this post was submitted on 09 Aug 2024
592 points (98.8% liked)


“We’re aware of reports that access to Signal has been blocked in some countries,” Signal says. If you are affected by the blocks, the company recommends turning on its censorship circumvention feature. (NetBlocks reports that this feature lets Signal “remain usable” in Russia.)

[–] tired_n_bored@lemmy.world 18 points 3 months ago (3 children)

Client/Server apps will do that in hostile countries, that's why people are moving to decentralized messaging platforms such as Matrix

[–] apprehensively_human@lemmy.ca 9 points 3 months ago

Matrix has the unfortunate problem right now where all the big clients have matrix.org set as the default homeserver. Yes, it is a decentralized and federated protocol, but I wonder how many users are registered on matrix.org vs other servers.

[–] fira959@lemmy.ml 7 points 3 months ago* (last edited 3 months ago) (1 children)

You can just as easily identify servers of a decentralized platform and block them. The disadvantage of a central service would come into play if say the US were to intervene, though Signal has already said they would move abroad if that was the case. For network level blockage it makes no difference if the service is central or not

[–] Ohmmy@lemmy.dbzer0.com 5 points 3 months ago (1 children)

It makes a difference in that you have to play perpetual whack-a-mole not only with VPNs but with hosting servers.

[–] fira959@lemmy.ml 7 points 3 months ago (1 children)

That is true for both cases as well. One thing to add though is that Signal's own censorship circumvention makes it even better at resisting this kind of blockage than an arbitrary decentralized protocol, though for an objective comparison it would take some research.

[–] Ohmmy@lemmy.dbzer0.com 2 points 3 months ago (1 children)

I wasn't just talking about blockage but also servers being taken down physically or via ISP. I don't think I'm nearly as well versed in Signal as you are to go into depth of how it circumvents blockage via protocols but I assume they don't decentralize their hosts.

[–] fira959@lemmy.ml 2 points 3 months ago

Signal servers are using AWS and are spread throughout the world. The entire protocol is built to remove any need for trust in those servers, so they might as well be placed in the datacenter of the NSA. So in the end it will be the same result. With decentralized protocols like Matrix you may get lucky and not have your small server taken down because it only hosts a few users, but if we are using the number of users as a metric, Signal would fare better against server takedowns, since all users are replicated throughout the world, while my Matrix server is the only place where my user data is stored. Then again both can deal fairly well against takedowns in single countries.

[–] Mwa@thelemmy.club 7 points 3 months ago (1 children)
[–] Andromxda@lemmy.dbzer0.com 5 points 3 months ago (3 children)

Matrix lacks metadata encryption

[–] barryamelton@lemmy.ml 5 points 3 months ago (3 children)

And before lacked this and that. It keeps improving, in contrast to Signal having the server code closed source for more than a year so the Signal devs could get a headstart and insider knowledge in their Signal-included crypto coin grief.

How one can trust Signal after them showcasing what they truly stand for is mind blowing.

[–] fira959@lemmy.ml 4 points 3 months ago* (last edited 3 months ago) (1 children)

What's mind blowing is the BS people like you come up with to shit on a non profit open source project.

[–] JackbyDev@programming.dev 3 points 3 months ago

Signal falls right into the perfect niche of usability and privacy, but the problem is that not many people want that. The privacy nuts don't think it is private enough or transparent enough and the people that want something usable just use stuff with more features like Discord, Facebook Messenger, etc.

I've gotten my wife to use it because we felt more safe about sharing lewd photos there than other mediums. We got our partner to use it because they're on iPhone and we're on Android and SMS/MMS sucks ass. One of my friends said he has it and would be fine using it if everyone else in the group chat wanted to. But that's it. Everybody else in my circle wants to use Facebook Messenger.

Weirdly, I think Signal needs to focus more on fun features than safety features for a while. It's an easier sell for friends to hop over when it has the same cool stuff as the other platforms.

