46 votes

No more phone number swaps: Signal messaging app now testing usernames

30 comments

  1. [28]
    kroket

    "Encrypted messaging service Signal is now testing usernames, which will offer people a more private way to share their contact details on the app.
    The development is a big deal since Signal—an end-to-end encrypted messaging app—has long required users to sign up with a phone number. That same number also needs to be shared in order to message other users on the app.
    This can be problematic since sharing your phone number exposes you to privacy and hacking risks. For example, a contact on Signal could choose to call and message your number over an unencrypted cellular network or pass off the number to someone else."

    I appreciate that Signal keeps being committed to making a privacy friendly messaging app. Now if only more people were willing to start using it.

    24 votes
    1. [16]
      Plik

      It blows my mind how we ever switched from usernames to fucking personal phone numbers. It's an absolutely terrible idea.

      26 votes
      1. [13]
        EnigmaNL

        It wasn't really a switch though. Phone chat apps like WhatsApp, Telegram, and Signal are replacements for SMS messaging where there never were usernames, just phone numbers.

        It's just that regular chat apps like MSN and ICQ died and nothing replaced those, so people started moving to chat apps on their phones.

        23 votes
        1. [3]
          Macha

          Discord replaced msn, skype etc. imo

          7 votes
          1. EnigmaNL

            There's a gap of several years between MSN and Discord though. Discord may have replaced Skype, but Skype was never really adopted at the same level as MSN was back in the day.

            8 votes
          2. sandaltree

            I don't know. MSN and Skype were mostly 1-to-1, where Discord is all about the communities. What Discord really replaced is IRC, I think (and Mumble/TS). At least in my circles. Still sad about that :/.

            Side note, I still use Skype at work 😅.

            5 votes
        2. [6]
          Plik

          I guess being a nerd I skipped the entire process of needing to chat via SMS beyond very basic text communication (also the US has/had awful SMS fees and packages). Phone either didn't have data, and I used ethernet or wifi on a laptop, or phone had rudimentary data and could run ssh at a minimum for IRC.

          Growing up with BBSes, ICQ, IRC, and AIM just made needing a phone number to set up a chat account seem very bizarre.

          Thank you for pointing out the reason though; I hadn't considered that some people might actually want the chat experience (UI) via SMS, and that's the reason.

          7 votes
          1. [5]
            EnigmaNL

            SMS was awful in Europe too, which is why everyone jumped on WhatsApp immediately when it came around. WhatsApp let you send pictures too without having to use MMS which was even more awful (and expensive) than SMS.

            7 votes
            1. Plik

              Ah, I was under the impression that SMS was cheaper in Europe and other countries because of the different service model.

              The US locked people into 2 year contracts in exchange for cheaper phones (mostly...monthly pre-pay packages were available but much more expensive), but the data and SMS costs were ludicrous. This also gave US providers little reason to upgrade their networks as everyone was locked in for 2 years, and would constantly start a new contract for a new phone (for "cheaper"). Whereas the EU had slightly better customer freedom because of the focus on monthly pay as you go service, which encouraged providers to keep upgrading their networks (and I assumed cheaper SMS pricing) in order to retain customers.

              Either way I kinda skipped that whole SMS as a chat protocol that WhatsApp and others originally used, so the whole phone number as your username or account ID always seemed bizarre to me, and actually a step backward from the ease of use of a simple username and password.

            2. [3]
              elcuello

              SMS and MMS have been unlimited with almost any subscription I've come across for many years in my European country and have worked just fine

              1. tauon

                > SMS and MMS have been unlimited with almost any subscription I've come across for many years in my European country

                In the earlier times of smartphones (10-15 years ago) I distinctly remember having to pay per SMS, as the only “unlimited” options were prohibitively expensive. Anecdotally, this has not been the case anymore – at least in my contracts – since about 2016 or 2017, when they gradually increased the maximum number of free SMS per month until eventually arriving at unlimited (probably due to less network traffic as more and more people stopped using SMS, at least at past intensities).

                > and have worked just fine

                Maybe in the past. As an example, in at least Germany, the telco companies shut off the MMS system I believe earlier this year, either middle or beginning of it. It’s completely gone as far as I know.

                1 vote
              2. EnigmaNL

                That's not always been the case and it certainly hasn't been the case in all of Europe, which is why we jumped on WhatsApp when it was launched.

                SMS and phone minutes used to be limited. MMS used to be even more limited and/or expensive and it was annoying to use.

                I still remember trying to get everyone to use WhatsApp so we could finally text and send pictures whenever we wanted.

                1 vote
        3. [3]
          fxgn

          > Phone chat apps like WhatsApp, Telegram, and Signal

          Telegram always had usernames, in fact, by default, people can't even find you on Telegram by your phone number unless you also have their number added. People usually share their Telegram username rather than phone.

          2 votes
          1. [2]
            elfpie

            Did you mean to say that people can't see your phone number if they added you by username or in a group?

            1. fxgn

              No, although what you said is also true, but what I meant is that even if someone has your phone number added as a contact they won't be able to find your Telegram account unless the contact is mutual (you have their phone number in your contacts as well)

      2. petrichor

        Part of Signal's early success, at least in the United States, was being usable as a standard SMS app (I believe this is no longer the case). They also don't care as much about privacy in so much as they care about security.

