Session: An open-source private messenger that doesn’t need your phone number (itsfoss.com)
91 points by webmobdev on March 7, 2020 | hide | past | favorite | 57 comments



Signal without phone numbers built on blockchain technology and with its own crypto currency? I think I'll stick to Signal.


Signal depends on play services on android. I keep reading here that signal is secure and we should all switch to that, but I just can't get over the fact that it works only if you effectively give root to google on your phone. I cannot take Signal seriously when it tells me it is secure, but has that requirement.


They offer an app version on their website that does not depend on play services¹. I've been using it on a "google free" lineageos for quite a while (years?) and it works very well.

[1] https://signal.org/android/apk/


My device runs Android without Google Play Services. Signal has often presented a feature to use its own HTTP WebSocket notification services after I freshly upgrade my phone by re-installing an upgraded ROM. It's not specific to any release of Signal, it just happens when it doesn't detect Google Play Services. There is a process to correct this and make it use microG which is much easier on battery life. microG still connects to Google's notification services, but there is no Google malware on the device. From what I can tell, Signal only uses Google's services to "wake up" the connection to Signal to check for new messages.


I might give Android another try seeing iPhones have also started growing faster than my palm. But I don’t see any sanely sized phones for which there’s a zero friction google-free Android migration available with at least 3-4 years of support.


The app (Signal) works just fine on my Android even when I kill Google Play Services, firewall-block them, disallow them from "touching" anything. The only annoying thing is that all alerts/notifications pass via Google Play Services, and you won't "see" the new messages unless you fire up the Signal (or any other) application.


If I remember correctly, Signal can do push notifications without Google Play Services (using websockets), but it will only do it if Play Services are not present on your device. So by blocking them but leaving them installed, you've put yourself into the very small category where notifications will not work.


Yeah, or Telegram. Telegram is not even end-to-end encrypted by default, you need to open a secret chat, which of course is not supported on PC!

Wire is lame, too, it stopped supporting older Android versions, so I cannot use it on my ~3-year-old phone. I will no longer be vouching for them, they have done nothing but make it worse through many different ways.


Signal has worked without play services for a good while now.


It's not a cryptocurrency. It's a private blockchain. As I understand it, it incentivises nodes to play nice.

Signal's requirement for phone numbers is an absolute red flag for me. And using contact lists seems insane.

I've been playing with it a little, using the Linux app, and it was extremely intuitive.

But then, I only chat with people who I know online via other channels. With zero meatspace involvement. So if I care, I can cross authenticate. Using GnuPG even.

I'm 0525c5ba8a4bc6fc6f107b637b5107b6b7abfd1153ea042b5e9fe474acb5d9cf35 if y'all would like to chat.


I also find Signal’s phone requirement a red flag but that string (guess it’s random, isn’t it?) is anything but intuitive.


I suspect that it's a hash. But of what, I don't know. There's a seed phrase for the "account".


If I have to provide my phone number I'll stick with SMS.


This is like not wearing your seatbelt so you can escape faster if you're in a crash.


It's more like if any new car has your full name, address and phone number clearly written on every side, that you prefer to keep driving your current car which does not have those "features".


No.

It is not giving my phone number to an entity I don't trust.

I don't trust anyone/thing that asks for my phone number without a valid reason. Signal does not have a valid reason. And in the context of privacy that makes signal borderline fraudulent.

Even further, signal uniquely gives facebook and linkedin et al. my contact graph. Why? Because it relies on the contact list. Chances that anyone I'm talking to over signal also has facebook/linkedin/... is rather great.

Even facebook is better in this regard since you don't have to have a phone number to create a facebook account.


I regret using fraudulent. I admit signal has things going for it. But the use of phone numbers makes it utterly irrelevant in my eyes.

Doesn't matter if it's the best thing ever, I could not possibly care less about it. Which is a shame because I want to.


> Signal does not have a valid reason.

It makes it easier to discover from your contacts who already uses Signal by having the phone number tied to a Signal account.

I'd prefer if using a phone number with Signal was optional.


That is a valid reason for having it as an option. Not to force it.


Signal is actively working on removing the phone number requirement. It's a hard identity problem.


I don't get how it's a hard problem. For many years we got by without using phone numbers as identifiers to communicate online. Why not usernames? Or any other one of the myriad of phone number alternatives?


Signal's developers don't want to store contact lists on their servers because of their concerns about privacy. They also worry about ease of use for non-technical users.

Their solution is to use the end user's address book as a contact list with users' phone numbers acting as identifiers. The identifiers are mapped to endpoints with some method that is supposed to protect the end user's privacy.

The app could encrypt a list of usernames and store it on a server, but that would affect usability for non-technical users.


It could store usernames locally on the phone and use the same method to pseudonymize them. It seems to me that Signal devs just have a strong preference for the convenience of using phone numbers.

That's okay, but does not make the change hard to make.
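The two comments above describe contact discovery as "identifiers mapped to endpoints with some method that is supposed to protect the end user's privacy", and propose applying the same pseudonymization to usernames. The added example below (not code from the thread, Signal or Session) models that exchange with a truncated SHA-256 pseudonym, and then shows the caveat a reviewer would raise: hashing alone protects an identifier only as well as the size of the space it is drawn from, which is the practical difference between a closed numbering range and a free-form username. All identifiers and endpoints are constructed sample data.

```python
import hashlib
from typing import Dict, Iterable, List, Optional

# Constructed sample data: the server's registered users and one client's address book.
REGISTERED = {"+15550001234": "endpoint-a", "+15550005678": "endpoint-b"}
ADDRESS_BOOK = ["+15550001234", "+15550009999", "alice_on_session"]


def pseudonymize(identifier: str) -> str:
    """Client-side pseudonym: truncated SHA-256 of the identifier, so the raw value
    itself is never transmitted. Works identically for phone numbers and usernames."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()[:16]


def server_index(registered: Dict[str, str]) -> Dict[str, str]:
    """Server-side table: pseudonym -> endpoint, built once from registered identifiers."""
    return {pseudonymize(ident): endpoint for ident, endpoint in registered.items()}


def discover(address_book: List[str], index: Dict[str, str]) -> Dict[str, str]:
    """The discovery round trip: the client submits only pseudonyms, the server
    answers with endpoints for the ones it recognises. Unmatched entries reveal
    nothing to the client about who else is registered."""
    query = [pseudonymize(contact) for contact in address_book]
    return {p: index[p] for p in query if p in index}


def recover_from_candidates(pseudonym: str, candidates: Iterable[str]) -> Optional[str]:
    """The caveat: whoever holds the pseudonym (the server, or anyone who obtains
    the query) can test it against every identifier in a small, enumerable space.
    A 4-digit block of numbers is 10,000 hashes; a free-form username has no such
    closed list, so the same pseudonym gives the holder nothing to enumerate."""
    for candidate in candidates:
        if pseudonymize(candidate) == pseudonym:
            return candidate
    return None


def numbering_block(prefix: str, digits: int) -> Iterable[str]:
    """Enumerate a constructed numbering block, e.g. +1555000 followed by 4 digits."""
    return (f"{prefix}{n:0{digits}d}" for n in range(10 ** digits))
```

Running `discover(ADDRESS_BOOK, server_index(REGISTERED))` matches only the one registered contact; feeding the pseudonym of the unregistered number to `recover_from_candidates` over `numbering_block("+1555000", 4)` recovers it, while the username's pseudonym is not recoverable from that list.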


They already have the solution and you’ve mentioned it.


Because you downgrade identity that way. With phone numbers you know it has to be connected to a physical device and most of the time a person.

With generic usernames you have nothing. This practically means you have to do some sort of identity verification in meatspace beforehand.


Why do you need to know anything about identity? The only important question is whether you control the keys used to initially register that identity.

There's potentially value in having the option to link two identifiers together, so that people can find you on Signal via phone number or email address. But only as an option.


Because you want to know who you're talking to. Generally, the mass market uses phone numbers or email addresses to 'find' and 'identify' each other.


I find usernames much more convenient. The only time a phone number is useful is when it is already in my contact list. But this assumes that on first contact people still exchange phone numbers. I stopped giving out my phone number years ago. When I meet someone, I give them my username on the communication service that we both choose. The phone number adds absolutely no value here. On the contrary, my username is easier to remember than any number. You don't even need to write it down.


>With phone numbers you know it has to be connected to a physical device and most of the time a person.

That's not true. TextNow, and I'm sure others, will just give you a phone number through their app from whatever location you want that you can change nearly at any time. You can use it from a web browser, it doesn't need to be tied to a phone or anything else.

I've personally used it responding to ads and things I'd rather not give my actual number for and a friend of mine used it on a phone for a year or so as their personal phone number when they couldn't afford to pay for regular phone service. That friend actually used one of those numbers to authenticate some other messaging service.


Just because it's attached to TextNow doesn't mean it's not attached anywhere. But yes, things like number-as-ID or email based identity is flawed and has been manipulated and abused plenty of times.

I'm not saying identity is a must or that it's either good or bad, I'm saying that that is what the market is like right now and removing it causes people to see it as a downgrade.

Also, depending on your jurisdiction it might be illegal to provide a number that isn't yours (varying from spam laws to identity theft), just as it might violate the EULA and suspend service from whoever wanted that number in the first place.

Generally, if you want to circumvent doxing yourself there are plenty of methods, but we're talking about mass-market here. The rest uses Jabber with OTR or some form of the signal protocol or maybe plain PGP/GPG crypto. But if we go down the rabbit hole of niches we would have a completely different context to work from.


>I'm saying that that is what the market is like right now and removing it causes people to see it as a downgrade.

The market's only like that because there's a lack of alternatives. 'The market' isn't an abstract entity that came into existence out of nowhere. Companies make the choice to provide only that option, people never chose this.

Removing the ability to chat with people using a username and password is the downgrade; that existed long before SMS and phone verification and tying those services to what is essentially an ephemeral number not ever actually owned by you, but by the company that provides it.

There's plenty of places in the world where having a consistent phone number isn't really the norm. I've got friends I've saved multiple phone numbers for because they signed up to this or that messenger with different phone numbers.

Phone numbers are useless as an identification method.

I pointed this out in another comment, but because whatsapp and signal use this system, there are random people in my contacts list, whose profile pictures and status updates I can see, but I have no idea who they are because the people that used to have those phone numbers no longer have them and they were reassigned to someone else.


So we didn't do this back in the day of ICQ? Or any IRC/telnet chats? Or emails?


We did, but then we upgraded to (semi-)fixed identities using phone numbers. And losing something that was perceived as a gained feature is much harder.


> you have to do some sort of identity verification in meatspace beforehand

In fact they still recommend doing a physical verification by comparing the safety number.


That would be a huge step forward, and would make me seriously reconsider Signal. I know this would create the identification problem in contexts where one actually wants to give proof of his/her identity by pairing the client to a personal piece of hardware, but I believe/hope there are better ways to accomplish this without tying the account to a phone number (==cellphone). Also, old netbooks can be purchased literally for the cost of a pizza at flea markets, and they're much much better platforms for building secure communications terminals; a lot more reliable and trustworthy than cellphones and tablets with their closed operating systems.


Skype uses Signal protocol and allows call records deletion. AFAICR an email address registration will suffice instead of a phone number.


SMS leaks GPS and tower triangulation data.


OK, so the messaging app is a fork of Signal that uses arbitrary IDs instead of phone numbers. That alone is a huge win for me.

But what I find most interesting is its built-in anonymity. Like Tor, it uses an onion routing network where only entry nodes see users' IP addresses. Users are anonymous from the swarms that cache messages, and also from other users. Except of course for the ID, but that's not tied to anything in meatspace.

Edit: The onion routing network is Loki, which I gather is a fork of ZeroNet.


Blockchain paper: https://loki.network/wp-content/uploads/2020/02/Whitepaper.p...

So it's a fork of Monero that gives rewards out to "service nodes" periodically for not being ejected from the network. Stores data. A service node also has a "stake" that's lost if the node is ejected. The service nodes together form a "swarm" that routes messages and stores data and occasionally does various tests to eject bad nodes.

IDK, doesn't seem that bad. I'm sure because of the complexity there's some emergent bad behavior that will crop up, but the cryptocurrency is separate from the message platform - there's no cost to send messages, it's a separate proof-of-work Blake2b hash. So at worst the chain will fork and you'll have to update the app again.


Wire (wire.com) doesn't require phone numbers either. I've been using it for the last year or so to communicate with my family, and its usability for non-technical users is very good, including top notch audio and video.

It syncs across all my devices (iPhone, iPad and laptops, Mac and Linux), and I can quickly do full-text search over large amounts of data and docs we've exchanged over time.

It's full OSS, including the clients. I don't know why it's not more widely used.


I can tell you why I stopped using it. It was clear after a few months that features, layout, and UX weren't being developed keeping individual users in mind. Later the CEO stated that they are not at all their concerns.

And compared to Signal, WhatsApp, and Telegram their call quality was horrendous so not many of my contacts stayed.


I’ve been using Wire for years and love it. It’s easily my favourite “secure” messenger to give to non techies. It’s as easy to use as Telegram and it “just works”.



I tried the app a couple of weeks ago after hearing about it elsewhere. It looks interesting but as someone just looking to use a potential app, it really put me off with these two "conversations" that you can't delete, remove yourself from or permanently mute/ignore:

- "Session Updates" - I assume this is news about the app itself, like new features. However the messages here all refer to "Loki Messenger" rather than "Session".

- "Loki News" - Has weekly updates about "Loki". When I first installed the app I had no idea what "Loki" was or why I should care.

Messages to these trigger notifications and everything else a message would normally do. They're confusing and annoying and the first thing you see when you finish the onboarding process.


You can delete the "Loki News" contact, but not the "Session Updates" one. Although I don't have a problem with either, it would be good if users could opt out.

They are messages. I'm guessing that's because Session has no other connectivity except through the Loki network. I do recall reading that the app only talks to the Loki entry node. And if that's true, it would be a very good feature.


Holy crap. I’d left my iPad on cellular data so no pihole... what an absolute state this site is!

https://i.imgsir.com/Qw3y.png

As for the software

>it will simply generate a random (unique) Session ID.

>It’ll look something like this: 05652245af9a8bfee4f5a8138fd5c……..

>So, you just have to share your Session ID with the contact you want to add

Sorry but I truly believe this is DOA for this reason. Y’all blockchain nerds ever heard of usernames?


Huh? I just opened it in a virgin Firefox install, and see no ads.

And re IDs, there's Zooko's triangle.


Sorry, I was referring to https://getsession.org/ and not TFA.


Threema, a well-proven app, already covers the use case of no phone number. Instead, each user has his or her unique id.

https://threema.ch/


Not free. Huge privacy concern imo (who pays for it? who uses it? no visible way to pay with cryptocurrency)


Who pays? Well, as it’s not free, the users pay for it. And you can buy it in the Apple/Google App Store, or if you really wish, with Bitcoin in the Threema Store.

Regarding the privacy concerns: the end-to-end encryption can be validated by yourself if you wish. Metadata is reduced to a minimum, see their FAQ.


Then there is that adoption share thing to fix and it's all going to be great /s


Seriously, I wish Signal could detach itself from a phone number and make it optional.

Sure, that'd make contact discovery worse but I could live with that shortfall if it increased my privacy.


b637b5107b6b7abfd1153ea042b5e9fe474acb5d9cf35 is me if anyone wants to test it out.


Any love for Riot?


I stopped reading after I saw "blockchain".


It's a private blockchain.

