Hacker News new | past | comments | ask | show | jobs | submit login

I'm feeling dirty, because I don't like to be that negative, especially if we're talking open-source software. And I feel that I kinda hold this project to higher standards: If I compare this to WhatsApp/Telegram/Threema/Whatever, I inheritently, somewhat subconciously expect more from Signal.

And I'm disappointed. I tend to repeat the 'central server' and 'a phone number is not an address and not public information, it certainly is no identity' criticism.

When I read the headline/title, I thought 'Now maybe that would be enough to be ~good enough~ to ditch Telegram' in spite of these problems (which Telegram has as well, ofc). But really. A Chrome app. And works only (yeah, I think I said it before: Phone numbers suck) as a secondary client. And only if the first client is Android?

I seriously don't get it. And it certainly is not for me: I don't like that browser (I do have it installed for testing and to follow it at times, but there's no 'app' I'd run in Chrome). I don't want to tie something to my phone and I don't think that it should matter what platform my handset runs on - SailfishOS looks nice, FxOS progresses slow but ticks a good number of boxes for me.

Full circle to the first line: I don't _like_ to be negative and the headline gave me hope for a couple seconds. Unfortunately this release just deepened my belief that Signal wasn't meant to be for me.

If we were going to rank our priorities, they would be in this order:

1) Make mass surveillance impossible.

2) Stop targeted attacks against crypto nerds.

It's not that we don't find #2 laudable, but optimizing for #1 takes precedence when we're making decisions.

If you don't want to use your phone number, don't use it. You can register with any GV, Twilio, Voicepulse, or other throwaway VoIP number.

If you don't want to run Chrome, use Chromium instead.

If you don't want to use Google Play Services, use GcmCore.

The world you want this software for is not the world that everyone else lives in. You can certainly make it work in that world with a little effort, but because of how we've prioritized our objectives, that's not the default experience.

Thank you for your reply. I really appreciate it. As I stated earlier, I feel bad about 'expecting more' here - I certainly see the appeal of a popular ~decent~ option. Without trying to derail this further, let me look at those points:

If I use throwaway numbers: What happens if I lose access? Do I _need_ the number for anything in the future (say, device died)? Can someone else mess with me if they get access to this number, if the number gets reassigned? Searching for this kind of information is hard, because 'Signal' isn't exactly a word that search engines understand in context.

Chromium and Chrome are the same thing for me: A browser I don't care for and only install on a dev machine for some tests. I wouldn't install either on my personal rig, ignoring the suffixes. And certainly not for an 'app'. It's both 'Not liking Google' and 'No general web browser to run an IM client'. The latter isn't solved by Chromium.

As far as I'm aware there are no Google Play Services for FxOS (looking at this Flame right here) and I expect that there's no easy solution for SailfishOS either.

I understand that I'm not the target audience. Please believe me when I say that I don't feel that I can (as in, it suits me/feels okay to do so) use Signal right now. I'm writing these messages here not to hit on your work, but to express that there is an audience with other preferences/goals. It's Christmas soon, after all - consider this my public, unrealistic, idealistic wishlist.

(Edit: And I apologize that my critical comment ranks rather high right now. I might believe that I'm not completely bonkers and there are other people that feel the same way, but it still sucks to see this kind of feedback on an announcement post)

That's a pretty big holiday wishlist. =)

This is the world we live in: people do most of their communication on mobile devices running iOS or Android, use Chrome on the desktop, and expect contact discovery to be automatic in their social apps. The browser has won the desktop, iOS and Android have won mobile, and the velocity of the ecosystem is unlikely to make "distributed" communication mechanisms possible for some time.

We're trying to make mass surveillance impossible within this world of ours. We want to produce technology that is privacy preserving but feels just like everything else people already use, not somehow convince everyone to fundamentally change their workflow and their expectations.

It'd be sweet if we lived in an alternate reality where everyone ran SailfishOS or something (and maybe this year will be the year of Linux on the desktop!), but we can't just pretend that's already the case.

If we ever meet I'll buy you a beer for the year of the Linux desktop line.

But honestly: I understand mobile support for iOS/Android only. I don't understand Chrome as a platform (FF isn't dead. And the biggest reason for that is that I fail to understand why that client needs to be 'web based' and then again not. A web app in a silo)

Mobile numbers.. Why? I mean, if 90% of the population WANT mum to see that they use a service and when they're online (or whatever metadata you want to exchange for contacts), just because they happen to know the phone number: Fine. But why isn't it possible to sign up, hit a box that says 'no phone number associated' and .. add contacts manually? I don't want the 99.999% to change, to make it harder for them. I just wish that Christmas brings an option that lets me opt-out of that. Chat contacts don't need my phone number. People that know my phone number are not chat contacts.

I'll get back pretending that Linux has won and will try to surf the web in FxOS for 30min just .. to prove you wrong. :)

This is my question exactly. What features does Chrome have that are worth making the app completely incompatible with other browsers? Why is it not just a "Web app" and it's a "Chrome app" instead?

Similar to Firefox extensions, Chrome has "apps" and "extensions". Both are locally-saved packages of locally-run JS/HTML/CSS, differing in what capabilities they have w.r.t. chrome api access.

