I'd vote for https://riot.im/ instead.
I also seem to remember going over their homebrewed cryptographic rachet and it didn't properly HMAC.
EDIT: Apparently riot.im supports E2E, but it's not a part of the Matrix protocol and it's not encrypted by default. The Olm rachet was also audited by NCC, so that's nice.
I would love a Ricochet/Rio+Signal+Burner combo.
Wire is doing a pretty good job of making a fun to use chat interface, but it has its own problems in privacy and speed.
Can't we kill phones already, please? Identify people by e-mail addresses, which are easier to remember and not tied to countries.
Which to me is an incredibly dumb idea since it leaves out WiFi only terminals such as el cheapo tablets but also small embedded boards etc. I know some of these messaging apps can be used on WiFi only devices, but never in an immediate way and I believe you can't use them at the same time, which is very dumb. This also kills any IoT use for instance, where you could make N copies of a Linux image that boots a node, connects through the same user and sends the data available to its IO pins, or accepts commands to drive them in order to turn on or off other appliances.
iOS users get iMessage which is great, but there's no cross platform version.
Telegram + Encrypted by default and in groups would be best, but they have some (invalid) reason for keeping it unencrypted.
If you're using WiFi, there's no "phone" anything involved.
Or at least, I don't get why there would need to be.
I mean, sure one can get more-or-less anonymous phone numbers. But why create the need for that?
There are things like keys for verification :)
To prevent spam and promote discovery. Finding someone on WhatsApp or Signal is easier than on WeChat as with the latter someone might be using a screen name, or an email address or a phone number.
Good enough privacy for the masses is.
They are always making these tradeoffs, and always make the same decisions. Perfect privacy in every situation isn't the goal. The goal is better privacy than the average person currently has, while still maintaining a level of convenience that the average user well accept.
I suspected that, but have they openly said it? I suspect it's also to deter criminal activity.
I really do not like it either too though.
Signal client is open source though, so maybe this is easy to work around.
I decided to ditch GSM and just use wifi. I have been thinking it could be a good platform for encrypted messaging using Matrix/Riot. Unfortunately I am not a software developer. If anyone is interested in helping out, let me know.
Its amazing to learn about 500 yr old buildings in Germany and England using low cost, simple techniques. I hope more people might realize that this is a lifestyle option.
good luck for v2. Hope to read about it on your page.
Maybe I should build one of these...
I have a Garmin for the car, but their public transit directions are difficult to replace.
Maybe something like nixOS where the phone's state is the result of a pure derivation. No installing or configuring anything except through a privileged ssh after decryption. Then boot and go again.
Only automatically updating is possible from the device proper, rollback on failure.
They do; it's called GTFS. It tends to need a lot of cleaning and manual in-person verification, which is expensive.
...then start deleting code out of it, hardening it, and using memory-safe apps. A nice step on the way to a truly, dumb phone that might take a lot of custom work.
That's going to severely limit the usability of the device. If you want to make a device for practical security, you'd need to find a way to isolate the mobile network chip. IIRC, better USB 4G dongles are standalone and expose expose either serial interface for PPP or an USB ethernet device, so the attack surface is limited.
If you build the phone around the chip from one of these, and make sure all data is VPN'd (and voice is VOIP'd), I think you should be able to contain cellular/baseband related attacks (to be clear, the baseband is still vulnerable, but won't be able to make the jump in the phone proper, and will only be able to see an encrypted data flow).
Further the chips are able to run mini applications and these can be pushed by service providers with no real way preventing it from the OS level.
Couldn't you use a small tablet?
From what I've done so far I imagine it's quite difficult to remove dependency on Google Play Services and I've been wondering, which alternatives exist and what's the rationale behind completely removing dependence on Google Play Services? With Lineage OS I've been able to restrict most permissions besides storage so is there any need to remove it?
Most apps (e.g Signal until today) rely on Google Cloud Messaging (GCM) service for push-notifications.
Without GCM, many apps simply crash.
Cyagenomod with no google apps/services at all makes me feel much better though. I may have to get a new device just for lineage.
My previous hack was two phones. One clean and one with Google Play. Both with f-droid as f-droid has this wonderful feature of copying one apk to another over WiFi.
Sorta like a private repo.
Except many many phones are NOT supported by LineageOS.
