Granted, the part
The globally recommended app by privacy and security experts, Signal, is now being downloaded massively and tops the Danish Google Play Store
is a little ironic, but you gotta push this winning tide and then work from that.
I am from Denmark. I have spent the last 10 years fighting to get schools and government institutions to switch away from American software.
What a waste of time, when all it takes is the threat of an imperialist take-over of Greenland to actually get my fellow countrymen to finally listen and act.
@Muffi @Novocirab
Same. This applies to EVERY non-US country!!
I can’t believe that the EU, France, UK, Spain, Italy etc. do not have their own comprehensive Fedi servers for their own institutions, govt departments & citizens! ALL still relying on US tech.
Signal is still centralized US software.
It is the least evil for the ignorant technology end user.
Problem is if they change to Signal now they are less likely to change again to something “better”.
There’s no better. When that hopeful better comes we will all think about it.
Telegram is still better, while not being ideal, of course. But at least its servers aren’t located in the USA.
The ideal options are decentralized/p2p, but for now they have very few users (not many less than Signal, to be fair).
telegram is the absolute worst when it comes to constant spam from scams and bullshit group chats… it’s an utter cesspool.
pretty big fan of http://delta.chat/ secure and decentralised
They are supreme denialists and try to gaslight people into believing that Forward Security is a thing you don’t need. I may have it installed and the ui is cute enough, but I can’t even consider it hitting close to the level of security Signal employs. It’s basically a toy experiment.
bummer, i had not realised that forward security was not there :/
sounds like it’s a while off.
Why do you think that? The owner of it is alt right and the fascists are using it. Why feel safe on it? Doesn’t make sense.
But at least the US government can’t listen in on your conversations, and if they don’t know your phone number, can’t block your specific communications either.
That you know of.
This is from 2020 after the news discovered that yeah actually, the US gov could read your encrypted messages. https://www.forbes.com/sites/daveywinder/2020/02/12/cia-secretly-bought-global-encryption-provider-built-backdoors-spied-on-100-foreign-governments/
Edit: how fascinating! I’ve been downvoted. Really makes you wonder who is pushing for this adoption of this.
Well yeah, but if you take into account theoretical vulnerabilities, then nothing is safe, including your self-hosted decentralised server (let alone your conversation partner’s).
You were downvoted because what you posted is completely irrelevant to Signal. The only way to read the messages is to install spyware on your phone.
It’s the fediverse, signal is sacred and will not be questioned nor criticized, anyone else who wishes to have a non-US instant messenger gets downvoted to hell.
Wish I was joking but just look at the other guy who dared to like Telegram.
It’s basically signal or matrix in here. I personally don’t use it, it’s much more suspicious that other messengers get so much flak and signal is defended so fiercely… And it’s also USA based.
It’s the fediverse, signal is sacred and will not be questioned nor criticized
you can question signal just as much as you want, but you’d better come with actual arguments rather than just conspiracy, because signal has counters to pretty much every claim that non-experts try to make
signal was built and is run by one of the world’s foremost security researchers and privacy activists
it uses standard encryption that is used in huge numbers of things. if there were a problem with any part of that, the world would have a much bigger problem than individual communications. the US government does not behave in a way that suggests these algorithms are compromised
it has been repeatedly audited by 3rd parties
the fact that it’s US-based is barely worth mentioning… why is that a problem? are you sure it’s not solely a knee-jerk reaction?
it’s free (so you’re not supporting the US economy), the client - and server, though that’s not important because E2EE - is FOSS (so it’s auditable and extendable by anyone: AFAIK they also ensure repeatable builds), the encryption is basically as good as it gets (they even have various protections for quantum computing), their architecture means they can’t even see metadata like senders… so, again, in this case what are you giving up by having it US-based? perhaps a little bit of soft power, perhaps an acknowledgment that in this 1 case the US produced a good product counter to their government’s interests
the other guy who dared to like Telegram
because telegram is not for security or privacy conscious people, despite their marketing: they actively muddy the waters and make people less safe
their encryption is custom, written by mathematicians not cryptographers so doesn’t include features like perfect forward secrecy, replay protection, etc
and their default chat mode isn’t even e2ee - only secret chats use their custom encryption, and nobody actually uses them!
