e-mail has a lot of legacy cruft. Regardless of the technical merits of e-mail or Telegram or Delta Chat, Signal, matrix.org or whatever, what people need to be hearing today is “WhatsApp and Facebook Messenger are unnecessarily invasive. Everyone is moving to X.” If there isn’t a clear message on what X is, then people will just keep on using WhatsApp and Facebook Messenger.
It seems clear to me that e-mail is not the frontrunner for X, so by presenting it as a candidate for replacing WhatsApp and Facebook Messenger, I think the author is actually decreasing the likelihood that most people will migrate to a better messaging platform.
My vote is for Signal. It has good clients for Android and iOS and it’s secure. It’s also simple enough that non-technical people can use it comfortably.
Signal is a silo and I dislike silos. That’s why I post on my blog instead of Twitter. What happens when someone buys Signal, the US government forces Signal to implement backdoors or Signal runs out of donation money?
Signal isn’t perfect. My point is that Signal is better than WhatsApp and that presenting many alternatives to WhatsApp is harmful to Signal adoption. If Signal can’t reach critical mass like WhatsApp has it will fizzle out and we will be using WhatsApp again.
Yeah, I think the point of the previous poster was that these systems should be improved to a point where they’re just really good alternatives, which includes branding and the like. Element (formerly riot.im) has the right idea on this IMHO, instead of talking about all sorts of tech details and presenting 500 clients like xmpp.org, it just says “here are the features element has, here’s how you can use it”.
Of course, die-hard decentralisation advocates don’t like this. But this is pretty much the only way you will get any serious mainstream adoption as far as I can see. Certainly none of the other approaches that have been tried over the last ~15 years worked.
…instead of talking about all sorts of tech details and presenting 500 clients like xmpp.org, it just says “here are the features element has, here’s how you can use it”.
Same problem with all the decentralized social networks and microblogging services. I was on Mastodon for a bit. I didn’t log in very often because I only followed a handful of privacy advocate types since none of my friends or other random people I followed on Twitter were on it. It was fine, though. But then they shut down the server I was on and apparently I missed whatever notification was sent out.
People always say crap like “What will you do if Twitter shuts down?”. Well, so far 100% of the federated / distributed social networks I’ve tried (I also tried that Facebook clone from way back when and then Identi.ca at some point) have shut down in one way or another and none of the conventional ones I’ve used have done so. I realize it’s a potential problem, but in my experience it just doesn’t matter.
XMPP and (to a lesser extent) Matrix do need to be improved before they are viable alternatives, though. Signal is already there. You may feel that ideological advantages make up for the UI shortcomings, but very few nontechnical users feel the same way.
Oh, definitely. At least in the case of Matrix it’s clear that (1) the developers regard usability as an actual goal, (2) they know their usability could be improved, and (3) they’re working on improving it. I admit I don’t follow the XMPP ecosystem as closely, so the same could be the same there, but… XMPP has been around for 20 years, so what’s going to change now to make it more approachable?
Do you realize you’re cheering for keeping the WhatsApp silo?
Chat platforms have a strong network effect. We’re going to be stuck with Facebook’s network for as long as other networks are fragmented due to people disagreeing which one is the perfect one to end all other ones, and keep waiting for a pie in the sky, while all of them keep failing to reach the critical mass.
I mean that by opposing the shift to the less-bad silo you’re not actually advancing the no-silo case, but keeping the status quo of the worst-silo.
There is currently no decentralized option that is secure, practical, and popular enough to be adopted by mainstream consumers in numbers that could beat WhatsApp.
If the choice is between WhatsApp and “just wait until we make one that is”, it means keeping WhatsApp.
Domain-name federation is a half-assed solution to data portability. Domain names basically need to be backed by always-on servers, not everybody can have one, and not everybody should. Either make it really P2P (Scuttlebutt?) or don’t bother.
I sadly agree, which is why logically I always end up recommend signal as ‘the best of a bad bunch’.
I like XMPP, but for true silo-avoidance you need you run your own server (or at least have someone run it under your domain, so you can move away). This sucks. It’s sort of the same with matrix.
The only way around this is real p2p as you say. So far I haven’t seen anything that I could recommend to former whatsapp users on this front however. I love scuttlebutt but I can’t see it as a good mobile solution.
Signal really needs a “web.signal.com”; typing on phones suck, and the destop app is ugh. I can’t write my own app either so I’m stuck with two bad options.
This is actually a big reason I like Telegram: the web client is pretty good.
I can’t write my own app either so I’m stuck with two bad options.
FWIW I’m involved with Whisperfish, the Signal client for Sailfish OS. There has been a constant worry about 3rd party clients, but it does seem like OWS has loosened its policy.
The current Whisperfish is written in Rust, with separate libraries for the protocol and service. OWS is also putting work into their own Rust library, which we may switch to.
Technically you can, and the risk should be quite minimal. At the end of the, as OWS doesn’t support these efforts, and if you don’t make a fool of them, availability and use increases their brand value.
Don’t want to know what happens if someone writes a horrible client and steps on their brand, so let’s be careful out there.
Oh right; that’s good to know. I just searched for “Signal API” a while ago and nothing really obvious turned up so I assumed it’s either impossible or hard/hackish. To be honest I didn’t look very deeply at it, since I don’t really care all that much about Signal that much 😅 It’s just a single not-very-active chatgroup.