        8 votes
      3. TurtleCracker

        Privacy and anonymity are not necessarily the same thing. I think by requiring a phone number Signal has probably reduced spam and improved platform reputation compared to some other tools. It's not a huge barrier to someone wanting to use Signal for some sort of socially unacceptable purpose - but it is a barrier. Platforms like Wickr and Session seem to have seedier reputations and ecosystems compared to Signal.

        I'm still happy with the change to enable usernames though.

        4 votes
    2. [8]
      mat

      > Now if only more people were willing to start using it.

      Over 2 billion people use WhatsApp every month, which uses Moxie's Signal Protocol underneath. That's insane. Encrypted personal messaging has been one of the most successful tech innovations in history.

      9 votes
      1. [7]
        petrichor

        I do somewhat hate to be that person, but... what makes that necessarily true? As far as I'm aware, the WhatsApp clients and servers are both closed-source, which means (as far as I'm aware) there's no way to know that WhatsApp is really using the Signal protocol.

        Telegram doesn't encrypt messages by default, but their clients are at least open source, so messages going out are verifiably encrypted, even if the server is closed source.

        12 votes
        1. [5]
          mat

          Nothing really I guess. Seems a strange thing to lie about but then Signal (and anyone else) could be doing the same. They could easily publish one set of code and run another on their servers.

          For whatever it's worth, one of my oldest friends works with the WhatsApp team at Meta so I have it direct from there. Also Moxie said they did it.

          I think the fuss various prying governments make about the need to backdoor WhatsApp (looking at you, UK) is another good indicator too.

          3 votes
          1. [4]
            petrichor

            Well, the point is Signal can't do the same. Their apps are open source and by necessity with end-to-end encryption, if you can verify the clients are encrypting as intended, you don't need to trust the server.

            I generally think governments and particularly the United States government are ridiculously good at backdooring systems: even systems considered to be cryptographically solid, so "ah yes we definitely implement this protocol perfectly" / "can we see it?" / "no" from companies does worry me.

            14 votes
            1. mat

              I believe strictly speaking Signal is potentially vulnerable to man in the middle attacks if you have control of the server, although it's not easy and at some point you have to rely on clients not noticing stuff about compromised keys. Although having seen the general public's ability to notice stuff, I'm not sure an attacker needs to worry too much. Also Signal keeps hiding away the fingerprint verification stuff more and more, which does make it easier for would-be attackers.

              State-level actors will almost certainly just remotely take control of the client device - all crypto has to be undone before the user's eyes and endpoint compromise gets you everything, not just messages in one app. It's pretty much a freebie these days.

              Meta have a lot of faults but they're not too bad at some things. Here's their report of key transparency in WhatsApp, which includes a bunch of open source code and tools relating to security.

              Don't forget Zuck is a massive lolbertarian and he doesn't want the gubmint able to read his messages any more than you or I do. E2E crypto is 100% on-brand for him.

              3 votes
            2. [2]
              Plik

              Yeah, what was that hard drive encryption software that magically disappeared at one point? VeraCrypt or something? If I remember one of the main "secure" algorithms it offered turned out to have a backdoor because it was based on some other algorithm kindly researched for the public's use by ......the NSA?

              2 votes
              1. confusiondiffusion

                It was TrueCrypt. As far as I know there were never any major problems found with it. VeraCrypt is an active project and is afaik considered safe to use. It's unclear why TrueCrypt disappeared.

                You may be thinking of the Dual_EC_DRBG algorithm which was not included in TrueCrypt. It was included in OpenSSL but not used by default. This is basically the only known truly backdoored cipher out of the NSA.

                https://en.m.wikipedia.org/wiki/TrueCrypt

                https://en.wikipedia.org/wiki/Dual_EC_DRBG

                An aside--DES is another interesting story. The NSA took a cipher submitted by IBM. They then reduced its key size to 56 bits but also increased the strength of its sboxes. The result was DES, a cipher that could only be broken by brute force with the computational power available to the NSA and few others at the time. Brute force is really the front door of a cipher. So not really in the same class as Dual_EC_DRBG.

                https://en.m.wikipedia.org/wiki/Data_Encryption_Standard#NSA's_involvement_in_the_design

                1 vote
        2. sandaltree

          Open Whisper Systems did audit WhatsApp and help install the protocol, so take that as you will. But I guess you can't really know if they have some kind of backdoor.

    3. [3]
      zod000

      Switching to using usernames may actually get me to use Signal now depending on how this is implemented. I loathe services that require a phone number (and generally use of a smart phone) to use as I do not consider my phone anything close to a primary device.

      3 votes
      1. [2]
        AugustusFerdinand

        This will still require a phone number just as every other leading messaging service does. You just won't have to provide your phone number to someone else to chat with them on the service.

        4 votes
        1. zod000

          I figured that might be the case, sadly. Thanks for clarifying, sorry Signal.

          1 vote
  2. [2]
    shrike

    On WhatsApp everyone added to a group chat will see everyone's number - which is extra stupid considering you can just make a group by adding random people in it without them accepting any invites.

    Also on Signal I can see everyone's actual phone number when I add them.

    I can chat with people on Telegram without them knowing my phone number, they only see my username. The only bit where a phone number is required is account creation.

    This is why I'm sticking with Telegram. I need people to not know my phone number (which can be used to semi-trivially track down my actual home address) more than I need super secure End to End Encryption.

    8 votes
    1. Plik

      Yeah, when I had dual sims I basically used one for randos to set up phone number accounts and use data, while the other was for calls only. Felt kinda stupid having two sims for the same country just in case someone turned out to be crazy.

      1 vote