there are numerous sources documenting these problems, and plenty more
it’s okay to like telegram: i like it as a chat app, and i use it for the features it provides… but it’s not okay to say in a privacy and security context that they’re even remotely comparable
Weren’t it Signal devs who made e2e for WhatsApp? So what’s the point of switching?
Signal published their spec and WhatsApp re-implemented it, yes, but critically only the messaging parts rather than all the other privacy parts
the reasons to switch basically start with WhatsApp is owned by Meta, and given that these things become more important:
- WhatsApp is closed source so it’s difficult to confirm if their implementation is “correct”
- they may have the ability to extract your keys from your device somehow
- i’m not sure who is the ultimate key-holder for whatsapp: if it’s like apple, they hold your private keys and thus can decrypt anything they like (different to signal where devices transfer your keys between each other via qr codes etc)
- on that last point, i can confirm that to login with whatsapp on the browser just now my process was: enter phone number, type an 8-digit code from my phone… this could be a temporary key of some kind used to e2ee between the devices to transfer my master key or something, but i’m very suspect on this being anything more than plain text verification that meta could man in the middle
- whatsapp stores your contacts, and message metadata… that’s all i personally need to avoid it: meta doesn’t need to know who and how often i message people to add to their profile on me
meta says whatsapp is secure exactly for this reason: people think “why switch?” when it’s really about the metadata for them… they are experts at building a profile with scraps of metadata
writing a secure application is about more than technically rock-solid encryption and protocol
Italian in Denmark here.
I thank you so much for this! I am amazed at the dependence of all facets of social life and information on Meta and Google’s properties.
I am cut out of my building’s initiatives because I don’t have a Facebook account. There are no events (such as dance events, protests, etc) published anywhere else than on Facebook’s Events.
When I propose to be contacted on Signal people look at me as if I was an alien.
You are doing God’s work, as a Christian would say.
Meshtastic. Let’s get some critical mass. Get single points of trust out of the equation.
Yeah, a network based on the principle of flooding ain’t gonna work across that many people.
IIRC, I looked into Meshtastic a while back, and it was known to be unreliable. Is that still the case? It seems like a really cool concept
Or briar, tox…
Tox is not really great for multi-device, is it?
no. But if you mean independent access with various devices, neither signal is since you need always the phone to access the desktop version.
That’s why I personally prefer Matrix.
However, the solution that Signal offers is the easiest for most people. Also it is not true that you always need the phone. The desktop version works fine alone; unlike WhatsApp, it doesn’t request you to connect the devices every 2 weeks. It does need a first installation on a Mobile or Android device in order to get the PC version running.
The difficulty is when you need to exchange the encryption keys between different clients. This is where it gets complicated with Tox and Jabber/OTR. And to be honest the solution of Matrix is easier but also can get confusing for people who are just used to having a phone as their main device.
It does need a first installation on a Mobile or Android device in order to get the PC version running.
I stand corrected.
And to be honest the solution of Matrix is easier
What is the matrix solution for that? Keys will always have to be exchanged between devices
I stand corrected.
Yes, but fact is, that this is the easiest way for most users. And also most users don’t care if you can use it stand alone on a PC or not, and if it is linked to a phone number or not.
What is the matrix solution for that? Keys will always have to be exchanged between devices
You can use devices to cross-sign each other or use a passphrase.
You can use devices to cross-sign each other or use a passphrase.
nice
Are they switching in the hope they’ll get added to a group chat planning the invasion?
Kinda ironic that if the danish representatives in the EU got their way with chat control, danish people wouldn’t even be able to install signal (officially at least), since Signal said they would leave the EU in such a case.
