1. rglull+(OP)[view] [source] 2023-11-16 18:22:18
I fail to understand the point of supporting an organization that is completely against self-sovereignty like Signal is. Why would I want to pay someone to develop something that traps me into their platform and does not offer a way out?
replies(6): >>BlueTe+J2 >>daniel+kj >>illiac+gu >>wkat42+kA1 >>Canada+7Q1 >>lemper+hT1
2. BlueTe+J2[view] [source] 2023-11-16 18:34:31
>>rglull+(OP)
Not completely? Their server seems to be open source too now (with the exception of the spam filter)?
replies(1): >>rglull+q5
3. rglull+q5[view] [source] [discussion] 2023-11-16 18:51:42
>>BlueTe+J2
Can I operate my own Signal server and talk with people on the "main" one?
replies(2): >>Caliga+t9 >>Clamch+2w
4. Caliga+t9[view] [source] [discussion] 2023-11-16 19:11:19
>>rglull+q5
You're moving the goal post from "self-sovereignty" to supports federation with an infinite number of servers. Nothing is stopping you from compiling your own Signal server and modifying a Signal client to use your server.

Given that Signal is free as a service, supporting federation only increases their expenses.

replies(1): >>rglull+Lc
5. rglull+Lc[view] [source] [discussion] 2023-11-16 19:25:18
>>Caliga+t9
Without federation, Signal is still working with the advantage of network effects. So an open source server is not enough of a way out.

Element can do it for their Matrix servers. Process.one can do it for ejabberd. Prosody as well. Why can't Signal?

replies(2): >>sowbug+zq >>growse+fG4
6. daniel+kj[view] [source] 2023-11-16 19:53:36
>>rglull+(OP)
Given how many activists have used it in overthrowing dictatorial governments, self-sovereignty seems an odd choice of words to claim it doesn’t support.
replies(2): >>rglull+Cx >>nojone+BR1
7. sowbug+zq[view] [source] [discussion] 2023-11-16 20:27:09
>>rglull+Lc
Back to your original point: please don't support an organization that doesn't share important values of yours! That is absolutely your choice!

You've named several products that share your values. Perhaps those would be a better fit if you were to donate.

8. illiac+gu[view] [source] 2023-11-16 20:46:06
>>rglull+(OP)
Just don't use it, don't generate cost for them, don't be trapped by them. Everyone wins.
replies(1): >>rglull+Ky
9. Clamch+2w[view] [source] [discussion] 2023-11-16 20:53:15
>>rglull+q5
Federation can only make security worse and I do not want it. You can have something else.
replies(2): >>Spaghe+bH >>rglull+sW1
10. rglull+Cx[view] [source] [discussion] 2023-11-16 20:59:31
>>daniel+kj
Perhaps it was a bad choice of words. What I mean is that they say "you don't need to trust us", yet they require you to run through them. They refuse to build their system in a decentralized way, and the more that time goes by the more the decentralized alternatives are showing they are as secure as Signal without forcing us to accept their restrictions like mandatory use of phone numbers for authentication.
replies(1): >>Barrin+pC
11. rglull+Ky[view] [source] [discussion] 2023-11-16 21:04:09
>>illiac+gu
The 50 million using them all lose because they are locked into a monopolistic platform.
replies(2): >>illiac+Oz >>bravoe+pp1
12. illiac+Oz[view] [source] [discussion] 2023-11-16 21:08:21
>>rglull+Ky
They can communicate to anyone with WhatsApp, SMS, iMessage... This is a closed system, not a monopoly.
13. Barrin+pC[view] [source] [discussion] 2023-11-16 21:22:50
>>rglull+Cx
> "you don't need to trust us"

You literally don't. It's a fully encrypted service. The literal purpose of encryption is to move data securely through insecure or even adversarial channels. Which you can verify, it's audited and open source.

