1. 60
  1.  

  2. 65

    This blogpost is a good example of fragmented, hobbyist security maximalism (sprinkled with some personal grudges based on the tone).

    Expecting Signal to protect anyone specifically targeted by a nation-state is a huge misunderstanding of the threat models involved.

    Talking about threat models, it’s important to start from them and that explains most of the misconceptions in the post.

    • Usable security for the most people possible. The vast majority people on the planet use iOS and Android phones, so while it is theoretically true that Google or Apple could be forced to subvert their OSs, it’s outside the threat model and something like that would be highly visible, a nuclear option so to speak.
    • Alternative distribution mechanisms are not used by 99%+ of the existing phone userbases, providing an APK is indeed correctly viewed as harm reduction.
    • Centralization is a feature. Moxie created a protocol and a service used by billions and millions of people respectively that provides real, measureable security for a lot of people. The fact is that doing all this in a decentralized way is something we don’t yet know how to do or doing invites tradeoffs that we shouldn’t make. Federation atm either leads to insecurity or leads to the ossification of the ecosystem, which in turn leads to a useless system for real users. We’ve had IRC from the 1990s, ever wonder why Slack ever became a thing? Ossification of a decentralized protocol. Ever wonder why openpgp isn’t more widespread? Noone cares about security in a system where usability is low and design is fragile. Ever tried to do key rotation in gpg? Even cryptographers gave up on that. Signal has that built into the protocol.

    Were tradeoffs made? Yes. Have they been carefully considered? Yes. Signal isn’t perfect, but it’s usable, high-level security for a lot of people. I don’t say I fully trust Signal, but I trust everything else less. Turns out things are complicated when it’s about real systems and not fantasy escapism and wishes.

    1. 34

      Expecting Signal to protect anyone specifically targeted by a nation-state is a huge misunderstanding of the threat models involved.

      In this article, resistance to governments constantly comes up as a theme of his work. He also pushed for his tech to be used to help resist police states like with the Arab Spring example. Although he mainly increased the baseline, the tool has been pushed for resisting governments and articles like that could increase perception that it was secure against governments.

      This nation-state angle didn’t come out of thin air from paranoid, security people: it’s the kind of thing Moxie talks about. In one talk, he even started with a picture of two, activist friends jailed in Iran in part to show the evils that motivate him. Stuff like that only made the stuff Drew complains about on centralization, control, and dependence on cooperating with surveillance organization stand out even more due to the inconsistency. I’d have thought he’d make signed packages for things like F-Droid sooner if he’s so worried about that stuff.

      1. 5

        A problem with the “nation-state” rhetoric that might be useful to dispel is the idea that it is somehow a God-tier where suddenly all other rules becomes defunct. The five-eyes are indeed “nation state” and has capabilities that are profound; like the DJB talk speculating about how many RSA-1024 keys that they’d likely be able to factor in a year given such and such developments and what you can do with that capability. That’s scary stuff. On the other hand, this is not the “nation state” that is Iceland or Syria. Just looking at the leaks from the “Hacking Team” thing, there are a lot of “nation states” forced to rely on some really low quality stuff.

        I think Greg Conti in his “On Cyber” setup depicts it rather well (sorry, don’t have a copy of the section in question) and that a more reasonable threat model of capable actors you do need to care about is that of Organized Crime Syndicates - which seems more approachable. Nation State is something you are afraid of if you are political actor or in conflict with your government, where the “we can also waterboard you to compliance” factors into your threat model, Organized Crime hits much more broadly. That’s Ivan with his botnet from internet facing XBMC^H Kodi installations.

        I’d say the “Hobbyist, Fragmented Maximalist” line is pretty spot on - with a dash of “Confused”. The ‘threats’ of Google Play Store (test it, write some malware and see how long it survives - they are doing things there …) - the odds of any other app store; Fdroid, the ones from Samsung, HTC, Sony et al. - being completely owned by much less capable actors is way, way higher. Signal (perhaps a Signal-To-Threat ratio?) perform an good enough job in making reasonable threat actors much less potent. Perhaps not worthy of “trust”, but worthy of day to day business.