Fair enough, sure. An API might sound too much like some raw web thing - it is based on HTTPS after all - but I don’t think all of it would be that simple ;)
The work gone into the libraries has not been trivial, so if you do ever find yourself caring, I hope it’ll be a happy surprise!
Is there a specific reason why? The desktop version of Telegram is butter smooth and has the same capabilities as the phone version (I’m pretty sure they’re built from the same source as well).
Security is the biggest reason for me. Every other week, you hear about a fiasco where a desktop client for some communication service had some sort of remote code execution vulnerability. But there can be other reasons as well, like them being sloppy with their .deb packages and messing up with my update manager etc. As a potential user, I see no benefit in installing a desktop client over a web client.
Security is the reason that you can’t easily have a web-based Signal client. Signal is end-to-end encrypted. In a web app, it’s impossible to isolate the keying material from whoever provides the service so it would be trivial for Signal to intercept all of your messages (even if they did the decryption client-side, they could push an update that uploads the plaintext after decryption).
It also makes targeted attacks trivial: with the mobile and desktop apps, it’s possible to publish the hash that you get for the download and compare it against the versions other people run, so that you can see if you’re running a malicious version (I hope a future version of Signal will integrate that and use it to validate updates before it installs them by checking that other users in your network see the same series of updates). With a web app, you have no way of verifying that you’re running the same code that you were one page refresh ago, let alone the same code as someone else.
A web based client has no advantages with regards to security. They are discrete topics. As a web developer, I would argue that a web based client has a significantly larger surface area for attacks.
When I say security, I don’t mean the security of my communications over that particular application. That’s important too, but it’s nothing compared to my personal computer getting hacked, which means my entire digital life getting compromised. Now you could say a web site could also hijack my entire computer by exploiting weaknesses in the browser, which is definitely a possibility, but that’s not what we hear every other week. We hear stupid zoom or slack desktop client containing a critical remote code execution vulnerability that allows a completely unrelated third party complete access to your computer.
I just don’t like opening a new window/application. Almost all of my work is done with one terminal window (in tmux, on workspace 1) and a browser (workspace 2). This works very well for me as I hate dealing with window management. Obviously I do open other applications for specific purposes (GIMP, Geeqie, etc) but I find having an extra window just to chat occasionally is annoying. Much easier to open a tab in my browser, send my message, and close it again.
A fraction of users is moving, the technically literate ones. Everyone else stays where their contacts are, or which is often the case, installs another messenger and then uses n+1.
A fraction of users is moving, the technically literate ones
I don’t think that’s what’s happening now. There have been a lot of mainstream press articles about WhatsApp. The technical users moved to Signal when Facebook bought WhatsApp, I’m now hearing non-technical folks ask what they should migrate to from WhatsApp. For example, one of our administrators recently asked about Signal because some of her family want to move their family chat there from WhatsApp.
Yeah these last two days I have been asked a few times about chat apps. I have also noticed my signal contacts list expand by quite a few contacts, and there are lots of friends/family who I would not have expected to make the switch in there. I asked one family member, a doctor, what brought her in and she said that her group of doctors on whatsapp became concerned after the recent announcements.
I wish I could recommend xmpp/OMEMO, but it’s just not as easy to set up. You can use conversations.im, and it’s a great service, but if you are worried about silos you are back to square one if you use their domain. They make using a custom domain as friction-free as possible but it still involves DNS settings.
I feel the same way about matrix etc. Most people won’t run their own instance, so you end up in a silo again.
For the closest thing to whatsapp, I have to recommend Signal. It’s not perfect, but it’s good. I wish you didn’t have to use a phone number…
Anyone who has written email software used at scale by the general public can tell you that you will spend a lot of time working around servers and clients which do all sorts of weird things. Sometimes with good reasons, often times with … not so good reasons. This sucks but there’s nothing I can change about that, so I’ll need to deal with it.
Getting something basic working is pretty easy. Getting all emails handled correctly is much harder. Actually displaying all emails well even harder still. There’s tons of edge cases.
The entire system is incredibly messy, and we’re actually a few steps up from 20 years ago when it was even worse.
And we still haven’t solved the damn line wrapping problem 30 years after we identified it…
Email both proves Postel’s law correct and wrong: it’s correct in the sense that it does work, it’s wrong because it takes far more time and effort than it really needs to.
I hear you (spent a few years at an ESP). It’s still better than some siloed walled garden proprietary thing that looks pretty but could disappear for any reason in a moment. The worst of all worlds except all others.
I’m not so worried about this; all of these services have been around for ages and I’m not seeing them disappear from one day to the next in the foreseeable future. And even if it does happen: okay, just move somewhere else. It’s not even that big of a deal.
Especially with chat services. There’s not that much to lose. Your contacts are almost always backed up elsewhere. I guess people value their chat history more than I do, however.
My vote is for Signal. It has good clients for Android and iOS and it’s secure. It’s also simple enough that non-technical people can use it comfortably.
I’ve recently started using it, and while it’s fine, I’m no fan. As @jlelse, it is another closed-off platform that you have to use, making me depend on someone else.
They seem to (as of writing) prioritize “security” over “user freedom”, which I don’t agree with. There’s the famous thread, where they reject the notion of distributing Signal over F-Droid (instead having their own special updater, in their Google-less APK). What also annoys me is that their desktop client is based on Electron, which would have been very hard for me to use before upgrading my desktop last year.
My vote is for Signal. It has good clients for Android and iOS and it’s secure. It’s also simple enough that non-technical people can use it comfortably.