They refuse to build the app in a decentralized way because decentralization is an ideological obsession that is useless in this context, and because centralized organizations can actually ship polished software that works for normal people and move quickly.

replies(3): >>lrvick+zJ >>saagar+EC1 >>rglull+5U1
14. Spaghe+bH[view] [source] [discussion] 2023-11-16 21:47:04
>>Clamch+2w
Genuine question: Does Tor fall under the definition of federation? Either way, a Tor-like model would have security benefits over a centralized system like Signal, right?
replies(1): >>bastaw+rp1
15. lrvick+zJ[view] [source] [discussion] 2023-11-16 21:59:27
>>Barrin+pC
Centralized supply chain, and metadata protection is anchored on SGX.

They can use their pick of SGX exploits to undermine the weak metadata protections and they (or apple/google) could, if pressured, ship tweaked versions of their centrally compiled apps to select targets that use "42" as the random number generator. No one would be the wiser.

Signal is a money pit with a pile of single points of failure for no reason.

Matrix is already proving federated end to end encryption can scale, particularly when users are free to pay for hosting their own servers as they like, which can also generate income.

replies(1): >>chimer+pN
16. chimer+pN[view] [source] [discussion] 2023-11-16 22:18:26
>>lrvick+zJ
> They can use their pick of SGX exploits to undermine the weak metadata protections and they (or apple/google) could, if pressured, ship tweaked versions of their centrally compiled apps to select targets that use "42" as the random number generator. No one would be the wiser.

Signal builds on Android have been reproducible for over seven years now. That's not to mention the myriad of other ways that people could detect this particular attack even without build reproducibility.

replies(1): >>lrvick+R31
17. lrvick+R31[view] [source] [discussion] 2023-11-17 00:01:56
>>chimer+pN
Who is reproducing these and publishing results?

Moxie made it very clear he never wants third parties like f-droid -actually- reproducing and signing packages for distribution to de-googled signature-enforcing android distros etc. Providing side-loadable apks as an alternative is a joke.

Third party builds and distribution would serve as public canary and be better for privacy forbidden. He argued the tracking advantages of centralized development and distribution outweighed any wins of allowing third party clients.

In reality a build published with a breaking change and a subtle crypto backdoor omitted from public sources may not be discovered for days or longer. Long enough to decrypt most every convo on the planet.

replies(1): >>saagar+IC1
18. bravoe+pp1[view] [source] [discussion] 2023-11-17 02:48:17
>>rglull+Ky
Nobody is locked into Signal. It's free to use, and free to leave.
replies(1): >>saagar+tC1
19. bastaw+rp1[view] [source] [discussion] 2023-11-17 02:48:30
>>Spaghe+bH
Tor is distributed, not federated. And it has drawbacks, like high latency and a lack of a centralized system for human-friendly names (because that would mean a system like DNS, which is centralized). As far as security goes, there's probably little benefit. E2EE doesn't get more secure because there's more encryption.

The most comparable system to Tor that has practical properties I can think of is maybe ipfs, but nobody will store your encrypted chat blobs for you out of the goodness of their hearts. Ipfs also tends to have high latency. A slow system of uncooperative nodes isn't what you want your messaging app built on.

A federated messaging system looks a lot more like Matrix. The obvious problems are that splitting users up over multiple nodes means encrypted data doesn't live on your instance, it lives everywhere the people you chat with are. Another problem is what you see with bsky, where identifiers come with a domain name (like an email).

IRC is also federated (sort of), and there's a long list of tired, age-old problems. The most common one is simple: different servers have different features, so you can't reliably "just use it" like you can with Signal.

