2
What's the deal with Signal? (discuss.tchncs.de)
submitted 1 year ago* (last edited 1 year ago) by LGTM@discuss.tchncs.de to c/nostupidquestions@lemmy.world
13 comments fedilink hide all child comments

I don't know if I'm opening a can of worms here, and I'm still trying to backtrack a lot of history where I was tuning everything out. I keep seeing random swipes at Signal (or the representatives (?)), and I was wondering whether they are founded or just lies.Is it another situation like Lemmy where we just "take the technology and move on"? Thanks!

top 13 comments
sorted by: hot top controversial new old
[-] salarua@sopuli.xyz 2 points 1 year ago

Different people don't like it for different reasons. Some people don't like it because they think it has CIA financial backing (nope), and some people don't like it because it requires your phone number, therefore it is not private (the privacy it provides is more than sufficient for anyone not actively being persecuted by a Five Eyes state), and some people don't like it because it feels corporate (it's a 501c3 nonprofit, and how corporate it feels is subjective).

[-] adespoton@lemmy.ca 1 points 1 year ago

And some people don’t like it because it used to handle SMS on Android, and they removed that feature for security reasons.

[-] wildbus8979@sh.itjust.works 0 points 1 year ago* (last edited 1 year ago)

I don't think I've ever seen people say it has CIA financial backing. It did however until only a couple of years ago have strong ties to the State Department's Open Tech Fund (from the same financial envelope that brings you RFA/RFE/VOA).

[-] WolfLink@sh.itjust.works 1 points 1 year ago

Signal is an open-source privacy-focused end-to-end encrypted texting platform (so competing with SMS, WhatsApp, iMessage, Telegram, and similar). It’s developed by a donation-funded non-profit organization.

Signal is quite good compared to the competition, but it faces a lot of scrutiny because they make big promises about privacy and security so the people who care will really get into the details on that. Also IIRC there was a period when one of their competitors was trying to slander them more or less.

In general there’s nothing wrong with Signal and it’s quite a good option. If you really care about the privacy details you can always host your own instance (but that would require you to convince your friends to use your instance … it’s not federated).

[-] muntedcrocodile@lemm.ee 0 points 1 year ago

Hey signal is better than most of the mainstream bs. I use it myself and I'm confident that the messages themselves are secure. However, it had issues.

Since we cannot verify the software they run on the server is the software that is open source then we must assume it is not.

We know for a majority of cases a phone number = a real identity. Signal implements sealed sender but since signal is a centralised point they can correlate the sealed sender extraordinarily easily. We must therefore assume signal knows when and who is communicating (We can verify they don't know what is being said) this therefore means signal could theoretically have a full social graph of real identities for every singe user.

This is of course after we remember signal received funding from BBG which is an organisation funded by the us government purely for the purpose of promoting american propaganda.

Also I believe they used to have federation but all evidence of this seems to have been wiped from the internet.

Signal can either adapt and prove themselves with more than a "trust me bro" or they can die. Just cos they are better than the alternatives does not mean we should not demand better.

[-] zergtoshi@lemmy.world 0 points 1 year ago

If they encrypt meta data like they say they do (https://signal.org/blog/signal-is-expensive/), it should be very hard to use meta data the way you explained.
Whether they do can be looked up here (https://github.com/signalapp) by those who know what to look for.
As Signal uses reproducible builds (https://signal.org/blog/reproducible-android/), itcan be verified that the builds are made from the public source code.
They make offering a secure and trustable app a lot better (by being verifyable) than other messengers.

[-] muntedcrocodile@lemm.ee 0 points 1 year ago

The point is we cannot trust they run the software they claim to run. Identifying a sender despite sealed sender is trivial if u have a centralised server.

Say I am the signal server and all the clients run the known/provable secure clients that are used. I as the signal server an subject to wiretap and gag orders so I can be obligated to run software that is not the published server software and into tell anyone. As a server I by definition have everyone's IP address. A message with signal protocol has a sealed sender and a known identity recipient. As the signal server I can see when u send a message and from what IP and to which identity and what ip that identity is. I can then simply associate IPs and identities.

I trust the app I cannot trust the server. A reproducible build does not prove anything about the server it only proves the client.

[-] zergtoshi@lemmy.world 0 points 1 year ago

Sure. If you want full control, you need to run your own server.
Matrix crosses my mind.
But using that is a different animal than installing an app from a store.
As far as security when communicating conveniently on mobile phone goes, Signal does a pretty good job. But you're right that it's important to realize what's possible and what's not possible.

[-] muntedcrocodile@lemm.ee 0 points 1 year ago

I use signal for communicating with normies who just wanna download an app. Just cos signal is better than most doesn't mean we shouldn't demand better. Why can't we have both? With self hosted federated signal servers and no phone number requirement we can have our cake and eat it.

[-] zeca@lemmy.eco.br 0 points 1 year ago

If we have a federated messager that some people self host, would that actually be more secure? i dont know much about how federation works, but i imagine that an intelligence agency could make an instance that would federate to the others, listen to the metadata of the exchanges in the network and rebuild a social graph like a centralized server could. Is this a non-issue?

[-] muntedcrocodile@lemm.ee 0 points 1 year ago

Its actually less of an issue with federation. The way most federation works is that messages are only exchanged with servers that have a relevant party, ie if I'm on instance a and ur on instance b then our messages are only exchanged between instance a and b instance c would have no idea about any of it.

Its even better than that because with sealed sender the recipient server will know that u have received a message and from what instance but not which user on the instance.

[-] PapstJL4U@lemmy.world 0 points 1 year ago

instances are severs - you now have two servers you need to trust.

The average person has no own server.

[-] muntedcrocodile@lemm.ee 1 points 1 year ago

The point of any secure system is that u shouldn't need to trust the server. If signal federated it makes the capability for any single server to collate data across all instances significantly harder.

this post was submitted on 30 Jan 2025
2 points (100.0% liked)

No Stupid Questions

47148 readers
129 users here now

No such thing. Ask away!

!nostupidquestions is a community dedicated to being helpful and answering each others' questions on various topics.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)

Rule 1- All posts must be legitimate questions. All post titles must include a question.

All posts must be legitimate questions, and all post titles must include a question. Questions that are joke or trolling questions, memes, song lyrics as title, etc. are not allowed here. See Rule 6 for all exceptions.

Rule 2- Your question subject cannot be illegal or NSFW material.

Your question subject cannot be illegal or NSFW material. You will be warned first, banned second.

Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.

Rule 4- No self promotion or upvote-farming of any kind.

That's it.

Rule 5- No baiting or sealioning or promoting an agenda.

Questions which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.

Rule 6- Regarding META posts and joke questions.

Provided it is about the community itself, you may post non-question posts using the [META] tag on your post title.

On fridays, you are allowed to post meme and troll questions, on the condition that it's in text format only, and conforms with our other rules. These posts MUST include the [NSQ Friday] tag in their title.

If you post a serious question on friday and are looking only for legitimate answers, then please include the [Serious] tag on your post. Irrelevant replies will then be removed by moderators.

Rule 7- You can't intentionally annoy, mock, or harass other members.

If you intentionally annoy, mock, harass, or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.

Rule 8- All comments should try to stay relevant to their parent content.

Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.

Rule 10- Majority of bots aren't allowed to participate here. This includes using AI responses and summaries.

Credits

Our breathtaking icon was bestowed upon us by @Cevilia!

The greatest banner of all time: by @TheOneWithTheHair!

founded 2 years ago
MODERATORS
L3s@lemmy.world
technopagan@lemmy.world
jeffw@lemmy.world
L3s@hackingne.ws
L4s@lemmy.world