What I hate about signal is that it requires a mobile phone and an associated phone number. That makes it essentially useless - I loathe mobile phones - and very suspect to me. Why can’t the desktop client actually work?
I completely agree. At the beginning of 2020 I gave up my smartphone and haven’t looked back. I’ve got a great dumb phone for voice and SMS, and the occasional photo. But now I can’t use Signal as I don’t have a mobile device to sign in to. In a word where Windows, Mac OS, Linux, Android, and iOS all exist as widely used operating systems, Signal is untenable as it only as full featured clients for two of these operating systems.
Signal isn’t perfect.
This isn’t about being perfect, this is about being accessible to everyone. It doesn’t matter how popular it becomes, I can’t use it.
They’ve been planning on fixing that for a while, I don’t know what the status is. The advantage of using mobile phone numbers is bootstrapping. My address book is already full of phone numbers for my contacts. When I installed Signal, it told me which of them are already using it. When other folks joined, I got a notification. While I agree that it’s not a great long-term strategy, it worked very well for both WhatsApp and Signal to quickly bootstrap a large connected userbase.
In contrast, most folks XMPP addresses were not the same as their email addresses and I don’t have a lot of email addresses in my address book anyway because my mail clients are all good at autocompleting them from people who have sent me mail before, so I don’t bother adding them. As a result, my Signal contact list was instantly as big as my Jabber Roster became after about six months of trying to get folks to use Jabber. The only reason Jabber was useable at all for me initially was that it was easy to run an ICQ bridge so I could bring my ICQ contacts across.
What I hate about signal is that it requires a mobile phone and an associated phone number.
On the bright side, Signal’s started to use UUIDs as well, so this may change. Some people may think it’s gonna be too late whenever it happens, if it does, but at least the protocols aren’t stagnant!
E-mail is terrible unreliable due to spam prevention, and I even had issues with gmail to gmail messages not going through before switching to my own e-mail server. It’s kinda a shot in the dark if your e-mail actually makes it through.
This has little to do with gmail; email by design isn’t a real-time communication system.
I didn’t have a smartphone for a long time, and for about two years I communicated with my then-girlfriend primarily over email (and Skype video chat). We were apart for extended periods of time for a year as she was finishing her studies in another country (we tried XMPP but that didn’t really work well for her).
Sometimes emails just take five minutes to arrive, sometimes longer. There are all sorts of reasons for this, but even a 20-second delay can be quite an inconvenience with real-time chat IMO.
I do kind of like the idea in principle, but I’m skeptical about how well it will work in practice for fast-paced real-time conversations for extended periods of time.
There are all sorts of reasons for this, but even a 20-second delay can be quite an inconvenience with real-time chat IMO.
I think it’s normal for server to server SMTP to involve at least 6 RTTs of delay because the protocol is so chatty? I’m not sure if you can safely eliminate some of those by sending multiple commands without waiting for the responses.
Yeah, there’s a lot of back of forth; and it’s indeed pretty suboptimal based on that alone; I hadn’t even thought about that actually. A lot of email systems are designed in such a way that real-time delivery just isn’t a priority; for example on the system I worked on we would just let stuff queue for a few minutes during some updates and such. For email this is totally fine. For real-time chat: a bit less so. Some anti-spam techniques such as greylisting also take advantage of email’s lack of realtime expectations (it will respond with a “temporary failure” and lets the server retry; a lot of spam servers never will).
There has certainly already been spam on matrix. Both bridged from IRC and matrix native. But the people of element.io / matrix.org have plans. It will take a lot of work, but they have thought about it and will keep thinking about it. https://matrix.org/blog/2020/10/19/combating-abuse-in-matrix-without-backdoors
It feels like this article is trying to have it both ways regarding encryption and compatibility. It touts it as a feature that “Delta Chat encrypts messages automatically” but then says that “Delta Chat allows you to communicate even with people who don’t use Delta Chat at all, all you need is an email address!” That’s great, but it implies not only that (1) Delta Chat can be used in an unencrypted mode, which is not even possible with e.g. Signal, but also that (2) people are being encouraged to use it in an unencrypted mode while also being told that the service is encrypted. Is there UI clarifying which connections are encrypted and which are cleartext? If not, technical users will understand that if you send an email to some arbitrary address then of course it’s going to be unencrypted, but ordinary users are being set up for failure.
The article seems to allude to this when it says that “it would be advisable not to use Gmail, Outlook or GMX as email service”. You can have an encrypted chat channel, or you can have a backward-compatible unencrypted channel that your email provider can read, but you can’t have both. (Or if you can, then this article doesn’t explain how that would work.)
Edit: I feel bad about posting such a negative comment. I too have been annoyed at the proliferation of incompatible messaging services. I like federation, and I like the idea that someone would be able to use this without creating yet another account. But I’m worried that people are going to misunderstand the limits of Delta Chat’s opportunistic encryption.
There’s UI to show whether a chat is encrypted or not, encrypted messages will have a lock symbol. But you’re right, it’s possible to use it without encryption too. There are three options: 1. Message someone without support for autocrypt - the chat will be unencrypted, 2. Message someone with autocrypt (i.e. DeltaChat) - only the first message will be unencrypted, 3. Scan someone’s QR code - all messages will be encrypted.
As unencrypted HTTP has become less and less common, browsers have switched from highlighting when a page is encrypted to highlighting when it isn’t encrypted. How obvious does Delta Chat make it when a chat is plaintext?