replies(1): >>BlueTe+vl3
20. wkat42+kA1[view] [source] 2023-11-17 04:08:27
>>rglull+(OP)
Yeah this is the one thing I have against signal and why I always advise against it. Their stance against third party clients and federation.
21. saagar+tC1[view] [source] [discussion] 2023-11-17 04:26:11
>>bravoe+pp1
That’s not how platform lock-in works.
replies(1): >>8n4vid+0Q1
22. saagar+EC1[view] [source] [discussion] 2023-11-17 04:28:23
>>Barrin+pC
You can trust Signal all you want for data security. It doesn’t help you when they run out of money and shut down and all your messaging is gone.
23. saagar+IC1[view] [source] [discussion] 2023-11-17 04:28:48
>>lrvick+R31
What’s your solution to this?
replies(1): >>lrvick+ek2
24. 8n4vid+0Q1[view] [source] [discussion] 2023-11-17 06:57:46
>>saagar+tC1
You can export to markdown apparently. Who's locked in? It might be a pain to import that into any other app but I don't think any messaging app is going to make that easy. You still have all your data if you want to bail
replies(1): >>eviks+XY1
25. Canada+7Q1[view] [source] 2023-11-17 06:58:59
>>rglull+(OP)
Great, you go ahead and get all your friends and family using Matrix. I'll join you there when all that is sorted out and it's practical to get my lawyers and doctors and accountants and friends and family onboard. Until then, we'll keep using Signal.
replies(1): >>rglull+oV1
26. nojone+BR1[view] [source] [discussion] 2023-11-17 07:15:41
>>daniel+kj
> Given how many activists have used it in overthrowing dictatorial governments

How many? There's some news about it being recommended for use by BLM protesters, and about it being blocked in China, Iran, etc. Where is this info about it being used in "overthrowing dictatorial governments"?

27. lemper+hT1[view] [source] 2023-11-17 07:33:59
>>rglull+(OP)
bro, you're working for one of chat programs, yes? never heard of communick before. won't ever use it. if people ask me about it, i will show them how a person related to communick behaves in public.
replies(1): >>rglull+qa2
28. rglull+5U1[view] [source] [discussion] 2023-11-17 07:42:08
>>Barrin+pC
> can actually ship polished software that works for normal people and move quickly

They can ship it, because they got a fuckton of money. But apparently they can not maintain it, because now they are crying about how expensive it is to run it.

Signal is acting like a sprint runner who signed up for a Marathon and wants to be carried out to the finish line after showing how much faster he was in the first mile. That's what I think is dishonest here.

29. rglull+oV1[view] [source] [discussion] 2023-11-17 07:55:06
>>Canada+7Q1
First, you talk like Signal never had any issue with usability or functionality, which is far from the truth. Signal's amount of bugs and security issues with their client is notorious, and the insistence of requiring phone numbers is just a silly "let them have cake" approach that is conveniently ignored for too long.

Second, are you hedging your bets and supporting Matrix or XMPP as well, or will you only encourage people to "donate" to the platform that you happen to have picked already?

replies(1): >>Canada+J22
30. rglull+sW1[view] [source] [discussion] 2023-11-17 08:04:45
>>Clamch+2w
Security is extremely important, but it is not the only concern one should have when considering the design of a global communications infrastructure.

I worry a lot more about not having one single actor responsible in dealing for the communication of millions of people than about "quantum-resistant encryption".

replies(1): >>growse+EG4
31. eviks+XY1[view] [source] [discussion] 2023-11-17 08:34:47
>>8n4vid+0Q1
> pain

That's how lock ins manifest themselves

replies(1): >>erhaet+pY5
32. Canada+J22[view] [source] [discussion] 2023-11-17 09:10:30
>>rglull+oV1
Yes, I am encouraging people to donate to Signal because I prefer it. Why would I be soliciting donations for something I don't favor? If you want to contribute to something else go right ahead, but this is a thread about Signal's financial needs so it shouldn't surprise you that Signal supporters encourage other supporters to donate.

I also use Matrix. Element has been pretty good for a few years now, but it's still not smooth enough for mainstream use. (Encryption state in chats gets messed up sometimes, for example. It feels like Signal 10 years ago, and it's had security issues in its client also)

The Matrix protocol is also inferior to Signal in that all metadata is stored in cleartext on the server. You get to choose or run a server, but the protocol still leaks the user info to whoever runs the home server and to any foreign server that has a user in the same channel if you are using it in a federated context. Signal manages all of this by peer to peer messages where cleartext is only available to clients, which is really slick.