Unfortunately Threema the European alternative that’s at least as secure as Signal costs money - and that one time fee is enough to send everyone to Signal.
The people that are orchestrating the takeover of Greenland literally owns that fucking platform you fucking idiots.
Does no one in the west have a fucking brain?
Perfect is the enemy of the good.
Just see it as a first step. Signal is still better than WhatsApp being owned by Meta. If we get more people off WhatsApp, in the future there might be more European alternatives.
There are no big European alternatives the majority of people are willing to switch.
I got rid of WhatsApp last year myself and could only convince 8 people to use Signal. I tried Threema and Matrix, but most normal people are not willing to do this and don’t care they give up their data and so on…
Thank you for contributing to the critical mass o7
I joined Signal for the very few people in my contact list that use it, but I am holding out for the further establishment / gaining traction of a non-walled-garden solution before I start evangelizing Signal… So that I don’t get more people to switch, and then after a few months/years have to try to get them to switch again e.g. to a Matrix solution (and once again losing my chat history in the process).
Like one of the main things Signal is really terrible at given that it is based in the US and hosted on AWS servers 🤦
Besides being hosted in the AWS servers, there’s no way to check if what’s running there is the same as the published code. That’s why i don’t use signal.
When the signal foundation is losing money every year, i can just wonder what will happen when the money runs out. Even the good guys need to eat.
Or what will happen when trump will decide to seize the AWS servers running the signal application server.
It shouldn’t matter because you can verify that your data is encrypted and thus not accessible to the server, but also, IIUC, they use secure enclaves so that you can verify that their server is running the published source code.
It’s e2e encrypted. Although, as I noticed, the key is just a short pin, unless you use password, but the recipient might not use it and your messages are just as secure as your recipient.
The other party is always the weakest link.
But also signal’s pins are a little more complicated than that, but you’re right, switch to a passphrase.
Plus side, even if signal themselves edited the secure enclave, the world would need a new client pushed and probably notice something was off.
The way signal’s encryption works is really an art in paranoia.
the world would need a new client pushed and probably notice something was off.
Not if the US have the support of Google.
Totally not how the APK teardown community works, but ok.
How does APK teardown help if Google can replace the app unnoticed?
Because there will always be people running Signal from a different source, and only one of them is sufficient to notice the server has been tampered with.
(And I’m not sure if they have reproducible builds yet, but if they do, people can also verify that even the Google Play-provided APK does or doesn’t match the published source code.)
notice the server has been tampered with.
Which server?
doesn’t match the published source code
People don’t control their phone. There is no way of knowing if the installed app is the one that is running.
And? That doesn’t help at all if the US government decides to force Signal to stop servicing Denmark.
It helps in that they still can’t read your messages. The EU is likely to make e2e messaging illegal before the USA cuts access.
You can’t really make e2ee messaging illegal, at least it is impossible to enforce with decentralized open-source messengers.
It is much more likely that the US will mess with Signal, than that you will stop being able to use an e2ee messenger like XMPP, which is just as secure as Signal regarding the e2e encryption.
at least it is impossible to enforce with decentralized open-source messengers.
All you need is a central registry where licensed messengers register their e2ee connections. Then network providers only have to report all ip addresses with connections that are not on that list.
Impossible with VPNs, but politicians have already announced their desire to make them illegal.
The issue is that it’s already pretty hard to convince people to use something easy like Signal, most people just don’t care enough for something “complicated” like XMPP-based messengers, especially if mainstream app stores had to stop letting EU-based users install messengers with these features.
Well, yes. But when it comes to digital independence Signal isn’t better than WhatsApp. At least recommend something like Threema if you think the much better alternatives are too hard.
Except Meta fully owns the WhatsApp metadata, and frankly Signal is a lot more trustworthy about its e2e implementation being actually, in practice, secure.