And then I buy a phone that _does_ support rooting and other ROMs.
it provides a location service that works without google and they re-built the play services and maps API, so you don't have to have any google apps installed at all. for those apps that actually need to talk to google servers, there's an option for that.
but the xposed route should be simple, provided you have root access.
If we had to choose between them, I'd take Matrix in a heartbeat, but I just let them co-exist.
Really, as long as you have mobile data, there's no difference between supporting SMS encryption and not - you can only talk encrypted to other Signal users anyway, and other Signal users will get your non-SMS-routed encrypted message just fine.
The use case for Signal-encrypted-SMS is continuing to send encrypted while you have no IP connectivity, but thankfully that is becoming a rarer corner-case. The last time I had SMS but no IP was on a cruise ship.
> I expect it to have high battery consumption and an unreliable user experience, but would be fine with it if it comes with a warning and only runs in the absence of play services
You don't get high battery consumption, or unreliable user experience, or a requirement for Play Services with pure SMS encryption.
SMS encryption is actually quite a tricksy problem. TextSecure's entire purpose (over bog standard IM OTR) was to solve it, providing individual message-level forward secrecy. This is why it's so perplexing to me that they dropped it (I understand that part of the reason is that iOS simply does not allow it)
It is not enough to make the system distributed, you need to exploit the fact that different parts of the network are controlled by different parties to build self-enforcing protocols that ensure anonymity.
For comparison, see how bitcoin is just distributed and zerocoin is anonymous. Gnutella is just distributed and FreeNet is anonymous.
This is how Signal provides Giphy search (spoiler: they tunnel a TLS connection through their own server, with TLS negotiated end-to-end from the Signal app to the Giphy server, so that Giphy can't tell what client is searching for what GIF while at the same time Signal's server's can't see what people are searching for).
Does anyone believe that in a world where 90% of Signal-network client installs weren't Signal.app, that this is how features like this would work? It's not an unknowable question. All you have to do is look and see how Signal's competitors, like Wire, tackle this problem.
It's true that in a federated Signal-network, you might get clients that have security features Signal itself lacks. But because it's far easier to produce an insecure client than a secure one, insecurity will dominate, and be a boat anchor around any efforts to improve security down the road.
Call it "the libpurple problem".
Likewise, Open Whisper Systems is pretty trustworthy, but if someone gets access to their servers, either by hacking or by coercion, and starts, say, logging metadata (who's chatting with who), all Signal users are compromised. When I chat on a private (and SSL-only) IRC server, the security guarantees are awful compared to Signal - and I'm not saying that's not a problem - but at least I know that my conversations will only be compromised if someone really has it out for my group in particular; they won't show up in some massive leak and/or government database.
This also applies to binary distribution. When software is compiled by N different distros or package managers or by users directly, that does make it hard to get security updates out in a timely manner. But with a centralized system like Signal's, if the binaries are compromised, everyone is pwned. Yes, measures like reproducible builds can reduce the risk, but they're far from perfect. Is there even anyone who verifies Signal builds on a regular basis/automatically?
That's a dangerous meme to be spreading. FreeNet is not anonymous. Peers know your IP address. And malicious peers can learn what chunks your node is handling. Sure, there's "plausible deniability". And common probabilistic attribution arguments are bogus. But that's cold comfort after the SWAT team has impounded all of your gear.
They can't however tell if you are serving them or if you cached them due to their requests.
All the metadata of Signal is available in one single system, transmitted across the globe into a foreign, and hostile country.
In fact, we have to assume every bit that ever goes through the US is logged and stored by the NSA, and that makes Signal entirely untrustworthy.
It's sure become fashionable to hate on Signal/OWS. The price of actually successfully bringing good encryption mainstream?
Edit: The comment I replied to originally included a question on whether Signals server is even open source.
And that "no more" is really important. "Just slightly more" won't do. Especially not if it's "slightly more to someone who frequents HN". Because that's likely already prohibitive to most.
Take a person that just barely knows how to operate the play store. I can instruct that person over phone how to start chatting with me securely in a minute or two:
Go to the play store, download signal, open signal, I'm already there in your contact list. Write me a message. Done.
That's an amazing achievement. The much maligned fact that phone numbers are used as identifiers is key to that experience, too, because my phone number already is on that persons phone.