So... I think the question still stands.

Perhaps Signal just isn't for you. No one who I've introduced signal to has ever had a problem with it. Now if you add a randomly generated 128 bit account identifier, then people WILL have problems with it. Not with you, but with your mum/grandma.

I really think Signal might not be for you. Signal is not about building the most secure or private system, it's about building the first mass-market encrypted that that's Good Enough. Signal is a infinite percent improvement over plaintext/https. It's not supposed to be as good as OTR.

Non-technical people I've introduced to Signal on iOS stop at the "upload your contacts" stage and go "I don't want this random little company to have access to my contacts". These are non-technical people who understand the importance of keeping their contact list private, and there are a lot of them.

Making it a de facto requirement that users on your network be personally identified via a phone number ("get a burner number"? really?) and that you have a copy of their contact list and phone calls, all within US jurisdiction, means mass metadata surveillance a single judicial order away (as it is now with the telecoms).

Unlike POTS, Signal prevents phone taps, yes, but it does not hide your social network, and so does little to provide you with the ability to associate with someone anonymously.

> These are non-technical people who understand the importance of keeping their contact list private

Do you take this opportunity to point out to them that they do away with this privacy every time they install whatsapp / fb messenger / hangouts / skype / practically anything that asks for contacts permissions?

The last person I'm recalling this conversation with actually blocks Whatsapp / Facebook from getting her contact list, but trusts Microsoft and Google. I'm not sure how representative that is, but I wouldn't be surprised if people trust big companies with big brands over relatively no-name startups in this regard.

See, that identifier might be an option. Or .. it might not be necessary. If that identifier would be the core 'me' on Signal, why wouldn't you be able to add me by phone number - if I gave Signal one to share/associate with? Mum and Grandma would see no change. People like me could run around without a phone number.

It's not as if that hasn't been done. twitter.com/darklajid is me (not worth checking it out). See? A name, tied to an identity. Same here. I used to have a FB account and even _there_ you can have a profile name that is unique and shareable. I really think you conflate things here: I DO NOT want to make life harder for mum/granny/the average WhatsApp fan. If you love that random people show up in your roster because you store their number (or vice versa: You show up on your Ex's roster because she didn't delete you yet) that's fine. And could continue to work like that.

I really have a hard time understanding why it isn't impossible to opt out. If I have a key, registered with Signal - why would I need a number on top? _Especially_ given that there's no federation to speak of, so I assume they don't need to 'shard' base on the identifier. foo@example.com -> talk to example.com? That's not happening here. And I don't see why/how they'd shard on numbers? +49 -> route to a German server?

Why is a phone number (and all the things that come with it: Discoverability for example) a requirement? You didn't answer that.

Yes, Signal might not be for me. I'm reasonably sure that I mentioned that before in this thread ;-)

If that identifier was linked to my Keybase.io account, that would be really cool. Or linked to Namecoin. Using methods like that to find my contacts would be great.

> Not with you, but with your mum/grandma.

Hey, please consider finding a better way to say "the average person" than calling out women and old people as being groups you think of as non-technical. Thanks!

It's a bit of a slippery slope argument. Things are hard. Let's compromise to make them usable.

That said there's a lot of potential as the crypto libraries are known to be top notch and reviewed. I hope they progressively address these issues.

If Signal's not good enough for us, what is?! I want to know...

> FF isn't dead

From http://www.computerworld.com/article/2893514/an-incredibly-s...:

> In the last 12 months, Firefox's user share -- an estimate of the portion of all those who reach the Internet via a desktop browser -- has plummeted by 34%. Since Firefox crested at 25.1% in April 2010, Firefox has lost 13.5 percentage points, or 54% of its peak share.

I love Firefox, but having used FxOS and mobile versions of Mobile Firefox, the Mozilla Foundations new products feel like the Netscape 6 / Mozilla Browser Firefox was created to replace, rather than the lightweight, user focused alternative.

Chrome is not any better at all. Speedwise they're about the same, but Chrome has better separation between tabs. However it allocates ram like there is an infinite supply of it, and it absolutely kills the battery on my computer. This is with the same extensions installed in both browsers, uBlock Origin, Privacy Badger, No Script, Last Pass, and Wunderlist.

They are not at all the same. I love Firefox too, but had to change to Chrome because of JS engine speed alone.

> I understand mobile support for iOS/Android only. I don't understand Chrome as a platform

> Mobile numbers.. Why?

Pidgin + OTR works on Linux, and doesn't relate to mobile numbers or Chrome at all. This might be a better fit for you.

I'm aware of that. I used to run an xmpp server and recently switched to Telegram for inter-family conversations (wife, brother, intimate friends) because the xmpp UX story is unfortunately not perfect (you need message carbons, you need stream management and you probably want MAM to have a usable system that can be used on mobiles as well).

This is great news! Such a big fan of the work you guys are doing at Whisper Systems. We are in the middle of an update to Umbrella App (which contains lessons on digital and physical), so will add the latest Signal changes to it in the next few days.

If anyone is interested in taking a look (free, open source, code reviewed, Android) please feel free: https://play.google.com/store/apps/details?id=org.secfirst.u...