I clicked to the comments because very similar thoughts occurred to me.
I don’t think having insecure messages go through the “secure” chat interface is a good idea at all. A decent compromise might be:
user attempts to send a secure chat message to someone whose email address they have
delta alerts them that secure messaging is not possible and offers to send them an insecure message instead
if the user opts to send an insecure message, it uses the system’s mailto: url handler to open the default mail client so that this looks like every other insecure message the user sends.
Sending plaintext from your secure tool should be scary and involve extra steps, IMO.
I have other reservations about selecting email as the substrate for this, but those aren’t security related.
I see all of these articles about what messenger app to use. None of those address the real problem: they don’t work for the people I talk to.
A lot of my friends are furries and we use telegram exclusively because it supports stickers. It’s impossible to understate how important stickers are for us.
The Furry Writers’ Guild, moved our Slack server to Discord. It’s been hugely popular. We couldn’t get anyone to use Slack.
My church uses Facebook. I’m not on it and I’ve effectively not been a member since March as a result.
A few of my friends use Twitter direct messages.
My family uses SMS. (And my uncle keeps trying to push everyone to LinkedIn.)
I know exactly one person on Earth who uses Signal. He’s on Telegram because he can’t get his friends to use Signal.
I remember a time when it was MSN Messenger, YIM, AIM, ICQ or IRC and you could have one open source client that was able to provide a single interface for the lot.
You can do the same thing with Matrix but it’s no where near as simple or accessible as Pidgin/Trillian/Audium/etc. Signal and Telegram have APIs, but Facebook and Google make it incredibly difficult to interface with their messengers.
The Signal folks, at least, seem to understand this. It supports sending emoji, has sticker packs, and makes it very easy to share photos (as in, UI in the mobile app for taking a photo and sending it, just like WhatsApp). The big missing feature is the ability to have video / audio calls with more than two people. That said, the Signal desktop clients (unlike WhatsApp) do support video calling. This is the killer feature for some of the non-technical folks I talk to - everyone has had to have the hardware for video conferencing on a laptop to be able to join work calls while working from home during the pandemic and going from a Teams or Zoom call on a laptop (with or without an external monitor) to having to use a tiny phone screen for WhatsApp calls is frustrating. With Signal, you can call directly from the desktop app and answer calls in it. We have used that feature with my mother quite a lot over the last year.
I have 40 year old email boxes that I can still access on essentially all of my devices, mobile and otherwise. I have current mail boxes that are in the same format I can access in the same format. It takes a more or less finesse depending on platform, only because people are casting about for the new hotness and ignoring the old reliable, but it works. There are all kinds of problems and limitations with it (how the hell did we end up with MIME?), but the underlying use case (communication) works.
Will I be able to access my Signal or Telegram store 40 years from now?
By coincidence, I just tried Delta Chat yesterday or the day before that, and I too was positively surprised. I uninstalled WhatsApp last November, and my friends have been complaining how inconvenient it is to email me when they want to say something. Usually people don’t like creating new accounts for new services, but Delta Chat seems interesting as it’s just a pretty client, that doesn’t have to use HTML mail or something like that to appal to regular people.
The only thing that concerns me is how energy efficient the persistent IMAP connection is. I’ve uninstalled it, because my Email workflow doesn’t sync very well, but I can imagine that if I tell someone to use Delta Chat, they might decide not to if it wastes 10-20% of their battery.
Okay, sure. Let’s have everyone migrate to email. Will they set up their own servers? Probably not.
So then we have people looking to service providers, which are….Google and Microsoft, most likely. Maybe a few discover ProtonMail, or FastMail, or whoever. So people are moving from one silo to another. Like, yeah, at least with email I can download my messages and transfer them to another service, but again, what average user is going to actually do that?
IMHO, The thing that’s missing in these “move away from WhatsApp” discussions is that the majority of Latin America (up to 70% by some accounts) use WhatsApp. The reason? Many of the mobile providers make the app free to use, meaning that WhatsApp data doesn’t deduct from your quotas. So if you have any family or friends in these countries, you’re going to be really hard pressed to convince them to migrate.
Thanks for your post, and I rather strenuously agree with you on the key point in the title, but I’d suggest you consider taking the time to make a more compelling case for your article.
The first few paragraphs are great and on point, and then the article fizzles into why you installed Delta Chat for your IM needs.
I firmly believe that we need less real time interrupts, and that E-mail can be a great mechanism to encourage that.
I am glad that progress is being made and this is definitely a client I will watch the releases for. I will not however be pushing this on my contacts until OAuth2 is implemented. It is unfortunate how dependent we are on google but we are. If the app does not work seamlessly with gmail then I can’t recommend it to my contacts who have gmail accounts, which is the majority. This undermines the whole utility of having an imap based system.
e-mail has a lot of legacy cruft. Regardless of the technical merits of e-mail or Telegram or Delta Chat, Signal, matrix.org or whatever, what people need to be hearing today is “WhatsApp and Facebook Messenger are unnecessarily invasive. Everyone is moving to X.” If there isn’t a clear message on what X is, then people will just keep on using WhatsApp and Facebook Messenger.
It seems clear to me that e-mail is not the frontrunner for X, so by presenting it as a candidate for replacing WhatsApp and Facebook Messenger, I think the author is actually decreasing the likelihood that most people will migrate to a better messaging platform.