And yeah, I can't verify Whatsapp, but I still trust that Moxie et.al. have checked their implementation. Still that's why I push people to switch to Signal rather than stay on WhatsApp. Doubly so as WhatsApp belongs to Facebook now (I loved their original 1 Dollar a year business model, and if they still had that I would trust them a lot more).
Even with doubts about Facebook, it almost certainly is a massive win that WhatsApp implemented this. It makes WhatsApp immune to being subpoenaed for conversations, and thus they have a clear motive to implement it properly, too.
Sorry about that, I had looked it up just a second after I posted and then removed that line.
> hate on Signal/OWS
I don't mean to hate on them, just their stance on getting away from Google, using F-Droid, federating their service and many other things has been more than a bit of a mess or disappointment. I'm glad they finally made a step in the right direction and I hope this will continue.
As I said in another reply, I can get a completely non-technical user to start using Signal with me in a minute, and have them have an experience that is as accessible as WhatsApp. That's simply not true for any of the other options I'm aware of (and it relates directly to most of the points you raise, with the notable exception of F-Droid. There I also find their reasoning weakest).
I wish there would be more devs building modern clients for XMPP instead of building the 100th communication system.
So while google play gives you these features "for free," it's not impossible at all to have them without. Only unattended upgrades requires special access, and to be honest personally I never want things modifying what's installed without asking.
Not that it matters. The phone number thing was a dealbreaker from the beginning.
I discovered after doing a clean flash recently that the ability to have Google Play Services on the phone but disabled, became unavailable. I used to use it exclusively for Signal - it meant no push notifications, but I could still foreground the app for it to check for messages.
I was disappointed that I could not install Signal again, even though my phone number was registered, without Google Play.
I was preparing to walk the microG services (or similar) path, but now I don't have to.
Still, people asked for an option to use Signal without Play Services, and here it is. Even if it will drain their battery a lot faster. Moxie actually said this beforehand:
> I expect it to have high battery consumption and an unreliable user experience
So for those who are still running on devices with Play Services, it will still use GCM, and hence won't be a drain on the battery?
Personally, I think it is a pretty poor critique but this allows people to make that choice for themselves, which for some people is important.
Though to be fair, every android phone I've used seems to have a problem with occasionally "forgetting" to get messages until I check for some reason or another.
Then after you do what the people emailing you wanted, all the people who were silent chime in. "Wait a minute, why were you spending your time on that? None of us wanted it!"
That's why it always feels like marco1 described.
Because of that, it doesn't make sense for application developers to support the use case.
Because of that, lots of applications don't work without Google Play Services.
Because of that, few people use phones without Google Play Services.
(And then people complain about the lack of open Android alternatives, or that other OSs such as Sailfish do not take off despite doing crazy things to support Android applications.)
All the applications I try and that require stuff from google they just crash randomly or at some specific options. I just uninstall them or try to be very careful for them not to crash. It's horrible experience and it's not something so hard to prepare for. Some apolications handle it showing that an action can't be done and I'm ok with it, that's simple, but crashing because the services are not installed is just plain ridiculous, lazy and bad engeneering.
Once upon a time slack just worked fine, just didn't auto refreshed updates, then on one update it started crashing and currently since a while ago an annoying message appears everytime I focus/open the apllication saying that I don't have the play services despite the application working completly fine. The proper thing to do would just to be a messsge saying something like: " the app requires google services, the quality of the experience will be reduced and actions FOO and BAR will not work. options: continue anyway, exit and continue and remeber that option" in order for it to be persintent and stop being annoying. Not that hard.
I just endup not using a bunch of applications that I would like to. Apps that use maps or or try to get location will usually just crash. I never even installed Uber or tried it because I'm pretty sure it will just not work, so I didn't even try it.
microG is the best thing I could hope for, but I really tried to use it but was not able too. It requires something about signing or whatever that just didn't work after I tried a lot doing things with Xposed or what it was called. Even getting to a point where that almost worked was crazy.
I'm pretty sure the experience will be pretty similar in any other alternative OS that has to deal with this crazy environment.
And I will never get a "real" android where that thing will come installed, I refuse to. I was thinking of changing phones to some android based thing, but the support of hardware is very limited, so I'm pretty stuck. Waiting for any newer Jolla phone or any other alternative phone/OS that works.
It's basically just installing the APK, although there are a few more steps than I thought I remembered.
I had to sadly switch back to whats app because voice and video quality are stellar.