I love Signal and use it as much as I can, but I'm thinking of switching to Matrix solely because the desktop client is pretty bad. It won't show me messages until it syncs everything (so I can't even see old messages while things sync), and, what's worse, it skips messages, and multi-device just doesn't work. My laptop just shows "Message could not be decrypted" until I delete everything and reset.<p>I'm not sure why it works so poorly after years of existence, but unfortunately I'm losing hope that it'll be fixed. I sometimes feel like the Signal team doesn't use their product, or they would have noticed this. Meanwhile, yes, Matrix took years to add encryption, but it works much better than Signal, even with quite a few small bugs.
> how we think about concepts like privacy, security, and trust<p>I was disappointed to see that a mobile number is needed and that this number is shown by default in groups. Mobile numbers are much more trackable than email addresses in my opinion. And I do not understand at all why others should be able to see them so easily.<p>So I now prefer Telegram because at least it hides numbers in groups by default.
What happens to Signal when the EARN IT Act passes? I assume that eventually the Apple App Store and Google Play Store will just stop allowing it to be downloaded if they do not add the backdoor in? Is there a workaround that will allow people to use it still? I've heard people mention locating the servers in other countries, but wouldn't the various app stores be bound by US law and still not allow them?
I'm glad to see the discussion about what privacy should look like progress, with increasingly big actors treating data as something too delicate to play warden until the next breach.<p>But it just feels cheap and detrimental to LARP as a tool for revolutionaries. I want a clear concept of privacy for a stable society to rely upon. That even the most trustworthy authority be kept out by design as a security principle. I don't want my messaging app to be opinionated, pick sides or declare themselves part of the ongoing "progress". Will they sing the same tune when it's another group taking the streets? Because everyone has a different idea of the kind of revolution that is needed, and certainly my phone should not have a say.
I love Signal. I've convinced a multitude of people to switch and some use it day to day currently, but mostly to talk to me. So I feel my contacts do it out of respect and `compatibility` of communication.<p>What baffles me is the incompatible feature matrix.<p>First of all, for some reason iOS users get the updates faster than the Android. I was exploring emoji reactions yesterday while my Android contact admitted the feature was not yet available for his device. I had to double check with Play Store to confirm.<p>I've found peace with the sync issues for the desktop client though, it got much more stable compared to 8 months ago. What still feels like a massive UX problem is inability to forward messages on the desktop. Given, I have lots of people coming from different places that do not know each other but share same interests, it's just painstaking to copy/paste the same URL five times in a row.<p>And at the same time, there's no support for the Android tablets as secondary devices.<p>For a person deep in Apple ecosystem it felt weird to learn that Android users don't share the same experiences I do. That makes the sales pitch to try Signal way less appealing for the Android folk.
Lately I've been wishing Signal had a Bridgefy-type mesh mode that enabled operation peer to peer over Wi-Fi Direct or Bluetooth, either directly or via a mesh of such devices.<p>First I think it would be useful at protests, to preserve privacy (and whatever side of the political divide you are on, I hope we agree that covert government surveillance and tracking of people at a protest is wrong, here, in HK, or wherever).<p>But it would also be nice to have when outside the reach of cellular or Wi-Fi internet. Think camping, traveling, people living with intermittent power, or those who lost power in some sort of disaster or emergency.<p>I'm honestly not sure if this would be feasible, as I don't grok the Signal protocol fully, but the Signal protocol does support async messaging.
Is it worth trying to move my friends from WhatsApp to Signal? As I understand it, they're both e2e encrypted.<p>I'm also trying to move my chats from SMS and Gchat to something encrypted, but am torn between WhatsApp and Signal. The former has more of a buy-in with my contacts already.<p>I realize WhatsApp is owned by Facebook, but isn't the whole point of e2e encryption that you don't have to trust the intermediate infrastructure? And if you enable the setting to warn if the key changes, there's no danger, right?
