
How Signal Beats WhatsApp - kushti
https://theintercept.com/2016/06/22/battle-of-the-secure-messaging-apps-how-signal-beats-whatsapp/
======
arjie
Personally, I only want to send messages regarding harmless stuff. Being able
to send my location in-line (or even share live like WeChat) is a feature I'd
drop any privacy protection for.

On top of that, I'm not going to get my parents to switch to the messaging app
du jour. I'm going to hope that the one I use adopts good technology.

Maybe Signal is awesome. But privacy from law enforcement is not a killer
feature. The US Government has substantial leverage over me in other ways. If
it's come to the point that they want my communications, I've already lost.

~~~
moxie
This is why the Signal team spends time working with other messengers. We want
to help enable Signal Protocol in the products that everyone is already using
(like WhatsApp), rather than expecting everyone to switch to our app.

~~~
arjie
And thank you for that.

------
newman314
The article says that Signal hashes contacts etc.

I was under the impression that this had been reverted because it is "hard".
Has that decision changed?

[https://whispersystems.org/blog/contact-
discovery/](https://whispersystems.org/blog/contact-discovery/)

~~~
moxie
Nothing has changed. The premise of that blog post is that we'd like to do
_better_ than ephemeral intersection requests using truncated hashes of
contact identifiers, but that we don't believe it's currently possible to do
better.

~~~
newman314
So to confirm, the current version of Signal now transmits contact data in the
clear.

~~~
moxie
I don't know what you mean by "in the clear," but Signal has always done
contact intersection with an ephemeral query of truncated hashes of phone
numbers.

------
pfg
I feel like the metadata collection argument is overrated here. It's a nice
promise, and it's not that I don't believe them, but at the end of the day
it's just that: a promise. We've got messengers with E2E crypto because we
don't want to just take someone's word that messages won't be
read/intercepted, so the same logic should be applied to metadata: Either the
protocol guarantees that metadata cannot be collected, or we should assume
that it's being done.

Signal being open source is still a very good argument in favour of it. It's
also great that they're careful about not including features that could make
it easy to shoot yourself in the foot (online backups). We can do without the
whole "just trust them" dance.

~~~
themartorana
I think this is an important point. The article says WhatsApp doesn't collect
metadata as normal course, but it can and will where legally required.

Then it says Signal doesn't collect metadata, and stops there. I'm pretty
willing to bet they're just as governed by NSLs as WhatsApp, and if legally
required, can and will collect said metadata and hand it over.

The only way to not do so is to go the Lavabit route.

------
amelius
No messaging service is going to beat another messaging service purely on
technological grounds. The "network-effect" is just too strong.

~~~
gajjanag
Exactly. I have Signal installed, but none of my contacts have it installed on
their phones.

And Signal's "helpful" banner at the top that allows easy invitation of
contacts will (rightly) be treated as spam by most of my contacts - these
secure/encrypted chat apps keep coming and going, with some people saying
"just use Whatsapp, it is now encrypted", others complaining that it is closed
source, etc. I can't keep changing my recommendations every few months and
expect my contacts to do the same. In fact, it is only through hn that I even
heard of yet another protocol: [https://matrix.org/](https://matrix.org/).

Practically speaking, WhatsApp works best wrt security for me due to these
network issues - essentially all of my Indian contacts have it for some
reason, likely again some positive feedback loop due to network effects in
India. And there is no such dominant app among my US contacts, hence I fall
back to plain old SMS.

------
Bromskloss
I'm trying to figure out what chat method is considered superior. What about
Matrix? Should I use that or Signal?

~~~
tptacek
The premise of the article --- and it's a good premise --- is that the secure
chat applications you should consider are those that implement Signal
Protocol. Matrix does not.

~~~
vonklaus
do you have any resources for building a secure chat application, or maybe
more accurately, implementing secure chat as a feature of an application?

~~~
CiPHPerCoder
That's not an undertaking that should be taken lightly. At minimum, you should
have a team wherein one of the people making the final design decisions is a
cryptography expert.

