
Privacy-focused messenger Signal is ready to go mainstream and take on WhatsApp - neverminder
https://www.androidpolice.com/2020/02/17/privcy-focused-signal-mainstream-take-on-whatsapp/
======
tptacek
Blogspam of this:
[https://news.ycombinator.com/item?id=22326731](https://news.ycombinator.com/item?id=22326731)

Extensively discussed already; this piece is literally just a summary of that
one.

------
cyborch
Let me know when it's ready to use without a phone number.

As it is, I lose my identity if I switch phone numbers (say, I move to another
country). Even worse, someone else might get my old identity when my old phone
number is recycled.

~~~
alpn
This.

Is there an actual technical limitation preventing Signal from offering a one-
field signup, whereby one would simply enter a self generated public key?

~~~
maqp
There's no technical limitation, but read this
([https://news.ycombinator.com/item?id=22357948](https://news.ycombinator.com/item?id=22357948))
comment to understand why Signal did what they did. Your SIM card stores your
contact list across devices. With usernames, your phone's contact list doesn't
work anymore. You need a persistence, i.e. cloud backups, to store the contact
list first. This is in the works ([https://signal.org/blog/secure-value-
recovery/](https://signal.org/blog/secure-value-recovery/)). Expect to see
user names once that's done.

The nice thing is the persistence can also remember identity keys, fingerprint
and their verification statuses, and even group membership status -- so it'll
mean much more convenient use once it's ready.

------
revicon
Started a HackerNews group chat on Signal to test it out. Ping me your signal
phone # to hngroupchat@mattcrampton.com and I'll invite you to the group.

~~~
pixxel
Serious question: Is this the only way to invite users to a Signal group?

Couple of concerns here; you might use google to host your email for all I
know and I’m not inclined to help google update my shadow profile. Also,
giving my phone number to random dudes seems ridiculous given what we’re
ultimately trying to achieve here.

BTW I’m not being snarky towards you, it just reads that way :P

~~~
maqp
It's not what Signal is built for. If you want to join public chat rooms, you
can use Telegram equally securely. E2EE never hurts in the case of public
groups, but since you're not able to verify none of the group members are
malicious, and logging and leaking your (and everyone else's) comments to
every bad actor, it doesn't matter.

Your only protection is anonymity, but that's something not even Telegram
offers by default: This has lead to speculations about attacks where the
Chinese cyber army has performed massive reverse look-ups of Hong Kong
citizens' phone numbers, by storing what TelCo has in it's database / what
IMSI catchers / hacked towers see, and adding them as contacts. This by
default reveals Telegram user's username to the attacker. You can disable this
by opting in, but very few do.

------
infinity0
> Enabling group administration was also a hard feat, as Signal has to give
> administrators the ability to add and remove members without its servers
> knowing who's part of the conversation.

I was chatting with Trevor Perrin about abstract crypto relating to this when
he was presumably working on this, and never got the chance to ask him - even
if the group crypto hides this information, the Signal server still has to
physically deliver the messages to the correct people in the group, whose
phone numbers are all known by the server, so isn't this exercise a bit
pointless? Or are there long-term plans to drop the critical reliance on phone
numbers?

~~~
maqp
"Or are there long-term plans to drop the critical reliance on phone numbers?"

Yes

[https://community.signalusers.org/t/signal-introducing-
usern...](https://community.signalusers.org/t/signal-introducing-
usernames/9157)

~~~
infinity0
That's a good start. I forgot to add though, to actually make group membership
private _for real-world practical purposes_ , you have to achieve all of the
following:

1\. group crypto can't give away the identities 2\. your identity system can't
give away the actual people 3\. your distribution system can't give away the
locations of those people

It's a hard problem, nobody in the world has done it yet. Signal seem now to
have some concrete thing for (1), by your link they are supposedly working on
(2), but (3) is also needed.

------
glogla
Signal started lately (maybe it's AB tested and it happens at differet times
to different oeople) doing the annoying "add your name" thing, where you get
askedfor your name pretty much every time, and you can only caugh it up, or
say "remind me later", not"no thanks".

