Do you use Signal for chatting securely with friends and loved ones? Us too! We endorse it wholeheartedly, and rely on it for nearly all our communication.
But the vibes are deteriorating here in the US, and we should have a communications contingency plan for if Signal goes down.
OpenPGP for encryption through autocrypt is a BIG NO for me. OpenPGP is inherently flawed, read any reasonable cryptographer’s opinions on it. DeltaChat is a significant security downgrade from Signal. I would much rather use SimpleX or Briar.
If you’re in a country that is shutting down servers, then your contingency plan should involve serverless p2p apps like Quiet or Keet.
This is the second time I stumble across Keet this week. It sounds interesting, and yet it appears not to be open source. All I could find is a GitHub page where they publish their APKs, but no source whatsoever. Is it really closed source? Because I don’t do “trust me, bruh” crypto.
Worse, it fails to include a libre software license text file. We do not control it, anti-libre software.
Well, there’s no license because there is no code on their GitHub. They claim their P2P framework is open source. Yet, that is just the part that allows clients to connect. But I also need to check that what is transferred through that connection is truly encrypted. And if there’s no code, there’s no basis to even develop trust.
‘Open source’ misses the point of libre software.
The Reticulum project with the Sideband client is probably a lot more censorship resistant than DeltaChat or Meshtastic.
If the vibes keep on deteriorating and there would be a crackdown on messengers and signaling infrastructure, a messenger is the last of your worries.
And if Signal gets specifically targeted, there will be warning signs and time to shift away.
Nope. That’s not how Signal and E2E encrypted messaging works.
If a government asks Signal for user data they get an almost empty sheet of paper. Search for "what data does signal collect" to confirm that.
If - on the other side - your smartphone is compromised or unlocked there is almost nothing Signal can do to prevent governments from looking into your data. Also it reads like some agents simply joined a group chat. Again: nothing Signal could prevent.
I was not suggesting that the encryption was compromised. I was suggesting that signal is being targeted.
Likely, they are infiltrating Signal groups specifically. Not through breaking encryption, but still joining these groups BECAUSE of the encryption.
The fact that these groups are using private encrypted messages is what piques the interest of the FBI in the first place. Signal is just the most popular and thus the most likely target.
Still, adding feds to a group chat is a management issue, same as inviting people to your home.
Any software used by enough people will be targeted.
https://eylenburg.github.io/im_comparison.htm
Falling back to email isn’t a most preferred backup, I’d rather do simplex
If Signal gets blocked, why not use a Signal Proxy?
You can use all the proxies you want, it won’t matter if the servers are shut down.
matrix.org is my new favorite
You can move to any other service, but once it becomes popular enough to draw attention they might also get blocked as well. If it’s centralized, then the central servers can be blocked and it’s no longer working. If it’s decentralized and peer to peer, then the bootstrap nodes can be blocked and it’s no longer working.
Even if it’s self hosted and not advertised, the adversary can run active probes to detect banned services and block it if it detects any.
The only thing that can work reliably is something that can be concealed and can’t easily be detected.
A simple HTTPS website that runs a small blog, forum or an image board can have a lot of bot traffic and human traffic that makes the traffic analysis hard. It also provides plausible deniability: if someone asks why you visit that site often, you can say that you are playing games or browsing images there. Such a website can have a secret interface that can be used as an interaction point for secure chatting (in a store and forward manner), which responds only if the requests are cryptographically signed by the participants; otherwise the server can play dumb and show a 404 error. Therefore an active prober can’t easily detect that the website hosts that interface in the first place, because they cannot produce a signed request unless they manage to compromise one of the participants.
Threat analysis:
- Obviously if the endpoints are compromised, all bets are off.
- The certificate authority (CA) that issued the certificate for the website can be compelled to issue certificates for man-in-the-middle (MITM) observation and then the MITM-er can detect the secret interface. But nowadays this is difficult to pull off due to certificate transparency (CT): TLS clients can be configured to not accept the cert if it’s not logged by a CT provider, and domain owners can get an immediate alert if someone else issues a fraudulent and logged cert for their domains.
Someone should make an app that works this way. Only one tech savvy person of the given group needs to set this up (preferably someone who already has a website), then others in the group can be invited into it and can use it without much friction.
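The request check described in the comment above, sketched as an added example that is not part of the original post or of any existing app. Assumptions: HMAC-SHA256 with per-participant pre-shared keys stands in for the signatures the comment mentions, and the `X-*` header names, the keys and the 404 body are constructed for illustration.

```python
import hashlib
import hmac
import time

# Constructed keys. Assumption: HMAC-SHA256 with per-participant pre-shared
# keys stands in for the signatures the post describes.
PARTICIPANT_KEYS = {"alice": b"constructed-key-a", "bob": b"constructed-key-b"}
MAX_SKEW = 120  # seconds a signed request stays valid
NOT_FOUND = (404, b"<h1>Not Found</h1>")  # same bytes the blog serves for any missing page
MAILBOX = []    # stored (sender, ciphertext) pairs awaiting pickup
_seen = set()   # (sender, nonce) pairs already accepted; expire these in real use

def _mac(key, *fields):
    # Hash each field first so field boundaries cannot be shifted.
    parts = [hashlib.sha256(f if isinstance(f, bytes) else f.encode()).digest()
             for f in fields]
    return hmac.new(key, b"".join(parts), hashlib.sha256).hexdigest()

def sign_request(sender, key, path, body, ts, nonce):
    """Client side: build the (hypothetical) headers that authenticate one request."""
    return {"X-Sender": sender, "X-Time": str(ts), "X-Nonce": nonce,
            "X-Sig": _mac(key, sender, path, str(ts), nonce, body)}

def handle(path, headers, body, now=None):
    """Server side: accept a valid signed request, otherwise answer like any 404."""
    now = time.time() if now is None else now
    sender = headers.get("X-Sender", "")
    nonce = headers.get("X-Nonce", "")
    try:
        ts = int(headers.get("X-Time", ""))
    except ValueError:
        ts = 0
    # Unknown senders are checked against a dummy key, so every request does
    # the same work and takes the same code path up to the final decision.
    key = PARTICIPANT_KEYS.get(sender, b"\x00" * 32)
    expected = _mac(key, sender, path, str(ts), nonce, body)
    ok = hmac.compare_digest(expected.encode(), headers.get("X-Sig", "").encode())
    ok &= sender in PARTICIPANT_KEYS
    ok &= abs(now - ts) <= MAX_SKEW          # reject stale captures
    ok &= (sender, nonce) not in _seen       # reject replays inside the window
    if not ok:
        return NOT_FOUND                     # no distinct error for any failure
    _seen.add((sender, nonce))
    MAILBOX.append((sender, body))
    return (200, b"queued")
```

Every failure (no headers, unknown sender, bad signature, stale timestamp, replayed nonce) returns the identical 404 tuple, which is the property that keeps the interface indistinguishable from a missing page.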
Does Signal host its user’s data?
Not sure why privacy-conscious people would be recommending it over something like Matrix. Unless they’re paid off or stupid.
it does not. and the reason is, matrix clients and servers are fucking unstable, and spam is still an unsolved thing.
I’ve never experienced either of these issues.
I’m still a user, I experience it frequently with element x, but old element was no different in regards to that.
I like matrix as well.
take a look at Jami.