The problem of course being that those users that use the closed source Google browser and iOS won't care much about what Signal is offering either. They're already using Hangouts, iMessage and Signal is pretty much a downgrade from those.

Millions disagree.


I don't really know anybody who uses "Chrome apps", technical or non-technical. I agree that was an odd choice, and will probably exclude a lot of people.

It's also odd to me that privacy advocates would push people to Google's ecosystem.

I hope one day there will be Windows and Mac apps. And that instead of phone numbers, we can use email addresses.

First, congratulations on shipping. Usable E2E encryption is something I care deeply about and Signal is the best Ive ever used. Completely agree fighting mass surveillance for avg users is highest priority.

What do you mean by "the velocity of the ecosystem is unlikely to make distributed communication mechanisms possible for some time"?

Ecosystem - tools and services with network effects, like Google Cloud Messaging.

Lots of phone carriers whitelist that server of theirs to allow it to wake up phone unprompted from idle while typically only allowing phone-initiated connection to stay active, and they also tend to block most incoming connections once the phone has been inactive for a while.

While it isn't technically hard to make something distributed, to also make it work well can be troublesome...

Yet another reason I want home servers to become common, as your phone could automatically request that your carrier whitelist your chosen trusted nodes such as your home server.

"most people" in "the world we live in" are completely hopeless. You won't get to them until you sink completely to the level of the services you are trying to replace. So you won't help people who can be helped because you're trying so hard to get to the people who just can't be.

By the way - the biggest problem with textsecure^Wsignal right now is the lack of encrypted export and import of the private key. Forget the issue about message history, the freaking private key is the most important thing. All the dumb users you may manage to reach with your current integrations and conveniences are just accepting a changed key for their contacts at any time, and now also smart and diligent people are doing the same thing because you can't keep private key continuity unless you root your android phone and use a root backup app. It's a basic core failing.

I would argue that the removal of SMS encryption is a worse failing. Accepting all key changes without question renders you vulnerable to active attacks, but you remain safe from mere passive collection (the most common case). On the other hand, whatever Whisper Systems would have you believe, people really do still use SMS. A lot.

I will never convince my friends to use an internet-based messenger - I might as well try and get them to use Pidgin+OTR if that's the ball game. I have, however, switched a few of them over to SMSSecure, the SMS-only TextSecure fork, which is a perfectly serviceable SMS client.

Why do your friends care about the underlying transport?

I too think SMS transport should have been maintained, but I believe it only really matters when you're stuck without mobile data access (for example, when I was on a cruise ship earlier this year I had roaming SMS/voice but not data).

As long as you _do_ have mobile data access at both ends, then a message to another TextSecure user will be sent encrypted over the data connection; and a message to a non-TextSecure user wouldn't have been encrypted anyhow.

I am farting in a thunderstorm, since this argument has been had a million times. Nevertheless, i will explain why i personally worry about the transport. Perhaps the other commenter has different reasons, i don't know.

I currently pay €2 per month for my mobile bill. That is very little money. Notably, that includes no internet/data, but it does include unlimited text messages. Can you see why SMSSecure is something i would want?

Because most people I know keep their data switched off most of the time, which will always be the case as long as apps are abusive about phoning home.

I like the fact that Signal makes good cryptography available to the masses. But I also share the OP concern about Chromium (and about a central server, but this is technically much harder to fix).

Perhaps it would be possible to have a simple CLI app that is free from these dependencies (which should also be quite simple to develop).

some signal cli clients were discussed on the mailing list yesterday: https://lists.riseup.net/www/arc/whispersystems/2015-12/msg0...

Sounds very interesting, thanks.

Yes because the GUI is the hardest part of p2p networking.

The main thing I have against webapps is that from a technological point of view they aren't meant for the use we go today. Obviously the privacy thing is another big issue, but this leads me to point 2; I can protect my privacy: I just need to switch off my router, throw away my phone and say good bye to the grid, but that is the 2015 way of being an heremit and honestly, is something I don't want. So I came up with this solution: carefully try to not divulge sensible data and, if I need to, split that over many possible unrelated services.

We're not going to win, but at least I try to defend myself

Please make it possible to use public keys as identifiers somehow, maybe linked via for example keybase.io to provide simplicity in lookups and tracking usernames.

It would also be much easier to allow federation with that mechanism, as your keybase.io account even could point to your chosen server together with the public key.

> 1) Make mass surveillance impossible.

A worthy goal. But let's be real; to stop mass surveillance by writing a new chat program, you need mass adoption of your new program, and that means you need truly amazing UX.

If you write something which is technically perfect and would work if it was widely used, but nobody uses it because Telegram is just a little bit easier to get started with, and has nice cartoon drawings to explain their features (or whatever), then you've completely failed.

Signal combines a competent and relatable user experience with a reliable security model. The latter is required to make a few people install it, the former is required to make their acquaintances install it, too.