      2. 18

        Expecting Signal to protect anyone specifically targeted by a nation-state is a huge misunderstanding of the threat models involved.

        And yet, Signal is advertising with the face of Snowden and Laura Poitras, and quotes from them recommending it.

        What kind of impression of the threat models involved do you think does this create?

        1. 5

          Who should be the faces recommending signal that people will recognize and listen to?

          1. 7

            Whichever ones are normally on the media for information security saying the least amount of bullshit. We can start with Schneier given he already does a lot of interviews and writes books laypeople buy.

            1. 3

              What does Schneier say about signal?

              1. 10

                He encourages use of stuff like that to increase baseline but not for stopping nation states. He adds also constantly blogged about the attacks and legal methods they used to bypass technical measures. So, his reporting was mostly accurate.

                We counterpoint him here or there but his incentives and reo are tied to delivering accurate info. Moxie’s incentives would, if he’s selfish, lead to locked-in to questionable platforms.

        2. 18

          We’ve had IRC from the 1990s, ever wonder why Slack ever became a thing? Ossification of a decentralized protocol.

          I’m sorry, but this is plain incorrect. There are many expansions on IRC that have happened, including the most recent effort, IRCv3: a collectoin of extensions to IRC to add notifications, etc. Not to mention the killer point: “All of the IRCv3 extensions are backwards-compatible with older IRC clients, and older IRC servers.”

          If you actually look at the protocols? Slack is a clear case of Not Invented Here syndrome. Slack’s interface is not only slower, but does some downright crazy things (Such as transliterating a subset of emojis to plain-text – which results in batshit crazy edge-cases).

          If you have a free month, try writing a slack client. Enlightenment will follow :P

          1. 9

            I’m sorry, but this is plain incorrect. There are many expansions on IRC that have happened, including the most recent effort, IRCv3: a collectoin of extensions to IRC to add notifications, etc. Not to mention the killer point: “All of the IRCv3 extensions are backwards-compatible with older IRC clients, and older IRC servers.”

            Per IRCv3 people I’ve talked to, IRCv3 blew up massively on the runway, and will never take off due to infighting.

            1. 12

              And yet everyone is using Slack.

              1. 14

                There are swathes of people still using Windows XP.

                The primary complaint of people who use Electron-based programs is that they take up half a gigabyte of RAM to idle, and yet they are in common usage.

                The fact that people are using something tells you nothing about how Good that thing is.

                At the end of the day, if you slap a pretty interface on something, of course it’s going to sell. Then you add in that sweet, sweet Enterprise Support, and the Hip and Cool factors of using Something New, and most people will be fooled into using it.

                At the end of the day, Slack works just well enough Not To Suck, is Hip and Cool, and has persistent history (Something that the IRCv3 group are working on: https://ircv3.net/specs/extensions/batch/chathistory-3.3.html)

                1. 9

                  At the end of the day, Slack works just well enough Not To Suck, is Hip and Cool, and has persistent history (Something that the IRCv3 group are working on […])

                  The time for the IRC group to be working on a solution to persistent history was a decade ago. It strikes me as willful ignorance to disregard the success of Slack et al over open alternatives as mere fashion in the face of many meaningful functionality differences. For business use-cases, Slack is a better product than IRC full-stop. That’s not to say it’s perfect or that I think it’s better than IRC on all axes.

                  To the extent that Slack did succeed because it was hip and cool, why is that a negative? Why can’t IRC be hip and cool? But imagine being a UX designer and wanting to help make some native open-source IRC client fun and easy to use for a novice. “Sisyphean” is the word that comes to mind.

                  If we want open solutions to succeed we have to start thinking of them as products for non-savvy end users and start being honest about the cases where closed products have superior usability.

                  1. 5

                    IRC isn’t hip and cool because people can’t make money off of it. Technologies don’t get investment because they are good, they get good because of investment. The reason that Slack is hip/cool and popular and not IRC is because the investment class decided that.

                    It also shows that our industry is just a pop culture and can give a shit about good tech .

                    1. 4

                      There were companies making money off chat and IRC. They just didn’t create something like Slack. We can’t just blame the investors when they were backing companies making chat solutions whose management stayed on what didn’t work in long-term or for huge audience.

