Signal is incrementally better than the incumbents on the technology side. We do a better job encrypting message contents than most and I think we do a much better job staying ignorant about message metadata (e.g. who you’re talking to) than our competitors. I’m proud of the work my colleagues have done and I do think we have some significant differentiators, but Signal’s architecture is similar to WhatsApp’s.
The bigger shift, I think, is not technical. People know that corporations don’t always have users’ best interests in mind; Facebook is emblematic of this problem. In my view, shifting from a for-profit app to a nonprofit one is as significant as switching from a centralized platform to a federated one, if not more significant.
That’s not to say Signal gets a pass; we are far from perfect. But I think we’re a baby step towards the ideal.
I spend a lot of time on Mastodon and the cries for a better federated/decentralized system are loud there. I, too, would love to see messaging get there in the mainstream. Maybe it’s Matrix, maybe it’s Berty, maybe it’s Briar, who knows. But I see Signal as an important step to get there.
This isn’t an official response from Signal, just my opinion!!
Thanks for the input here! I think these are reasonable ways to view things even if I periodically express frustration at the ways Signal falls short of (or operates on a philosophy that contradicts) my personal ideal. I derive a tremendous amount of value from it even if I’m uncomfortable with, say, the stances laid out in “The ecosystem is moving”, and I’m grateful for the utility provided in a very hard space to work in.
The bigger shift, I think, is not technical. People know that corporations don’t always have users’ best interests in mind; Facebook is emblematic of this problem. In my view, shifting from a for-profit app to a nonprofit one is as significant as switching from a centralized platform to a federated one, if not more significant.
As someone who works for a nonprofit on a public good that’s extremely centralized in architecture (I’m an employee of the Wikimedia Foundation), I tend to share this view. The way software labor gets paid for is crucial, and if there might be better models than a foundation, then there are certainly also far worse ones.
That said, though I’d far rather work for a donation-supported nonprofit than most of the realistic alternatives, our centralization sure is a vulnerability that keeps me awake at night. All institutions are vulnerable to capture, corruption, or collapse, and I wish we had better models for mitigating that risk. I’m pretty sure federation / distribution of architecture is an important piece of the puzzle, but it’s often difficult to discuss that in a way that’s also clear-eyed about the benefits and affordances of centralization.
I don’t think we automatically get a pass because we’re a nonprofit. I’d trust a nonprofit’s incentives over a corporation’s, but we could still do plenty of bad things. I’m not aware of us doing anything like this, but I want to avoid saying “nonprofits = always pure and good”.
The most obvious improvements I see are with the desktop app, which is what I work on day-to-day. It’s no secret that the app is buggy, consumes a lot of resources, and isn’t at feature parity with the mobile apps. I joined in an effort to improve those things, but there’s still a ways to go. Turns out it’s hard to build a good native app for three different operating systems (especially when no two Linux installations are the same)!
For what it’s worth, there’s no love lost between me and the Electron end-user experience in the general case, but Signal at least manages to be the one Electron app I run routinely. On my fairly new and expensive desktop system I don’t usually have performance complaints and I can’t remember it crashing much. That may sound like damning with faint praise, but then again if you’ve used the typical Electron-based chat app maybe not…
Tangent on this, a lot (or at least some) would like to know if OWS has a stance on making bots and clients for unsupported operating systems. That bear has to be poked eventually and we can only hope for a positive response! :)
I know you can’t answer this (and might not be fair for me to ask) but what’s your opinion of the Radio Free Asia (CIA spin off) funding that seeded Signal? I’m not trying to create FUD, just not seeing much talk about it. How do you convince a skeptic like me?
Also, why isn’t Signal investing in p2p? Maybe you can answer the second question…
You are swallowing FUD from the same people that have been trying to discredit the Tor project for the past 6-7 years for the same reasons.
Inherently it doesn’t matter if the CIA throws money at secure crypto. Because it’s secure. The double ratchet algorithm has had eyes on it for years and considering the fairly good track record of people finding suspicious crypto I’m not even batting an eye at the conspiracy some people are trying to push.
If a US government run conspiracy exists around Tor I would be far more worried it relates to the laughably low count of active nodes and the potential that a not so insignificant count of them are being run by malicious parties.
You don’t need a conspiracy to point at the multiple successful attacks against the Tor network and active sybil attacks people have used on it though.
Who brought up conspiracy theories? Is it a conspiracy to think that the intelligence community would be more likely to fund a project that they can crack?
When a large group of people with disparate goals and interests are treated as though they were all cooperating on a single unified goal, yeah, that’s conspiracy. At the very least, the intelligence community is divided into two very different groups: “attackers” and “defenders”.
It’s quite plausible that the “attackers” group would want to fund vulnerable crypto systems in the hope that more useful traffic would be unprotected. However, it’s also quite plausible that the “defenders” group would want to fund very strong crypto systems, so that their agents’ communications would be secure, and hidden among a flood of equally-secure civilian communications.
Just saying “Ah, this was funded by a spin-off of the CIA!” is not in itself evidence of vulnerability or security. If you could prove whether that funding came out of the “attackers” or “defenders” budget, that would be interesting and useful.
For me, the fact that the CIA money was part of the seed funding (not when Signal was already popular) suggests that the money came from the “defenders” budget — they hoped it would get big enough that their own agents’ traffic would go unnoticed. I’d expect a donation from the “attackers” camp to come later on, once they had found a weakness, to help Signal establish a lead over competing apps without known weaknesses. That’s not proof, of course, but without hard evidence nothing’s certain.
When a large group of people with disparate goals and interests are treated as though they were all cooperating on a single unified goal, yeah, that’s conspiracy.
is anyone saying that?
Just saying “Ah, this was funded by a spin-off of the CIA!” is not in itself evidence of vulnerability or security.
What FUD are they swallowing exactly? They only stated that a CIA spin off initially funded Signal, which is true. It’s reasonable to ask why the U.S. intelligence apparatus would want to fund projects like Signal and Tor.
Sure but in some cases, the CIA’s and the public’s interests can be aligned. Strong crypto, safe communication, identity hiding proxies are needed for both.
Sure, for some definitions of “the public.” During periods for which we have records of CIA activities, the peasants of Southeast Asia probably would’ve preferred the CIA to be less able to secure identities and communications.
Well, when someone asks on lobste.rs, where they know that the chances of getting a factual answer to this question are zero, you might reasonably think that the question isn’t a straightforward request for a factual answer. What else might it be? FUD and innuendo are among the possibilities.
Personally my first guess for that funding would be someone at the CIA used some money in a way that helped their own performance reviews and maybe get them promotions, without regard to what effect it would have on other people at the CIA or NSA.
“Tasks accomplished this year:
Blah that helps Chinese/Burmese/Indonesian blah blah against state wiretapping”
This is a guess, not a factual answer. I’m just assuming that the CIA is no better coordinated than the places where I’ve worked. That people at the CIA will put their own department’s tasks and goals above those of other people in other buildings, just like… I could digress into frustrated rambling here.
A union election is about to start in the Amazon facility in Bessemer, Alabama. Amazon wanted the election to run on their internal voting system instead of mail-in ballots. The union reps declined because they were suspicious about running a union vote on the company’s own platform, for what seems like a good reason. Of course Amazon made the same arguments, that their software is secure and anonymous.
The question is, is it legitimate FUD? Because it seems to me, if people are getting on Signal because they are worried about US government monitoring, then it would seem like a legitimate concern that the CIA funded the same software they are trying to use.
Just because it’s FUD doesn’t mean it’s illegitimate. Just like just because it’s a conspiracy theory doesn’t mean there isn’t a conspiracy. I personally think this is a legitimate concern and there is no reason to believe Signal at face value given its history.
Let’s also point out that technically, it’s very easy to shut Signal down. Look at the recent outage. Look at the fact they are renting AWS hardware. Even if you don’t believe the FUD, nothing technical about Signal seems robust.
A union election is about to start in the Amazon facility in Bessemer, Alabama. Amazon wanted the election to run on their internal voting system instead of mail-in ballots. The union reps declined because they were suspicious about running a union vote on the company’s own platform, for what seems like a good reason. Of course Amazon made the same arguments, that their software is secure and anonymous.
How does this apply to Signal? Union workers who have consistently been under threat and pressure in the US are completely sane to consider something else. For this argument to make sense you are just suggesting Signal is in direct opposition to the goal of their users. This feels like constructing some strawman.
The question is, is it legitimate FUD? Because it seems to me, if people are getting on Signal because they are worried about US government monitoring, then it would seem like a legitimate concern that the CIA funded the same software they are trying to use.
I disagree that some undocumented donation from a government agency is funding anything. The article Yasha has written is paywalled. Whatever donation they made years ago doesn’t matter as they have created a non-profit and gotten a significant donation from the WhatsApp founder.
Just because it’s FUD doesn’t mean it’s illegitimate. Just like just because it’s a conspiracy theory doesn’t mean there isn’t a conspiracy. I personally think this is a legitimate concern and there is no reason to believe Signal at face value given its history.
The argument needs to be stronger than “some government agency gave a donation”.
The union comparison is correct because there is a long history of vulnerable groups being targeted by the US government. Isn’t it sane for the same groups to be suspicious of tech funded by their oppressors?
The term FUD is only honestly used to describe disingenuous propagandising. Amazon’s voting software is not widely used FLOSS, unlike Tor and Signal. You are actively spreading FUD by making this misleading comparison.
What if it doesn’t matter if the messages are encrypted. What if the metadata, who talks to who when is what they’re trying to capture? Because getting the rest of the conversation is easy… Simply arrest them and get access to the phone.
I don’t think that a donation from the CIA is sufficient reason to worry. However it would have surely been smart for a project like Signal not to accept it, given the clear conflict of interests at play.
Or alternatively that money would’ve enabled a lot of good and may not have come with significant strings - after all, I’m sure the CIA would use Signal too if it met their needs.
Ultimately we just don’t know. That’s what breeds the conspiracy theory. I’m not convinced we’re entitled to an answer, but it is something that could be easily dispelled if the project wanted to.
You underestimate conspiracy theorists’ ability to do mental gymnastics if you think this can be easily dispelled. Look at how insistent mempko is being about factually incorrect assertions about metadata.
Bottom line, historical funding is not evidence of ANYTHING. It’s clear (to me) why the CIA might want something like Signal to exist and be rock solid, but that will never satisfy some who choose to see opportunity for conspiracy.
As far as I know, only contact discovery is in the SGX enclave. Signal themselves made it clear they are working on not knowing who sends messages to who but as far as I know, they aren’t there yet. Am I factually wrong here? I would love to see the evidence. I’m a big boy and can admit when I’m wrong.
Signal set themselves up for a huge uphill battle by insisting on a centralized architecture. They could have gone p2p and would have no idea when people are talking and who they are sending messages to. They decided against that because it’s easier to upgrade the client with shiny new features. In other words they chose ease of development over security.
And you know what? It worked! They are really popular now and have a really nice client.
The double ratchet algorithm has had eyes on it for years
The double ratchet algorithm is also fairly simple, and quite obviously correct. Any student in applied cryptography can examine it and convince themselves there’s nothing fishy there.
I’ll repeat what I said above. What if it doesn’t matter if the messages are encrypted. What if the metadata is what they are trying to capture. Signal knows who is connected and who talks with who, when. Getting the rest of the conversation is easy, just get physical access to the phone.
And? They removed a whole class of metadata, pushing an attack from a trivial lookup to the statistical realm. Is your complaint that they haven’t done enough? That the CIA protected you from everyone but them?
I’d love a chat app that advertised itself as “literally only the CIA can read your messages.”
I was responding to /u/Foxboron’s claim that Signal doesn’t know who talks with whom. My understanding is that the IP address logging and traffic correlation can be done by Signal, so they could figure out who talks with whom.
There are solutions for this problem. Examples: Pond by imperialviolet and Vuvuzela. Both hide the fact that you are sending the message. The cost: your device sends data all the time. Most of the time it’s white noise, sometimes it’s an encrypted message. An observer can’t distinguish. Obviously, this does not work on mobile because of power requirements.
Alternatively, you can introduce random delays. This means you are no longer in chat territory; you are operating a mailing service.
Anything short of two solutions above makes correlation attacks directed at contact network discovery very doable. And decentralization does not help - it will leak the same or greater amount of metadata, depending on implementation.
In this case I think the attacks are a lot easier than with e.g. Tor because all messages go through Signal’s servers and they know the identity of the recipient.
They know the identity of the recipient, but not the identity of the sender.
There is an argument to be made, that by partitioning users into federated servers (or relay nodes, without permanent residence) you partition your anonymity set.
Correct me if I’m wrong but it seems really easy to deduce or guess with high confidence who the sender is, based on the information that Signal servers have access to. For example if you receive a message and reply to it immediately, Signal could get a pretty accurate mapping from your IP address to your identity for that message, no?
If I’m right it’s quite interesting that this blog post is being spread around as evidence that Signal doesn’t know who talks to whom.
There is an argument to be made, that by partitioning users into federated servers (or relay nodes, without permanent residence) you partition your anonymity set.
I don’t see an argument for that. In this case it seems like your “anonymity set” is the group of people who could plausibly use the same IP address as you at the time you are sending a message, which is quite small if not a group of one.
Correct me if I’m wrong but it seems really easy to deduce or guess with high confidence who the sender is, based on the information that Signal servers have access to.
Yes. Definitely. But that is also true for an attacker who just controls the routers around Signal’s servers, which is a cleaner way to attack the network (hard to get caught!).
In this case it seems like your “anonymity set” is the group of people who could plausibly use the same IP
That would be trying to hide the fact that you are using the communicator.
No. I’m speaking about hiding who is talking to whom. Imagine your server handling a high amount of traffic. And we have a hostile router that can see packets and their destinations, but not packet contents. When the router does a timing-correlation attack to identify who is talking to whom, the worst thing the server can do is immediately forward messages from sender to receiver. This makes connecting the dots trivial. Now, if multiple pairs of people talk at the same time, the server can introduce a small random delay (let’s say below 1 s) between receiving and forwarding to confuse the router. The more people talking, the more possible permutations there are. AFAIK this method of confusing the observer is not a very good one. I recall seeing papers about de-anonymization of Tor users via capturing and analyzing traffic data for a long period of time. But that is a problem of every low-latency communication method. To work around that you would need lots of wasted bandwidth (as in Vuvuzela) or long delays (as in a mixnet).
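The timing-correlation argument in the comment above (immediate forwarding exposes who talks to whom; overlapping conversations plus a random hold multiply the pairings an observer cannot rule out) as a small added toy model. This is not code from the thread or from Signal; the relay, the four flows, their timestamps and the names are all constructed for the illustration.

```python
"""Toy model of the timing-correlation problem described above.

An observer on the routers around a relay sees when each inbound packet
arrives and when each outbound packet leaves, but not the contents. The
relay either forwards immediately or holds each message for a random
delay of at most max_delay seconds. The observer links an inbound packet
to every outbound packet that leaves within max_delay after it and asks
how many complete sender->recipient pairings remain consistent.
A count of 1 means who-talks-to-whom is fully exposed.
"""
from itertools import permutations
import random

EPS = 1e-9  # tolerance for floating-point timestamp arithmetic

# Constructed sample: four conversations overlapping within half a second.
# Each tuple is (arrival time in seconds, sender, recipient); names are hypothetical.
INBOUND = [
    (0.00, "alice", "bob"),
    (0.15, "carol", "dave"),
    (0.30, "erin", "frank"),
    (0.45, "grace", "heidi"),
]


def random_holds(n, max_delay, rng):
    """One uniform random hold time in [0, max_delay] per message."""
    return [rng.uniform(0.0, max_delay) for _ in range(n)]


def relay(inbound, holds):
    """Model the relay: message i leaves at its arrival time + holds[i].

    Returns what the router sees on the outbound side: (departure time,
    recipient) pairs in departure order, not in the order they were sent.
    """
    outbound = [(t + hold, recipient)
                for (t, _sender, recipient), hold in zip(inbound, holds)]
    return sorted(outbound)


def _linkable(t_in, t_out, max_delay):
    """Could a packet arriving at t_in be the one leaving at t_out?"""
    return -EPS <= t_out - t_in <= max_delay + EPS


def consistent_pairings(inbound, outbound, max_delay):
    """Count the complete inbound->outbound pairings the observer cannot
    rule out from timing alone (brute force; fine for a handful of flows)."""
    n = len(inbound)
    return sum(
        1 for perm in permutations(range(n))
        if all(_linkable(inbound[i][0], outbound[j][0], max_delay)
               for i, j in enumerate(perm))
    )


def candidate_recipients(inbound, outbound, max_delay, sender):
    """Recipients the observer cannot exclude for this sender's message.
    A single candidate means that link is exposed."""
    t_in = next(t for t, s, _ in inbound if s == sender)
    return sorted({r for t_out, r in outbound
                   if _linkable(t_in, t_out, max_delay)})


if __name__ == "__main__":
    n = len(INBOUND)
    for max_delay in (0.0, 0.1, 1.0):
        rng = random.Random(7)  # fixed seed so the demo is reproducible
        out = relay(INBOUND, random_holds(n, max_delay, rng))
        print(f"max delay {max_delay:>4}s: "
              f"{consistent_pairings(INBOUND, out, max_delay):>2} consistent pairings; "
              f"alice could have written to "
              f"{candidate_recipients(INBOUND, out, max_delay, 'alice')}")
```

A hold shorter than the gap between arrivals (0.1 s here, against 0.15 s gaps) leaves exactly one consistent pairing, which is the comment's point that the delay only helps when several conversations genuinely overlap.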
I think we are talking about two different things. It’s easier for Signal because for each message they know the IP address of the sender (at the time of sending) and the identity of the recipient. If they can figure out who maps to the IP address for a given message, they know the identity of the sender and the recipient for that message – not just that the sender is using their service.
To add to my snarky reply, I don’t think you are right that Signal doesn’t know. If you reply to a message within a few seconds of receiving one, your IP address probably hasn’t changed, so Signal would know your identity as a sender. That’s just one example, and it’s not hard to think of ways that Signal could figure out the sender and receiver in most cases (or at least have a confident guess).
You’ve expressed confidence in Signal’s message encryption. It’s open, well analyzed, and widely used.
You’ve expressed concern about Signal retaining metadata. Your only specific threat of “who talks to who when” has been specifically and repeatedly addressed: https://signal.org/blog/sealed-sender/
Well over a year after that announcement, I looked at their code to see how it worked. It didn’t. It wasn’t on. And I don’t care enough to look again because…
Signal is still strictly more secure than every other major messaging app.
Finally: both the autobahn and the US interstate highway system were national defense projects. Should I be skeptical of them?
Moxie doesn’t like p2p and decentralization. He made an entire talk about that during 36c3 and the recording of that talk was promptly deleted after a wave of backlash and criticism since apparently Moxie didn’t actually agree to have the talk recorded.
I just prefer to present something as part of a conversation that’s happening in a place, rather than a webinar that I’m broadcasting forever to the world. I have less faith in the internet as a place where a conversation can happen, and the timelessness of it decontextualizes.
I’m of the opinion that Signal becoming mainstream is a success worth celebrating and a huge step forward for mainstream WhatsApp users.
Now it’s up to us techies to fight for and normalize the next frontier. Is it going to be decentralization? No metadata? Less dependent on phone numbers? I don’t know. Only time will tell.
Great to know but they all use Signal’s library, so it is somewhat weaker than truly independent clients written based on a protocol spec. I don’t know if Signal takes any measures to prevent third party clients, beyond Moxie saying he “hopes that they will stop.”
Matrix is not decentralised. I suspect that if users jumped onto it like they are right now with Signal, they would head to one instance and we would experience the same issues.
True decentralisation would be wonderful, but right now it’s not offering what a secure centralised service can, so I have to recommend Signal.
I don’t see silo-to-silo communication as fully decentralised, which is why I said “not decentralised” instead of “centralised”. You are still beholden to a server and client model, where you have to trust the server.
I completely agree with all the trust issues people have with Signal; I think that for most people they don’t go away with Matrix.
Secure Scuttlebutt is perhaps closer to properly decentralized. There are servers (termed “pubs”), but any client can sync via any pub it has access to.
Unfortunately, it’s quite hard on the CPU, and hard to write clients for.
So what if 80% use the most common 2 servers (like with email)? There’s still the option of going elsewhere without burning all bridges:
Everybody can (in principle) set up a server and still communicate with the rest. The hard part here is making that process simple enough that everybody does, but at least it’s possible.
With Signal (or Whatsapp, Telegram, Threema) you don’t have that option.
There are other systems that provide a p2p experience now (such as SSB) but they’re even less mass-marketable than Matrix, and with communication systems, mass market appeal is, sadly, important.
How many bridges were burnt in the move from Whatsapp to Signal? The transition is almost completely seamless. If this is the benefit of federated systems, why would people care when moving between two different centralised services was this easy?
To be clear, I’m not happy with having one person run one server that controls everything. I just haven’t seen anything else that I could give to my non-techie friends and say ‘use this and you won’t notice the difference’. Maybe that’s coming, but for now we have Signal.
It’s the duck test. “A protocol walks/quacks like a centralised one if there exists some server that affects most of the chat groups you’re in because at least one member of that group relies on that server.” Disagree if you want, set the threshold where you want, reword the test to be about your correspondents instead of groups, but that’s roughly the argument.
That “test” is not very useful: If your own server goes down, all chat groups you’re in are affected because you’re gone.
For a true peer to peer system with absolutely no coordinating node (no super nodes, no seed nodes, no query services, no NAT penetrating reflection services) I’d still argue that your own system is your server. And guess what: if that goes down, all your groups are affected because at least one of their members (you) relies on that server.
At the very least it makes us think about what it means for a protocol to be centralized or decentralized.
Protocols are super interesting, but the reason we discuss (de)centralization is generally due to issues of power and agency that people experience using technology. So I think to a lot of us the more important question is how the system itself - built on the network, implemented by the protocols - is centralized/federated/decentralized and how that impacts the people that interact with it.
The web is built on a whole stack of decentralized protocols developed in the open, but it’s also more centralized than it’s ever been.
>signal
>"one that was commonplace in the hacker community"
>using Electron for its desktop client
>completely US-based and absolutely dependent on the us-govt humour
FFS, please. I know Signal appeals to some people as the “holy grail” - mainly for Americans who only see FB Messenger, WhatsApp and Discord and completely throw away Telegram on first sight because “muh russian lol”, but idealizing it is not the way to achieve anything. I think it’s even worse, because it slowly gets to the point that Signal is the “ultimate answer to private communication” in public opinion, which it is not.
Unless it’s open (by specification and reference clients using native technologies or being a loadable lib), not intentionally complicated (I see you, Matrix), decentralized (but not silo-to-silo like Mastodon) and maintainable to the point that it could be used for the next 20-30 years from now on and any person who studied the spec could write the client/server.
throw away the Telegram on first sight because “muh russian lol”
To be fair, there are more issues with Telegram:
Russians, perhaps, who knows if they still are involved? Right now they seem to be based in Dubai, but even that is just a hunch. No problem with Dubai per se (although it’s a surprising choice), but nothing seems certain with regard to their operations.
Their approach to cryptography has been interesting to put it mildly (although I haven’t followed up to see if they’re more reasonable today). Their approach at convincing folks that their interesting cryptography is secure (cracking contests with onerous terms, then claiming that nobody could crack it) is another red flag.
End-to-End encryption is supported but not enabled by default. That makes some sense for legacy platforms (such as XMPP) which have to deal with participants using old software but not for a system that started out in an E2E world.
Sorry, forgot my “don’t care”. The more important part is “who are they even?”. The founders are known, okay. They’re Russians, big deal.
Are they still driving it? Maybe, maybe not. How could I reach out to them if I need to, e.g. through legal means? Where are they: Dubai, perhaps Paris, Nepal? who knows for sure?
Given the distribution mechanism for their software (including strongly preferred automatic updates), you’re running code by whoever, working wherever, doing whatever, subject to change whenever. If I want to take things up about some XMPP client developed by hobbyists I have a better chance of getting hold of them.
As per https://signal.org/legal/, Signal’s PO Box is at Privacy Signal Messenger, LLC 650 Castro Street, Suite 120-223 Mountain View, CA 94041, so there’s a legal point of contact, and it’s clear that if push comes to shove, they’re under US jurisdiction.
In contrast, Telegram: Per https://telegram.org/faq#q-do-you-process-data-requests they think they’re very clever by distributing key material across jurisdictions (“The relevant decryption keys are split into parts and are never kept in the same place as the data they protect. As a result, several court orders from different jurisdictions are required to force us to give up any data.”) and my suspicion is that when (not if) some jurisdiction really wants to pierce that veil, there will be a rude awakening because governments generally don’t work that way (compare https://xkcd.com/538/). In the meantime however, they hide from ordinary people.
Telegram’s theory of operation is a cute cyberpunk fantasy, but nothing I intend to support by strengthening their network effect.
Signal strongly prefers automatic updates just like Telegram right?
I guess it is up to the user whether they feel more comfortable using a service under U.S. jurisdiction. I personally don’t see how it helps me that Signal has a consistent legal point of contact in the U.S.
Unless it’s open (by specification and reference clients using native technologies or being a loadable lib), not intentionally complicated (I see you, Matrix), decentralized (but not silo-to-silo like Mastodon) and maintainable to the point that it could be used for the next 20-30 years from now on and any person who studied the spec could write the client/server.
I don’t understand this sentence. (Though maybe the formatting is/parentheticals are throwing me off.)
The Signal protocol, as I understand it, is specified (https://signal.org/docs/) and there are reference implementations of it. I believe other apps have adopted the same protocol, so there must be some hope of writing a client/server.
You can even run your own server, but it’s a silo just like the official Signal server is a silo. Running your own mailserver means you can still talk to users of other mail servers. Signal? No such luck.
I’ve been using Signal for years and have gotten several friends and family to use it as well. But the centralization is definitely a concern - the outage on Friday was directly disruptive to me. In fact, I’m right now scheduling an event with some friends over clear text SMS because Signal was down on Friday when we first started talking about it. AWS’s behavior with Parler should rightfully make anyone suspicious of the reliability of any platform running on AWS compute power. In any case, because Signal requires a phone number, it never has worked for the important use cases of talking with people online anonymously who don’t already have access to my phone number.
Matrix is a very promising technology (and can interoperate with Signal, although I haven’t tried this yet). I will be excited to see the protocol become more mature, and hopefully become something I can recommend to people I know IRL.
Ever since I got rid of (or actually lost) my smartphone, I’ve been unable to use Signal, and I’ve begun to realize that what I really want isn’t primarily privacy – I just want accessible instant messaging. I really miss the days when Google Talk and Facebook were connected to XMPP.
However, here’s something to think about: while privacy preserving tech is commendable, does it have to come at the cost of user freedoms? Hint: it doesn’t, and it shouldn’t.
What user freedoms are being trampled? Author does not seem to specify any.
I don’t mean to sound conspiratorial, but what’s to say that the server in production hasn’t been backdoored? In fact, the Signal server code hasn’t even been updated since April 2020. You’re telling me it’s undergone no changes?
Serious accusation. Completely unfounded one. Two points are made. First, that backdooring the server would achieve something. Hint, it would not. E2E is exactly for that. Contact list crosschecking is being done inside an SGX enclave, and clients are validating that the SGX enclave is running a particular version of the code. What would server backdooring achieve? Author is clueless. Second accusation. “You are telling me it’s undergone no changes?” For half a year? On a platform where almost everything happens client-side? The server just shuffles ciphertext around. Nothing to see here.
What user freedoms are being trampled? Author does not seem to specify any.
Two come to mind: Freedom to distribute software, e.g. in the F-Droid store, even if this means that not everyone has the newest version. Freedom to use my own server, instead of trusting someone else, at the conscious expense of my security.
You can distribute the software in the F-Droid store. You can’t use their trademark (the name signal) or servers while doing it.
You also can run your own server with your own build of the app in the F-Droid store.
Presumably what you want is to use the network they’ve built with your own client. I agree that would be nice-to-have, but AFAIK not even Stallman wants OSS licensing to require it.
I can distribute, but I can’t actually cause people to use it. Like spam filters: I can send my email all right, it’s getting it received that’s more problematic. I can run my own server, but it won’t talk to the official one. It has to be a separate network, that, understandably, nobody will use.
So yes, using their network with different clients would be very nice.
Ad hominem much? Seriously, it hurts any argument you’re trying to make.
The problem they allude to is that we have to trust that moxie is running the server code that he claims to run. It does seem suspicious that the server code has seen 0 changes in almost 1 year.
People like to point out that signal has e2ee, and that the server doesn’t have to be trusted, but they (conveniently?) forget that signal collects a fair amount of information from users (phone numbers, contacts, other metadata), and has the potential to collect a lot more on the server side.
Contact list crosschecking is being done inside SGX enclave, and clients are validating if SGX enclave is running particular version of code.
Could you expand more on that? If I’m sending my contact list to a Signal server for crosschecking, how can I trust that server to keep the list private?
Long story short - it’s guaranteed by Intel. It’s a piece of the processor that the user can load with code, lock and burn the key. Metaphorically - since there was never a key. Next, an external application can talk to an https server running from the enclave, and validate the enclave’s claims about the code that it runs with help from Intel’s service.
This tech has its limitations - it’s still buggy, exploits are published every year, but it will mature some day. It also has some limitations in its threat model - it does not cover de-capping and RAM page replay attacks.
Signal’s own description of the problem and what they are doing with it:
The problem still exists, you have to trust that they are doing what they say they do, and since it’s 100% centralized you have no way of knowing for certain that the server code they are running is what they say they run. And you can’t run it yourself since moxie is 110% hostile towards any sort of decentralization of his baby.
you have no way of knowing for certain that the server code they are running is what they say they run.
The server code is able to send a verification code derived from Intel’s private key, the current time, and the hash of the built server code.
In order to do that, they’ve either A) somehow gotten hold of Intel’s private SGX key, B) successfully used an SGX bypass, or C) run code with a hash matching the one they’ve published, which comes from a reproducible build.
I think that list is roughly in order of least to most likely.
I’d say an SGX bypass is more likely than any other. Intel’s opsec regarding their keys was flawless so far, hash collisions are hard (I think SGX uses SHA256 which is still unbroken in the general case?), but SGX and every other bolt-on “security” technology that Intel implemented since protected mode has been an utter disaster.
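The client-side checks the two comments above describe (a report signed by the attestation key, bound to the current time, carrying the hash of the running code, which must equal the published reproducible-build hash), as an added illustration that is not Signal’s or Intel’s code. Everything here is a constructed stand-in: `ATTESTATION_KEY` is an HMAC key playing the role of Intel’s signing infrastructure, `measure_enclave` is just a SHA-256 of the build bytes in place of a real MRENCLAVE, and the report format is made up for the example.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the attestation service's signing key.  A real
# SGX quote is signed by Intel's attestation infrastructure; an HMAC key
# plays that role here so the example runs offline.
ATTESTATION_KEY = b"stand-in-attestation-key-not-intel"

# Oldest report a client will accept, in seconds (assumed policy value).
MAX_REPORT_AGE = 300.0


def measure_enclave(enclave_binary):
    """Stand-in for the enclave measurement (MRENCLAVE): a hash of the build."""
    return hashlib.sha256(enclave_binary).hexdigest()


def issue_report(enclave_binary, nonce, now):
    """Simulated attestation: the platform states which code is running,
    binds that statement to the verifier's nonce and the time, and signs it."""
    body = {"mrenclave": measure_enclave(enclave_binary), "nonce": nonce, "timestamp": now}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(ATTESTATION_KEY, payload, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_report(report, expected_mrenclave, nonce, now):
    """Checks a client runs before handing its contact list to the enclave.
    Returns (accepted, reason).  Order matters: the signature is checked
    first so that an unsigned claim of the right hash is never believed."""
    payload = json.dumps(report["body"], sort_keys=True).encode()
    expected_sig = hmac.new(ATTESTATION_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(report["sig"], expected_sig):
        return False, "signature does not verify"
    body = report["body"]
    if body["nonce"] != nonce:
        return False, "nonce mismatch (replayed report)"
    if not 0 <= now - body["timestamp"] <= MAX_REPORT_AGE:
        return False, "report is stale or from the future"
    if body["mrenclave"] != expected_mrenclave:
        return False, "enclave measurement does not match the published build"
    return True, "ok"


def run_scenarios():
    """Walk through the accept case and the ways a report can be rejected."""
    published_build = b"constructed server build v1"      # what the reproducible build produced
    expected = measure_enclave(published_build)           # hash the client pins
    results = {}

    # 1. Genuine enclave running the published code: accepted.
    good = issue_report(published_build, "nonce-1", 1000.0)
    results["genuine"] = verify_report(good, expected, "nonce-1", 1010.0)

    # 2. Different code running: the measurement differs, so it is rejected.
    other = issue_report(b"constructed server build v1 + local patch", "nonce-1", 1000.0)
    results["different_code"] = verify_report(other, expected, "nonce-1", 1010.0)

    # 3. Same report replayed later than MAX_REPORT_AGE: rejected as stale.
    results["stale"] = verify_report(good, expected, "nonce-1", 1000.0 + MAX_REPORT_AGE + 1)

    # 4. Report issued for an older challenge: rejected by the nonce check.
    results["replayed_nonce"] = verify_report(good, expected, "nonce-2", 1010.0)

    # 5. Different code, but the body is edited to claim the published hash:
    #    the signature no longer matches, so the claim is not believed.
    forged = {"body": dict(other["body"], mrenclave=expected), "sig": other["sig"]}
    results["edited_claim"] = verify_report(forged, expected, "nonce-1", 1010.0)
    return results


if __name__ == "__main__":
    for name, (accepted, reason) in run_scenarios().items():
        print(f"{name:15s} accepted={accepted} ({reason})")
```

The point of scenario 5 is the one the thread is circling: the server cannot simply assert the published hash, because the measurement the client compares is inside a signed statement the server does not control. What the client is still trusting is the signer and the hardware, which is the limitation the enclave comment above acknowledges.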
Jami — formerly Ring — is distributed and E2E encrypted, and you can link several devices to one account.
However, while text messages sent from contacts are echoed to every device, my own messages only appear on the device from where it was sent. This is a highly frustrating experience.
Also, Jami does not support groups yet.
If the latter two issues were fixed, I would probably prefer Jami to both Signal and Telegram when I ditch WhatsApp soon.
Because the author wanted to moan about something that is actually currently pretty good, not to provide a conclusive and valid assessment. Just yet another opinion piece, that’s all.
Because XMPP has multiple, incompatible, standards for doing end to end encryption (and for sharing vCard info, and for avatars, and for sending pictures, and for video calling) and the odds of two clients implementing the same one are pretty small. On top of that, none of the XMPP protocols has a good story for distributing decryption keys between clients and so there’s a good chance that you’ll have some messages that are viewable on one of your devices but not others.
I was actively involved in XMPP back during its initial IETF standards process but the standard ballooned into a load of XEPs with no reference implementation and many of them (e.g. PEP, on which a load of other XEPs were based) sat for years without a client or server implementation. Setting the bar of either one permissively licensed client and server implementation or two interoperable implementations of each (client and server) would have done a lot for that ecosystem.
I don’t know AstraChat. I recommend Monal (although I don’t use iOS myself, but there are Monal-using people in my peer group). They are interoperable incl. OMEMO.
Contrary to popular opinion, Matrix in general does not use the double ratchet algorithm, except for initializing its megolm algorithm, which is quite different. See https://blog.soykaf.com/post/encryption/
What worries me is that, basically, there is no real solution to messaging right now. So anything I might choose and decide to recommend is me betting that it take a bad turn. But at the same time, I can’t betray people’s trust all the time by saying X was bad, Y is better (for now). And putting it as it is, “X appears to be good enough for now” doesn’t sound confident enough to motivate friends into switching. So all that is left between alarmism and realism appears to be cynically advocating for something like Signal, not because it is the best, but because it is the most probable to disrupt the current landscape held together by the network effect. Until then, you can just hope that there will be a proper solution, i.e. something secure, with a specification and without dependence on a single organization.
Until then, you can just hope that there will be a proper solution, i.e. something secure, with a specification and without dependence on a single organization.
Maybe it’s time to start wondering whether a decentralized or multi-organizational tool is actually worse. So far, any attempt at them has not worked and the outlook is not good.
What worries me is that, basically, there is no real solution to messaging right now.
What is a “real” solution? Something with a spec and decentralized, as the quote earlier suggests?
…the most probable to disrupt the current landscape held together by the network effect.
I posit that any messaging system will require the network effect. Making a good protocol, for example, is not nearly enough.
Maybe it’s time to start wondering whether a decentralized or multi-organizational tool is actually worse.
The advantage of a non-centralized network is that there is no central point of failure, neither technical nor social, which I think is important. But of course, it is more difficult to implement, which I believe is the reason why attempts at this have historically been worse. I’m cautiously optimistic about Matrix though.
What is a “real” solution?
To oversimplify: Something that isn’t a compromise.
I posit that any messaging system will require the network effect.
Conversely, weakening the network effect of already existing networks makes it easier for newer solutions to compete.
I would totally prefer to build on top of an incentive-aligned protocol enabling secure and cheap communication. Signal is not that.
But bitching about some fringe theoretical gripes of technical folk at the moment when alphabet-soup groups syphon out all the communication data... it’s just shortsighted. Signal is a tool ready for mass consumption. Alternatives are really not even close. Including everything Matrix and XMPP.
Nobody here mentioned that Signal itself was originally funded by the CIA spin off Radio Free Asia. So there is some good reason to be conspiratorial as the OP said in the post. How do we know it isn’t backdoored?
I wouldn’t trust any messaging system that isn’t P2P for privacy. I may be a bit biased (I wrote Firestr http://firestr.com) and can say pretty confidently that nobody funded me. I did it out of passion for privacy after the Snowden leaks. There is no central repository of users. I have no idea who is using it and where and it’s easy to hack on imo. Also it does more than just send messages. I use it every day but haven’t developed it actively in years because there is no funding or interest in p2p anymore. I have a day job that takes all of my time. It’s a shame really.
I wish p2p tech was pushed forward more but we now have centralized messaging apps like Signal, Whatsapp, Telegram, Matrix, and it makes me really sad.
Element.io mobile/desktop apps and EMS for self-hosting (utilizing Matrix.org under hood) provide a compelling open source and self-hosted alternative, IMO. Still some rough edges to work out, but a good start. Unfortunately it requires one person shelling out some time or cash for a homeserver on behalf of one’s friends, or relying on the shared services that are floating out there.
(Only for programmers, though. For “normies” I’d still recommend Signal or WhatsApp.)
Speaking of which… What’s wrong with good old fashioned IRC? Yes I know the user experience isn’t there and no, it’s not e2e encrypted. But it is federated and decentralised. I run my own private server for my family. I know matrix is doing great work, but IMHO the scope is too large and honestly I’ve tried to spin up a server of my own and it was just all too hard.
very few affordances for offline messaging / presence / scrollback
trivially easy to monitor by third parties
table-stake features like multi-line comments, editable comments, and text styling are either missing or client-dependent
Pre-emptive rebuttals:
using a bouncer or a service like IRCloud helps, but bouncers are hard to set up and IRCloud is a paid service (not that there’s anything really wrong with that, just hard to compete with free)
Yeah these are good points and quite valid. The problem I find with any new alternatives is they are “hard”, I mean hard to set up, hard to operationalize. Example: setting up a matrix server, I gave up and I write software for a living. Why can’t we have something with the ease of say setting up an IRC server, with the security/privacy of say Signal and the feature set of say Slack? Is it so much to ask? If I could run my own Signal server today (for example) and my friends/family/colleagues/whatever could reach me via my own server without them having to know or care, that would be awesome :D
Agreed. Part of the problem is that mobile devices aren’t set up to keep persistent connections, which is somewhat fundamentally disharmonious with IRC’s design.
easy to monitor by third parties
How so? SSL (granted not E2E, but that’s only relevant for the first party i.e. the server) is supported by most servers; and you can disallow non-SSL users from joining a given channel.
multi-line comments, editable comments, and text styling
I don’t find any of these particularly compelling features.
How so? SSL (granted not E2E, but that’s only relevant for the first party i.e. the server) is supported by most servers; and you can disallow non-SSL users from joining a given channel.
I’m just a user of IRC and have only ever been granted op status, so I don’t know how much access the server operator has. Can they view DMs, for example? Are there provisions for mandating stuff like 2FA for server ops? If not, it feels trivial to me for an attacker to impersonate the server owner and get elevated access.
How can I be sure that the server software hasn’t been tampered with and is reading everything in plaintext after people logon using SSL?
multi-line comments, editable comments, and text styling
I don’t find any of these particularly compelling features.
You might not, but I do, after using “mainstream” chat apps for a while. Multiline is a nice affordance. Being able to “like” someone’s comment is a good semi-out-of-band way to signal agreement or ack without messing up the timeline. People looooove emojis.
I’ve been on IRC basically daily since 2003. It’s my favorite way to chat. But I’m under no illusion that it’s going to be a compelling product for someone who is not used to it.
I’m just a user of IRC and have only ever been granted op status, so I don’t know how much access the server operator has. Can they view DMs, for example? Are there provisions for mandating stuff like 2FA for server ops?
That depends entirely on the server implementation; this isn’t standardised.
I don’t know what the popular implementations do, but I would be very surprised if they allowed server ops to snoop private messages. Obviously you have to trust that your server operator isn’t doing anything untoward, but assuming you do I think you can have reasonable confidence that they’ve taken reasonable precaution against such eventualities.
The way IRC is deployed these days it is actually neither. When you run your own IRC server and connect your client to it you cannot join rooms on, e.g., freenode. When you connect your client to the freenode servers you cannot join rooms on other IRC networks. It acts as a centralized system just like Signal.
I know the IRC vision was a single, global decentralized network, but because of the nature of security and trust on the Internet these days it can’t quite achieve that and we’re left with separate siloed networks.
XMPP was created to fix this problem and in general be a “better IRC”. These days it goes far beyond just that of course. You can even join IRC rooms via public bridges like irc.cheogram.com (which I run and use for all my IRC these days. it’s like using a bouncer that talks to my Jabber server instead of to my IRC client).
I am also concerned about the centralized aspect of Signal, but I do believe this massive adoption of Signal from the public is really great. On one hand because Signal seems much better than Whatsapp — just looking at the business model is sufficient imo — and on the other hand because these questions about privacy start to become mainstream, which will hopefully push the debate on the political side.
Matrix/Element has strong good points w.r.t. privacy, but it is not really equivalent to Signal; it is much more like some discords. Also, as raised by others, it requires someone to set up a homeserver and throw some money and time at it, which is clearly not at everyone’s fingertips.
olvid.io / made by actual cryptographers / fully encrypted metadata (really) / verified E2E at the initialization of the conversation / no contact list sent / soon opensourced / made in EU.
Why would I put “my future” in the hands of Signal? Telegram? Berty? Session? or foobarBozoSecureMessenger :)
Sadly, our entire landscape is “for profit”, our phones are “for profit”, our computers are “for profit” and this is where the messenger runs.
I want alternatives, I’m happy to see them in EU (where I live) outside US or outside China, Russia where we have slightly stronger privacy protecting laws.
I don’t want to send my contact list for accessing a service and I don’t need to see who’s using the app.
I want to see competitors that actually have provable verified end to end cryptography at communication channel establishment, not just if/when you verify your peer by checking fingerprints or scanning the QR codes; it helps improve the “landscape”.
Luckily, I’ve met one of the cryptographers behind olvid back when he was a PhD student in Vaudenay’s lab and trust his (and his peers’) skills more than SV personality cults & stories, and I guess not everybody has a revenge (just a guess) driven billionaire friend to fund a competing “product” :)
I don’t mind to pay/bet for a product that works and reward people that did a great job, taking risks and trying to innovate and propose something different.
I am also fine with open, federated, community based and open services like IRC.
Maybe some interoperability would be nice, but haha utopia.. :)
Yeah I might be wrong, it’s just my nobody’s choice, btw here are olvid crypto specs:
I work at Signal, and here are my two cents:
Signal is incrementally better than the incumbents on the technology side. We do a better job encrypting message contents than most and I think we do a much better job staying ignorant about message metadata (e.g. who you’re talking to) than our competitors. I’m proud of the work my colleagues have done and I do think we have some significant differentiators, but Signal’s architecture is similar to WhatsApp’s.
The bigger shift, I think, is not technical. People know that corporations don’t always have users’ best interests in mind; Facebook is emblematic of this problem. In my view, shifting from a for-profit app to a nonprofit one is as significant as switching from a centralized platform to a federated one, if not more significant.
That’s not to say Signal gets a pass; we are far from perfect. But I think we’re a baby step towards the ideal.
I spend a lot of time on Mastodon and the cries for a better federated/decentralized system are loud there. I, too, would love to see messaging get there in the mainstream. Maybe it’s Matrix, maybe it’s Berty, maybe it’s Briar, who knows. But I see Signal as an important step to get there.
This isn’t an official response from Signal, just my opinion!!
Thanks for the input here! I think these are reasonable ways to view things even if I periodically express frustration at the ways Signal falls short of (or operates on a philosophy that contradicts) my personal ideal. I derive a tremendous amount of value from it even if I’m uncomfortable with, say, the stances laid out in “the ecosystem is moving”, and I’m grateful for the utility provided in a very hard space to work in.
As someone who works for a nonprofit on a public good that’s extremely centralized in architecture (I’m an employee of the Wikimedia Foundation), I tend to share this view. The way software labor gets paid for is crucial, and if there might be better models than a foundation, then there are certainly also far worse ones.
That said, though I’d far rather work for a donation-supported nonprofit than most of the realistic alternatives, our centralization sure is a vulnerability that keeps me awake at night. All institutions are vulnerable to capture, corruption, or collapse, and I wish we had better models for mitigating that risk. I’m pretty sure federation / distribution of architecture is an important piece of the puzzle, but it’s often difficult to discuss that in a way that’s also clear-eyed about the benefits and affordances of centralization.
Out of curiosity, in what ways would you hope the project would improve?
Matrix’s future is encouraging, because they tackle not only centralisation but also moderation.
I don’t think we automatically get a pass because we’re a nonprofit. I’d trust a nonprofit’s incentives over a corporation’s, but we could still do plenty of bad things. I’m not aware of us doing anything like this, but I want to avoid saying “nonprofits = always pure and good”.
The most obvious improvements I see are with the desktop app, which is what I work on day-to-day. It’s no secret that the app is buggy, consumes a lot of resources, and isn’t at feature parity with the mobile apps. I joined in an effort to improve those things, but there’s still a ways to go. Turns out it’s hard to build a good native app for three different operating systems (especially when no two Linux installations are the same)!
For what it’s worth, there’s no love lost between me and the Electron end-user experience in the general case, but Signal at least manages to be the one Electron app I run routinely. On my fairly new and expensive desktop system I don’t usually have performance complaints and I can’t remember it crashing much. That may sound like damning with faint praise, but then again if you’ve used the typical Electron-based chat app maybe not…
Tangent on this, a lot (or at least some) would like to know if OWS has a stance on making bots and clients for unsupported operating systems. That bear has to be poked eventually and we can only hope for a positive response! :)
I know you can’t answer this (and might not be fair for me to ask) but what’s your opinion of the Radio Free Asia (CIA spin off) funding that seeded Signal? I’m not trying to create FUD, just not seeing much talk about it. How do you convince a skeptic like me?
Also, why isn’t Signal investing in p2p? Maybe you can answer the second question…
You are swallowing FUD from the same people who have been trying to discredit the Tor project for the past 6-7 years for the same reasons.
Inherently it doesn’t matter if CIA throws money on secure crypto. Because it’s secure. The double ratchet algorithm has had eyes on it for years and considering the fairly good track record of people finding suspicious crypto I’m not even batting an eye on the conspiracy some people are trying to push.
If a US government run conspiracy exists around Tor I would be far more worried it relates to the laughably low count of active nodes and the potential that a not so insignificant count of them are being run by malicious parties.
You don’t need a conspiracy to point at the multiple successful attacks against the Tor network and active sybil attacks people have used on it though.
Who brought up conspiracy theories? Is it a conspiracy to think that the intelligence community would be more likely to fund a project that they can crack?
When a large group of people with disparate goals and interests are treated as though they were all cooperating on a single unified goal, yeah, that’s conspiracy. At the very least, the intelligence community is divided into two very different groups: “attackers” and “defenders”.
It’s quite plausible that the “attackers” group would want to fund vulnerable crypto systems in the hope that more useful traffic would be unprotected. However, it’s also quite plausible that the “defenders” group would want to fund very strong crypto systems, so that their agents’ communications would be secure, and hidden among a flood of equally-secure civilian communications.
Just saying “Ah, this was funded by a spin-off of the CIA!” is not in itself evidence of vulnerability or security. If you could prove whether that funding came out of the “attackers” or “defenders” budget, that would be interesting and useful.
For me, the fact that the CIA money was part of the seed funding (not when Signal was already popular) suggests that the money came from the “defenders” budget — they hoped it would get big enough that their own agents’ traffic would go unnoticed. I’d expect a donation from the “attackers” camp to come later on, once they had found a weakness, to help Signal establish a lead over competing apps without known weaknesses. That’s not proof, of course, but without hard evidence nothing’s certain.
is anyone saying that?
…or that?
There are people saying that. Which is why this is being discussed in the first place.
who/where?
What FUD are they swallowing exactly? They only stated that a CIA spin off initially funded Signal, which is true. It’s reasonable to ask why the U.S. intelligence apparatus would want to fund projects like Signal and Tor.
Sure but in some cases, the CIA’s and the public’s interests can be aligned. Strong crypto, safe communication, identity hiding proxies are needed for both.
sure, for some definitions of “the public.” during periods for which we have records of CIA activities, the peasants of southeast asia probably would’ve preferred the CIA to be less able to secure identities and communications.
The FUD is that this somehow compromises the integrity of signal.
Depends what you mean by integrity and what you think of Radio Free Asia.
Well, when someone asks on lobste.rs, where they know that the chances of getting a factual answer to this question are zero, you might reasonably think that the question isn’t a straightforward request for a factual answer. What else might it be? FUD and innuendo are among the possibilities.
Personally my first guess for that funding would be someone at the CIA used some money in a way that helped their own performance reviews and maybe got them promotions, without regard to what effect it would have on other people at the CIA or NSA.
“Tasks accomplished this year:
This is a guess, not a factual answer. I’m just assuming that the CIA is no better coordinated than the places where I’ve worked. That people at the CIA will put their own department’s tasks and goals above those of other people in other buildings, just like… I could digress into frustrated rambling here.
so you’re insinuating through innuendo that the only reason they would ask for an open ended opinion on this topic, is to spread FUD
A union election is about to start in the Amazon facility in Bessemer, Alabama. Amazon wanted the election to run on their internal voting system instead of mail-in ballots. The union reps declined because they were suspicious about running a union vote on the company’s own platform for what seems to be like a good reason. Of course Amazon made the same arguments, that their software is secure and anonymous.
The question is, is it legitimate FUD? Because it seems to me, if people are getting on Signal because they are worried about US government monitoring, then it would seem like a legitimate concern that the CIA funded the same software they are trying to use.
Just because it’s FUD doesn’t mean it’s illegitimate. Just like just because it’s a conspiracy theory doesn’t mean there isn’t a conspiracy. I personally think this is a legitimate concern and there is no reason to believe Signal at face value given its history.
Let’s also point out that technically, it’s very easy to shut signal down. Look at the recent outage. Look at the fact they are renting AWS hardware. Even if you don’t believe the FUD, nothing technically about signal seems robust.
How does this apply to signal? Union workers who have consistently been under threat and pressure in the US are completely sane to consider something else. For this argument to make sense then you are just suggesting signal is in direct opposition to the goal of their users. This feels like constructing some strawman.
I disagree that some undocumented donation from a government agency is funding anything. The article Yasha has written is pay walled. Whatever donation they made years ago doesn’t matter as they have created a non-profit and gotten a significant donation from the whatsapp founder.
The argument needs to be stronger than “some government agency gave a donation”.
The union comparison is correct because there is a long history of vulnerable groups being targeted by the US government. Isn’t it sane for the same groups to be suspicious of tech funded by their oppressors?
Are you saying that any organization taking donations from the US government is ultimately working for the US government to do their bidding?
This is inane. How much money was given how many years ago?
Obviously if the USPS funded it, or the national park service, or the NSF, I wouldn’t really be that concerned…
The term FUD is only honestly used to describe disingenuous propagandising. Amazon’s voting software is not widely used FLOSS, unlike Tor and Signal. You are actively spreading FUD by making this misleading comparison.
What if it doesn’t matter if the messages are encrypted. What if the metadata, who talks to who when is what they’re trying to capture? Because getting the rest of the conversation is easy… Simply arrest them and get access to the phone.
I don’t think that a donation from the CIA is sufficient enough reason to worry. However it would have surely been smart for a project like Signal not to accept it, given the clear conflict of interests at play.
Or alternatively that money would’ve enabled a lot of good and may not have come with significant strings - after all, I’m sure the CIA would use Signal too if it met their needs.
Ultimately we just don’t know. That’s what breeds the conspiracy theory. I’m not convinced we’re entitled to an answer, but it is something that could be easily dispelled if the project wanted to.
You underestimate conspiracy theorists’ ability to do mental gymnastics if you think this can be easily dispelled. Look at how insistent mempko is being about factually incorrect assertions about metadata.
Bottom line, historical funding is not evidence of ANYTHING. It’s clear (to me) why the CIA might want something like Signal to exist and be rock solid, but that will never satisfy some who choose to see opportunity for conspiracy.
As far as I know, only contact discovery is in the SGX enclave. Signal themselves made it clear they are working on not knowing who sends messages to who but as far as I know, they aren’t there yet. Am I factually wrong here? I would love to see the evidence. I’m a big boy and can admit when I’m wrong.
Signal set themselves up for a huge uphill battle by insisting on a centralized architecture. They could have gone p2p and would have no idea when people are talking and who they are sending messages to. They decided against that because it’s easier to upgrade the client with shiny new features. In other words they chose ease of development over security.
And you know what? It worked! They are really popular now and have a really nice client.
I think people are more worried about facebook selling their data than US gov wiretapping. The latter happens anyway.
The double ratchet algorithm is also fairly simple, and quite obviously correct. Any student in applied cryptography can examine it and convince themselves there’s nothing fishy there.
I’ll repeat what I said above. What if it doesn’t matter if the messages are encrypted. What if the metadata is what they are trying to capture. Signal knows who is connected and who talks with who, when. Getting the rest of the conversation is easy, just get physical access to the phone.
They don’t.
https://signal.org/blog/sealed-sender/
https://signal.org/bigbrother/eastern-virginia-grand-jury/
“area of ongoing development” means “we have no solution for this yet”
And? They removed a whole class of metadata, pushing an attack from a trivial lookup to the statistical realm. Is your complaint that they haven’t done enough? That the CIA protected you from everyone but them?
I’d love a chat app that advertised itself as “literally only the CIA can read your messages.”
I was responding to /u/Foxboron’s claim that Signal doesn’t know who talks with whom. My understanding is that the IP address logging and traffic correlation can be done by Signal, so they could figure out who talks with whom.
There are solutions for this problem. Examples - Pond by imperialviolet and Vuvuzela. Both hide the fact that you are sending the message. The cost - your device sends data all the time. Most of the time it’s white noise, sometimes it’s an encrypted message. An observer can’t distinguish. Obviously, this does not work on mobile because of power requirements.
Alternatively, you can introduce random delays. This means you are no longer in chat territory - you are operating mailing service.
Anything short of two solutions above makes correlation attacks directed at contact network discovery very doable. And decentralization does not help - it will leak the same or greater amount of metadata, depending on implementation.
In this case I think the attacks are a lot easier than with e.g. Tor because all messages go through Signal’s servers and they know the identity of the recipient.
https://signal.org/blog/sealed-sender/
They know the identity of the recipient, but not the identity of the sender.
There is an argument to be made that by partitioning users into federated servers (or relay nodes, without permanent residence) you partition your anonymity set.
Correct me if I’m wrong but it seems really easy to deduce or guess with high confidence who the sender is, based on the information that Signal servers have access to. For example if you receive a message and reply to it immediately, Signal could get a pretty accurate mapping from your IP address to your identity for that message, no?
If I’m right it’s quite interesting that this blog post is being spread around as evidence that Signal doesn’t know who talks to whom.
I don’t see an argument for that. In this case it seems like your “anonymity set” is the group of people who could plausibly use the same IP address as you at the time you are sending a message, which is quite small if not a group of one.
Yes. Definitely. But that is also true for an attacker who just controls the routers around signal’s servers, which is a cleaner way to attack the network (hard to get caught!).
That would be trying to hide the fact that you are using the communicator.
No. I’m speaking about hiding who is talking to whom. Imagine your server handling a high amount of traffic. And we have a hostile router that can see packets and their destinations, but not packet contents. When the router does a time correlation attack to identify who is talking to whom, the worst thing the server can do is immediately forward messages from sender to receiver. This makes connecting the dots trivial. Now, if multiple pairs of people talk at the same time, the server can introduce a small random delay (let’s say below 1s) between receiving and forwarding to confuse the router. More people talking, more possible permutations there are. AFAIK this method of confusing the observer is not a very good one. I recall seeing papers about de-anonymization of Tor users via capturing and analyzing traffic data for a long period of time. But that is a problem of every low latency communication method. To work around that you would need lots of wasted bandwidth (as in Vuvuzela) or long delays (as in a mixnet).
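As an added illustration of the correlation argument running through the comments above (the constant-rate cover traffic of Pond/Vuvuzela, the random-delay idea, and the claim that immediate forwarding makes linking trivial), here is a toy simulation. It is not code from the thread, from Signal, or from any of the projects named; the workload, the observer, and the three relay policies are all constructed for the example.

```python
"""
Toy model of timing correlation against a message relay.

An observer next to the relay (a hostile router, say) sees which client sent a
packet to the relay and when, and which client the relay sent a packet to and
when, but never the contents. Its strategy is the simplest one: link each
inbound packet to the first outbound packet that follows it.

Three relay policies are compared:
  immediate - forward as soon as the message arrives
  delay     - hold each message for a random time below 1 s
  cover     - every 100 ms send one fixed-size packet to *every* user, real
              or dummy (constant-rate traffic in the style of Vuvuzela/Pond)
All traffic is constructed; nothing here is Signal's real behaviour.
"""
import random
from bisect import bisect_left


def generate_traffic(n_users, n_msgs, rate, rng):
    """Constructed workload: n_msgs messages with Poisson arrivals at
    `rate` messages/s and random (sender, recipient) pairs among n_users."""
    t = 0.0
    msgs = []
    for _ in range(n_msgs):
        t += rng.expovariate(rate)
        sender, recipient = rng.sample(range(n_users), 2)
        msgs.append((t, sender, recipient))
    return msgs


def relay(msgs, policy, n_users, rng, tick=0.1):
    """Return the outbound packets the observer sees, as (time, recipient)."""
    if policy == "immediate":
        out = [(t + 1e-4, r) for t, _, r in msgs]
    elif policy == "delay":
        out = [(t + rng.uniform(0.0, 1.0), r) for t, _, r in msgs]
    elif policy == "cover":
        # Real messages ride the next tick; every user gets a packet every
        # tick regardless, so the observer cannot tell real from dummy.
        horizon = msgs[-1][0] + tick
        out = []
        k = 0
        while k * tick <= horizon:
            out.extend((k * tick, user) for user in range(n_users))
            k += 1
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return sorted(out)


def link_accuracy(msgs, out, rng):
    """Observer: guess that the recipient is whoever the first outbound packet
    at or after the inbound time went to; ties (same timestamp) are broken at
    random. Returns the fraction of messages whose recipient was guessed right."""
    times = [t for t, _ in out]
    hits = 0
    for t_in, _, true_recipient in msgs:
        i = bisect_left(times, t_in)
        if i >= len(out):
            continue
        j = i
        while j + 1 < len(out) and times[j + 1] == times[i]:
            j += 1
        guess = out[rng.randrange(i, j + 1)][1]
        if guess == true_recipient:
            hits += 1
    return hits / len(msgs)


def compare(n_users=10, n_msgs=200, rate=5.0, seed=0):
    """Run the same constructed workload through each policy and report the
    observer's linking accuracy for each."""
    results = {}
    for policy in ("immediate", "delay", "cover"):
        rng = random.Random(seed)          # same traffic for every policy
        msgs = generate_traffic(n_users, n_msgs, rate, rng)
        out = relay(msgs, policy, n_users, rng)
        results[policy] = link_accuracy(msgs, out, rng)
    return results


if __name__ == "__main__":
    for policy, acc in compare().items():
        print(f"{policy:10s} observer links sender->recipient correctly {acc:.0%} of the time")
```

With ten users chatting at five messages per second, immediate forwarding lets the observer link almost every message, a sub-second random delay drops that to roughly one in five (and only because enough other people are talking at the same time), and constant-rate cover traffic reduces the observer to guessing among all users. The cost of each mitigation is visible in the code too: delay adds latency, cover traffic sends a packet to everyone every tick whether or not anything was said.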
I think we are talking about two different things. It’s easier for Signal because for each message they know the IP address of the sender (at the time of sending) and the identity of the recipient. If they can figure out who maps to the IP address for a given message, they know the identity of the sender and the recipient for that message – not just that the sender is using their service.
My real point: you won’t get much in terms of privacy just by distributing servers :-)
probably true, but you do get interface stability and independence
That still means Signal does not know though. You would only get the information with a global adversary which is fairly hard to protect against.
IP (still) does not correlate to a person though.
It’s not even a global adversary. You just need an adversary sitting in AWS. And who is a bigger global adversary than the USA?
are you saying U.S. intelligence funded a project with vulnerabilities that could only be reasonably exploited by a hegemonic adversary? :)
To add to my snarky reply, I don’t think you are right that Signal doesn’t know. If you reply to a message within a few seconds of receiving one, your IP address probably hasn’t changed, so Signal would know your identity as a sender. That’s just one example, and it’s not hard to think of ways that Signal could figure out the sender and receiver in most cases (or at least have a confident guess).
You’ve expressed confidence in Signal’s message encryption. It’s open, well analyzed, and widely used.
You’ve expressed concern about Signal retaining metadata. Your only specific threat of “who talks to who when” has been specifically and repeatedly addressed: https://signal.org/blog/sealed-sender/
Well over a year after that announcement, I looked at their code to see how it worked. It didn’t. It wasn’t on. And I don’t care enough to look again because…
Signal is still strictly more secure than every other major messaging app.
Finally: both the autobahn and the US interstate highway system were national defense projects. Should I be skeptical of them?
Moxie doesn’t like p2p and decentralization. He made an entire talk about that during 36c3 and the recording of that talk was promptly deleted after a wave of backlash and criticism since apparently Moxie didn’t actually agree to have the talk recorded. Edit: I was wrong and posted rumors.
That’s not true. The talk was deleted because Moxie asked for the talk to not be recorded and to not be made public: https://twitter.com/moxie/status/1211427007596154881
Get to work unionizing so you can force Signal to allow third party clients and federation!
I’m of the opinion that Signal becoming mainstream is a success worth celebrating and a huge step forward for mainstream WhatsApp users.
Now it’s up to us techies to fight for and normalize the next frontier. Is it going to be decentralization? No metadata? Less dependence on phone numbers? I don’t know. Only time will tell.
Third party clients.
I typed “signal cli” into a search bar and found several.
Great to know but they all use Signal’s library, so it is somewhat weaker than truly independent clients written based on a protocol spec. I don’t know if Signal takes any measures to prevent third party clients, beyond Moxie saying he “hopes that they will stop.”
And what exactly would you win with that?
You would be able to run Signal on platforms that aren’t either android, iOS or capable of running an electron application well.
Independence of their software implementation and the supply chain (app stores). Presumably getting rid of electron on the desktop? :-)
Sure, this is a nice idea. Very rarely works in practice.
it would make Signal useful and provide inertia for protocol changes
Matrix is not decentralised. I suspect that if users jumped onto it like they are right now with Signal, they would head to one instance and we would experience the same issues.
True decentralisation would be wonderful, but right now it’s not offering what a secure centralised service can, so I have to recommend Signal.
I don’t see why users joining one server because it’s the default in the most common client makes a protocol centralized.
I don’t see silo-to-silo communication as fully decentralised, which is why I said “not decentralised” instead of “centralised”. You are still beholden to a server and client model, where you have to trust the server.
I completely agree with all the trust issues people have with Signal; I think that for most people they don’t go away with Matrix.
Secure Scuttlebutt is perhaps closer to properly decentralized. There are servers (termed “pubs”), but any client can sync via any pub it has access to.
Unfortunately, it’s quite hard on the CPU, and hard to write clients for.
I like ssb but yeah to me it shows that we’re just not quite there yet.
So what if 80% use the most common 2 servers (like with email)? There’s still the option of going elsewhere without burning all bridges:
Everybody can (in principle) set up a server and still communicate with the rest. The hard part here is making that process simple enough that everybody does, but at least it’s possible. With Signal (or Whatsapp, Telegram, Threema) you don’t have that option.
Also there’s work in Matrix-land to distribute the server function (see https://matrix.org/blog/2020/06/02/introducing-p-2-p-matrix/), so the federated system may not be the end of the road.
There are other systems that provide a p2p experience now (such as SSB) but they’re even less mass-marketable than Matrix, and with communication systems, mass market appeal is, sadly, important.
How many bridges were burnt in the move from Whatsapp to Signal? The transition is almost completely seamless. If this is the benefit of federated systems, why would people care when moving between two different centralised services was this easy?
To be clear, I’m not happy with having one person run one server that controls everything. I just haven’t seen anything else that I could give to my non-techie friends and say ‘use this and you won’t notice the difference’. Maybe that’s coming, but for now we have Signal.
Except for those who went for Telegram, Threema or any other platform over Signal. They can either go to Signal too, or they’re cut off.
It’s the duck test. “A protocol walks/quacks like a centralised one if there exists some server that affects most of the chat groups you’re in because at least one member of that group relies on that server.” Disagree if you want, set the threshold where you want, reword the test to be about your correspondents instead of groups, but that’s roughly the argument.
That “test” is not very useful: If your own server goes down, all chat groups you’re in are affected because you’re gone.
For a true peer to peer system with absolutely no coordinating node (no super nodes, no seed nodes, no query services, no NAT penetrating reflection services) I’d still argue that your own system is your server. And guess what: if that goes down, all your groups are affected because at least one of their members (you) relies on that server.
At the very least it makes us think about what it means for a protocol to be centralized or decentralized.
Protocols are super interesting, but the reason we discuss (de)centralization is generally due to issues of power and agency that people experience using technology. So I think to a lot of us the more important question is how the system itself - built on the network, implemented by the protocols - is centralized/federated/decentralized and how that impacts the people that interact with it.
The web is built on a whole stack of decentralized protocols developed in the open, but it’s also more centralized than it’s ever been.
I’m not exactly fond of Matrix but I agree.
FFS, please. I know Signal appeals to some people as the “holy grail”, mainly for Americans who only see FB Messenger, WhatsApp and Discord and completely throw away Telegram on first sight because “muh russian lol”, but idealizing it is not the way to achieve anything. I think it’s even worse, because it slowly gets to the point that Signal is the “ultimate answer to private communication” in public opinion, which it is not.
Unless it’s open (by specification and reference clients using native technologies or being a loadable lib), not intentionally complicated (I see you, Matrix), decentralized (but not silo-to-silo like Mastodon) and maintainable to the point that it could be used for the next 20-30 years from now on and any person who studied the spec could write the client/server.
To be fair, there are more issues with Telegram:
the first bullet point of your “more issues” is literally “muh russians lol.” what is wrong with russians?
Sorry, forgot my “don’t care”. The more important part is “who are they even?”. The founders are known, okay. They’re Russians, big deal.
Are they still driving it? Maybe, maybe not. How could I reach out to them if I need to, e.g. through legal means? Where are they: Dubai, perhaps Paris, Nepal? who knows for sure?
Given the distribution mechanism for their software (including strongly preferred automatic updates), you’re running code by whomever working wherever doing whatever, subject to change whenever. If I want to take things up about some xmpp client developed by hobbyists I have a better chance of getting hold of them.
That’s fair, though it largely applies to Signal and other popular messaging apps.
As per https://signal.org/legal/, Signal’s PO Box is at Privacy Signal Messenger, LLC 650 Castro Street, Suite 120-223 Mountain View, CA 94041, so there’s a legal point of contact, and it’s clear that if push comes to shove, they’re under US jurisdiction.
In contrast, Telegram: Per https://telegram.org/faq#q-do-you-process-data-requests they think they’re very clever by distributing key material across jurisdictions (“The relevant decryption keys are split into parts and are never kept in the same place as the data they protect. As a result, several court orders from different jurisdictions are required to force us to give up any data.”) and my suspicion is that when (not if) some jurisdiction really wants to pierce that veil, there will be a rude awakening because governments generally don’t work that way (compare https://xkcd.com/538/). In the meantime however, they hide from ordinary people.
Telegram’s theory of operation is a cute cyberpunk fantasy, but nothing I intend to support by strengthening their network effect.
Signal strongly prefers automatic updates just like Telegram right?
I guess it is up to the user whether they feel more comfortable using a service under U.S. jurisdiction. I personally don’t see how it helps me that Signal has a consistent legal point of contact in the U.S.
what is intentionally complicated about matrix? I guess doing everything over HTTP?
I don’t understand this sentence. (Though maybe the formatting is/parentheticals are throwing me off.)
The Signal protocol, as I understand it, is specified (https://signal.org/docs/) and there are reference implementations of it. I believe other apps have adopted the same protocol, so there must be some hope of writing a client/server.
You can even run your own server, but it’s a silo just like the official signal server is a silo. Running your own mailserver means you can still talk to users of other mail servers. Signal? No such luck.
I’ve been using signal for years and have gotten several friends and family to use it as well. But the centralization is definitely a concern - the outage on Friday was directly disruptive to me. In fact, I’m right now scheduling an event with some friends over clear text SMS because signal was down on Friday when we first started talking about it. AWS’s behavior with Parler should rightfully make anyone suspicious of the reliability of any platform running on AWS compute power. In any case, because Signal requires a phone number, it never has worked for the important use cases of talking with people online anonymously who don’t already have access to my phone number.
Matrix is a very promising technology (and can interoperate with signal, although I haven’t tried this yet). I will be excited to see the protocol become more mature, and hopefully become something I can recommend to people I know IRL.
Ever since I got rid (or actually lost) my smartphone, I’ve been unable to use Signal, and I’ve begun to realize that what I really want isn’t primarily privacy – I just want accessible instant messaging. I really miss the days when Google Talk and Facebook were connected to XMPP.
Horrible, horrible article.
What user freedoms are being trampled? Author does not seem to specify any.
Serious accusation. Completely unfounded one. Two points are made. First, that backdooring the server would achieve something. Hint, it would not. E2E is exactly for that. Contact list crosschecking is being done inside SGX enclave, and clients are validating if SGX enclave is running particular version of code. What would server backdooring achieve? Author is clueless. Second accusation. “You are telling me it’s undergone no changes?” For half a year? On a platform where almost everything happens client-side? Server just shuffles cryptotext around. Nothing to see here.
Two come to mind: Freedom to distribute software, e.g. in the F-Droid store, even if this means that not everyone has the newest version. Freedom to use my own server, instead of trusting someone else, at the conscious expense of my security.
You can distribute the software in the F-Droid store. You can’t use their trademark (the name signal) or servers while doing it.
You also can run your own server with your own build of the app in the F-Droid store.
Presumably what you want is to use the network they’ve built with your own client. I agree that would be nice-to-have, but AFAIK not even Stallman wants OSS licensing to require it.
I can distribute, but I can’t actually cause people to use it. Like spam filters: I can send my email all right, it’s getting it received that’s more problematic. I can run my own server, but it won’t talk to the official one. It has to be a separate network, that, understandably, nobody will use.
So yes, using their network with different clients would be very nice.
Ad hominem much? Seriously, it hurts any argument you’re trying to make.
The problem they allude to is that we have to trust that moxie is running the server code that he claims to run. It does seem suspicious that the server code has seen 0 changes in almost 1 year.
People like to point out that signal has e2ee, and that the server doesn’t have to be trusted, but they (conveniently?) forget that signal collects a fair amount of information from users (phone numbers, contacts, other meta data), and has the potential to collect a lot more on the server side.
Could you expand more on that? If I’m sending my contact list to a Signal server for crosschecking, how can I trust that server to keep the list private?
Signal’s own description of the problem and what they are doing with it: https://signal.org/blog/private-contact-discovery/
SGX page: https://en.wikipedia.org/wiki/Software_Guard_Extensions
Long story short: it’s guaranteed by Intel. It’s a piece of the processor that the user can load with code, lock and burn the key. Metaphorically, since there was never a key. Next, an external application can talk to an https server running from the enclave, and validate the enclave’s claims about the code that it runs with help from Intel’s service.
This tech has its limitations: it’s still buggy, exploits are published every year, but it will mature some day. It also has some limitations in its threat model: it does not cover de-capping and RAM page replay attacks.
The problem still exists, you have to trust that they are doing what they say they do, and since it’s 100% centralized you have no way of knowing for certain that the server code they are running is what they say they run. And you can’t run it yourself since moxie is 110% hostile towards any sort of decentralization of his baby.
The server code is able to send a verification code derived from Intel’s private key, the current time, and the hash of the built server code.
In order to do that, they’ve either A) somehow gotten hold of Intel’s private SGX key, B) successfully used an SGX bypass, or C) run code with a hash matching the one they’ve published, which comes from a reproducible build.
I think that list is roughly in order of least to most likely.
I’d say an SGX bypass is more likely than any other. Intel’s opsec regarding their keys was flawless so far, hash collisions are hard (I think SGX uses SHA256 which is still unbroken in the general case?), but SGX and every other bolt-on “security” technology that Intel implemented since protected mode has been an utter disaster.
You’re trusting Intel OR Signal. That’s the whole point of SGX. A successful attack means they have to conspire together.
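To make the attestation step described in the comments above concrete (a verification code bound to Intel’s key, the current time, and the hash of the built server code, checked by the client against the published reproducible build), here is an added, deliberately simplified model. It is not Signal’s or Intel’s code: a SHA-256 of a constructed enclave binary stands in for the SGX measurement, and an HMAC under a constructed key stands in for Intel’s signature (real attestation uses an asymmetric signature so that only Intel can issue quotes; here the verifier necessarily shares the key). The function names, the quote layout, the nonce and the freshness window are all assumptions of the example.

```python
"""
Toy model of enclave remote attestation as discussed in the thread.

Honest attestation service: signs (measurement, client nonce, time).
Client: accepts the enclave only if the quote is signed, fresh, bound to
its own nonce, and names the measurement of the build it can reproduce.
Everything here (key, binaries, layout) is constructed for illustration.
"""
import hashlib
import hmac
import time

# Placeholder for the attestation service's signing key (hypothetical).
ATTESTATION_KEY = b"constructed-attestation-service-key"


def measure(enclave_code: bytes) -> str:
    """Stand-in for the enclave measurement: a hash of the loaded code."""
    return hashlib.sha256(enclave_code).hexdigest()


def _payload(measurement: str, nonce_hex: str, timestamp: int) -> bytes:
    return f"{measurement}|{nonce_hex}|{timestamp}".encode()


def issue_quote(enclave_code: bytes, nonce: bytes, now=None) -> dict:
    """What the honest attestation service returns for a running enclave.
    It measures the code actually loaded; it does not take the operator's
    word for it."""
    measurement = measure(enclave_code)
    timestamp = int(time.time() if now is None else now)
    tag = hmac.new(ATTESTATION_KEY,
                   _payload(measurement, nonce.hex(), timestamp),
                   hashlib.sha256).hexdigest()
    return {"measurement": measurement, "nonce": nonce.hex(),
            "timestamp": timestamp, "tag": tag}


def verify_quote(quote: dict, expected_measurement: str, nonce: bytes,
                 now: int, max_age: int = 300):
    """Client-side check. Returns (ok, reason). Order matters: the signature
    is checked before any field is trusted."""
    expected_tag = hmac.new(
        ATTESTATION_KEY,
        _payload(quote["measurement"], quote["nonce"], quote["timestamp"]),
        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, quote["tag"]):
        return False, "bad signature"
    if quote["nonce"] != nonce.hex():
        return False, "nonce mismatch (replayed quote)"
    if not 0 <= now - quote["timestamp"] <= max_age:
        return False, "stale"
    if quote["measurement"] != expected_measurement:
        return False, "unexpected enclave code"
    return True, "ok"


def demo():
    """Walk through the honest case and the failure modes a client must catch."""
    published_build = b"enclave-server-v1 (constructed reproducible build)"
    expected = measure(published_build)          # client rebuilt and hashed it
    nonce = bytes([7] * 16)                      # client's fresh challenge
    results = {}

    honest = issue_quote(published_build, nonce, now=1000)
    results["honest"] = verify_quote(honest, expected, nonce, now=1010)

    # Operator runs modified server code: the service measures what is
    # actually loaded, so the measurement no longer matches the build.
    modified = issue_quote(published_build + b" + silent change", nonce, now=1000)
    results["modified_code"] = verify_quote(modified, expected, nonce, now=1010)

    # An old, genuine quote replayed against a new challenge.
    results["replay"] = verify_quote(honest, expected, bytes([9] * 16), now=1010)

    # A genuine quote presented long after it was issued.
    results["stale"] = verify_quote(honest, expected, nonce, now=5000)

    # Quote whose measurement field was edited after signing.
    forged = dict(honest, measurement=expected)
    forged["measurement"] = measure(b"something else")
    results["tampered"] = verify_quote(forged, expected, nonce, now=1010)
    return results


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:14s} accepted={ok} ({why})")
```

The split of trust is the point the last comment makes: the operator cannot produce an accepted quote for modified code without either the signing key or a measurement mismatch the client notices, and the client only needs the published build to compute `expected` itself.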
What about GNU Jami? It’s a truly decentralized messaging system based on OpenDHT.
I’d never heard of Jami before! Definitely looks interesting. Have you tried it? What has been your experience with it?
I have installed, but I don’t have anyone to chat with. I tried to chat between my phone and my PC, but it’s just a test.
Anyway, I think the technology is quite interesting and promising.
I’ve just created a user with the name munksgaard. Feel free to contact me on there, I’m curious to try it out.
I’ve just contacted you in Danish. :)
Takeaway:
Jami — formerly Ring — is distributed and E2E encrypted, and you can link several devices to one account.
However, while text messages sent from contacts are echoed to every device, my own messages only appear on the device from where it was sent. This is a highly frustrating experience.
Also, Jami does not support groups yet.
If the latter two issues were fixed, I would probably prefer Jami to both Signal and Telegram when I ditch WhatsApp soon.
Why is E2E encrypted XMPP not mentioned?
Because the author wanted to moan about something that is actually currently pretty good, not to provide a conclusive and valid assessment. Just yet another opinion piece, that’s all.
Because XMPP has multiple, incompatible, standards for doing end to end encryption (and for sharing vCard info, and for avatars, and for sending pictures, and for video calling) and the odds of two clients implementing the same one are pretty small. On top of that, none of the XMPP protocols has a good story for distributing decryption keys between clients and so there’s a good chance that you’ll have some messages that are viewable on one of your devices but not others.
I was actively involved in XMPP back during its initial IETF standards process but the standard ballooned into a load of XEPs with no reference implementation and many of them (e.g. PEP, on which a load of other XEPs were based) sat for years without a client or server implementation. Setting the bar of either one permissively licensed client and server implementation or two interoperable implementations of each (client and server) would have done a lot for that ecosystem.
is Conversations E2E encrypted?
Conversations supports OMEMO (as do Chat Secure, Monal, Gajim, Converse.js, and many others), so when set up, yes.
tangential but do you know if Conversations is interoperable with AstraChat? Or any other iOS client?
Yes. On iOS I would recommend Siskin. When used in conjunction with a Siskin server it reportedly supports the latest iOS push requirements.
I don’t know AstraChat. I recommend Monal (although I don’t use iOS myself, but there are Monal-using people in my peer group). They are interoperable incl. OMEMO.
Contrary to popular opinion, Matrix in general does not use the double ratchet algorithm, except for initializing its megolm algorithm, which is quite different. See https://blog.soykaf.com/post/encryption/
What worries me is that, basically, there is no real solution to messaging right now. So anything I might choose and decide to recommend is me betting that it take a bad turn. But at the same time, I can’t betray people’s trust all the time by saying X was bad, Y is better (for now). And putting it as it is, “X appears to be good enough for now” doesn’t sound confident enough to motivate friends into switching. So all that is left between alarmism and realism appears to be cynically advocating for something like Signal, not because it is the best, but because it is the most probable to disrupt the current landscape held together by the network effect. Until then, you can just hope that there will be a proper solution, i.e. something secure, with a specification and without dependence on a single organization.
Maybe it’s time to start wondering whether a decentralized or multi-organizational tool is actually worse. So far, any attempt at them has not worked and the outlook is not good.
What is a “real” solution? Something with a spec and decentralized, as the quote earlier suggests?
I posit that any messaging system will require the network effect. Making a good protocol, for example, is not nearly enough.
The advantage of a non-centralized network is that there is no central point of failure, neither technical nor social, which I think is important. But of course, it is more difficult to implement, which I believe is the reason why attempts at this have historically been worse. I’m cautiously optimistic about Matrix though.
To oversimplify: Something that isn’t a compromise.
Conversely, weakening the network effect of already existing networks makes it easier for newer solutions to compete.
I would totally prefer to build on top of an incentive-aligned protocol enabling secure and cheap communication. Signal is not that.
But bitching about some fringe theoretical gripes of technical folk at the moment when alphabet-soup groups syphon out all the communication data.. it’s just shortsighted. Signal is a tool ready for mass consumption. Alternatives are really not even close. Including everything Matrix and XMPP.
Nobody here mentioned that Signal itself was originally funded by the CIA spin off Radio Free Asia. So there is some good reason to be conspiratorial as the OP said in the post. How do we know it isn’t backdoored?
I wouldn’t trust any messaging system that isn’t P2P for privacy. I may be a bit biased (I wrote Firestr http://firestr.com) and can say pretty confidently that nobody funded me. I did it out of passion for privacy after the Snowden leaks. There is no central repository of users. I have no idea who is using it and where and it’s easy to hack on imo. Also it does more than just send messages. I use it every day but haven’t developed it actively in years because there is no funding or interest in p2p anymore. I have a day job that takes all of my time. It’s a shame really.
I wish p2p tech was pushed forward more, but we now have centralized messaging apps like Signal, WhatsApp, Telegram, Matrix, and it makes me really sad.
Element.io mobile/desktop apps and EMS for self-hosting (utilizing Matrix.org under hood) provide a compelling open source and self-hosted alternative, IMO. Still some rough edges to work out, but a good start. Unfortunately it requires one person shelling out some time or cash for a homeserver on behalf of one’s friends, or relying on the shared services that are floating out there.
(Only for programmers, though. For “normies” I’d still recommend Signal or WhatsApp.)
Speaking of which… What’s wrong with good old fashioned IRC? Yes I know the user experience isn’t there and no, it’s not e2e encrypted. But it is federated and decentralised. I run my own private server for my family. I know Matrix is doing great work, but IMHO the scope is too large and honestly I’ve tried to spin up a server of my own and it was just all too hard.
Here are some cons of IRC off the top of my head
Pre-emptive rebuttals:
Yeah these are good points and quite valid. The problem I find with any new alternatives is they are “hard”, I mean hard to set up, hard to operationalize. Example: setting up a Matrix server, I gave up and I write software for a living. Why can’t we have something with the ease of, say, setting up an IRC server, with the security/privacy of, say, Signal and the feature set of, say, Slack? Is it so much to ask? If I could run my own Signal server today (for example) and my friends/family/colleagues/whatever could reach me via my own server without them having to know or care, that would be awesome :D
Agreed. Part of the problem is that mobile devices aren’t set up to keep persistent connections, which is somewhat fundamentally disharmonious with IRC’s design.
How so? SSL (granted not E2E, but that’s only relevant for the first party i.e. the server) is supported by most servers; and you can disallow non-SSL users from joining a given channel.
I don’t find any of these particularly compelling features.
I’m just a user of IRC and have only ever been granted op status, so I don’t know how much access the server operator has. Can they view DMs, for example? Are there provisions for mandating stuff like 2FA for server ops? If not, it feels trivial to me for an attacker to impersonate the server owner and get elevated access.
How can I be sure that the server software hasn’t been tampered with and is reading everything in plaintext after people logon using SSL?
You might not, but I do, after using “mainstream” chat apps for a while. Multiline is a nice affordance. Being able to “like” someone’s comment is a good semi-out-of-band way to signal agreement or ack without messing up the timeline. People looooove emojis.
I’ve been on IRC basically daily since 2003. It’s my favorite way to chat. But I’m under no illusion that it’s going to be a compelling product for someone who is not used to it.
That depends entirely on the server implementation; this isn’t standardised.
I don’t know what the popular implementations do, but I would be very surprised if they allowed server ops to snoop on private messages. Obviously you have to trust that your server operator isn’t doing anything untoward, but assuming you do, I think you can have reasonable confidence that they’ve taken reasonable precautions against such eventualities.
Thanks for expanding.
I basically treat everything I type on IRC as essentially cleartext.
The way IRC is deployed these days it is actually neither. When you run your own IRC server and connect your client to it you cannot join rooms on, eg, freenode. When you connect your client to the freenode servers you cannot join rooms on other IRC networks. It acts as a centralized system just like Signal.
I know the IRC vision was a single, global decentralized network, but because of the nature of security and trust on the Internet these days it can’t quite achieve that and we’re left with separate silo’d networks.
XMPP was created to fix this problem and in general be a “better IRC”. These days it goes far beyond just that of course. You can even join IRC rooms via public bridges like irc.cheogram.com (which I run and use for all my IRC these days. It’s like using a bouncer that talks to my Jabber server instead of to my IRC client).
If you are concerned about the privacy of metadata in an E2EE messenger, the Cwtch project over at OpenPrivacy might be of interest.
I am also concerned about the centralized aspect of Signal, but I do believe this massive adoption of Signal from the public is really great. On one hand because Signal seems much better than Whatsapp — just looking at the business model is sufficient imo — and on the other hand because these questions about privacy start to become mainstream, which will hopefully push the debate on the political side.
Matrix/Element has strong good points w.r.t. privacy, but it is not really equivalent to Signal; it is much more like some Discords. Also, as raised by others, it requires someone to set up a homeserver and throw some money and time at it, which is clearly not at everyone’s fingertips.
olvid.io / made by actual cryptographers / fully encrypted metadata (really) / verified E2E at the initialization of the conversation / no contact list sent / soon opensourced / made in EU.
NB: I’m not working there.
Looks like it’s a company with a for profit offering, why put your future in their hands? https://www.olvid.io/enterprise/en/#pricing
it sounds a bit dramatic, “my future” :)
Why would I put “my future” in the hands of Signal? Telegram? Berty? Session? or foobarBozoSecureMessenger :)
Sadly, our entire landscape is “for profit”, our phones are “for profit”, our computers are “for profit” and this is where the messenger runs.
I want alternatives, I’m happy to see them in EU (where I live) outside US or outside China, Russia where we have slightly stronger privacy protecting laws.
I don’t want to send my contact list to access a service and I don’t need to see who’s using the app. I want to see competitors that actually have provable, verified end-to-end cryptography at communication channel establishment, not just if/when you verify your peer by checking fingerprints or scanning the QR codes; it helps improve the “landscape”.
Luckily, I’ve met one of the cryptographers behind olvid back when he was a PhD student in Vaudenay’s lab and trust his (and his peers’) skills more than SV personality cults & stories, and I guess not everybody has a revenge (just a guess) driven billionaire friend to fund a competing “product” :)
I don’t mind paying/betting on a product that works and rewarding people that did a great job, taking risks and trying to innovate and propose something different. I am also fine with open, federated, community-based services like IRC.
Maybe some interoperability would be nice, but haha utopia.. :)
Yeah I might be wrong, it’s just my nobody’s choice, btw here are olvid crypto specs:
Cheers :)