My vote is for Signal. It has good clients for Android and iOS and it’s secure. It’s also simple enough that non-technical people can use it comfortably.
Signal is a silo and I dislike silos. That’s why I post on my blog instead of Twitter. What happens when someone buys Signal, the US government forces Signal to implement backdoors or Signal runs out of donation money?
Signal isn’t perfect. My point is that Signal is better than WhatsApp and that presenting many alternatives to WhatsApp is harmful to Signal adoption. If Signal can’t reach critical mass like WhatsApp has it will fizzle out and we will be using WhatsApp again.
Great! We don’t need more silos.
What about XMPP or Matrix? They can (and should!) be improved so that they are viable alternatives.
(Majority of) People don’t care about technology (how), they care about goal (why).
They don’t care if it’s Facebook, Whatsapp, Signal, Email, XMPP, they want to communicate.
Yeah, I think the point of the previous poster was that these systems should be improved to a point where they’re just really good alternatives, which includes branding and the like. Element (formerly riot.im) has the right idea on this IMHO, instead of talking about all sorts of tech details and presenting 500 clients like xmpp.org, it just says “here are the features element has, here’s how you can use it”.
Of course, die-hard decentralisation advocates don’t like this. But this is pretty much the only way you will get any serious mainstream adoption as far as I can see. Certainly none of the other approaches that have been tried over the last ~15 years worked.
Same problem with all the decentralized social networks and microblogging services. I was on Mastodon for a bit. I didn’t log in very often because I only followed a handful of privacy advocate types since none of my friends or other random people I followed on Twitter were on it. It was fine, though. But then they shut down the server I was on and apparently I missed whatever notification was sent out.
People always say crap like “What will you do if Twitter shuts down?”. Well, so far 100% of the federated / distributed social networks I’ve tried (I also tried that Facebook clone from way back when and then Identi.ca at some point) have shut down in one way or another and none of the conventional ones I’ve used have done so. I realize it’s a potential problem, but in my experience it just doesn’t matter.
The main feature that cannot be listed in good faith and which is the one that everybody cares about is: “It has all my friend and family on it”.
I know it’s just a matter of critical mass and if nobody switches this will never happen.
Sure, but we’re not the majority of people.. and we shouldn’t be choosing yet another silo to promote.
XMPP and (to a lesser extent) Matrix do need to be improved before they are viable alternatives, though. Signal is already there. You may feel that ideological advantages make up for the UI shortcomings, but very few nontechnical users feel the same way.
Have you tried joining a busy Matrix channel from a federated homeserver? It can take an hour. I think it needs some improvement too.
Oh, definitely. At least in the case of Matrix it’s clear that (1) the developers regard usability as an actual goal, (2) they know their usability could be improved, and (3) they’re working on improving it. I admit I don’t follow the XMPP ecosystem as closely, so the same could be the same there, but… XMPP has been around for 20 years, so what’s going to change now to make it more approachable?
Do you realize you’re cheering for keeping the WhatsApp silo?
Chat platforms have a strong network effect. We’re going to be stuck with Facebook’s network for as long as other networks are fragmented due to people disagreeing which one is the perfect one to end all other ones, and keep waiting for a pie in the sky, while all of them keep failing to reach the critical mass.
Uh, not sure how you pulled that out of what I said, but I’m actually cheering for the downfall of all silos.
I mean that by opposing the shift to the less-bad silo you’re not actually advancing the no-silo case, but keeping the status quo of the worst-silo.
There is currently no decentralized option that is secure, practical, and popular enough to be adopted by mainstream consumers in numbers that could beat WhatsApp.
If the choice is between WhatsApp and “just wait until we make one that is”, it means keeping WhatsApp.
Debatable.
Domain-name federation is a half-assed solution to data portability. Domain names basically need to be backed by always-on servers, not everybody can have one, and not everybody should. Either make it really P2P (Scuttlebutt?) or don’t bother.
I sadly agree, which is why logically I always end up recommend signal as ‘the best of a bad bunch’.
I like XMPP, but for true silo-avoidance you need you run your own server (or at least have someone run it under your domain, so you can move away). This sucks. It’s sort of the same with matrix.
The only way around this is real p2p as you say. So far I haven’t seen anything that I could recommend to former whatsapp users on this front however. I love scuttlebutt but I can’t see it as a good mobile solution.
Signal really needs a “web.signal.com”; typing on phones suck, and the destop app is ugh. I can’t write my own app either so I’m stuck with two bad options.
This is actually a big reason I like Telegram: the web client is pretty good.
FWIW I’m involved with Whisperfish, the Signal client for Sailfish OS. There has been a constant worry about 3rd party clients, but it does seem like OWS has loosened its policy.
The current Whisperfish is written in Rust, with separate libraries for the protocol and service. OWS is also putting work into their own Rust library, which we may switch to.
Technically you can, and the risk should be quite minimal. At the end of the, as OWS doesn’t support these efforts, and if you don’t make a fool of them, availability and use increases their brand value.
Don’t want to know what happens if someone writes a horrible client and steps on their brand, so let’s be careful out there.
Oh right; that’s good to know. I just searched for “Signal API” a while ago and nothing really obvious turned up so I assumed it’s either impossible or hard/hackish. To be honest I didn’t look very deeply at it, since I don’t really care all that much about Signal that much 😅 It’s just a single not-very-active chatgroup.