How is this scummy dark pattern good for privacy is beyond me. If it werent
for my obe privacy nut friend, I would have stoppped using it.

------
6gvONxR4sf7o
I love and hate signal. The tech seems good, but the UX has some real
frustrations. Group chats are the most glaringly frustrating part in my mind.

~~~
maxwellito
I'm probably missing the point, I use groups in Signal but I never faced any
issue. I'm probably not a power user. Can you provide more details please? I'm
curious about it. Thanks :)

~~~
y-c-o-m-b
Not sure what exactly OP is referring to, but this bug has plagued Signal for
quite some time in that it doesn't handle Signal to non-Signal group messages
gracefully:

[https://github.com/signalapp/Signal-
Android/issues/8571](https://github.com/signalapp/Signal-Android/issues/8571)

The bug is my only real complaint with Signal's group messaging system.

EDIT: I should note that the bug was opened in January of 2019 (although
existed for much longer than that) and as of December 2019 it was still in
ongoing problem for some users.

------
bmarquez
I'm looking forward to Signal introducing basic features like iOS message
backup (which exists in the Android version).

~~~
otachack
As soon as Apple gives access to that data (they won't)

------
A4ET8a8uTh0
Eh, I want to like signal. I really do. But it does not play nice with Blokada
( though that is an easy fix ). My tech illiterate parent was unable to use it
( when compared to whatsapp ). I am kinda done with whatsapp so I finally
broke down and added international plan.

I am annoyed, but I can't really blame my parent.

------
skrowl
Signal has MAJOR UX problems when you have several devices (which is fairly
normal for mainstream users). Try using the same account multiple computers,
smartphone, tablet / chromebook at the same time. It's painful.

Compared to Telegram (which is also privacy-focused and NOT owned by Facebook
like WhatsApp is) that simply works, I'm not sure what Signal brings to the
mainstream table.

The people behind the predecessor to Signal were somewhat successful in a
disinformation / FUD campaign against Telegram's cryptography early on, but 0
POC exploits have ever been released. Telegram even upgraded their
cryptography to alleviate some of the concerns -
[https://core.telegram.org/mtproto](https://core.telegram.org/mtproto) . They
are now recognized as IND-CCA secure
[https://en.wikipedia.org/wiki/Ciphertext_indistinguishabilit...](https://en.wikipedia.org/wiki/Ciphertext_indistinguishability#IND-
CCA).

To be mainstream, you have to have mainstream usability. Signal does not (at
least not right now).

~~~
tptacek
Telegram's cryptography isn't comparable to Signal's. Telegram provides end-
to-end encryption only for private messages between two people, and, last I
checked, that encryption was disabled by default. There is no group end-to-end
encryption; rather, Telegram claims that TLS hop-by-hop encryption --- in
which Telegram's own servers get to see message plaintext --- is sufficient.

Signal provides true end-to-end encryption, for groups, by default, always-on,
in a privacy-preserving design that ensures that Signal's servers don't have
to collect a log of who's talking to who. Signal won the Levchin Prize at Real
World Crypto --- in fact, they won the _first_ Levchin prize ever awarded,
meaning that when Dan Boneh and Tom Ristenpart and Kenny Paterson and the
other referees sat down to figure out who should get the inaugural Levchin
Prize, Signal was the first thing that came to mind.

That cryptographers recoil from Telegram's bizarre IGE-based cryptography is
besides the point. Nobody needed to "FUD" Telegram to show that it's inferior.

~~~
otachack
Telegram does invest heavily on their UI. It's been hard for me to convince
people to move to it, regardless.

I imagine I'd have an even harder time moving people to Signal. While their
encryption is better, I've seen complaints of messages not being sent and the
sender not being aware until days/weeks later after personal follow up on the
receiver. Even if this didn't deter me from using it, I have little to no
contacts using it. And for the ones that do have it I have no way of knowing
if they uninstalled and I'm sending a message to a black void.

If Signal had the reliability, UI polish, consistent updates, and feature-rich
experience of Telegram I'd be putting more effort to convert users toward it
rather than the latter. I'm a fan of both apps and companies running them
nonetheless and am using Signal as my primary SMS app as it's a step to detach
from Google.