I want to love Signal, but it's just so meh.<p>* Message sync is like non-existent. Messages on my phone or laptop aren't kept in sync at all. Delete in one place, they don't delete in both.<p>* Let me edit messages, like every other message platform. I also want to be able to delete messages from the group. When I delete it deletes locally but not for the group, not even between my own devices I don't think. This sucks because deleting the message implies to anyone who has used a message system that the messages are deleted from everyone, but they aren't. Oof.<p>* When you set messages to expire, you can't make them expire. It only applies to future messages. I want to set this at the conversation level, not on a weird message-by-message basis with no way to change it globally after.<p>* I want to be able to sign in without using a cell phone number. Let me sign up with anything else, don't tie it to a cell phone line that can be hijacked.<p>* Let me add emoji responses to messages. Like every other message platform.<p>* Bonus, be peer-to-peer somehow. Dunno, like Blockchain magic it or something. Don't make me rely on some server somewhere. Just makes me feel uneasy that there's a middle man with all my messages.<p>How unrealistic is all this? (=
Somewhat tangential, I got into an argument about Signal last night. The other guy claimed that Signal was insecure because:<p>* It's "Custodial E2EE"<p>* Needs a phone number<p>(I'm not going to bother with his complaints about the crappiness of the desktop client or convenience of the design because those are non-sequiturs to the security of the app)<p>I asked him to define "Custodial E2EE". His words: "They have ownership of my keys, use phone number auth to access them and I can't expatriate them"<p>I managed to suppress my xkcd-386 instinct and go to bed, but my intuition is still that he's quite wrong about that. I may or may not resume my argument with him; I got the impression that his disagreements were rooted in a Matrix fanboyism, but I'd like to be equipped to refute such arguments in the future.<p>I can somewhat sympathize with the phone number argument, and I think it comes from a concern about metadata leaks or opsec. I think that concern ultimately stems from a wrong threat model, but I'm not sure how to refute that. I have, however, come across a number of tutorials which cover how to register a Signal account without using your phone numbers, so I feel confident I can refute the argument that Signal must have <i>your</i> phone number, even if I can't refute the underlying wrong thinking.<p>Regarding the "Custodial E2EE" argument, I'm not sure where to begin. Anyone have any suggestions?
Been a big fan of Whisper Systems since the RedPhone project. Great to see them maturing.<p>However, given the topic title it would have been nice to see some actual documentation on how Signal actually works rather than just claims that it doesn't work like the others.
Signal is open source; I'm wondering, has anyone here ever built the service and one or more clients and run it on-prem, or even as a white-labelled competing service?
The anti-Signal rhetoric has already started. News articles about Antifa specifically mention that they communicate via Signal.<p>If Antifa is designated as a terrorist organization, then we'll see all the counter-terrorism tools brought to bear against them. If the state can't break Signal encryption, then you'll see renewed energy for anti-encryption / anti-privacy policies.
Signal is a walled garden. They refuse to allow federation and even prohibit any modified client to use their servers.<p>It's the least open "open source" model, and once (if) they gain significant market share they can easily close down the app and lock-in the users.<p>Please use and spread federated alternatives. Donate and contribute.
Really nice design, in the future I see a market for "privacy tools that also happens to ..." kind of software, for example a Privacy tool that also happens to browse websites, or a Privacy tool that also happens to help you to send messages (like Signal); in summary, privacy aware services.
iCloud contacts is not e2e encrypted. Apple, as well as FBI/DHS and the US military intelligence apparatus can access your entire contacts list and infer your whole social graph.<p>This is why a messenger needs an e2e contacts sync, whether Moxie wants to be responsible for it or not.
Anyone have a link to Signal’s 2019 IRS Form 990?<p>Most recent I was able to find was this 2018 version:
<a href="https://news.ycombinator.com/item?id=23431076" rel="nofollow">https://news.ycombinator.com/item?id=23431076</a>
Or use something that you (or someone you trust) can self-host, so then even the company/CEO/TLA-with-subpoenas are out of the picture.<p>Not only do I get to get Moxie out of the picture, I also get my phone and the phone companies out of it.