Discussion

If you are organizing folks in Minneapolis right now, you may find this guide to Signal for beginners by @mshelton useful: https://freedom.press/digisec/blog/signal-beginners/

Freedom of the Press

Signal, the secure messaging app: A guide for beginners

Also available in Spanish.

Leander Lindahl

@leanderlindahl@mastodon.social replied · yesterday

@evacide @mshelton I'd like to suggest Delta chat @delta easy to install and get started with, no phone number, no central server, open source and doesn't rely on US tech from Mountain View, CA.

Signal is a really good app. But it makes me uncomfortable.

PKPs Powerfromspace1

@Powerfromspace1@mstdn.social replied · yesterday

@evacide @mshelton 👌🙃

Paulo Delgado

@pdd@mastodon.social replied · yesterday

@evacide @mshelton every time I see your posts:

Meme: A cat seating at a breakfast table, reading the newspaper and feeling the urge to buy a burner phone. The caption reads "I should get a burner phone"

Risotto Bias

@risottobias@toot.risottobias.org replied · 2 days ago

@evacide @mshelton thank you both <3

DrBob, Neurologist, 🧠Mechanic

@drrjv@vmst.io replied · 2 days ago

@evacide @mshelton Another option: #Meshtastic

https://meshtastic.org

Lily Cohen

@lily@foothills.social replied · 2 days ago

@drrjv @evacide @mshelton Ummm if you’re at all familiar with Meshtastic “security”, or completely lack thereof, absolutely please do not use it where you need security!!!

And this is coming from a mesh nerd…

Lily Cohen

@lily@foothills.social replied · 2 days ago

@drrjv @evacide Also I reread what I typed after the fact and My passion on the subject and wanting to make sure others don’t try to use it as a secure solution (trust me I think mesh tech is cool AF) could be interpreted as confrontational, accusatory, or as a doglile and was not intended to read that way. My apologies if it was received that way! 💜

Taran Rampersad

@knowprose@mastodon.social replied · yesterday

@lily @drrjv @evacide I read it as a needed dash of cold water. Mesh is cool, but beta testing in production is never good, and in the environment we speak of, the stakes are higher.

You were right to say it. No apology needed.

Jérôme

@jerome@jasette.facil.services replied · 2 days ago

@lily @drrjv @evacide oh my yes… mesh is great as an alternative way to communicate outside the internet, but don’t rely on it for security or privacy

🌱🏴‍🅰️🏳️‍⚧️🐧📎 Ambiyelp

@ambiguous_yelp@veganism.social replied · 2 days ago

@evacide @mshelton

Signal is centralised and was attempted backdoored by the uks online safety bill and saved by signal threatening to walk. Simplex is open source and quantum resistant e2ee like signal and also has its secret group chats and metadata protection like Signal but SimpleX is also decentralised with ip protection, tor support, no persistent id basically "a burner phone for every contact"
Signals centralisation also makes it more vulnerable to total censorship, all you need to do is block signals domains, being a decentralised network SimplexChat has no single point of failure to censor and anyone can run their own relay node

#PSA #E2EE #Privacy #Encryption #Anonymity #Signal #SimpleX #UnitedKingdom #OnlineSafetyAct #Censorship

David Chisnall (*Now with 50% more sarcasm!*)

@david_chisnall@infosec.exchange replied · yesterday

@ambiguous_yelp @evacide @mshelton

Signal has Tor support built in, which it uses in unfriendly countries where it’s blocked, such as Iran. This doesn’t help in cases where it’s a friendly country (i.e. one that members of the Foundation may want to visit or risk extradition to), because actively circumventing a ban would place them under legal risk.

The thing that makes this particularly bad for Signal is their choice of AGPLv3 for their apps. Apple does not allow code under this license in their App Store and so Signal relies on a CLA that allows them (and only them) to relicense the code to ship the App Store version.

If a court requires Apple to block Signal from the App Store, Signal is gone for about half of the users in that country. Google Play has no such restriction (and Android allows other install mechanisms), so you can install things like Molly on Android even if Signal stops distributing their client in a particular country. But that doesn’t really help if half of your contacts suddenly disappear.

This is (one of the reasons) why communication protocols should have a permissible licensed reference implementation.