Moxie, you really think crypto nerds are being attacked? They're not the ones with Keys to the Castle. Sysadmins have the keys! In fact, the NSA has been targeting sysadmins for a while. Sysadmins make great targets. Forget about their inability to implement a real security program, a sysadmin can barely get a security compliance regimen off the ground. Here's an article from Glen Greenwald's TheIntercept that details why Sysadmins are sitting ducks against both the NSA and Nation States: https://theintercept.com/2014/03/20/inside-nsa-secret-effort...

It's Sysadmins who make for a delicious muskrat lunch, not the crypto nerds.

There is a bunch of overlap between those groups (though too many sysadmins indeed don't grasp the threats that face them, or don't take them seriously).

I'm saying this as a sysadmin and crypto nerd who really wishes we had a secure messaging system that achieved both of Moxie's stated goals. Unfortunately, I don't want to use it in its current state for largely the same reasons as laid out by 'darklajid.

Both goals are important and feed into each other. If we don't have #2, it's easy for NSA and friends to backdoor the software or services for #1, for example like they did with their trusting-trust trojaned XCode.

Does anyone really believe these agencies will not react as we deploy "mass-surveillance-proof" software? What will be their next move to collect the data that they want? All of these attacks that people now write off as "crypto-nerd paranoia" will just become the new normal.

If someone was able to come up with a native equivalent, would you support that level of access or is that something you'd oppose?

It seems to me, at least, it might be possible to do so if the API was consistently exposed and versioned.

Regarding #2, since it's worded somewhat ambiguously, should we read that as wanting to stop targeted attacks in general (I'm thinking specifically of criminal suspects/etc. when a valid warrant exists) or targeted attacks against specific targets (i.e. people being illegitimately targeted like crypto nerds)? As a follow-up, are there any situations in which you think it would be appropriate to give information or the plaintext content of encrypted messages for a specific user to a law enforcement agency?

Why not both?

#1 is essential, but you really need to cater to #2 as well because "crypto nerds" are likely those who will eagerly adopt the software and advertise and praise it to others.

Here is a simple non-exhaustive list of changes to better achieve #2:

1. If the phone number starts with +xx where xx is a reserved/invalid country code, the rest is the client's base10 public key. Verification happens by signing a challenge or simply successfully performing a DH handshake instead of by SMS.

2. Provide a "pull" notification socket in the Signal server, use it if GCM is not available

3. Package the mobile-sync Chrome app with node-webkit or simply as a standalone server that auto-opens your browser to localhost:port

4. Use libtextsecure-java to make a simple standalone desktop client that could either have a command line interface or a localhost web interface (please don't use the C library, since C is not suitable for secure software)

Obviously these changes could be done by third parties, not necessarily by Open Whisper Systems.

#1: Will require really long numbers.

What is GcmCore? It doesn't show up on ddg or google.

It's GmsCore, moxie typo'd. However you can also install via F-Droid by adding this repo https://fdroid.eutopia.cz

Moxie is probably going to hate you for it, but it works very well and doesn't require Google Services or anything else.

Using that websocket stuff instead of Play Services or GmsCore will make receiving Signal calls impossible.

> Moxie is probably going to hate you for it

Overly dramatic...

It's a typo of GmsCore:


Is there a technical limitation against having two phone numbers?

I live between two countries, and have two phone numbers - friends and family in one country have the one, in the other have another.

In places like Myanmar, people regularly have several SIMs with several numbers due to poor connectivity.

Could you tell me more about gcm core? I've removed play services from my phone and for the moment accept that this means some apps dont work. I'd love a substitute, but a quick search for 'gcm core' didn't give useful results.

You can't make mass surveillance impossible if you require a platform that is a mass surveillance nightmare.

Also can we please stop calling this a Desktop app? It requires Chrome to run, so it's neither Desktop nor Web app.

> 1) Make mass surveillance impossible.

That's an extremely noble goal, and it seems you've made great progress towards it, but..

Will the US government really just let you do it? Have they not interfered yet? It seems highly unlikely that they wouldn't somehow neutralize the threat your work represents, so I'm just.. cautiously optimistic instead of really excited.

> Will the US government really just let you do it? Have they not interfered yet?

Of course they did: the recent propaganda wave against "encryption" is all about preventing the next wave of privacy-conscious communication tools, to which Signal belongs.

Smart governments don't have to "interfere": they just have to pass laws.

Making encryption illegal would certainly count as "interference".

The central server in Signal does not have the same role as the Telegram's.

If you care first and foremost about UX, use Telegram. If you care first and foremost about the security of your communications, use Signal; go out of your way to use Signal.

> go out of your way to use Signal

With that mindset we will never get secure communications to the masses but will repeat the PGP dilemma again and again. UX is of utmost importance.

We would still be on 99.99% HTTP websites if HTTPS required going out of one's way.

Signal is an order of magnitude easier to use than PGP. It's not even close.

The GP was comparing two apps that are actually both very easy to use, one maybe slightly moreso.

(That said, PGP isn't THAT hard either.)

I've been actively using PGP for about 2 years with a few friends that all use keybase, but I still don't feel like I really know what I'm doing, or if I'm really doing the right thing. A lot of the terminology and best practices I learned while first setting it up are lost on me now. It still works though! Well, somewhat... since I switched to KDE thunderbird no longer remembers my pgp password. I miss the gnome keyring.