XMPP is just dead. Forget about XMPP. Matrix is the clear leader in the federated messaging system category. I'd like to see Matrix displace things like Telegram, Discord, and Slack. I may donate to Matrix affiliated projects in the future, as I also donate to other open source projects from time to time, but I'm not going to promote any of those things in this thread.

replies(1): >>rglull+2g2
33. rglull+qa2[view] [source] [discussion] 2023-11-17 10:27:18
>>lemper+hT1
You are creating an ad-hominem by thinking that I can not criticize Signal because I have a competing offer. And to add insult to injury, you seem to have a misconception of what Communick is.

Communick is not "a chat program". Communick is a service provider, which promotes and works only with truly open protocols. There is no custom client or lock-in based feature that I have. This means that if you are my customer and you want to move out you are absolutely free to get your things and move to a different place instantly.

replies(1): >>lemper+Km2
34. rglull+2g2[view] [source] [discussion] 2023-11-17 11:22:31
>>Canada+J22
> Why would I be soliciting donations for something I don't favor?

Because you are (consciously or not) creating a self-fulfilling prophecy for one champion over the others. Worse still, you are asking everyone else to devote resources to your preferred champion when we have no reason to believe that this is long-term sustainable.

> The Matrix protocol is also inferior to Signal in that all metadata is stored in cleartext on the server.

As I said in another thread: I honestly care less about the security guarantees from one protocol over the other than I care about the fact that pushing for Signal would mean that everyone's communication would be tied to one single provider. This is a systemic risk that no amount of "you don't need to trust us, you just need to trust math" can ever mitigate.

replies(1): >>Canada+pO2
35. lrvick+ek2[view] [source] [discussion] 2023-11-17 11:54:15
>>saagar+IC1
Something built like any other internet protocol with staying power.

A federated network with multiple strong client and server implementations that are able to be built, reproduced, and distributed by multiple independent parties. Like Matrix.

Matrix is far from perfect yet but it is miles beyond Signal in being a sustainable solution that can survive any single point of failure.

36. lemper+Km2[view] [source] [discussion] 2023-11-17 12:11:19
>>rglull+qa2
yes, it's an ad hominem. people need to know who you are and what incentives are behind them. if you're from a competing provider, others will need to take that into account.

also, if you want to peddle your stuff, make your own announcements or something.

replies(1): >>rglull+np2
37. rglull+np2[view] [source] [discussion] 2023-11-17 12:31:02
>>lemper+Km2
I'm somewhat flattered that you think Communick is a "competing provider" to Signal. Or anything, really. Maybe I will add that to the "testimonials" section of the website along with other nice things I get to hear from my 8 customers.

Whether Communick exists or not, even if I close it down next week (because if we are being honest it is nothing but a money pit which I keep running out of spite and stubbornness, and unlike Signal I'm not panhandling for donations) my criticism of centralized messaging platforms would still stand: whether it's Signal, or WhatsApp, or FaceTime or Telegram... we should not be supporting any platform that centralizes all communications in one single place, no matter how "well intentioned" or even how "provably secure" it is.

38. Canada+pO2[view] [source] [discussion] 2023-11-17 14:35:33
>>rglull+2g2
I don't care about your preferences. I'm consciously using and giving money to Signal, and I'm encouraging others to do so. Go ahead and work on or use or donate to whatever you like.
replies(1): >>rglull+Y03
39. rglull+Y03[view] [source] [discussion] 2023-11-17 15:32:36
>>Canada+pO2
You sidestepped the whole point about systemic risk and tried to argue based on my "preferences". My friend, that's as cheap a copout as it gets.

Sorry to break it to you, but if it was only a matter of preference, I would've been fine with Signal or even WhatsApp.

40. BlueTe+vl3[view] [source] [discussion] 2023-11-17 16:54:19
>>bastaw+rp1
Because code is law, centralized systems that grow bigger than the polity they started in are inherently problematic. See Facebook in Burma/Myanmar as one recent infamous example.
replies(1): >>bastaw+FV3
41. bastaw+FV3[view] [source] [discussion] 2023-11-17 19:10:16
>>BlueTe+vl3
Some centralized systems. But I don't think there's any evidence to suggest that's universally true. Nor is the implication that non-centralized systems don't suffer from similar problems, or other problems which result in substantially bigger drawbacks.
replies(1): >>BlueTe+cw6
42. growse+fG4[view] [source] [discussion] 2023-11-17 22:25:03
>>rglull+Lc
Because centralisation provides ecosystem agility, which they absolutely value as an upside. Find a way of doing post-quantum secure key exchange? Just roll it out to the server and all the clients essentially overnight.

