I use Signal (also mentioned, strangely not in the title) most of the time. It’s not too bad, though having to open Chrome to use a desktop client basically means that I don’t use the desktop client.
I do think it would be nice to have a means of identification that is not a mobile number, maybe make that optional.
Agreed. I think this is getting out of control. Am I the only one wondering why it is that in the wake of all the Snowden revelations, all the big ones (FB, Google, WhatsApp, Yahoo(/Flickr), I guess Twitter too, and any of the chat stuff like this and e.g. Wire, etc, etc) are now all pushing really hard to get your phone number? Like, doesn’t giving them that mean you’re neatly and voluntarily tying together all your online activity with your phone metadata and geo data and, y'know, everything? Making the ‘signals’ stuff even easier for whatever agency’s programmes they’re enrolled in, and providing a completely transparent token to connect people across platforms that they don’t even need to spring in there? But, of course, we’ve got nothing to hide, so I guess it’s all fine.
They do it to ease adoption and favor growth. For most users, it’s easier to use the phone number as an identifier, instead of having to create another account. But of course that’s a big tradeoff.
Still, this could be optional.
Perhaps automatically go for using a mobile number, with an option underneath to use a generated “phone number”, obviously done so it does not collide with any real ones. Of course you could also use email or something else like that, just options would be nice.
Though I do certainly see (and agree with) your point on ease of adoption, I just tend to find it a little hypocritical how some are all for privacy, yet ask for my mobile number.
Yes, it would be great to have this option. But I’m not sure this is enough to guarantee anonymity. All communication between WhatsApp clients and WhatsApp servers is layered on an encrypted channel, which makes metadata invisible to an unauthorised observer. An attacker wanting to collect metadata has to compromise the transport layer encryption, or compromise WhatsApp servers. If an attacker gets in, and I don’t use something like Tor, then it’s easy to reconcile my WhatsApp “ID” (for example a random ID) with my IP address. I’d argue that replacing phone numbers with a random ID is useful if and only if you use an anonymity network like Tor, which most users don’t do. Am I missing something?
I don’t think it has to guarantee anonymity. I like having e2e encrypted chat on mobile, I think it’s a great idea. I also have a lot of people I’d like to talk to online who I don’t necessarily want to hand out my mobile number to. A random ID on the other hand, completely fine.
Plus, as @igorclark said, it’d tie everything together. A lot of services seem to want my number as of recently, and it’s much harder to get multiple of those than it is emails. Linking my accounts together with this would be a great deal easier than it would be with simply an email address. While they may be storing this securely, there is no guarantee that it won’t “get out” by some human error or breach. The more services that want my number, the higher the probability of this occurring.
Regardless of that, I’m a little uncomfortable about handing personal information like that to WhatsApp. They’re owned by FB, and FB make money from personal details.
All communication between WhatsApp clients and WhatsApp servers is layered on an encrypted channel, which makes metadata invisible to an unauthorised observer.
Interested in this - everything I’ve read about the WhatsApp encryption carefully says only that it encrypts content. Which would make sense, as I can see how a large part of FB’s interest in buying WA would have been for the connection-graph metadata, and thus that they probably wouldn’t exactly be down with rendering it unreadable. (Not to mention any agency they have to give access to probably blocking any move like that.) But that’s obviously all total conjecture. Do you have any references about metadata being encrypted too? Would love to have a read.
To be clear, metadata are visible to WhatsApp servers (they need them to route messages), but are hidden from outside observers because communication is encrypted between clients and servers. In other words, metadata are encrypted while in transit, but are not encrypted while being in the servers.
More info here: https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf
Right, exactly, the metadata has to be accessible to be able to be routed, so 3rd parties would just need FB/WA’s cooperation to access it.
I think Signal is implied now that whatsapp has moved to using the “Signal protocol”.
Another Signal user here. Love using it, but the only thing I’d like to have added, is the ‘send audio recording’ feature of WhatsApp. Because it sure beats typing!
I believe it already has that! On Android at least, if I go to attach a file I have the option for audio.
Well, kind of. What I meant is a ‘record and send voice message’ feature. The option you mention sends a file, so that needs to be recorded first. A bit too tedious for something like cheering “Hamburgers!” when I’m asked what I’d like for dinner.
Ahhh right, I see. That would indeed be useful.
If you want it that badly, it is open source, you could always add it ;)
WhatsApp does not have any desktop/laptop application. only iOS or
There is a web version at https://web.whatsapp.com/, but like Signal, it needs your phone.
To me, the major difference between Signal desktop and WhatsApp Web is that you only use your phone on Signal to verify your number, then you can use it independently from your phone, and messages are then synced to your phone upon connecting.
WhatsApp Web, unfortunately, doesn’t do that. It just links to your phone to send messages through it, which means you have to keep your phone on at all times for WhatsApp Web to work.
Agreed. It’s a big advantage of Signal over WhatsApp.
Comparison using unweighted list of pros and cons? No thanks.
How would you add weights specifically?
I think it’s a poor way to organize a comparison, so I probably wouldn’t. Barring that, I’d make some effort to identify a threat model and then evaluate whether each point breaks security in that scenario or not. Sorry, I don’t want to make my own score sheet, but I know I would not apply identical weight to “mostly open source” and “uses curve25519”.
I mean, I use both telegram and whatsapp and I have to say I prefer whatsapp.
I really don’t understand why telegram doesn’t use encryption by default. That’s a bit silly.
It does, just not end-to-end.