Fair enough, sure. An API might sound too much like some raw web thing - it is based on HTTPS after all - but I don’t think all of it would be that simple ;)
The work gone into the libraries has not been trivial, so if you do ever find yourself caring, I hope it’ll be a happy surprise!
The Telegram desktop client is even better than the web client.
I don’t like desktop clients.
Is there a specific reason why? The desktop version of Telegram is butter smooth and has the same capabilities as the phone version (I’m pretty sure they’re built from the same source as well).
Security is the biggest reason for me. Every other week, you hear about a fiasco where a desktop client for some communication service had some sort of remote code execution vulnerability. But there can be other reasons as well, like them being sloppy with their .deb packages and messing up with my update manager etc. As a potential user, I see no benefit in installing a desktop client over a web client.
Security is the reason that you can’t easily have a web-based Signal client. Signal is end-to-end encrypted. In a web app, it’s impossible to isolate the keying material from whoever provides the service so it would be trivial for Signal to intercept all of your messages (even if they did the decryption client-side, they could push an update that uploads the plaintext after decryption).
It also makes targeted attacks trivial: with the mobile and desktop apps, it’s possible to publish the hash that you get for the download and compare it against the versions other people run, so that you can see if you’re running a malicious version (I hope a future version of Signal will integrate that and use it to validate updates before it installs them by checking that other users in your network see the same series of updates). With a web app, you have no way of verifying that you’re running the same code that you were one page refresh ago, let alone the same code as someone else.
A web based client has no advantages with regards to security. They are discrete topics. As a web developer, I would argue that a web based client has a significantly larger surface area for attacks.
When I say security, I don’t mean the security of my communications over that particular application. That’s important too, but it’s nothing compared to my personal computer getting hacked, which means my entire digital life getting compromised. Now you could say a web site could also hijack my entire computer by exploiting weaknesses in the browser, which is definitely a possibility, but that’s not what we hear every other week. We hear stupid zoom or slack desktop client containing a critical remote code execution vulnerability that allows a completely unrelated third party complete access to your computer.
I just don’t like opening a new window/application. Almost all of my work is done with one terminal window (in tmux, on workspace 1) and a browser (workspace 2). This works very well for me as I hate dealing with window management. Obviously I do open other applications for specific purposes (GIMP, Geeqie, etc) but I find having an extra window just to chat occasionally is annoying. Much easier to open a tab in my browser, send my message, and close it again.
The same thing that’s happening now with whatsapp - users move.
A fraction of users is moving, the technically literate ones. Everyone else stays where their contacts are, or which is often the case, installs another messenger and then uses n+1.
I don’t think that’s what’s happening now. There have been a lot of mainstream press articles about WhatsApp. The technical users moved to Signal when Facebook bought WhatsApp, I’m now hearing non-technical folks ask what they should migrate to from WhatsApp. For example, one of our administrators recently asked about Signal because some of her family want to move their family chat there from WhatsApp.
Yeah these last two days I have been asked a few times about chat apps. I have also noticed my signal contacts list expand by quite a few contacts, and there are lots of friends/family who I would not have expected to make the switch in there. I asked one family member, a doctor, what brought her in and she said that her group of doctors on whatsapp became concerned after the recent announcements.
I wish I could recommend xmpp/OMEMO, but it’s just not as easy to set up. You can use conversations.im, and it’s a great service, but if you are worried about silos you are back to square one if you use their domain. They make using a custom domain as friction-free as possible but it still involves DNS settings.
I feel the same way about matrix etc. Most people won’t run their own instance, so you end up in a silo again.
For the closest thing to whatsapp, I have to recommend Signal. It’s not perfect, but it’s good. I wish you didn’t have to use a phone number…
Not supporting signal in any way, but how would your preferred solution actually mitigate those risks?
Many different email providers all over the world and multiple clients based on the same standards.
Anyone who has written email software used at scale by the general public can tell you that you will spend a lot of time working around servers and clients which do all sorts of weird things. Sometimes with good reasons, often times with … not so good reasons. This sucks but there’s nothing I can change about that, so I’ll need to deal with it.
Getting something basic working is pretty easy. Getting all emails handled correctly is much harder. Actually displaying all emails well even harder still. There’s tons of edge cases.
The entire system is incredibly messy, and we’re actually a few steps up from 20 years ago when it was even worse.
And we still haven’t solved the damn line wrapping problem 30 years after we identified it…
Email both proves Postel’s law correct and wrong: it’s correct in the sense that it does work, it’s wrong because it takes far more time and effort than it really needs to.
I hear you (spent a few years at an ESP). It’s still better than some siloed walled garden proprietary thing that looks pretty but could disappear for any reason in a moment. The worst of all worlds except all others.
I’m not so worried about this; all of these services have been around for ages and I’m not seeing them disappear from one day to the next in the foreseeable future. And even if it does happen: okay, just move somewhere else. It’s not even that big of a deal.
Especially with chat services. There’s not that much to lose. Your contacts are almost always backed up elsewhere. I guess people value their chat history more than I do, however.
I’ve recently started using it, and while it’s fine, I’m no fan. As @jlelse, it is another closed-off platform that you have to use, making me depend on someone else.
They seem to (as of writing) prioritize “security” over “user freedom”, which I don’t agree with. There’s the famous thread, where they reject the notion of distributing Signal over F-Droid (instead having their own special updater, in their Google-less APK). What also annoys me is that their desktop client is based on Electron, which would have been very hard for me to use before upgrading my desktop last year.