                      1. 2

                        IRC happened before the privatization of the internet. So the standard didn’t lend itself well for companies to make good money off of it. Things like slack are designed for investor optimization, vs things like IRC being designed for use and openness.

                        1. 2

                          My point was there were companies selling chat software, including IRC clients. None pulled off what Slack did. Even those doing IRC with money or making money off it didn’t accomplish what Slack did for some reason. It would help to understand why that happened. Then, the IRC-based alternative can try to address that from features to business model. I don’t see anything like that when most people that like FOSS talk Slack alternatives. Then, they’re not Slack alternatives if lacking what Slack customers demand.

                          1. 1

                            Thanks for clarifying. My point can be restated as… There is no business model for federated and decentralized software (until recently , see cryptocurrencies). Note most open and decentralized tech of the past was government funded and therefore didn’t face business pressures. This freed designets to optimise other concerns instead of business onrs like slack does.

                    2. 4

                      To the extent that Slack did succeed because it was hip and cool, why is that a negative? Why can’t IRC be hip and cool?

                      The argument being made is that the vast majority of Slack’s appeal is the “hip-and-cool” factor, not any meaningful additions to functionality.

                      1. 6

                        Right, as I said I think it’s important for proponents of open tech to look at successful products like Slack and try to understand why they succeeded. If you really think there is no meaningful difference then I think you’re totally disconnected from the needs/context of the average organization or computer user.

                        1. 3

                          That’s all well and good, I just don’t see why we can’t build those systems on top of existing open protocols like IRC. I mean: of course I understand, it’s about the money. My opinion is that it doesn’t make much sense to insist that opaque, closed ecosystems are the way to go. We can have the “hip-and-cool” factor, and all the amenities provided by services like Slack, without abandoning the important precedent we’ve set for ourselves with protocols like IRC and XMPP. I’m just disappointed that everyone’s seeing this as an “either-or” situation.

                          1. 2

                            I definitely don’t see it as an either-or situation, I just think that the open source community typically has the wrong mindset for competing with closed products and that most projects are unapproachable by UX or design-minded people.

                    3. 3

                      Open, standard chat tech has had persistent history and much more for decades in the form of XMPP. Comparing to the older IRC on features isn’t really fair.

                      1. 2

                        The fact that people are using something tells you nothing about how Good that thing is.

                        I have to disagree here. It shows that it is good enough to solve a problem for them.

                        1. 1

                          I don’t see how Good and “good enough to solve a problem” are related here. The first is a metric of quality, the second is the literal bare minimum of that metric.

                  2. 1

                    Alternative distribution mechanisms are not used by 99%+ of the existing phone userbases, providing an APK is indeed correctly viewed as harm reduction.

                    I’d dispute that. People who become interested in Signal seem much more prone to be using F-Droid than, say, WhatsApp users. Signal tries to be an app accessible to the common person, but few people really use it or see the need… and often they are free software enthusiasts or people who are fed up with Google and surveillance.

                    1. 1

                      More likely sure, but that doesn’t mean that many of them reach the threshold of effort that they do.

                    2. 0

                      Ossification of a decentralized protocol.

                      IRC isn’t decentralised… it’s not even federated

                      1. 3

                        Sure it is, it’s just that there are multiple federations.

                    3. 17

                      A while ago, discussing with LibreSignal developers, Moxie wrote:

                      I understand that federation and defined protocols that third parties can develop clients for are great and important ideas, but unfortunately they no longer have a place in the modern world.

                      That pretty much sets the tone for the future of Signal, and how it will be distributed. Can we all agree to disagree (or not), and move on? There are alternatives based on federated servers, or completely decentralized. Let’s push for these instead of shaming Signal.

                      1. 13

                        I think I understand where the author’s coming from, but I think some of his concerns are probably a bit misplaced. For example, unless you’ve stripped all the Google off your Android phone (which some people can do), Google can muck with whatever on your phone regardless of how you install Signal. In all other cases, I completely get why Moxie would rather insist you install Signal via a mechanism that ensures updates are efficiently and quickly delivered. While he’s got a point on centralized trust (though a note on that in a second), swapping out Google Play for F-Droid doesn’t help there; you’ve simply switched who you trust. And in all cases of installation, you’re trusting Signal at some point. (Or whatever other encryption software you opt to use, for that matter—even if its something built pretty directly on top of libsodium at the end of the day.)

