• chiefstorm@lemmy.ml
    link
    fedilink
    arrow-up
    4
    arrow-down
    4
    ·
    edit-2
    3 years ago

    I appreciate and admire your motivation @dessalines@lemmy.ml

    However, Signal is like the one application that’s user friendly and is NOT compromised

    I don’t trust the US, but I do trust Moxie Marlinspike to be a privacy advocate, he has spent his entire career being an advocate for privacy.

    Signal went a whole year without publishing server source code because they were being subtle about introducing mobilecoin crypto-asset support, and they didn’t want people to jump hog wild into mobilecoin. Now, they have released the server source code, so… unless they are not actually running that code, then this argument is invalid.

    Not to mention their website makes it sound like they will introduce support for more privacy friendly crypto, such as Monero. Perhaps the mobilecoin was just a test implementation to begin with.

    • Dessalines@lemmy.mlOP
      link
      fedilink
      arrow-up
      10
      arrow-down
      1
      ·
      3 years ago

      How do you feel about marlinspikes ruthlessly banning all third party clients and server implementations? Or his choice of phone # identifiers?

      • tomtom@lemmy.ml
        link
        fedilink
        arrow-up
        7
        arrow-down
        2
        ·
        3 years ago

        Yes I do not see why we should trust any system which forbids self-hosting, especially when alternatives exist.

      • chiefstorm@lemmy.ml
        link
        fedilink
        arrow-up
        4
        ·
        edit-2
        3 years ago

        I appreciate your critique and well written essay, as well as your motivation. Thank you again for writing this, and I will heed your advice and be more skeptical of signal foundation. However, but I have followed Marlinspike for years, and was an early signal adopter, so I do have some trust that the project is not compromised.

        comment from lobster also makes some good points here, and I tend to agree with this guy

        This take comes up every so often, e.g. in some of the linked articles. I’m sympathetic to many of the concerns raised, but I’ve yet to see serious engagement with some of the deeper issues raised. For example: A significant number of security and privacy-enhancing technologies (PET) have received US military funding or other support. See: Tor from the Naval Research Lab, OpenBSD from DARPA. SELinux comes from the NSA. The Open Technology Fund has also support Ricochet, WireGuard, ? Delta.chat, and Briar (that the author recommends), etc. (link). Are all these tools suspect? As an aside, the EU also funds a significant number of PETs. While not as egregious as the US, the EU is no enemy of mass surveillance, either. One reason for Signal’s centralization is, in short, that it’s hard to update federated protocols, including their security features. E2E encryption in XMPP or email is still a pain, and far from usable for most people. I hope that e.g. Matrix can pull it off, but they face challenges that centralized services don’t. With a centralized service, you know that you can handle unforeseen security developments quickly. Shouldn’t this be a key priority for a security tool? Using phone numbers as identifiers has its benefits: you don’t need to store users’ contacts on your servers. A service like Wire, that does allow you to sign up without a phone number, has to store your full social graph on their end. Avoiding this sort of metadata is a hard problem — Signal has opted for minimizing the amount they store. It’s hard to overstate how much ease of use matters when it comes to gaining mass adoption for these tools. For a long time, privacy & security tools were super user-unfriendly, reserved only for a small technical elite (see PGP). If we want to combat mass surveillance, we need tools that the masses want to install (in my experience, it’s hard enough to convince activist groups to migrate off Discord or Slack — the alternatives need to be similarly easy to use).

        How do you feel about the guy who donated 50 million to Signal? He probably has the most influence on the project second only to Marlinspike.

        • Dessalines@lemmy.mlOP
          link
          fedilink
          arrow-up
          1
          ·
          3 years ago

          Thanks for linking Libresignal, read over its readme.

          But really 3rd party clients are beside the point: the main thrust of the article is about signal being a single, us domiciled, centralized service. They don’t let you self host a server, and you also have no way of verifying their server code. You just have to “trust them”.

      • Dreeg Ocedam@lemmy.ml
        link
        fedilink
        arrow-up
        4
        arrow-down
        3
        ·
        3 years ago

        Or his choice of phone # identifiers?

        See my first comment: https://lemmy.ml/post/81033/comment/78905

        How do you feel about marlinspikes ruthlessly banning all third party clients and server implementations

        I do agree that it is somewhat of an issue, but there was only one instance of this happening, where a fork of Signal was about to be added to fdroid. It’s not like they haven’t justified themselves. Anyway the features of LibreSignal (no hard requirement on Google Play services), was implemented in the official app. There are still two third party clients that exist: Axolotl and signal-cli. They don’t want to deal with third party client that they can’t update and thus need to keep support for outdated versions of the protocols that would introduce a lot of complexity and risks introducing downgrade attacks.

        It also allows them to roll out “quality of life” features faster such as stickers, video calls, groups v2, and more recently groups where only admins can post, which would be harder to keep backward compatible.

        The openness of Signal has already been fruitful. The protocol has been implemented in many other platforms, such as Matrix, WhatsApp and even Messenger.

    • Dreeg Ocedam@lemmy.ml
      link
      fedilink
      arrow-up
      7
      arrow-down
      5
      ·
      3 years ago

      However, Signal is like the one application that’s user friendly and is NOT compromised, and you seem to be completely attacking it.

      That’s what annoys me the most here. We have one FLOSS project that is very high quality, secure and gained significant popularity, and we start shooting it down ourselves…

      • Halce@lemmy.ml
        link
        fedilink
        arrow-up
        4
        ·
        3 years ago

        We have one FLOSS project that is very high quality, secure and gained significant popularity, and we start shooting it down ourselves…

        This would be a truly problematic sentiment in some other cases. But the point here, is that unlike Matrix, Signal is not really ours.

        • Dreeg Ocedam@lemmy.ml
          link
          fedilink
          arrow-up
          2
          arrow-down
          2
          ·
          3 years ago

          What do you mean by that?

          I know matrix, and it’s much lower overall quality, significantly less secure and popular, and is very unlikely to ever become popular until they really rethink their UX.

          • Halce@lemmy.ml
            link
            fedilink
            arrow-up
            3
            ·
            3 years ago

            What I mean is that Signal is more of a code dump rather than a truly free software project, it’s developed mostly internally, in that way Matrix is much more a true community project.

            • Dreeg Ocedam@lemmy.ml
              link
              fedilink
              arrow-up
              3
              ·
              3 years ago

              Fair point, but having a smaller team of highly competent devs (their job requirements are quite high if you look on their website) does allow them to innovate quicker and keep an overall high level of quality.

              And it’s not like telegram were there code is completely unusable and the server is propretary. There are already a bunch of forks of Signal that exists (session being one of the main).