70% of the UX complaints people have about PGP stem from the huge number of options it has and the lack of guidance it gives you for which options matter.

Which is a shame, because none of the options actually matter.

If you're encrypting messages to a public key, and not with a passphrase, and you're signing the messages you encrypt, you're getting 98% of the value PGP has to offer.

If you want to do things more advanced than that, you probably shouldn't use PGP. PGP has lots of advanced options, but it lacks a lot of fundamental features you'd want from a secure messaging system.

But for the basic use case it supports without options, PGP is just fine.

That's what the Cryptocat people said.

Is it? It is also what Edward Snowden said.

In fact, he may have even said it on Cryptocat; Poitras and Greenwald used it to collaborate with him. Snowden also used Lavabit to send email. Why? Because Lavabit had superior UX to his other options --- because Lavabit handled all the crypto serverside. NSA has presumably read everything he sent on both of those systems. Despite the extreme ease of use both systems boasted, they were both so badly designed that they enabled retroactive decryption.

So I think, if that was an attempt at a rebuttal, it was not a very effective one.

So they used bad products because their UX was good. That seems to be grandparent's point?

Secure messaging products with good UX and bad security should wait to launch until they can have good security; the alternative puts people at risk, as it did to Snowden.

They should but they don't. That's why have competitive UX is important for the good tools or people won't even consider using them. We have seen that happen countless times.

Tbh, Signal's UX on Android is pretty good.

Is Telegram just better on iOS or am I missing something when you say it has better UX?

Enh. Signal's UX is still not effortless.

For example:

* Does not make it clear it's a point to point mapping (on iOS) right now. I discovered this the hard way.

* Unclear failure modes (see above). It's entirely possible to have messages be silently dropped.

* Texting vs. call methods unclear. I.e. there's a phone icon but no text icon (select name instead).

* Contacts list has some text only, some phone only, some both.

* The whole contacts list arguably needs to be rethought. It only shows others that have installed Signal/RedPhone/Textsecure. There is no easy way to see if someone does NOT have Signal installed and have the functionality to send a link to invite other person to add the app. I think this would help tremendously in the virality of the app.

* There used to be easy ways to invite people to the app within the app, seems to have gone away with only a tweet an invite to app store function remaining.

* There have been several instances when I can't see someone after they install Signal. They have to initiate a message to me in order for the contact to show up in the list.

* Signal has poor handling for contacts with multiple numbers. It's not clear which number is being used and you can't switch selection of numbers.

So what I'm saying is don't necessarily ape what Telegram/WhatsApp etc. is doing but I think Signal would do well to study hard the onboarding workflows of those apps.

What do you mean it's a point-to-point mapping? Genuinely curious.

You mean that there is no server to buffer failed delivery attempts if one of the devices is off or disconnected?

(Side note, I've hit that the same bug where the other person has to contact me first because they don't show up in my contacts, even though they should.)

It's one device to one device (as stated elsewhere in this thread. Apparently, only Android+Chrome combo is supported for multi-device).

Put differently, I can't register the same number to an iPad and iPhone simultaneously at this time and hope to communicate with someone. It apparently gets things all confused.

I was doing some more testing and it also appears that I'm unable to call someone with a greyed out name but with available phone icon. Once again, no clear indication if this is a bug (not supposed to happen) or a feature (can call but not text).

Oh I see. That is indeed annoying. So I guess this bit from the desktop announcement is a stretch: "....all incoming and outgoing messages are displayed consistently on all your devices." I mean I guess if you ONLY have one phone and a desktop that would be true? And I guess if Signal only allows you to register those two things, it is TECHNICALLY true, in the sense that "all" <= 2

And all = Android + Chrome (at least for now).

Since I'm not an Android user, I'm unable to confirm all > 2 scenarios. Someone should try and report back.

I have Signal on Chrome on multiple computers. It works just as expected with messages shared across Chrome and to the phone.

It's all very fast and working quite well.

I do have an "invite" prompt on my SMS contacts that don't yet have Signal: "Invite to Signal: Take your conversation with %s to the next level.". Perhaps it's a function in the beta version that isn't in the live version yet?

I haven't seen a message with a double-tick that's been dropped yet, at least not on a recent version. It can sometimes behave poorly with Android battery-saving mode - however, so does plain SMS. Turning off sync is part of the actual point of battery-saving, but conversely, I never want to not get messages. That's arguably Android's problem, not Signal's. Still, it uses GCM, so at least there's hope for the deep sleep (which I haven't tried yet).

Surely battery saving modes should not drop messages? It could delay them but should never (well, almost never) drop them.

With no knowledge of how signal's servers actually implement this, I would like to ask you... how long should the central server hold on to the (encrypted) message that Alice sends to Bob if Bob never becomes available again?

I haven't thought about what's reasonable (an hour? a week?) but it still shouldn't be dropped but bounced back to the sender with an undelivered message. At last that's how email solved it some thirty years ago.

(But perhaps a new protocol could take the opportunity to improve things further and offer on-line delivery status notifications throughout the process.)

No matter what, messages should never be silently dropped.

Best effort, deliver at least once?