                        That all gets back to centralized trust. Unless the author is reading through all the code they’re compiling, they’re trusting some centralized sources—likely whoever built their Android variant and the people who run the F-Droid repositories, at a bare minimum. In that context, I think that trusting Google not to want to muck with Signal is probably honestly a safe bet for most users. Yes, Google could replace your copy of Signal with a nefarious version for their own purposes, but that’d be amazingly dumb: it’d be quickly detected and cause irreparable harm to trust in Google from both users and developers. Chances are honestly higher that you’ll be hacked by some random other app you put on your phone than that Google will opt to go after Signal on their end. Moxie’s point is that you’re better off trusting Signal and Google than some random APK you find on the Internet. And for the overwhelming majority of users, I think he’s entirely correct.

                        When I think about something like Signal, I usually focus on, who am I attempting to protect myself from? Maybe a skilled user with GPG is more secure than Signal (although that’s arguable; we’ve had quite a few CVEs this year, such as this one), but normal users struggle to get such a setup meaningfully secure. And if you’re just trying to defend against casual snooping and overexcited law enforcement, you’re honestly really well protected out-of-the-box by what Signal does today—and, as Mickens has noted, you’re not going to successfully protect yourself from a motivated nation-state otherwise.

                        1. 20

                          and cause irreparable harm to trust in Google from both users and developers

                          You have good points except this common refrain we should all stop saying. These big companies were caught pulling all kinds of stuff on their users. They usually keep their market share and riches. Google was no different. If this was detected, they’d issue an apologetic press release saying either it was a mistake in their complex, distribution system or that the feature was for police with a warrant with it used accordingly or mistakenly. The situation shifts from everyone ditch evil Google to more complicated one most users won’t take decisive action on. Many wouldn’t even want to think to hard into it or otherwise assume mass spying at government or Google level is going on. It’s something they tolerate.

                          1. 11

                            I think that trusting Google not to want to muck with Signal is probably honestly a safe bet for most users.

                            The problem is that moxie could put things in the app if enough rubberhose (or money, or whatever) is applied. I don’t know why this point is frequently overlooked. These things are so complex that nobody could verify that the app in the store isn’t doing anything fishy. There are enough side-channels. Please stop trusting moxie, not because he has done something wrong, but because it is the right thing to do in this case.

                            Another problem: signals servers could be compromised, leaking the communication metadata of everone. That could be fixed with federation, but many people seem to be against federation here, for spurious reasons. That federation & encryption work together is shown by matrix for example. I give that it is rough on the edges, but at least they try, and for now it looks promising.

                            Finally (imho): good crypto is hard, as the math behind it has hard constraints. Sure, the user interfaces could be better in most cases, but some things can’t be changed without weakening the crypto.

                            1. 2

                              many people seem to be against federation here, for spurious reasons

                              Federation seems like a fast path to ossification. It is much harder to change things without disrupting people if there are tons of random servers and clients out there.

                              Also, remember how great federation worked out for xmpp/jabber when google embraced and then extinguished it? I sure do.

                              1. 2

                                Federation seems like a fast path to ossification.

                                I have been thinking about this. There are certainly many protocols that are unchangeable at this point but I don’t think it has to be this way.

                                Web standards like HTML/CSS/JS and HTTP are still constantly improving despite having thousands of implementations and different programs using them.

                                From what I can see, the key to stopping ossification of a protocol is to have a single authority and source of truth for the protocol. They have to be dedicated to making changes to the protocol and they have to change often.

                                1. 2

                                  I think your HTTP example is a good one. I would also add SSL/TLS to that, as another potential useful example to analyze. Both (at some point) had concepts of versioning built into them, which has allowed the implementation to change over time, and cut off the “long tail” non-adopters. You may be on to something with your “single authority” concept too, as both also had (for the most part) relatively centralized committees responsible for their specification.