~~~
_wldu
To me it comes down to one simple question... do you want other parties
reading the messages you send to your family and friends? If not, use Signal
and encourage them to as well.

------
Funes-
I'm personally against using _any_ instant messaging app, even more so if it's
on a smartphone rather than on a desktop computer. I don't care how private
they are. Why? Well, I think it's an inefficient communication tool, and thus
a huge waste of time. Modern instant messaging applications work by
interrupting people and being interrupted by them constantly throughout the
day, since there's no way to turn it off—in contrast, MSN Messenger didn't
allow for offline messaging until 2005; most of the time you found yourself in
front of the computer with the program opened if somebody sent you a message,
ready to engage in conversation instead of dealing with anything else.

Of course, you can turn the notifications off and check messages at a specific
time every day, but good luck with that! If nested conversations without a
subject attached to them, no character limit, and no formal way of telling
when they either start or end aren't already put off enough and stretched out
unnecessarily, imagine setting a time restriction to your responses. Imagine
setting up a meeting or a date: as cumbersome and as long as it takes as it
is, you'd spend a week trying to meet with somebody. Believe me, I've been
there. I've tried it all: installing WhatsApp on a virtual machine with
Android_x86 and only using it at night didn't solve a thing; still, a phone
call was _always_ faster and much more efficient in dealing with anything you
can conceive. However, most people didn't want to pick up the phone; texting,
on the other hand? I'd receive texts from people wanting to start full
conversations there, to which they would respond every two or three hours. How
can _anyone_ do anything efficiently or be productive enough at work, or even
enjoy hobbies, while doing that?

I know I'm alone on this one, but it's really frustrating seeing how something
that isolates us and separates us from our own lives, immediate environments,
and thoughts will probably never stop growing.

End of the rant.

~~~
papreclip
> How can anyone do anything efficiently or be productive enough at work, or
> even enjoy hobbies, while doing that?

by replying every 2 or 3 hours, when you're waiting in the elevator, or have
some other idle time to fill

>you can turn the notifications off and check messages at a specific time
every day, but good luck with that

some people simply ignore their notifications until they're ready to deal with
them. they don't toggle some setting on their device, they simply choose to
ignore the whole device. it varies from person-to-person and you might just
not be personally suited to this kind of technology.

personally, i read every email i get as soon as i get it, but i realize this
is not the norm.

~~~
Funes-
>by replying every 2 or 3 hours, when you're waiting in the elevator, or have
some other idle time to fill

Most people don't seem to do that. Most people I know, in fact, check their
phones while driving, during lectures, during meals with friends and family,
walking the dog (poor things), in the gym, walking down the street... I mean,
you see it every day. Those aren't ideal times at which you should be checking
your phone. Moreover, idle time can be hugely beneficial to rest our minds,
relax, or to quietly reflect on important things about our lives.

>some people simply ignore their notifications until they're ready to deal
with them. they don't toggle some setting on their device, they simply choose
to ignore the whole device. it varies from person-to-person and you might just
not be personally suited to this kind of technology.

If having your smartphone around occupies some of your cognitive capacity [0],
imagine trying to "ignore notifications". You are keeping your mind busy with
endless conversations kept on the air. I don't think _anyone_ is suited to
this kind of devices, because the software they run on has been designed to
keep you glued to it [1]. I just don't tolerate it as much as other people, I
think.

[0] [https://news.utexas.edu/2017/06/26/the-mere-presence-of-
your...](https://news.utexas.edu/2017/06/26/the-mere-presence-of-your-
smartphone-reduces-brain-power/).

[1] Tristan Harris has talked at length about it, among other people.

------
wyxuan
The 50 million infusion happened in 2018. Why has it taken so long to scale
up? Anyway, I don't think it can take on WhatsApp. If you look at the history
of when signal succeeds and gains many users, it's only when WhatsApp is down.
Which is not for very long, as it's so important that it goes back up pretty
quickly.

