Conversation
-
The smart kids don't use Signal https://www.mailpile.is/blog/2016-12-13TooCoolforPGP.html
-
@bob In general I agree with you, but Signal (I'm not a user because it needs Google Software to run) has been doing what other security solutions haven't, which is giving users the ability to take action and care about their security. This is new, partly for the reasons in your linked article (people used to just assume email was secure) and I think valuable. But better PGP solutions are definitely to be preferred. The lack of federation on Signal is something that more attention needs to be paid to in the mainstream IMO.
-
@bob I am not surprised to see that this post is gaining absolutely no traction on Hacker News.
-
@csaurus PGP is ok for email especially when used with systems such as Mailpile, but unlike the article I do think forward secrecy is useful. Lack of federation, dependence on Google systems and use of telephone numbers are the main weaknesses of Signal.
-
@csaurus @bob @clacke Signal also forbids use of third party clients on their servers.
-
@lambadalambda @csaurus @clacke Yes, and that's how LibreSignal died.
-
@bob I'd agree that forward secrecy is important as well. Having an option for deniability is useful in some contexts, but not generally for messages from one person to another. One thing I've actually wondered lately: can PGP send messages to a group of people, each with a different key? Or does the message then need to be encrypted separately for each person? I'd imagine this is how Signal works.
-
@lambadalambda @clacke @bob Yeah, if you haven't seen it, the GitHub issue about F-Droid is also interesting. https://github.com/WhisperSystems/Signal-Android/issues/281 I can see the benefits of centralization for pushing updates and ensuring compatibility, but IMO federation is really really important. We can see how a general lack of it is playing out for BitTorrent info-hash index sites.
-
@wakarimasen @bob Email isn't monetizable enough. Also, needs more block-chain.
-
@csaurus @lambadalambda @clacke ranting about Signal seems to be something I do with increasing frequency. That's why it's in the Freedombone FAQ, so that when folks try to get me to use Signal I can just point them to why I think it's a bad idea. The thing is that even if I made a patch to federate Signal given his previous statements I doubt that Moxie would take it, and a federation patch wouldn't address the various other problems.
-
@csaurus The last comment on this issue (moxie not caring about unofficial builds) is not entirely true. Just look at what happened to LibreSignal: https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165
There has also been at least one attempt to merge LibreSignal's websocket code into Signal, which was denied by moxie, so there's no way to use Signal without Google at all, even if you compile it yourself (correct me if I'm wrong, this info might be outdated).
-
@wakarimasen @csaurus LibreSignal may live, may https://twitter.com/CopperheadOS/status/806560110097137664
-
@hfaust @csaurus Good news, until their servers start blocking unofficial builds. I wouldn't put it past them.
-
@wakarimasen Yeah, I think the conflict is spread out over a few issues, but the main thing is that there's not a good alternative to Google Cloud Messaging Service which is also free software. In terms of being problematic, my understanding is the GCMS is used mainly for waking the phone up and pushing messages, which would have been encrypted beforehand. The best I can really do for free software on my phone was to install CM-Mod with no Google apps, Play Store, etc. so I can't use Signal. I'm pretty sure that you're right though, there's really no way to use Signal without it, which is unfortunate. Its programmers probably don't expect anyone to actually care about software freedom.
-
@wakarimasen @hfaust I wouldn't either, but then their claims of being "open source" are even more tenuous.
-
@wakarimasen @csaurus I personally prefer independent implementations of Axolotl, like OMEMO and Proteus (The one used by Wire).
-
@hfaust @wakarimasen I'll have a look at those, I'd also love to see Matrix take off.
-
@wakarimasen @hfaust @csaurus Aren't they already? I had the impression that was at the core of the conflict, the name thing in addition.
-
@clacke As far as I know, moxie just told them to stop using their servers.
-
@csaurus A message sent to multiple !GnuPG (or #PGP) recipients uses a symmetric key generated for that session to encrypt the message, and then encrypts that symmetric key with the public key for each recipient, creating multiple encrypted key packets. When you receive such a message your GnuPG finds the packet with the symmetric key encrypted to your public key, decrypts it with your private key, then uses the decrypted symmetric key to decrypt the body of the message. The packets encrypted to other public keys are ignored.
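
The multi-recipient scheme described in the post above, sketched as an added example that is not part of the original post and is not GnuPG's code. It assumes toy primitives (textbook RSA on small Mersenne primes, a SHA-256 keystream in place of AES, made-up key IDs) purely to show the one-body, many-key-packets structure:

```python
import hashlib
import secrets

E = 65537  # public exponent shared by all toy keys

def make_key(p, q):
    """Toy RSA key pair from two known primes (no padding, demo only)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    # Hypothetical key ID: a short hash of the modulus.
    return {"id": hashlib.sha256(str(n).encode()).hexdigest()[:16], "n": n, "d": d}

def keystream_xor(key, data):
    """Toy stream cipher (SHA-256 in counter mode) standing in for AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(plaintext, recipients):
    """Encrypt the body once; wrap the session key once per recipient."""
    session_key = secrets.token_bytes(16)
    k = int.from_bytes(session_key, "big")
    packets = [{"key_id": r["id"], "esk": pow(k, E, r["n"])} for r in recipients]
    return {"key_packets": packets, "body": keystream_xor(session_key, plaintext)}

def decrypt(message, private_key):
    """Find the key packet addressed to us, unwrap it, decrypt the body."""
    for pkt in message["key_packets"]:
        if pkt["key_id"] != private_key["id"]:
            continue  # encrypted to someone else's public key: ignored
        k = pow(pkt["esk"], private_key["d"], private_key["n"])
        return keystream_xor(k.to_bytes(16, "big"), message["body"])
    raise KeyError("no key packet for this private key")

# Constructed sample keys (Mersenne primes, far too small for real use).
ALICE = make_key(2**127 - 1, 2**89 - 1)
BOB = make_key(2**107 - 1, 2**61 - 1)
OUTSIDER = make_key(2**107 - 1, 2**89 - 1)

if __name__ == "__main__":
    msg = encrypt(b"meet at noon", [ALICE, BOB])
    print(len(msg["key_packets"]), decrypt(msg, ALICE), decrypt(msg, BOB))
```

The message size grows by one small key packet per recipient, not by one copy of the body, and a key that was not a recipient finds no packet it can unwrap.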
-
@wakarimasen ok, thanks for the correction.
-
@bobjonkman Yeah, thank you! I'd heard a few people (non-technical folks) talking about services that allowed group chat/data sharing (MegaCloud or something?) and was skeptical simply because I knew you'd have to do something like that. In general I get antsy when people talk about encryption/security though. Particularly since I'm somewhat involved with radical politics, so depending on context it can be quite dangerous to get it wrong.