At least that how it seems iMessage seems to work. I have no idea how long iMessage holds on the queue but it seems no more than a few days.

Not sure what kind of attack vector a public TTL would constitute.

This reply is mainly intended for Moxie and the team developing Signal as feedback (which they probably have received from others). I'm not going to focus on security, because Signal is likely the best on that front from whatever I have read.

I really want Signal to be my only app for chats and I do try Signal once in a while, but I always go back to Telegram for a few reasons. Telegram is very fast in delivering messages, just like it claims. Signal, on the other hand, has been and continues to be slow. Messages could sometimes take anywhere from 10 seconds to even a minute or several minutes to get delivered. That's not really a good UX for chats when you can't say whether your message would get delivered or not. If I wanted to send a slightly urgent message (urgent enough to be a message but not urgent enough to be a call), I wouldn't rely on the current implementation of Signal. Back and forth communication also becomes very odd and frustrating if the messages don't get delivered within a few seconds. Even SMS seems better when compared to Signal's speed of message delivery.

Next is the multi-device availability and syncing of conversations in Telegram. Once you get used to having Telegram on the desktop/laptop and phone (and perhaps a tablet), it fits in so well with the physical location someone is in, what the person is doing and which device the person feels comfortable with. There are many people who have deep and heavy conversations on these chat apps, and doing that on a small screen's touch keyboard is a big hindrance. Being able to do that with a laptop or a desktop makes it so superior an experience that it's difficult to give that up.

People that I chat with either don't know much about encryption and privacy or don't care much about those. Getting some of them to use Telegram instead of WhatsApp was difficult, but they're now big fans of Telegram because of how it works and what it provides. But getting them to move to Signal? I can't imagine doing that with the current state of affairs with Signal.

While Signal may be a very secure chat app, not focusing on the things that help increase UX (and in turn, market share) will not help in the long run.

My hope and wish is that Signal development would accelerate faster and provide quicker releases that solve what I see as fundamental issues. This would benefit everyone and make our world a much better place.

What if you care about control over the system and not being tied to a single vendor?

Then you definitely don't want to be using Telegram.

I'm curious about this response. Could you please explain or point to something that explains, for a common person who doesn't code or cannot build code or cannot maintain servers, how Signal would provide more control and avoid being locked to a single vendor when compared to Telegram?

It does not. In practice both are equivalent in that regard. I guess tptacek meant that Signal might have less control over you than Telegram, but that's a different issue from what I was thinking of.

Both Telegram, Signal¹ rely on a central server to which all users connect. If that server goes up in flames then nothing will work for anyone. Or if those who run it turn out to be evil or otherwise doing bad things then there is nowhere you can go without losing all your contacts.

But in a system that has multiple servers that talk to each other, like email and Jabber/XMPP, you have a choice in who provides the server while still being able to talk to everyone on the network. So then it is at least possible to switch to another server or provider and still be able to reach your contacts. It is also possible to run your own server, or convince your more technical friend to run one for you. This model is called a federated client-server model.

A true serverless peer-to-peer system would in theory be even better, but in practice it is much harder to build and maintain, especially on mobile where devices may lose coverage at any time. So for example Skype (before Microsoft bought them) would promote some clients to "super nodes" which other clients would use to communicate ... kinda like having servers but with less control over who they are.

(Note, I work on XMPP software so I'm kinda biased)

¹ There appears to exist server software but it is unsupported and might not be useful for more than talking to yourself.

There was talk some time ago now about Signal server federation. I was under the impression that it was planned and either dropped or de-prioritised for now.

Certainly, it seems that while running your own server might not be actively discouraged, it isn't supported by the Open Whisper Systems team at the moment.

They don't like to admit it, but Signal has a metadata problem. It's fine if that's not their threat model, but I wish they would be more clear about it, especially when other chat systems get criticism more often for precisely that aspect.

Edit: "As far as we can determine, practical privacy preserving contact discovery remains an unsolved problem." -03 Jan 2014

[0] https://whispersystems.org/blog/contact-discovery/

The kind of data they hold is legally within the reach of authorities and would allow metadata analysis similar to the NSA's former phone metadata program.

They don't like to admit it, that is why the write a whole blog post about it? The app tells you when registering that is is about to send some contact information to the server and that it will not be stored.

Your criticism would be stronger with a list of examples and evidence they are unfixed for at least 6 months.


That metadata problem is essentially unsolved and unsolvable. No system is immune to metadata contact discovery at present.

For instance, https://ricochet.im/, is attempting to solve that problem by relying on the user to make the initial exchange securely. However, in reality, any method of relaying that to their contact point is vulnerable to discovery of that kind of metadata.

Phil Zimmermann gave it a stab:


I suggested this to Moxie, he said "it's not meaningfully privacy preserving", but there wasn't any more detail.

> "As far as we can determine, practical privacy preserving contact discovery remains an unsolved problem."

This reminds me of an idea I had which I would love for people to tear apart (I know that the obvious bandwidth problem makes it completely impractical, but I wonder if there are theoretical flaws):

Have a central server which everybody connects to. All clients send a constant stream of data, 24/7 - if they don't have anything useful to send, they send /dev/random. When they do have something to send, they send a GPG public-key-encrypted message. Every client then receives the entire stream of data, handles the data which it can decrypt using its private key, and discards the rest.