They've talked about this, a lot.

replies(1): >>rglull+qP4
43. growse+EG4[view] [source] [discussion] 2023-11-17 22:27:15
>>rglull+sW1
> I worry a lot more about not having one single actor responsible in dealing for the communication of millions of people than about "quantum-resistant encryption"

I'm glad you worry about this. Me and other people have other priorities.

You're putting an awful lot of effort into projecting your values onto other people, which is a bit weird.

replies(1): >>rglull+VT4
44. rglull+qP4[view] [source] [discussion] 2023-11-17 23:07:06
>>growse+fG4
I'm well aware of their justifications. I'm also aware that centralization brings systemic risks, which they don't talk about.

The internet would be a lot more efficient and able to evolve if we just had it controlled by one single entity like Google or Microsoft. Do you think it is a good idea to do that?

The economy would be a lot more efficient and allocation of resources could be a lot more fair if we could put it all in the hands of one single corporation or government. Do you think it's a good idea to do that?

Agricultural output would improve significantly if all crops used the exact same genetic strain and if all soil was artificially managed. Do you think it's a good idea to do that?

In case you are wondering, "ability to quickly roll out post-quantum key exchange" is waaaaay down the list of my worries compared to "facing a catastrophic Black Swan affecting all of the world's communications".

replies(1): >>growse+566
45. rglull+VT4[view] [source] [discussion] 2023-11-17 23:28:51
>>growse+EG4
> Me and other people have other priorities.

Did you watch "The Big Short"? You are sounding like one of those jocks-turned-real-estate agents that are bragging about how easy it is to make money and thinking the analysts were idiots.

> You're putting an awful lot of effort into projecting your values onto other people.

We live in a world where people are bullied for not using iPhones and showing up with different bubble colors on the chat apps and family members will refuse to call you on the phone and only accept you if you use WhatsApp.

All I am saying is "please let's not collectively put ourselves in the hands of any single entity". Are you sure I'm the one projecting values, here?

replies(1): >>growse+X16
46. erhaet+pY5[view] [source] [discussion] 2023-11-18 06:54:20
>>eviks+XY1
Sure. But honestly, what are you hoping for, and does any app provide it? Honest question.

I'd prefer a JSON dump but something's better than nothing.

47. growse+X16[view] [source] [discussion] 2023-11-18 07:26:38
>>rglull+VT4
> Did you watch "The Big Short"? You are sounding like one of those jocks-turned-real-estate agents that are bragging about how easy it is to make money and thinking the analysts were idiots.

I've literally no idea what this means. Who thinks who's an idiot in this analogy?

> All I am saying is "please let's not collectively put ourselves in the hands of any single entity". Are you sure I'm the one projecting values, here?

I don't care what messaging platform you use. You appear to deeply care what other people use, and therefore what should be important to them. Yes, I'm pretty sure.

48. growse+566[view] [source] [discussion] 2023-11-18 08:06:09
>>rglull+qP4
Signal is so far from being a monopoly that runs "all the world's communications" that these comparisons are essentially meaningless.

There's plenty of diversity in the messaging space. Decide your values, choose your compromises, pick your platform. Simple.

replies(1): >>BlueTe+Hv6
49. BlueTe+Hv6[view] [source] [discussion] 2023-11-18 11:42:30
>>growse+566
Some people avoid platforms out of principle. Look up «protocols, not platforms» if you have never heard of it.
50. BlueTe+cw6[view] [source] [discussion] 2023-11-18 11:46:27
>>bastaw+FV3
I'm willing to entertain the idea, what would be a counter-example?

Old enough that the «honeymoon» period is over, say... a decade?
