GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

  1. Soatok Dreamseeker (soatok@furry.engineer)'s status on Wednesday, 07-Jan-2026 01:43:26 JST

    But Soatok, if you agree that centralization is bad, why do you still recommend Signal?

    Because Signal is the only app that currently implements E2EE correctly that isn't owned by Meta.

    If you want people to use your "federated" or "decentralized" faves, they really need to step up their game on how cryptography is implemented. Matrix, XMPP, whatever. I will never recommend anything that isn't at least as secure as Signal is.

    • Soatok Dreamseeker (soatok@furry.engineer)'s status on Wednesday, 07-Jan-2026 01:59:39 JST

      If the app in question uses RSA at all, it's disqualified.

      If the app uses cipher agility in the same way that JWT does, it's disqualified.

      If it uses non-AEAD modes for encryption, it better Encrypt-then-MAC and verify the tag (in constant-time) before decryption on the other end.

      These are some basic things that disqualify a lot of homemade proposals. I imagine it will get even stupider with GenAI.

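The Encrypt-then-MAC requirement from the post above, as an added example that is not part of the thread and not any participant's or project's code. AES-256-CTR stands in for the non-AEAD mode; the `Seal`/`Open` names, the IV || ciphertext || tag layout and the demo keys are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// mac is HMAC-SHA256 over IV || ciphertext, so the IV is authenticated too.
func mac(macKey, body []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(body)
	return h.Sum(nil)
}
// ctr applies AES-CTR, a non-AEAD mode; the same call encrypts and decrypts.
func ctr(encKey, iv, in []byte) []byte {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		panic(err) // only reachable with a wrong key length
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}
// Seal encrypts, then MACs. Layout (this example's own): IV || ciphertext || tag.
func Seal(encKey, macKey, plaintext []byte) []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	body := append(iv, ctr(encKey, iv, plaintext)...)
	return append(body, mac(macKey, body)...)
}
// Open checks the tag in constant time and only then runs the cipher.
func Open(encKey, macKey, msg []byte) ([]byte, bool) {
	n := len(msg) - sha256.Size
	if n < aes.BlockSize || !hmac.Equal(msg[n:], mac(macKey, msg[:n])) {
		return nil, false // rejected before any decryption happens
	}
	return ctr(encKey, msg[:aes.BlockSize], msg[aes.BlockSize:n]), true
}
func main() {
	k1, k2 := make([]byte, 32), []byte("constructed demo MAC key") // demo keys only
	msg := Seal(k1, k2, []byte("hello"))
	msg[20] ^= 1 // one ciphertext bit flipped in transit
	fmt.Println(Open(k1, k2, msg))
}
```

The encryption key and the MAC key are independent, and `hmac.Equal` is the standard library's constant-time comparison.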
    • Soatok Dreamseeker (soatok@furry.engineer)'s status on Wednesday, 07-Jan-2026 02:22:12 JST
      in reply to Jernej Simončič

      @jernej__s Yup!

    • Jernej Simončič (jernej__s@infosec.exchange)'s status on Wednesday, 07-Jan-2026 02:22:13 JST

      @soatok Doesn't Signal being centralised actually help here – the more people use it, the easier it is to get lost in the crowd?

    • Soatok Dreamseeker (soatok@furry.engineer)'s status on Wednesday, 07-Jan-2026 02:23:35 JST
      in reply to Harsh Shandilya

      @msfjarvis Oh no. Do I even want to know?

    • Harsh Shandilya (msfjarvis@androiddev.social)'s status on Wednesday, 07-Jan-2026 02:23:37 JST

      @soatok yeah but you see it's easier for me to say you are a Signal shill than admit my threat model starts with admitting defeat.

      God the comment section on Lobsters was unusually frustrating this time around.

    • David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Wednesday, 07-Jan-2026 05:22:52 JST

      @soatok

      And you need to acknowledge that post-Snowden, leaking the shape of the connection graph to passive adversaries doing traffic monitoring on servers is an important part of your threat model. And so is leaking connectivity when one of your correspondents' servers is actively malicious.

      And if you don't design your protocol around these being threats then it isn't a good fit for modern problems.

      And that's not just a cryptography problem, that's a protocol problem that depends on good cryptography. Using 'the same crypto as Signal' doesn't help if the way that it's integrated with the protocol loses some of the security.

    • Soatok Dreamseeker (soatok@furry.engineer)'s status on Wednesday, 07-Jan-2026 07:46:08 JST
      in reply to Endy

      @egoldblatt I don't have one to actively recommend currently.

    • Endy (egoldblatt@gardenstate.social)'s status on Wednesday, 07-Jan-2026 07:46:09 JST

      @soatok Signal is option 1, then. What's option 2 as you see it?

    • Soatok Dreamseeker (soatok@furry.engineer)'s status on Wednesday, 07-Jan-2026 16:13:54 JST
      in reply to David Chisnall (*Now with 50% more sarcasm!*)

      @david_chisnall 100%

    • David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Thursday, 08-Jan-2026 01:28:17 JST
      in reply to Olivetree

      @olivetree @soatok

      > Given this, why is the phone number requirement for Signal dismissed as not important?

      For two reasons. The big one is that everything in security is a tradeoff. For a privacy-focused network, one of the most important benefits is a large anonymity set. If a million users are routing their traffic through the same server as you, that's incredibly valuable for preventing passive adversaries from being able to correlate traffic.

      Signal's use of a phone number for discovery makes it very easy to get people quickly onboarded. Anyone using SMS or WhatsApp already has their contacts' phone numbers in their address book and so can instantly switch to Signal and find a load of their existing contacts. If you introduce a new identifier and require out-of-band sharing, that's a huge barrier to adoption. This is how WhatsApp grew so rapidly to over a billion active users (and that was when they charged 99¢/year after your first year!).

      Every family member you get sharing cat pictures over Signal adds to that anonymity set for people organising unions, whistleblowing to journalists, and so on.

      > Is there proof that metadata can't be leaked/stolen?

      No, quite the reverse. The set of valid phone numbers is sufficiently small that Signal's zero-knowledge discovery protocol is almost certainly possible to exploit to link accounts to phone numbers (and trivial if you know the phone number).

      EDIT: It's important to note that you can opt out of this discovery functionality, if your phone number is well known and you want to avoid having it tied to your identity. And then it's only someone who compromises Signal's server who can tie the number to the account.

      But then the question is: what can you do with that? You can't tell when that user is sending messages (sealed sender). Only Signal (or anyone who compromises their server) can tell when they're receiving messages and they can also tell the size of messages that they download. And that's it. They can't build a communication graph from phone numbers.

    • Olivetree (olivetree@ieji.de)'s status on Thursday, 08-Jan-2026 01:28:19 JST
      in reply to David Chisnall (*Now with 50% more sarcasm!*)

      @david_chisnall
      Given this, why is the phone number requirement for Signal dismissed as not important?
      Is there proof that metadata can't be leaked/stolen?
      @soatok

    • Soatok Dreamseeker (soatok@furry.engineer)'s status on Thursday, 08-Jan-2026 02:20:47 JST
      in reply to David Chisnall (*Now with 50% more sarcasm!*), Olivetree

      @david_chisnall @olivetree They had a Trail of Bits audit at the end of 2024: https://github.com/simplex-chat/simplex-chat/blob/stable/docs/SimpleX_Design_Review_2024_Summary_Report_12_08_2024.pdf

      The findings were all medium at worst. That inspires some confidence.

    • David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Thursday, 08-Jan-2026 02:20:48 JST
      in reply to Olivetree

      @olivetree @soatok

      > Censorship resistance is another related one, no one knew what would happen to Signal under Chat Control, that's a red flag for something that can plausibly happen.

      This is one of my biggest concerns. Signal threatened to pull out of the EU. And that demonstrates a big single point of failure: a single entity withdrawing its services kills the network. And this is made worse by the fact that their clients are AGPL, which means that no one else can put something derived from the iOS one in the Apple App Store (Signal can because they have a CLA and so can relicense the code for inclusion in the App Store).

      > Also, phone numbers did very little for my contacts to join Signal, people simply don't want to change apps. Sometimes they change, but drop it shortly after.

      It depends on where you are in the migration sequence. If you're the first person, it's not helpful. If you're a bit later, then asking people to try Signal and they suddenly see that twenty of their contacts are there already makes it easier.

      > Any opinions on SimpleX?

      No, I keep hoping @soatok will take a look. From what I've read, they are actually trying to solve the right problems, which is better than most of the alternatives. I'm not really qualified to tell if they're succeeding.

    • Olivetree (olivetree@ieji.de)'s status on Thursday, 08-Jan-2026 02:20:49 JST
      in reply to David Chisnall (*Now with 50% more sarcasm!*)

      @david_chisnall
      Thank you for your response.
      Server compromise and centralization is exactly the source of fear. Them being on AWS and GCP is not good at all. Censorship resistance is another related one, no one knew what would happen to Signal under Chat Control, that's a red flag for something that can plausibly happen.
      Also, phone numbers did very little for my contacts to join Signal, people simply don't want to change apps. Sometimes they change, but drop it shortly after.
      Any opinions on SimpleX? Looked better than Signal to me, privacy wise (and apart from some missing functionality and excluding anonymity set, but Signal didn't have that in the beginning as well), but I'm by no means an expert.
      @soatok


GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.