) for their users, they can’t stop the government from shutting them down. The state has killed people for far less over the years.
You can use Molly. I think it’s a fork of Signal and used by many. It’s on Droidify, not sure which repo.
XMPP is there for more than 20 years, we shouldn’t need to make a switch every time a new app comes along. If there are some problems with how clients look, it’s FOSS and open protocol, instead of forking centralized apps, you can fork an already used service.
You don’t understand how FOSS works. If Signal “sells out” we just take a fork of the repo before the sell out and continue building the private app we love. Also Signal uses no central server for your content. It’s device to device, if they sold out right now all they would have is a list of users, but no conversations.
I have already explained this in my post, it’s a second paragraph. I will quote it for you:
“I am sure people will make an argument that it’s FOSS and people will just fork it if it goes bad, but a new fork will have 0 users and Signal will still have all of your old contacts. Why not make a switch now? Before it is even more popular and you have more reasons to stay? Why fork it if there are already decentralized apps that use the same encryption, like XMPP apps?”
From what I’ve seen of the people in charge of Signal- they’d probably close before they sell out.
That said, you make a very good point. Having all the registered users in one place, is a vulnerability. A great many of us have non technical friends/partners/siblings/coworkers/etc; and encouraging them to use ANYTHING new is pulling teeth. So Signal is great, but it’s still eggs in one basket- if they do something user-unfriendly or sell out or close, we are back to square one in begging/pleading/cajoling people to (please) try this (much better) app.
I’ve also lost a few people who used Signal over one stupid problem- the iOS version has no backup/restore function. If you lose your phone, or uninstall the app, all your saved chats are gone and there’s no way to get them back. Android version at least has a useful backup/restore.
Exactly my point is that if it closes we will have to push for new apps anyway and it is better to do it now, before more users potentially use Signal and are left without their app.
Personally I don’t think it’s likely that signal will close, or that they will sell out. I think the more likely problem is the sort of thing I mentioned, that having a single dev team will be a bottleneck or will reduce user choice. The iOS backup thing I mentioned is one example of that. Usernames rather than phone numbers is another one. Having only one code base does make it easier to audit. And having one foundation in charge does mean there’s an easy path to pay for those audits. But it is still a single point of failure.
To be clear- as single points of failure go, I trust Signal more than the next 10 put together. What I don’t trust is the whole using phone numbers and SMS verification for sign up. And I would prefer their architecture was a bit more open/federated.
I disagree. There are many FOSS decentralized projects that are still running today, including XMPP, that are doing fine and make even better and more secure software than Signal. All centralized privacy apps so far closed or started sharing data with governments. Statistically that is far more likely scenario than a popular FOSS app to lack devs.
I agree that there’s plenty of FOSS projects as good as or better than Signal from a crypto POV.
NONE of them are anywhere close to signal when it comes to number of users. And if your friends don’t have it, then you can’t talk to anyone on it.
And if your friend loses their phone and finds out they just lost all their chats too, they’re gonna say ‘fuck that, I’ll just use iMessage so next time I don’t lose anything’.
Why would you trust Signal more than XMPP that uses same encryption? I think people are just afraid of things they haven’t heard of, even if they have been there for longer and have a better reputation. This is why marketing is the biggest business in the world, Google and Facebook’s only revenue is selling ad space and they are richest companies in the world. Fight that marketing, learn a bit about XMPP and you will see it is far better than Signal.
I tried hard to push XMPP back in its day. Little success sadly, that was when IM was going out of style in favor of SMS. I kept using Trillian and watching as more and more contacts went offline never to return. Then Google announced they were killing their XMPP gateway and that was a nail in the coffin.
The bigger problem with XMPP was varying support of various XEPs leading to an uneven user experience with mismatched clients. That in itself was fixable, and not a problem for people like us, but it became a problem when trying to get ‘normies’ interested. Tell someone like us ‘you can’t video chat that guy, his client doesn’t have calling capability’ and that makes perfect sense. Tell an average person that, and they hear ‘this system sucks and I can’t count on it to do what I want, I should stop using it’. Then they go on Discord or iMessage or whatever, and it works right the first time every time, and they stay.
And therein lies the real problem. You and I can wax poetic about the pros and cons of this or that system and its security, but if I can’t get my non-cryptohead friends to use it, then it’s worthless.
And THAT is why Signal succeeded and XMPP failed. Because it’s dead fucking simple to set up. Download the app, punch in the SMS security code, and you’re online. Questions like ‘choose which client software you want’ or ‘pick which instance you want to sign up with’ kill adoption for average non-techie people. They say ‘I don’t know what to choose, I don’t want to choose wrong and cause a bigger problem, so I’ll just not choose and close this’.
Doesn’t XMPP collect hella metadata unlike Signal?
There is no one to “collect” this data. You do have to trust the servers that others are on, since its federated, which is the issue with all services.
I think that’s where I’m icky about it. I don’t know that I trust other servers more than I trust Signal. Which, I mean, is not great to say given that in a perfect world I would rather not rely on one organization to keep my “data” private - but hey.
I don’t mind so much on Lemmy or Mastodon because I’m not looking for privacy but if encryption is the main selling point of something, a random XMPP instance doesn’t really inspire confidence at the moment. But hey maybe that’ll change in the future and XMPP will require less metadata to work.
You can pick servers run by groups that have just as good record of privacy or even better or are run by the person you know or yourself.
When you have a decentralized service you can choose who you trust, you are not stuck with one corporation. Picking a completely random server is the worst possible example you could have chosen.
That is THE ISSUE with email. I can secure my server all I want but when you use Gmail and they hand over the keys to whomever they want I get screwed.
As for XMPP security, you have to do e2e a layer above. Use XMPP or any other protocol and encrypt the messages you send. The catch is that you need to always encrypt everything so that your Happy Birthday to your Grandma is just as unintelligible as your secret bank pin you send me to get you bail money. At that point the meta data is useless as we don’t really know who gets important messages and who doesn’t.
XMPP is decentralized, you can run your own server. In open decentralized protocols, such issues are resolved by design. Furthermore most XMPP servers don’t require a phone number, why would they, unlike Signal.
Are you suggesting any alternatives? Most of the ones I have tried are either too technical or too much effort for everyone I know so I have nobody to talk to outside of Signal and plain SMS.
I suggested XMPP in my original post. It is hard, but still will take just few minutes, for a lifetime of solved privacy and centralization issues. Unlike centralized apps, decentralized networks don’t really die, just look at email. XMPP is over 20 years old and will live for 20 more, few minutes spent to set it up is well worth it.