14 votes

Signal deploys closed-source measure to mitigate spam

Topic deleted by author

25 comments

  1. [25]
    Comment deleted by author
    1. [5]
      fleg

      If you want a fully open source solution that you control yourself, you can take a look at XMPP. You can self host a server of your own, there's full federation, E2E encryption based on Signal's protocol (OMEMO), a variety of clients, and even some solutions which utilize Signal's phone number-based workflow for onboarding (https://quicksy.im/, also fully open source).

      There's also Matrix, which is also fully open source, but way harder to self-host. I think XMPP is closer in its spirit to Signal than Matrix, which is closer to tools like Slack.

      But yeah, Signal is easier for the end user, even if not much easier.

      10 votes
      1. [3]
        Gecko

        On the flip side Matrix supports what they call "bridges", i.e. bots that allow you to interact with other platforms. You still need an account on the other platform and give the bridge access to it to send messages on your behalf (all the big ones are open source and self hosted though so I don't see an issue there).

        Overall it looks like a great solution to consolidate many different messengers into one place.

        5 votes
        1. fleg

          XMPP had transports for a long time, which are pretty much the same thing.

          4 votes
        2. admicos

          Somewhat unrelated, but you can connect to all Matrix rooms, and therefore any rooms they are bridged publicly, using XMPP.

          https://github.com/matrix-org/matrix-bifrost/wiki/Address-syntax

          The user experience is still meh, but if you need to, it's there.

          2 votes
      2. river

        yeah, XMPP with OMEMO is the way to go!

        4 votes
    2. [9]
      Moonchild

      Telegram

      Telegram's cryptography has been criticized. I would not trust it. (Signal's has not.)

      7 votes
      1. [8]
        Adys

        Telegram has had problems in the past, it's true. Those criticisms I don't believe still stand today. Apart from the "E2E isn't default", which, yeah it's not but that means Signal is incredibly inconvenient to use whereas Telegram is actually useful by default and allows you to trade convenience off for more security. It gives you a choice.

        I think among the security community, Telegram got a bad rap early on, partly because of that, and never shook it off. But frankly, I would also trust it more today than Signal. Literally the only pushback I ever hear about Telegram is yours: "its crypto has been criticized". It's an appeal to authority at this point.

        5 votes
        1. [7]
          Grzmot

          Signal is incredibly inconvenient to use

          Is it? You sign up and start messaging. I don't see the inconvenience.

          "its crypto has been criticized"

          The reason for this criticism still being repeated is because it still holds. Telegram rolled their own crypto and it was proven insecure.

          Additionally to that, their operational centre is in Dubai, UAE. Not a country known for its toleration of opposition. Their server software is completely closed source and proprietary. The Telegram server can read your chat messages unless you're in a secret chat, which means that governments like the one in the UAE can fairly easily get access to it.

          From Wikipedia:

          In May 2016, the Committee to Protect Journalists and Nate Cardozo, senior staff attorney at Electronic Frontier Foundation, recommended against using Telegram because of "its lack of end-to-end encryption [by default] and its use of non-standard MTProto encryption protocol, which has been publicly criticized by cryptography researchers, including Matthew Green".

          Also fun stuff like those rigged security contests they did that you literally could not win were real head scratchers and caused me to immediately distrust the developers.

          But frankly, I would also trust it more today than Signal.

          Why?

          11 votes
          1. [7]
            Comment deleted by author
            1. [6]
              Grzmot

              (I think you replied to the wrong comment, you're quoting from the parent comment)

              True, Signal is consistently recommended by security experts as the messaging app. They have Edward Snowden literally on their homepage.

              5 votes
              1. [5]
                mtset

                Edward Snowden is not a credible security expert, but you're right that Signal is a decent piece of software. "Use Tor, use Signal" is a cliche for a reason.

                4 votes
                1. [4]
                  Grzmot

                  Edward Snowden is not a credible security expert

                  He isn't? He has behind him the education and a career in the field and gave it all up to whistleblow. In fact I'd say that he's one of the most credible netsec experts around. Maybe not specifically cryptography but netsec in general.

                  1 vote
                  1. [3]
                    mtset

                    He hasn't been in the field in years, but more importantly, he's Putin's creature now. I suppose "not credible" is a bit harsh, but you know... Just apply some critical thinking, is all I'm saying. Not that you're not now, I'm just skeptical of anything someone so dependent on a totalitarian government says about defending oneself against totalitarian governments.

                    6 votes
                    1. [2]
                      calm_bomb

                      How do you know he's Putin's creature? Is it the same story as with Assange? Is there any real proof of this? If so, where?