- Your contacts list is a GPG keyring - The server knows nothing - Anyone intercepting your internet traffic can't tell where your packets are destined for - You can't even look at two people's traffic patterns and say "these two people were active at the same time, they must be talking to each other"

You don't even need a central server for that. Just set up a p2p network and have all peers broadcast their messages (¶) to everyone they're connected to. Those peers in turn forward everything they receive to everyone they are connected to and so on. (And, of course, they try to decrypt everything in the meantime to see if any message is meant for them.)

(¶) I think you could do without sending random data unless network consists of only two active peers and your adversary taps every single internet link. (As in, even the cable underneath the street in front of your house.) If he doesn't, broadcasting your message to your (physical) neighbors would likely be enough to obfuscate the message's origin.

Anyway, the idea of broadcasting / flooding to protect metadata is not new. See, for instance, Bitmessage and Ethereum Whisper. If you ask me, though, (and you mentioned that, too) the traffic and performance issues originating from broadcasting and brute-force decryption make this approach rather impractical to pretty much impossible – at least if you want this to work for the masses. (Even if it's just for text messages, not cat pics or anything.)

>broadcast their messages (¶) to everyone they're connected to. Those peers in turn forward everything they receive to everyone they are connected to and so on.

That sounds like a great way to DDoS everyone using it and every network in between.

Well, there're obviously a lot of things you could improve to lower the chances of a DDoS. (E.g. introducing a TTL / maximum number of hops for a message or forwarding some messages only to some peers, thereby influencing the exact way messages are routed through the network.) But I agree it doesn't look like the most viable idea for a medium for mass communication, not even if it's just for high-latency messages. Yet, people are working on it.

I'm currently working on a decentralized instant messenger Ensichat [1] which does exactly that. Right now, it only works over Bluetooth, but internet support will be coming very soon!

[1] https://github.com/Nutomic/ensichat

/dev/random has a nonzero chance of emitting a valid GPG public-key-encrypted message. How does the server tell the two apart? How do you make sure that an external watcher can't tell them apart?

Do you have time to share more details on Signal's metdata problem, especially if you have any ideas about what they could do to solve it?

Is this something that is going to require a Tor-like approach to even have a chance of fixing?

Privacy-preserving contact discovery and obfuscation of a message's metadata (what Tor can be used for) are pretty much orthogonal issues:

The first case is about finding out who of your contacts uses Signal, too. The way it's done in Signal right now is described here: https://whispersystems.org/blog/contact-discovery/.

The second problem is about whether anyone gets to see who is sending messages to whom, e.g. by tapping the wires or running the central server all messages are being routed through (for instance, Signal uses such a server).

In both cases, your social network might get get exposed depending on what data is exposed exactly (IP addresses, pseudonyms, …) and what the attacker can infer from it (your name / home address?).

Let me know if that helps.

NSA only knows then that somebody with that phone number is using Signal ... so what?

They would find out anyway b/c your packets are sniffed on a regular basis and so they know your phone is communicating with the Signal server and maybe the packets itself are characteristic.

So in my humble opinion this criticism is irrelevant.

Isn't the criticism that Signal maps your contact metadata?

An inside man is much easier for NSA than all that expensive world wide data collection. (Of course, in reality surely they do both.)

I feel the same but in a bit other way. They tied up everything very closely to google services and they tell me "we really care about your privacy so use our app that requires google play frameworks on your android device". Those are two completely different things, use gapps or opensystem apps? It's 100% no-go for me and the whole idea seems to be a bit sarcastic for me. It hurt me when they removed content encryption from TextSecure because "NSA cares about metadata not content", yea, but European agencies like GCHQ care about content not meta-data.

Content encryption has not been removed. It never will.

You might find SMSSecure, the SMS-only TextSecure fork, useful.

I just found it unreliably slow. Principles are all good, but if I message my gf saying "see you at the bus stop in 20 minutes" and she doesn't receive the message for 2 hours, that's majorly annoying and it happened so often I had to leave it. The basic functionality isn't fit for purpose, for me.

Do you have IPv6 in your home network ? Many devices (such as all the Samsung one) stop responding to ICMPv6 packets when in sleep mode (which completely breaks long-running TCP connections over v6), supposedly to save power. This breaks push notifications of every apps using GCM, but there is no way to disable IPv6 without root, and no way to only use GCM over IPv4. I find it mind-blowing that this issue has been known for 3 years and nothing has been done to fix it...

Issue from 2012: https://code.google.com/p/android/issues/detail?id=32662

Thread starting in 2013 on Samsung dev board: http://developer.samsung.com/forum/board/thread/view.do?boar...

Status: Obsolete Closed: Dec 2014


are you sure it's Signal? cause i have this problem with my husband too, but it happens with Hangouts as well as with Signal. my best guess is that his android phone, a cheaper LG model, has limited resources and puts some services to sleep...

Yes, because it happens on recent hardware (a 6s) and other messaging systems don't seem to have this issue at all under the same conditions.