What I hate about signal is that it requires a mobile phone and an associated phone number. That makes it essentially useless - I loathe mobile phones - and very suspect to me. Why can’t the desktop client actually work?
I completely agree. At the beginning of 2020 I gave up my smartphone and haven’t looked back. I’ve got a great dumb phone for voice and SMS, and the occasional photo. But now I can’t use Signal as I don’t have a mobile device to sign in to. In a word where Windows, Mac OS, Linux, Android, and iOS all exist as widely used operating systems, Signal is untenable as it only as full featured clients for two of these operating systems.
This isn’t about being perfect, this is about being accessible to everyone. It doesn’t matter how popular it becomes, I can’t use it.
They’ve been planning on fixing that for a while, I don’t know what the status is. The advantage of using mobile phone numbers is bootstrapping. My address book is already full of phone numbers for my contacts. When I installed Signal, it told me which of them are already using it. When other folks joined, I got a notification. While I agree that it’s not a great long-term strategy, it worked very well for both WhatsApp and Signal to quickly bootstrap a large connected userbase.
In contrast, most folks XMPP addresses were not the same as their email addresses and I don’t have a lot of email addresses in my address book anyway because my mail clients are all good at autocompleting them from people who have sent me mail before, so I don’t bother adding them. As a result, my Signal contact list was instantly as big as my Jabber Roster became after about six months of trying to get folks to use Jabber. The only reason Jabber was useable at all for me initially was that it was easy to run an ICQ bridge so I could bring my ICQ contacts across.
Support for using it without a phone number remains a work in progress. The introduction of PINs was a stepping stone towards that.
On the bright side, Signal’s started to use UUIDs as well, so this may change. Some people may think it’s gonna be too late whenever it happens, if it does, but at least the protocols aren’t stagnant!
E-mail is terrible unreliable due to spam prevention, and I even had issues with gmail to gmail messages not going through before switching to my own e-mail server. It’s kinda a shot in the dark if your e-mail actually makes it through.
I personally like Matrix. I have my homserver bridged to all the chat services I use: Hangouts, Facebook, Telegram and Signal.
Wait until there’s spam on Matrix too or isn’t that possible? I agree, Gmail sucks, just use a better email service.
This has little to do with gmail; email by design isn’t a real-time communication system.
I didn’t have a smartphone for a long time, and for about two years I communicated with my then-girlfriend primarily over email (and Skype video chat). We were apart for extended periods of time for a year as she was finishing her studies in another country (we tried XMPP but that didn’t really work well for her).
Sometimes emails just take five minutes to arrive, sometimes longer. There are all sorts of reasons for this, but even a 20-second delay can be quite an inconvenience with real-time chat IMO.
I do kind of like the idea in principle, but I’m skeptical about how well it will work in practice for fast-paced real-time conversations for extended periods of time.
I think it’s normal for server to server SMTP to involve at least 6 RTTs of delay because the protocol is so chatty? I’m not sure if you can safely eliminate some of those by sending multiple commands without waiting for the responses.
Yeah, there’s a lot of back of forth; and it’s indeed pretty suboptimal based on that alone; I hadn’t even thought about that actually. A lot of email systems are designed in such a way that real-time delivery just isn’t a priority; for example on the system I worked on we would just let stuff queue for a few minutes during some updates and such. For email this is totally fine. For real-time chat: a bit less so. Some anti-spam techniques such as greylisting also take advantage of email’s lack of realtime expectations (it will respond with a “temporary failure” and lets the server retry; a lot of spam servers never will).
There has certainly already been spam on matrix. Both bridged from IRC and matrix native. But the people of element.io / matrix.org have plans. It will take a lot of work, but they have thought about it and will keep thinking about it. https://matrix.org/blog/2020/10/19/combating-abuse-in-matrix-without-backdoors
It feels like this article is trying to have it both ways regarding encryption and compatibility. It touts it as a feature that “Delta Chat encrypts messages automatically” but then says that “Delta Chat allows you to communicate even with people who don’t use Delta Chat at all, all you need is an email address!” That’s great, but it implies not only that (1) Delta Chat can be used in an unencrypted mode, which is not even possible with e.g. Signal, but also that (2) people are being encouraged to use it in an unencrypted mode while also being told that the service is encrypted. Is there UI clarifying which connections are encrypted and which are cleartext? If not, technical users will understand that if you send an email to some arbitrary address then of course it’s going to be unencrypted, but ordinary users are being set up for failure.
The article seems to allude to this when it says that “it would be advisable not to use Gmail, Outlook or GMX as email service”. You can have an encrypted chat channel, or you can have a backward-compatible unencrypted channel that your email provider can read, but you can’t have both. (Or if you can, then this article doesn’t explain how that would work.)
Edit: I feel bad about posting such a negative comment. I too have been annoyed at the proliferation of incompatible messaging services. I like federation, and I like the idea that someone would be able to use this without creating yet another account. But I’m worried that people are going to misunderstand the limits of Delta Chat’s opportunistic encryption.
There’s UI to show whether a chat is encrypted or not, encrypted messages will have a lock symbol. But you’re right, it’s possible to use it without encryption too. There are three options: 1. Message someone without support for autocrypt - the chat will be unencrypted, 2. Message someone with autocrypt (i.e. DeltaChat) - only the first message will be unencrypted, 3. Scan someone’s QR code - all messages will be encrypted.
As unencrypted HTTP has become less and less common, browsers have switched from highlighting when a page is encrypted to highlighting when it isn’t encrypted. How obvious does Delta Chat make it when a chat is plaintext?
BTW, Signal can be used to send normal SMS to your non-Signal contacts, so it can be used in unencrypted mode.
Ah, I forgot about that. (This is an Android-only feature of Signal, IIUC, and I use iOS.)
I clicked to the comments because very similar thoughts occurred to me.
I don’t think having insecure messages go through the “secure” chat interface is a good idea at all. A decent compromise might be:
Sending plaintext from your secure tool should be scary and involve extra steps, IMO.
I have other reservations about selecting email as the substrate for this, but those aren’t security related.
I see all of these articles about what messenger app to use. None of those address the real problem: they don’t work for the people I talk to.
A lot of my friends are furries and we use telegram exclusively because it supports stickers. It’s impossible to understate how important stickers are for us.
The Furry Writers’ Guild, moved our Slack server to Discord. It’s been hugely popular. We couldn’t get anyone to use Slack.
My church uses Facebook. I’m not on it and I’ve effectively not been a member since March as a result.
A few of my friends use Twitter direct messages.
My family uses SMS. (And my uncle keeps trying to push everyone to LinkedIn.)
I know exactly one person on Earth who uses Signal. He’s on Telegram because he can’t get his friends to use Signal.
I remember a time when it was MSN Messenger, YIM, AIM, ICQ or IRC and you could have one open source client that was able to provide a single interface for the lot.
You can do the same thing with Matrix but it’s no where near as simple or accessible as Pidgin/Trillian/Audium/etc. Signal and Telegram have APIs, but Facebook and Google make it incredibly difficult to interface with their messengers.
The Signal folks, at least, seem to understand this. It supports sending emoji, has sticker packs, and makes it very easy to share photos (as in, UI in the mobile app for taking a photo and sending it, just like WhatsApp). The big missing feature is the ability to have video / audio calls with more than two people. That said, the Signal desktop clients (unlike WhatsApp) do support video calling. This is the killer feature for some of the non-technical folks I talk to - everyone has had to have the hardware for video conferencing on a laptop to be able to join work calls while working from home during the pandemic and going from a Teams or Zoom call on a laptop (with or without an external monitor) to having to use a tiny phone screen for WhatsApp calls is frustrating. With Signal, you can call directly from the desktop app and answer calls in it. We have used that feature with my mother quite a lot over the last year.
Signal supports video/audio calls with up to 8 people. The most recent release raised it from 5 to 8.
Huh, looks like it was added in the middle of December. I’m a month out of date. Here’s the announcement.
Signal has stickers. Though I guess that’s not super relevant to this discussion, since Delta Chat apparently doesn’t.
I have 40 year old email boxes that I can still access on essentially all of my devices, mobile and otherwise. I have current mail boxes that are in the same format I can access in the same format. It takes a more or less finesse depending on platform, only because people are casting about for the new hotness and ignoring the old reliable, but it works. There are all kinds of problems and limitations with it (how the hell did we end up with MIME?), but the underlying use case (communication) works.
Will I be able to access my Signal or Telegram store 40 years from now?
Yes. email is a good format.
By coincidence, I just tried Delta Chat yesterday or the day before that, and I too was positively surprised. I uninstalled WhatsApp last November, and my friends have been complaining how inconvenient it is to email me when they want to say something. Usually people don’t like creating new accounts for new services, but Delta Chat seems interesting as it’s just a pretty client, that doesn’t have to use HTML mail or something like that to appal to regular people.
The only thing that concerns me is how energy efficient the persistent IMAP connection is. I’ve uninstalled it, because my Email workflow doesn’t sync very well, but I can imagine that if I tell someone to use Delta Chat, they might decide not to if it wastes 10-20% of their battery.
Okay, sure. Let’s have everyone migrate to email. Will they set up their own servers? Probably not.
So then we have people looking to service providers, which are….Google and Microsoft, most likely. Maybe a few discover ProtonMail, or FastMail, or whoever. So people are moving from one silo to another. Like, yeah, at least with email I can download my messages and transfer them to another service, but again, what average user is going to actually do that?
IMHO, The thing that’s missing in these “move away from WhatsApp” discussions is that the majority of Latin America (up to 70% by some accounts) use WhatsApp. The reason? Many of the mobile providers make the app free to use, meaning that WhatsApp data doesn’t deduct from your quotas. So if you have any family or friends in these countries, you’re going to be really hard pressed to convince them to migrate.
Hi!
Thanks for your post, and I rather strenuously agree with you on the key point in the title, but I’d suggest you consider taking the time to make a more compelling case for your article.
The first few paragraphs are great and on point, and then the article fizzles into why you installed Delta Chat for your IM needs.
I firmly believe that we need less real time interrupts, and that E-mail can be a great mechanism to encourage that.
I would say email can be both. Instant messaging with DeltaChat or similar applications and slow communication using a standard email client.
I am glad that progress is being made and this is definitely a client I will watch the releases for. I will not however be pushing this on my contacts until OAuth2 is implemented. It is unfortunate how dependent we are on google but we are. If the app does not work seamlessly with gmail then I can’t recommend it to my contacts who have gmail accounts, which is the majority. This undermines the whole utility of having an imap based system.
I wish they would elaborate on what “a reasonable email service” is
I wrote about that in 2019: https://jlelse.blog/thoughts/2019/03/email-providers