                      1. mtset

                        He lives in a house provided to him by Putin, in a land ruled by Putin, because Putin likes that he embarrassed Putin's political enemies in the USA. He does not speak out when Putin does worse things than he was willing to lose his job and country over, and does occasionally speak out on behalf of the Russian government on Twitter.

                        What more do you want?

                        5 votes
    3. [6]
      admicos

      I really don't care about this specific move, but I do agree with you on Signal being a walled garden. Moxie's approach to federation and LibreSignal's demise were all important parts, but the Mobilecoin cryptocurrency integration was the nail in the coffin for my personal Signal use.

      If someone wanted to not have Mobilecoin anywhere near their messaging experience, nope! Signal Overlord Moxie disallows! And you will be harassed until you stop.

      Yes it's "Open Source", even "Free Software" according to the license, but licensing is never enough (try telling that to all the annoying FOSSbros), the community and development approach is so laughably far from that, that it could've been completely closed source or, more likely, "source available" a la Vivaldi and Unreal, and nothing would be different. Just like most internet browsers of today, though their main reasons are the complexity, rather than one cryptobro's baseless decision.

      Now I host my own XMPP server and have everyone I talk to on there with OMEMO. No complaints so far except for the Android clients not using Google/Firebase notifications and bad OEM ROMs showing useless "might be using battery" notifications.

      The only good thing to come out of Signal is the protocol itself, now adopted by just about every E2E protocol, including the aforementioned OMEMO. The rest of Signal is trash and I doubt anything else will make me change my opinion.

      5 votes
      1. [5]
        skybrian

        MobileCoin isn't enabled in the US and I see no sign of it in the Signal UI. Apparently it's in the UK, Germany, France and Switzerland. Someone in one of those countries will need to say how easily it can be ignored.

        3 votes
        1. [4]
          admicos

          I mean, even if it is not enabled in my country, I still find the entire thing a little bit "off", maybe it's because it might be a pointer to where Signal's interests lie (grifts, instead of making a good, secure, messaging app), and especially with Moxie releasing an NFT (to show the flaws in the NFT implementations, but regardless it is minted and "on there", and used up that probably coal energy already)

          This is just like how I would never, ever, touch the very likely white supremacist backed Session for the obvious reasons, even if their politics never changed a byte of their resulting code, and even if their implementation of usernames is better than phone numbers.

          TLDR: it's not the code, but the morals behind said code

          2 votes
          1. [3]
            skybrian

            It seems fair to say that dabbling in cryptocurrency is somewhat of a bad sign. (It was a bad sign for Keybase, for example.) Maybe the Signal organization won’t last. This is a risk for many organizations and especially startups.

            However, I don’t think that wanting to make money rates a boycott. We all want to make money, at least until you have enough. It’s also very hard to go through life without doing business with people who want to make money.

            You’re asserting that they are like Session which doesn’t seem obvious to me. Aren’t they different people?

            5 votes
            1. [2]
              Cycloneblaze

              It was a bad sign for Keybase, for example.

              What happened with Keybase since then?

              2 votes
              1. skybrian

                Keybase was acquired by Zoom (in May 2020) and then got very quiet. (There have been no posts to their blog since then.)

                As far as I know the software still works. There is some activity on GitHub. I see new releases, but they are bugfixes.

                So by "bad sign," I mean that as a business they probably weren't doing all that well before they tried pivoting to cryptocurrency. They also lost a lot of good will from users who dislike cryptocurrency.

                4 votes
    4. [4]
      skybrian

      “Walled garden” is a somewhat ambiguous, cliched term. It might be good to think about what you dislike about Signal’s approach and explain it differently. What do they prevent people from doing, and how important is it?

      If someone wanted to make their own Signal-like app, they would eventually need to write their own antispam code, but that’s pretty far down the road. It would take a while before the spammers bother with them and at first, a do-nothing implementation would be fine.

      And that’s not really the hard part, compared to getting people to trust them and switch apps.

      3 votes
      1. [3]
        mtset

        And that’s not really the hard part, compared to getting people to trust them and switch apps.

        My personal beef with Moxie (who runs Signal) is that despite there being no technical limitation preventing non-official Signal clients from working with the Signal network, he doesn't allow it, which means that low-priority platforms (PinePhone, BSD, etc) don't have working Signal implementations for literally no reason other than Moxie's ego.

        6 votes
        1. [2]
          skybrian

          How does he justify it?

          2 votes
          1. mtset

            His justification is that it's easier to evolve the Signal protocol if there's only one permitted implementation. I don't agree with that; he could get the same benefits if he simply didn't support the other implementations, but still allowed them on the network.

            8 votes
  2. Bullmaestro

    Understandable. If they release the source code for all their spam prevention tools they'd be worthless.

    5 votes