Most of the time it would work fine, but quite frequently messages would be sent (have left my device) but not appear on the receiving device for ages, so i can only assume that sometimes the infra couldn't keep up.

Is there no acknowledgement of received messages? That seems somewhat of an oversight over unreliable third-party transports.

Yes, there is.

I used to have the problem but just trying it again now the situation has dramatically improved for me.

> I tend to repeat the 'central server' and 'a phone number is not an address and not public information, it certainly is no identity' criticism.

Your phone number is not your identity in Signal. If you change SIM cards then your friends won't notice and the app works as before.

Signal is based on asym encryption - your private key effectively encodes your identity in combination with your public key.

> And only if the first client is Android?

There is no point in dwelling on that. Android and its syblings are the only potentially secure popular smartphone OSs. Apple and Microsoft OSs are fundamentally flawed in that regard.

Approximately zero is the number of software security experts that would agree with that assessment of Android's security versus that of iOS.

There are a lot of totally fine reasons (shakes fist) that OWS would start with Android; they might all have Android phones, they might have ideological problems with app store review, it might have just been an easier platform to build for. But yours isn't one of the valid reasons.

Do you happen to have a reference to any kind of freely available technical publication (blog post, etc) that goes through some core points to reach this conclusion? I read many things around for years and I agree with the general statement, but I failed to find a recap that can be used to explain the core points of differences to people not familiar with the matter.

Huh? Apple and MS have a record of communicating in sharing data with US government - plus as companies providing closed source software they are likely to introduce backdoors ... also something you might have heard of since Snowden.

I'm making an engineering point, and you're making a conspiracy-theoretic point.

Engineering and corporate behavior aren't really orthogonal topics, are they, when the actual engineering you want to inspect is unavailable (closed source) and you have to rely on observed behavior and trust?

If Apple actually did have a history of, say, pushing customized "iOS update" binary blobs at USG targets that undermined all the security features they describe in their white papers and in their (other) marketing, that would actually be entirely relevant to claims about the security of iOS, would it not? Even without such on-device updates, a system like iMessage can potentially be thwarted if Apple itself decides to cooperate with MiTMing, at least in certain scenarios.

(Btw I'm not actually endorsing OPs point that Apple is too close with the U.S. government. That does not seem accurate given the public heat brought down on Apple by entities like the FBI recently. But if it were Microsoft, there would be a point there.)

I think Apple has gone through a lot of trouble to avoid being forced to compromise iMessage, but I am not recommending iMessage. iMessage is orthogonal to Apple's platform security, which is simply better than Android's.

That's all I'm saying.

Closed source it may be but what's stopping you from reverse assembly? After all even in 'open source' you still don't know what you run unless you built it yourself. And even then you have to trust your toolchain.

And the Android build shipped with your phone is provided by your telecom provider, which presumably cooperates with your favorite Three Letter Agency.

So, you flash the phone with your own build? Most phones on the market rely on proprietary drivers only available as binary blobs. Even if you find a phone that has all Free drivers, can you replace the bootloader with your own trusted binary? Even the bootloader isn't nearly as dangerous as the baseband processor, and I don't know of a single phone with a Free baseband OS.

Sorry, as much of a fan as FOSS as I am, with your threat model, every phone on the market is equally bad. This might change once we're able to eliminate baseband processors from smart phones, but even then I wouldn't hold my breath.

We had a similar exchange earlier.

If the phone number isn't my identity - what is the phone number for? I don't need a phone number to generate my key, do I? It seems, as far as I can follow from the outside, that phone numbers are used as namespace. Maybe 'identity' goes too far, but so far I understand that the number you register with is your - erm - user id?

Help me out. If that's totally wrong, if I "didn't get it", I'd be glad to learn more. But .. then again: Why require a phone number (-> No standalone client on the desktop)?

Thomas basically destroyed that security argument already, and I'd actually prefer a niche OS (FxOS, but I'm getting more and more into SailfishOS demos atm).

To me, this announcement feels pre-mature, the software doesn't seem ready until it integrates with other clients. But I think, giving time, your concerns could be addressed:

-Integration with other devices, backing up and importing your back up between devices, are features that will come, eventually.

-There are several 3rd party standalone desktop apps being developed for Signal.

-You could maybe build a Textsecure server, and in the future, who knows, there may be documentation for doing so.

Maybe Signal isn't ready for you right now now but I wouldn't count it out!

Huh? It's pre-mature to announce a beta product?

I feel a lot of the same things. But, on the bright side:

1. It's early days yet -- let's give them some time to work out the bugs and build out more diverse platform support.

2. The code is open source. If we (or anybody else) gets motivated enough, we can add support for other browsers or build a "real" standalone app.

Isn't Chrome app a standalone app which doesn't run inside Chrome browser, but instead only uses its engine? I don't know anything about security or privacy implications of using this tech though, anyone care to comment?

No, you're likely thinking of Electron[0]. A Chrome App[1] is a browser extension that tries to act more like a native app.

[0]: http://electron.atom.io/ [1]: https://developer.chrome.com/apps/about_apps

Sounds like Tox might be for you then.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact