1. 55
    1. 28

      I hate captcha. I consider the premises of captcha completely broken, stupid and an insult to all the people with disabilities

      And then it’s just left there. As if Signal is doing this captcha thing for fun, or just to mess with their users. Does the author (or anyone really) want to suggest alternatives to combating large scale automated abuse against public account signup systems? It seems like an important topic, and one that won’t really be solved by federation. Once you hit a certain scale, it seems like the need for this kind of thing is inevitable.

      1. 9

        I’ve never needed to solve a captcha to either sign up for or use my email account, even though my phone is one of those Android phones that doesn’t use any Google services (including no Google Play). Email is federated. It’s the primary example of a federated protocol that is subject to large scale automated abuse, but I have no problem with captchas. I pay my email provider $50 per year for email service – this is a personal choice I made, I wanted a solid reliable provider that has tech support, and doesn’t have a surveillance capitalism business model. A large scale automated account signup “attack” against my provider would spend $50 for each account created, and maybe that’s why captcha isn’t needed? If my email provider starts behaving like Signal, then I can just switch providers. I own my email address, so this is straightforward.

        1. 9

          Email is federated. It’s the primary example of a federated protocol that is subject to large scale automated abuse, but I have no problem with captchas.

          Instead, the burden of effort is shifted to the email provider.

          1. 6

            Yup. AKA, people getting paid to handle the drudgery rather than users who are just trying to talk to each other.

            1. 2

              And then some tech giant starts doing it for free to lure in more users to exploit and boom, now your federated protocol is owned by only a few parties that have names like Google, Apple and Microsoft.

              1. 3

                That still seems preferable to just one of the big players. And you still have the option to go with a small player (of which there are plenty with email).

        2. 6

          I’m sorry, I should have specified: other than asking for money. Obviously that is an easier way to prevent abuse, but it turns off far more users than a captcha does. Signal would never be able to grow to the size it is today if they had demanded $50/yr from each user. Or even $1/year. People complain endlessly about the phone number requirement. Can you imagine how irrelevant it would be if the “private” messenger also wanted your 16 digits and full billing address?

          edit: not to suggest the main issue would be forking over the data for most people. For most people it would be forking over the money. But even if they somehow got past that, the cryptonerds would complain about forking over the data.

          1. 3

            asking for money. Obviously that is an easier way to prevent abuse

            Sort of. Battling the horde of stolen credit cards is nontrivial in its own right

          2. 1

            Public funding for providers to do what they normally must charge users for.

            1. 7

              this isn’t about funding, this discussion is about creating reasonable barriers to entry when allowing signups from the public internet, such that normal users aren’t too inconvenienced but large-scale abusers are. Charging money is one way to do that, regardless of how much it costs to run the service.

              1. 1

                Ah, I misunderstood.

                You could use a voucher system to relieve users of the burden to pay for their first few accounts, while maintaining the incentive not to make a bunch of accounts.

      2. 4

        One abuse prevention mechanism that probably doesn’t scale but I think might be interesting is the one employed by lobste.rs itself. I wonder what an “invite-only” Signal would look like. I’m sure there would be a lot of problems, I’m not sure there would be more problems than the phone number + captcha system they employ today. There would certainly be more people mad about it.

        1. 5

          Invite only seems pretty sensible for something like Signal. It’s of no value if you don’t know at least one other person with a Signal account.

          1. 1

            my concern would be about the perceived level of trust extended to invitees. it would almost certainly be higher than the perceived level of trust extended to people you talk to on Signal. That is to say: I might be willing to give some rando on the internet my Signal # to talk to them, but I probably wouldn’t give them a Signal invite if their potential misbehavior could come back to bite me.

            1. 1

              I think this is closely related to my biggest problem with Signal. Like the phone network and email, it conflates an identity with a capability. For giving contact info to a company, I really want to be able to mint a single use capability that allows them to run a key exchange protocol precisely once and then be able to contact me from a specific account, but which doesn’t allow them to share that ability with anyone else. Once you make that separation, you can do a lot of interesting things. You can still have a rule that allows anyone that I have in my contacts to contact me with no further authentication.
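
The single-use, account-bound contact capability described in the comment above, sketched as an added example that is not part of the thread and is not Signal's code. `ContactGate`, the token layout and the account names are hypothetical, and the service is assumed to have already authenticated the presenting account.

```python
import hashlib
import hmac
import secrets


class ContactGate:
    """Owner-side state for minting and redeeming contact capabilities."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # MAC key, never leaves the owner
        self._redeemed = set()               # token ids that were already used
        self.allowed = set()                 # accounts allowed to contact the owner

    def _mac(self, token_id, expires, account):
        # The account goes last so that a "|" inside it cannot shift fields.
        msg = f"{token_id}|{expires}|{account}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def mint(self, account, now, ttl=3600):
        """Create a token that only `account` can redeem, once, before expiry."""
        token_id = secrets.token_hex(8)
        expires = now + ttl
        return f"{token_id}.{expires}.{self._mac(token_id, expires, account)}"

    def redeem(self, token, presenting_account, now):
        """Return (accepted, reason).

        The account name is not stored in the token, so the MAC only
        verifies for the account the token was minted for. Handing the
        token to a different account gives that account nothing.
        """
        try:
            token_id, expires_s, mac = token.split(".")
            expires = int(expires_s)
        except ValueError:
            return False, "malformed"
        expected = self._mac(token_id, expires, presenting_account)
        if not hmac.compare_digest(expected.encode(), mac.encode()):
            return False, "forged or wrong account"
        if now > expires:
            return False, "expired"
        if token_id in self._redeemed:
            return False, "already used"
        # First valid use: burn the token and record the one allowed sender.
        self._redeemed.add(token_id)
        self.allowed.add(presenting_account)
        return True, "ok"

    def may_contact(self, account):
        return account in self.allowed


if __name__ == "__main__":
    # Constructed sample accounts and timestamps.
    gate = ContactGate()
    token = gate.mint("shop.example/support", now=1_000)
    print(gate.redeem(token, "reseller.example/ads", now=1_010))  # shared token
    print(gate.redeem(token, "shop.example/support", now=1_010))  # intended use
    print(gate.redeem(token, "shop.example/support", now=1_020))  # replay
```
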

      3. 2

        Since Signal requires a telephone # anyway, they could do a code via SMS/phone call. That could be automated on Signal’s side. It would cost more, since someone has to pay for sending those messages. They seem to have plenty of funding still though. I believe this is what Gmail does now if you want to open a new account with them.

        1. 5

          they do sms verification, it’s even mentioned in the article

        2. 1

          Do captchas even cost anything for a third party to use? I wouldn’t be surprised if they got a kickback for helping Google with their AI models that will be (are?) used for automated drone targeting.

          1. 1

            I don’t know. I don’t think they pay you to use Captchas and I don’t think they cost anything either.

      4. 2

        Proof of work. Since captchas only slow down (but not stop) serious bots these days it’s really the same effectiveness.
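
A hashcash-style signup challenge of the kind the comment above proposes, as an added example that is not part of the thread and is not Signal's code. The function names, the challenge layout, the difficulty value and the phone numbers are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # generated per run for this demo
DIFFICULTY_BITS = 16                  # about 2**16 hashes per signup on average
_spent = set()                        # challenges that already bought a signup


def leading_zero_bits(digest):
    """Count the zero bits at the front of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def issue_challenge(phone, now, ttl=120):
    """Server: bind a fresh challenge to one phone number and an expiry.

    The HMAC tag lets the server verify later without storing the challenge.
    """
    salt = secrets.token_hex(8)
    challenge = f"{phone}|{now + ttl}|{salt}"
    tag = hmac.new(SERVER_KEY, challenge.encode(), hashlib.sha256).hexdigest()
    return challenge, tag


def solve(challenge, bits=DIFFICULTY_BITS):
    """Client: brute-force a nonce. Expected cost doubles with each extra bit."""
    nonce = 0
    while True:
        digest = hashlib.sha256(f"{challenge}|{nonce}".encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return nonce
        nonce += 1


def verify(challenge, tag, nonce, phone, now, bits=DIFFICULTY_BITS):
    """Server: one HMAC and one hash, whatever the client had to spend."""
    expected = hmac.new(SERVER_KEY, challenge.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return "forged"
    c_phone, expires, _salt = challenge.rsplit("|", 2)
    if c_phone != phone:
        return "wrong number"
    if now > int(expires):
        return "expired"
    if challenge in _spent:
        return "replayed"      # one solved challenge buys exactly one signup
    digest = hashlib.sha256(f"{challenge}|{nonce}".encode()).digest()
    if leading_zero_bits(digest) < bits:
        return "insufficient work"
    _spent.add(challenge)
    return "ok"


if __name__ == "__main__":
    # Constructed sample number and timestamps.
    ch, tag = issue_challenge("+15550100", now=1_000)
    nonce = solve(ch)
    print("nonce found after", nonce + 1, "hashes")
    print(verify(ch, tag, nonce, "+15550100", now=1_005))
    print(verify(ch, tag, nonce, "+15550100", now=1_006))
```

The difficulty is a fixed cost per signup for every device, so a setting that a low-end phone can solve quickly is also cheap for an abuser with rented compute.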

    2. 19

      I’m sympathetic to the author’s arguments, but I recently got a very good piece of advice: life is all about trade-offs. If being able to use non-Google-services phones, or federation or such are requirements for you, that’s fine. But then using Signal is simply not an option for you. There are plenty of people who don’t care about those things (or not as much) as they can keep using Signal. The author will have to use a different service or build their own. As far as I know, Signal has always been clear about their priorities and what they will or will not support. Their decisions may be not what you want, but they haven’t been unethical or deceiving.

      1. 14

        This comment frames it as an individual decision, which I think is problematic. What’s missing is that using Signal pressures others to use it in order to participate in the same discussions, and in this case you make it more difficult for people who have insomnia or eye strain which warrants e-ink screens, or if you’re Chinese.

        1. 6

          Which the author mentioned specifically. “Signal is for everyone”. But you have to have our world view.

    3. 11

      Sometimes I think we were too quick to leave xmpp behind. Something like the conversations app provides easy signup, easy e2ee, video calls, read markers etc, plus it’s federated. Using it isn’t all that different from sending an email.

      I like matrix but I haven’t had many positive experiences using the apps.

      1. 4

        Your argument doesn’t make sense because most of us early adopters left XMPP behind before conversations was good or even available.

        It’s been 10 years, but from the top of my head: Android was in its infancy, apps were bad in general, XMPP clients sucked your battery dry, no/bad push notifications. I don’t 100% remember if you could easily post images or attachments, I think not - it was mostly text chat. Forget about video/audio.

        And that is leaving out the XEP and presence issues other people mentioned.

        Because I hate being vague when I make such accusations, but the conversations website says “Copyright 2014–2021” and the earliest release I can find on Github is from 2017.

        For my personal usage, I happen to have a few sentences I wrote in my end of year blog posts.

        • 2014 - Jabber - moderately often
        • 2015 - Jabber - very seldom, everyone seems to have moved on and I can’t blame them
        • 2016 - Jabber - practically dead this year

        and apparently I shut down my server only in 2019, I would’ve guessed it was sooner.

        So that means me and my peer group (and also one ex-company) used XMPP as the messenger protocol of choice ca 2010-2014. Before that even the desktop clients were terrible (looking at you Psi) or lacking features (was that Trillian?). I think I got my first Android phone in 2009 or ‘10, so that’s probably a good 2-4 years of giving it a try. So yeah, maybe we gave up too soon but I don’t even remember prosody being a thing back then (wikipedia says 2008) but I don’t think most people switched until 2011-13.

      2. 6

        XMPP lived in a world of XEP hell - apps likely didn’t have a mutual set of extensions to use. Conversations is pretty much the only client that hasn’t calcified and people would want to use. And that doesn’t do me much good as an iOS user.

        1. 3

          Yeah but conversations is a good app, and is developed mostly by one person. How hard would it have been to do something comparable on ios, compared to the resources that have gone into developing matrix?

          I like matrix and what it does, but sometimes when my laptop fans are spinning up to open element I wonder if it was all worth it

          1. 1

            There are non-electron native apps for e.g. Linux as well.

        2. 2

          The issue here is looking at a protocol as though it is an implementation. The reason “every client named signal” has the same features is that there is only one per platform and made by the same people. If you want the same experience “on XMPP” you pick an app and all use that. Other people can use other apps, but if they don’t work as well that’s their own fault same as using a 3rd party signal client or bridge might sometimes do funky stuff.

        3. 1

          I run an XMPP server that has about a dozen users. The major issue with XEPs is that people create them and then don’t document them well. Configuration can definitely be difficult to figure out.

          But that’s a server-side issue. Users don’t have to figure that stuff out.

          That being said, I can’t get my wife to use it because the iOS apps just aren’t very good. Conversations and Yaxim on Android are both better than any iOS alternative.

          1. 4

            That being said, I can’t get my wife to use it because the iOS apps just aren’t very good.

            https://monal-im.org/ is being actively developed and has been my go-to recommendation for iOS users, with reasonably good feedback from my server’s users (I don’t use Apple stuff, so I can’t say myself).

    4. 17

      There will always be many responses of “the leopard has not, to date, eaten my face” and “risking a face is well worth it to have a leopard”. Sometimes the answer is simply to decide not to play. Signal will, in the fullness of time, sheepishly admit to a slew of security problems, sharing the complete message stream with various governments, and enact new monetization methods.

      The leopard will always eat your face.

      1. 13

        Is this based on anything or are you just saying you get the wrong “vibe” from Signal? If so, what would you suggest to replace it? Signal has done a better job at bringing secure, encrypted communications to the masses than any other group or app that I’m aware of, and its detractors always seem to have arguments like it feels wrong. And then they typically suggest replacing it with options that either don’t even encrypt basic metadata (like Matrix) or are wildly difficult to use and could never possibly gain mass adoption (like Briar).

        1. 3

          There are parts in the security design of Signal that are lacking (though it also did innovate better security in quite a few parts). Signal also fails on some basic security practices, e.g. https://github.com/signalapp/Signal-Desktop/ does have commits and releases that are not signed. I offered to help them specifically with that on their bug tracker, but nobody from Signal signalled interest nor was it fixed in the years since then. Other suggestions that would IMHO improve security they declined with incorrect technical reasoning. I think there are a few of these arguments that are scientifically accurate and would not clash with their anti-federation stance. But IMHO the leopards would still eat your face even if anti-federation is the only issue.

          https://github.com/simplex-chat/simplex-chat does read like it has massive security design improvements over some parts that Signal is lacking, however I neither reviewed it in detail nor tested it yet. It seems to satisfy your requirements for suggestions, can you confirm?

      2. 4

        Maybe. Signal’s already answered subpoenas in US court (see their writeup here) and they would be in an immense, project-ending amount of legal trouble if it turned out that they were technically able to provide more data, but chose not to reply. I don’t want to accuse you of FUD, but I do want to point out your lack of evidence.

        1. 1

          Technically OP didn’t say decrypted messages nor past message stream, which leaves the stream of still encrypted future messages (and their metadata). If the signal organisation or individual employees are being compelled by a court or otherwise under duress to modify the servers to share this, then no technical mechanism is in place to prevent this. Such a protection mechanism is practical.

          Furthermore getting the cleartext is also possible in a similar way. None of the signal clients are protected against signal being compelled to create an update that exfiltrates the cleartext of old stored or new messages. It could be prevented by the combination of having security reviewers in multiple jurisdictions, using verified reproducible builds, and using an updater fetching from an observed global append only log / binary transparency.

          Is this sufficient evidence for you that it is possible?

          AFAIK Signal has no willingness to accept help to implement either of these protections nor willingness to implement themselves. I’m interested in contrary evidence.

    5. 6

      I’ve gone back and forth on the idea of an e-ink smart phone. This experience is exactly why I’ve never pulled the trigger.

      I long for the sweet spot of the “medium smart” phone. I want an eink display with a decent map, authentication apps, transportation, and email. But that’s niche and specific to me; it’ll never happen. I’ve more or less accepted that I’ll ‘go with the flow’ with consumer tech.

      Either you conform to the norm, or you are too different to have your existence acknowledged.

      That’s just it. In the end of the day, it’s all about balance. Anything out of balance and the ecosystem will fight you. The troubling part is: the balance is continually shifting towards large companies and the private sector.

      1. 7

        Organic Maps, OSMAnd and Magic Earth all work perfectly. Komoot also. Google Maps works without any account or Google Play Service but may sometimes have strange behaviors or freeze in the middle of a travel. The hardest part is that, on some map, water and forests have the exact same grey shade.

        Authy works fine (despite warning for the lack of Google Play Service)

        Protonmail and K-9 mail work perfectly (except for notifications in Protonmail according to some but I’ve disabled them).

        Firefox (or Fennec for me) work perfectly. I recommend testing “Einkbro” as a quick browser.

        Aurora Store/F-Droid/Neo Store work fine

        Signal was working fine for years…

        Bluetooth with Garmin and Wahoo devices work fine.

        What does not work:

        • Strava
        • Banking app
        • Camera (completely crappy, photos are awfully blurry to the point it’s nearly impossible to scan a QR code)

        What doesn’t work well:

        • The Chinese operating system is crap, with a lot of crapware, a lot of untranslated parts and settings and a lot of bugs.
        1. 3

          The Chinese operating system is crap, with a lot of crapware, a lot of untranslated parts and settings and a lot of bugs.

          How do you square this with not wanting to be spied upon? I mean, Google is obviously spying, but there’s been plenty of indications that Chinese software is also spying on people in the West (think the current TikTok debate). This is an honest question, not trying to troll here.

          1. 4

            That’s a perfectly valid question. I know for a fact that some of my data are sent to China. It is a problem but, for now, I accept the tradeoff and rationalize with the following:

            • Better to have fewer data in different silos than a lot of data in one big silo.
            • I’ve disabled every default app that could be and am using the phone with the adguard proxy: data collection should be minimal and could only be done on the OS level. (in fact, unlike a Google phone, I didn’t detect any suspicious data flows but that doesn’t prove anything, of course)
            • Data are not related to any account (such as a google one) and are thus probably harder to use.
            • Data are mainly not collected for commercial reasons but for surveillance reasons. I made the conscious choice to never go to China with that phone.

            But, yes, this is a problem and this is a valid point one should be aware of before using that phone.

            1. 1

              Thanks for your thorough answer! It sucks that we have to make such trade-offs though :(

      2. 2

        I wonder how remarkable will fare with its niche, especially with kindle scribe competing, since they e.g. don’t want to provide a browser. And I understand and support that vision, to a point.

    6. 9

      Any service that claims to be secure / private and requires a phone number to sign up is a lie. The account creation page tells you everything you need to know about their stance on decentralization.

      My personal flow is to use XMPP hosted on my own server (NethServer) with people I really care about, and a burner phone number through jmp.chat for people I need to fall back to SMS to communicate with.

      1. 1

        No offence but I can’t understand why you have to go through so much trouble just to communicate with other people. And do those people use XMPP mainly or just to contact you?

        1. 4

          Is XMPP a lot of trouble though? I set up a prosody server ages ago, just type a command every now and then to update/upgrade. It’s how I communicate with family and friends. Conversations on the phones. Pretty straightforward. I am not exclusive on that and use most of the commercial ways to communicate as well. XMPP feels pretty convenient and works for everyone. I don’t even try to convince people. I just sometimes mention Conversations/XMPP as one of the ways to reach me and if they are curious about it I mention it.

          I tried Matrix ages ago. At least back then it was a huge hassle and didn’t work properly. And I wasn’t even self-hosting.

          XMPP/prosody you set up once and as mentioned just type in your update command every once in a while. Works fine. As do the commercial messengers. At least all but Slack which frequently does weird stuff regarding notifications, doing them late, not at all, alerting me, when I already read it, sometimes multiple times. And other weird things, while being a slow resource hog at times.

          I used to be a fan of Signal, back when it was TextSecure and basically opportunistic encryption of text messages (SMS). Sadly now they turn off this very feature and together with some other decisions they made that I don’t like I think I am going to stop using it.

        2. 1

          I was already running NethServer to host my own nextcloud, e-mails, etc., because privacy is important to me. It was trivial to add on XMPP (with SSO) to let me have a fully-featured chat application and be able to SMS from any device. It’s a lot like what Google Talk was before they killed it.

          The people using XMPP are mostly within my family group. The people who choose to do it are the same people who would create an account on whatever walled garden I chose in order to keep in touch with us and see pictures of our kids. The people who choose not to are the people who don’t remember my birthday unless [social media platform] tells them about it. It’s a win-win.

    7. 5

      I looked a bit more and found a rather technical note that Signal deliberately wants to use Google Services.

      1. 1

        Google Play Services provides push notification functionality to applications (among other things). If you want reliable push notifications, your app has to use google services.

        For devices that don’t provide play services (GrapheneOS, custom OSes, these Chinese phones, maybe amazon phones), Signal uses a constant notification so it can run in the background, and even then notifications aren’t as reliable.

        1. 1

          and how’s this related to the fact that you cannot verify your number on a MicroG system? Moreover, I am willing to sacrifice the push notification functionality over an environment that pushes Google down my throat.

          For what it’s worth, Signal works absolutely OK on my older phone which has no Google Play services either, because it was activated 2 years ago. It just won’t let me activate on my new setup anymore.

      2. 1

        It’s been a while since I’ve looked at the Android API, but I think that this is related to Signal’s ability to act as an SMS application on Android. The code is deliberately handling a Google-provided intent, but in this case, SMS functionality is part of Android’s core and can’t be accessed any other way.

        Now I wonder if this is related to Signal’s recent decision to drop SMS application support on Android!

    8. 4

      Of course I did try to solve the captcha. But, after each try, I was sent back to the “enter your phone number” step, followed by “no Google services warning” then… “too many attempts for this number, please wait for four hours before retrying”.

      This is probably the ugly part, if you actually hit that “bug” in the DDoS / Login flow which locks you out. Especially when you need HN to even voice that bug. But other than that it’s very valid for signal to combat spam with captchas - it’s not like captchas are free anymore, even google wants money now.

      It’s a sad fact that if you truly want to be free of Google or Apple, then you’ve probably chosen the hardest path in this society. It’s like being illiterate.

      The blogpost / inclusion rant feels like an irrelevant tantrum. Just naming the fact that they want to be inclusive, so they might want to look into that issue, would have been enough. And probably given a better story.

      E-Ink Display for a Smartphone, that actually sounds incredible (if you don’t need videos or such), especially for not using it all the time (except reading..). I may have to look into that.

    9. 4

      Hopefully matrix will never end up in this state

      1. 15

        Matrix is built with federation in mind, while Signal specifically rejected all requests to look into it.

        This means that all Matrix clients should be able to defederate from a matrix.org server that starts any funky business, simply by going elsewhere, while Signal’s servers don’t even allow unofficial builds of the open source client.

        1. 1

          Yes, I know. Until someone decides something like 99% of all users want spam filtering / moderation based on centralization or something similar

        2. 1

          I hope the 2.0 rewrite promises are true. As it stands, it seems like a lot of folks that set up Matrix servers took them down for costing too much which leads to the results of de facto centralization around Matrix.org and how all of the metadata ends up going through them.

    10. 6

      Thank you so much for writing this. beautiful post.

    11. 3

      Curious why you need to use the mobile app for your bank? Is this just how it is in the EU? No banking in a web browser?

      1. 8

        app-based second factors are fairly common, yes

        1. 1

          “Yes”??!

          It’s not the only option though, right?

          1. 1

            Normally it isn’t; at least for me there are also options like the security key (which costs an additional fee).

          2. 1

            in that “not all banks require them, so if your phone preference is more important to you you can switch banks”, yes, it is not the only option.

          3. 1

            Just as a data point it’s almost the only option for my UK bank. There is online banking in a web browser, and it doesn’t need a phone if you have one of those card reader second factor things. But as well as having much more annoying authentication procedures, it’s also just missing certain features. Banks here compete to have good apps, believe it or not, but there doesn’t seem to be any pressure on them to have good web-based banking, and I don’t think mine has made any material improvements to their web thing since banking apps became a thing.

      2. 2

        Some newer banks only offer mobile app interfaces. It’s not the norm in my experience.

        1. 1

          And even the traditional banks lean towards mobile apps. Lots of people primarily use phones for computing anyway, so how are you gonna offer them your new credit card if they only ever see you through an ATM?

          1. 1

            But the question is whether there’s any alternative to that. If you look specifically for banks that have online banking via the web, I wonder if there really aren’t any viable options in OP’s country.

      3. 1

        There is a European Guideline called PSD2 which aimed to liberalise the payment market, forcing banks to provide APIs for their services, but also having companies using those APIs regulated.

        Part of the directive are also requirements towards “strong user authentication” and many banks choose to provide the second factor required as part of that through their own apps. SMS authentication is not secure enough as a second factor.

        1. 1

          SMS is a second factor, your password being the first. Are you saying SMS doesn’t fulfill the PSD2 requirements for 2FA?

          1. 1

            Are you saying SMS doesn’t fulfill the PSD2 requirements for 2FA?

            Exactly, SMS is not considered a secure channel for the purposes of the PSD2.

            The SS7 protocol has been severely insecure for quite some time. In fact, NIST originally proposed deprecating SMS 2FA for their original authentication guidelines in publication 800-63-3. The only reason they backpedaled is arguably heavy lobbying by telecoms.

            1. 1

              And the only reason they would have deprecated it would have been heavy lobbying by software companies, no?

      4. 1

        My bank (in the Netherlands) at least still offers regular web access. They use a smart “reader” device in which you stick your bank card and scan the challenge on the screen. The current version of this device has a colour camera and display, and AFAIK they’re giving them away for free (or at least, I don’t remember paying for mine, and I have two of them).

        I imagine that’s rather expensive to maintain though, and they do offer using an app instead of the reader to log in to the website (yeah that’s a bit awkward, they also allow you to just use the app directly without website). So I hope I won’t get excluded in the future by these choices (as I opt not to have a device in my pocket that spies on me 24/7).

    12. 3

      I really looked into that Hisense A5 phone but it seems to have a lot of usability issues on the software side even if the hardware looked perfect for me. Hindsight shows it would have been the pain I envisioned which is a let-down.

      Molly, a Signal fork, can support UnifiedPush @ this open merge request which can help with the battery drain and other annoyances due to Signal better supporting Play services.

      What gets under my skin along with the SIM card requirement is the requirement of an Android/iOS primary device. This messes with user freedom as they can’t experiment with Linux or Capyloon phones, go dumb phone with KaiOS. I suppose you could get a cheap, second-hand Android phone to be your Signal home base, but honestly that’s stupid and wasteful–and I empathize with the author needing to keep that drawer Android. I helped push my family off of SMS and Messenger to Signal, but it seems that’s going to make it difficult for me to leave the duopoly yet stay connected.

      It’s time to bring back XMPP as it’s old, stable, secure/convenient with OMEMO or PGP, and had decentralization since forever. There has been a lot of great modernization XEPs–some clients even built by Lobsters folks.