And I don't mean "I learned how to do textbook RSA in college", I mean more
of, "Can tease a previously undiscovered cache-timing side-channel out of a
crypto library". (For example, the recent libgcrypt advisories.)

If the words "padding oracle" or acronyms like AEAD sound strange and foreign,
that person is not qualified to fill that role.

I would wager most developers lack the background to make a messaging service
that is _actually secure_. (To anyone reading this: Please don't let this fact
magnify any sense of impostor syndrome you may have. You're _far_ from alone.
Even the experts won't embark on this endeavor without peer review.)

~~~
vonklaus
to be clear, I was hoping to build it casually on top of a protocol or
library. I would not be planning on rolling my own crypto or anything like
that. I want a feature of my application to be encrypted chat which given the
large availability or apps & libraries, I was hoping could be more of an
integration than a build out.

~~~
CiPHPerCoder
In that case, the Signal protocol is open source.

[https://github.com/WhisperSystems/libsignal-
protocol-c](https://github.com/WhisperSystems/libsignal-protocol-c)

[https://github.com/WhisperSystems/libsignal-protocol-
java](https://github.com/WhisperSystems/libsignal-protocol-java)

More generally (i.e. not for messaging apps), libsodium is great for
application-layer cryptography:

[https://download.libsodium.org/doc/bindings_for_other_langua...](https://download.libsodium.org/doc/bindings_for_other_languages/index.html)

~~~
vonklaus
thanks, I did a cursory look a little while ago and have been thinking of
signal. Thanks for the resources. Will check out.

------
anexprogrammer
I love Signal and they're responsive to requests or bug reports in a way that
Google or Whatsapp can never be, and it seems, don't want to. I don't care if
it's missing a few features. Most of the features added to messaging are
pointless fluff anyway. So what they're 3 people, when I reported an unusual
bug it was fixed in a couple of days. Try that with Google.

What does impact me is the userbase. I've tried, and generally failed, to get
lots of friends using Signal. I get to use it with just the small subset that
are privacy aware and techie.

Given they use the same protocol, it's a shame we can't message whatsapp or
allo users. Yes it compromises my privacy compared to staying native, but less
than having to install their whole app.

~~~
nextos
I dislike a bit how they have ignored community requests to support
alternative transport systems to Google Cloud Messaging [1]. This has even led
to a fork [2].

It'd be also great to have a desktop client for Linux. Even a simple CLI would
do.

If those 2 things were fixed, it'd be an awesome messaging platform.

[1] [https://github.com/WhisperSystems/Signal-
Android/issues/1000](https://github.com/WhisperSystems/Signal-
Android/issues/1000)

[2] [https://fdroid.eutopia.cz/](https://fdroid.eutopia.cz/)

------
sbank
Does anyone have thoughts on Wickr? It comes with extra features like expiring
messages/media.

~~~
teaneedz
Though the argument is that it's closed source, there's a level of trust I
have for Wickr and team. There's even less meta involved with Wickr since no
phone number is collected and the app forensically deletes messages. Nico Sell
has a pretty awesome reputation of standing up for privacy.

------
aftbit
Has anyone tried running a "private" Signal cluster? I'm sad that Signal is so
centralized. I wish they had built a federated protocol instead. :(

~~~
iaml
At this point why not jabber?

~~~
aftbit
It looks like Conversations has implemented the Axolotl ratchet for XMPP as
"OMEMO". I need to do more research to see how I can get support for that on
all of my devices.

[1]: [https://conversations.im/omemo/](https://conversations.im/omemo/)

------
wraith69
I'm disappointed that telegram wasn't on this list!

I'm curious about signal but their with service just seems to hang for me.

~~~
pfg
Telegram uses homegrown crypto with known weaknesses[1] and doesn't do end-to-
end encryption by default (your messages are stored on their server _in plain
text_ ).

[1]:
[https://news.ycombinator.com/item?id=10713064](https://news.ycombinator.com/item?id=10713064)

------
legulere
How WhatsApp beats Signal: Almost everyone I know uses WhatsApp, I don't know
of anyone that uses Signal.