                                  I think html/css/js are /perhaps/ a bit of a different case, because they are more documentation formats, and less “living” communication protocols. The fat clients for these have tended to grow in complexity over time, accreting support for nearly all versions. There are also lots of “frozen” documents that people still may want to view, but which are not going to be updated (archival pages, etc). These have also had a bit more of a “de facto” specification, as companies with dominant browser positions have added their own features (iframe, XMLHttpRequest, etc) which were later taken up by others.

                                2. 1

                                  Federation seems like a fast path to ossification. It is much harder to change things without disrupting people if there are tons of random servers and clients out there. Also, remember how great federation worked out for xmpp/jabber when google embraced and then extinguished it? I sure do.

                                  It may seem so, but that doesn’t mean it will happen. It has happened with xmpp, but xmpp had other problems, too:

                                  • Not good for mobile use (some years back when messenger apps went big, but mobile connections were bad)
                                  • A “kind-of-XML”, which was hard to parse (I may be wrong here)
                                  • Reinventing of the wheel, I’m not sure how many crypto standards there are for xmpp

                                  Matrix does some things better:

                                  • Reference server and clients for multiple platforms (electron/web, but at least there is a client for many platforms)
                                  • Reference crypto library in C (so bindings are easier and no one tries to re-implement it)
                                  • Relatively simple client protocol (less prone to implementation errors than the streams of xmpp, imho)

                                  The google problem you described isn’t inherent to federation. It’s more of a people problem: Too many people being too lazy to setup their own instances, just using googles, forming essentially an centralized network again.

                              2. 10

                                Maybe a skilled user with GPG is more secure than Signal

                                Only if that skilled user contacts solely with other skilled users. It’s common for people to plaintext reply quoting the whole encrypted message…

                                1. 3

                                  And in all cases of installation, you’re trusting Signal at some point.

                                  Read: F-Droid is for open-source software. No trust necessary. Though to be fair, even then the point on centralization still stands.

                                  Yes, Google could replace your copy of Signal with a nefarious version for their own purposes, but that’d be amazingly dumb: it’d be quickly detected and cause irreparable harm to trust in Google from both users and developers.

                                  What makes you certain it would be detected so quickly?

                                  1. 5

                                    “Read: F-Droid is for open-source software. No trust necessary”

                                    That’s non-sense. FOSS can conceal backdoors if nobody is reviewing it. Often the case. Bug hunters also find piles of vulnerabilities in FOSS just like proprietary. People who vet stuff they use have limits on skill, tools, and time that might make them miss vulnerabilities. Therefore, you absolutely have to trust the people and/or their software even if it’s FOSS.

                                    The field of high-assurance security was created partly to address being able to certify (trust) systems written by your worst enemy. They achieved many pieces of that goal but new problems still show up. Almost no FOSS is built that way. So, it sure as hell cant be trusted if you dont trust those making it. Same with proprietary.

                                    1. 3

                                      It’s not nonsense, it’s just not an assurance. Nothing is. Open source, decentralization, and federation are the best we can get. However, I sense you think we can do better, and I’m curious as to what ideas you might have.

                                      1. 4

                                        There’s definitely a better method. I wrote it up with roryokane being nice enough to make a better-formatted copy here. Spoiler: none of that shit matters unless the stuff is thoroughly reviewed and proof sent to you by skilled people you can trust. Even if you do that stuff, the core of its security and trustworthiness will still fall on who reviewed it, how, how much, and if they can prove it to you. It comes down to trusting a review process by people you have to trust.

                                        In a separate document, I described some specifics that were in high-assurance security certifications. They’d be in a future review process since all of them caught or prevented errors, often different ones. Far as assurance techniques, I summarized decades worth of them here. They were empirically proven to work addressing all kinds of problems.

                                    2. 2

                                      even then the point on centralization still stands.

                                      fdroid actually lets you add custom repo sources.

                                      1. 1

                                        The argument in favour of F-Droid was twofold, and covered the point about “centralisation.” The author suggested Signal run an F-Droid repo themselves.

                                    3. 11

                                      I use Signal, and you’d have to conclude thereby that I trust it to some extent. But I do get the feeling, over the years, that Moxie has made some really bad trade-offs in order to get Signal more widely used. I don’t think any of these trade-offs are as indefensible as Drew does, but they’re not good.

                                      Requiring a phone number makes it easy for people to adopt Signal, because they can just use it as a drop-in replacement for their SMS app (which is important in the US, and also explains the crap features like gif search and half-assed stickers). But it also breaks the threat model where you don’t want to share your phone number – not a concern when you are worried about nation-state security forces, but a real issue for sex workers, social workers and therapists, people wanting to avoid harassment from exes, etc. I have definitely had friends who didn’t want to use Signal because they were unwilling to have something potentially leak their phone number. It also requires you to trust the app more, since it has to be able to access your phonebook.

                                      I think the Play Store Only and No Federation trade-offs are similar. They probably do, actually, do more good than harm, only because there are more people in the categories who are benefited by them than in the categories harmed by them. But I think Moxie does overstate his case for them, unfairly dismisses the arguments against them, and underestimates the bad press that they generate.

                                      (My personal messenger preference is Conversations, which uses XMPP+OMEMO, an adaptation of the Signal protocol to XMPP. But I recognize the difficulties of getting people to use it.)

                                      1. 4

                                        If you think of signal as a more secure replacement for text messaging, then the use of a phone number seems very sane. If you look at it as a replacement for xmpp/whatsapp/etc, then not so much.

                                        My guess is that Signal was aiming for the former as a primary use-case.

                                      2. 9

                                        because it forces you to use a phone number, the author works for facebook and recommends against GPG, and they did not want people to use the F-droid free appstore and they are against federating with people hosting their own server

                                        1. 8

                                          Who works for Facebook? Not Moxie, as far as I know.

                                          1. 5

                                            moxie used to work for twitter, but no longer.

                                          2. 2

                                            whole lot of assertions without really anything to back them up. like calling google play services a rootkit, and claiming it’s easy to run a f-droid repository (i don’t know if it is or isn’t, but at least prove it is without continually saying “fact”).

                                            1. 8

                                              I agree about the “lot of assertions” point, but how would you go a prove it is easy to run your own F-Droid repository? Would a link to F-Droid’s Installing the Server and Repo Tools be enough?

                                              1. 2

                                                Yes.

                                                1. 2

                                                  that sounds like something someone could look up on their own if they were curious

                                                  1. 2

                                                    Yes, but if you’re going to make an assertion like that you should still back it up, even if it’s just a simple documentation link.

                                                    1. 1

                                                      factual claims are good to back up with sources, but a fuzzy claim like “it’s not a lot of work” doesn’t really lend itself to that IMO

                                            2. 1

                                              The user has to manually verify the checksum, and figure out how to do it on a phone, no less. A checksum isn’t a signature, by the way - if your government- or workplace- or abusive-spouse-installed certificate authority gets in the way they can replace the APK and its checksum with whatever they want. The app has to update itself, using a similarly insecure mechanism.

                                              I don’t think that’s how app updates work on Android??

                                              I’m pretty sure it’s TOFU. CAs are not involved. You install an APK from somewhere, Android remembers the key that signed it. You get an APK that updates an app you already have, Android checks if it’s signed by the same key.

                                              1. 3

                                                Author here. I was referring to the process of downloading the APK from Moxie’s website. He provides an APK download and a SHA over HTTPs. Once you have the APK there’s no signatures involved afaik.

                                                1. 5

                                                  Oh, CA for the initial HTTPS download. Well, if you go to that level of paranoia, the same could be used to modify your initial download of the F-Droid client :)

                                                  Once you have the APK there’s no signatures involved

                                                  If the APK was signed, a signature from the same key will be required for an update.

                                                  You can easily see this when switching between F-Droid and PlayStore||site-download versions of the same app. (The official F-Droid repo signs APKs with the F-Droid key, while the app developer signs with their own key.) Trying to e.g. update a Play Store app from F-Droid will result in an error message.

                                                  1. 2

                                                    Thanks for the clarification, much appreciated.