[–] Andromxda@lemmy.dbzer0.com 3 points 3 months ago* (last edited 3 months ago) (1 children)

Signal having the server code closed source for more than a year so the Signal devs could get a headstart and insider knowledge

That argument makes absolutely no sense. This server-side code does almost nothing. The only task it really has is passing around encrypted packets between clients. All of the encryption is client-side, of course including metadata encryption. That's how end-to-end encryption works. The server code really doesn't matter. The Signal protocol, which is used for client-side, local, on-device end-to-end encryption has always been fully open, and it can be used by any app/platform.

How one can trust Signal after them showcasing what they truly stand for is mind blowing

It's very simple. The client is open source, and the encryption happens locally within the client application. You don't need to trust anything or anyone except for the code and mathematics, which are fully open, so you can verify them yourself.

It's mind-boggling how people attempt to spread so much misinformation while having absolutely no understanding of the topic they're talking about.

[–] barryamelton@lemmy.ml 0 points 3 months ago (2 children)

That argument makes absolutely no sense. This server-side code does almost nothing. The only task it really has is passing around encrypted packets between clients.

So it knows about all metadata, plus registration with phone number, etc. got it.

The Signal protocol, which is used for client-side, local, on-device end-to-end encryption has always been fully open, and it can be used by any app/platform.

You conveniently leave out how you need to use the client built by Signal, with dependencies from Google Services and the like, and you can't use one built from the source they provide. Which at that point means they can introduce whatever they want in whichever version.

Decentralisation is the only safe way.

[–] Andromxda@lemmy.dbzer0.com 1 points 3 months ago* (last edited 3 months ago)

So it knows about all metadata

Metadata is encrypted on the client-side using Signal's sealed sender implementation. The client also removes as much metadata as possible. All of this is open-source and happens in the client application.

plus registration with phone number

Signal doesn't store phone numbers. It derives a user id from your phone number along with other parameters. It's in the open-source server code, you can check it out yourself.

you need to use the client built by Signal

No you don't. I myself use a fork of Signal called Molly.

with dependencies from Google Services and the like

Not true again. You don't need to use the official binary that includes Google libraries. These aren't required for the app to function. You can use Signal-FOSS or Molly-FOSS, and it works just fine.

and you can’t use one built from the source they provide

If this was true, forks like Signal-FOSS or Molly wouldn't exist.

Which at that point means they can introduce whatever they want in whichever version.

Stupid conclusion, because all of your previous points are false

Stop spreading false information, focus on the facts.

[–] fira959@lemmy.ml 0 points 3 months ago

You can use reproducible builds to verify that the provided clients are the result of the source code and you can also use alternative clients like Molly

[–] Hadriscus@lemm.ee 2 points 3 months ago (2 children)
[–] fira959@lemmy.ml 2 points 3 months ago

They are referring to the crypto payment option that was built into the messenger a while back. Never used it and it never bothered anyone. It just isn't very well received as a feature in a secure messenger.

[–] barryamelton@lemmy.ml 0 points 3 months ago* (last edited 3 months ago) (1 children)

https://www.androidpolice.com/2021/04/06/it-looks-like-signal-isnt-as-open-source-as-you-thought-it-was-anymore/

https://www.xda-developers.com/signal-updates-public-server-code/

https://tech.hindustantimes.com/mobile/news/signal-updates-its-open-source-server-code-after-nearly-a-year-71617778373810.html

Look into their MobileCoin and how they implemented it. They are just banking on people forgetting about it.

Anybody pulling these antics with a cryptography product loses my (and others') trust immediately. I'm a security soft dev, and my colleagues and I migrated to Element and Matrix network when it happened. I remember the disgust vividly.

Of course all of this is not going to be on the Signal Wikipedia page. It's amazing how their fanbois work.

[–] fira959@lemmy.ml 0 points 3 months ago

Why are you so keen on spreading misinformation around? A feature you don't like does not affect the trust in the rest of the application at all. Also, the integration of MobileCoin is part of the wiki page as well.

[–] siliconfire@sh.itjust.works -1 points 3 months ago (1 children)

Is it really that big of a deal? I thought it was only being exposed to room members.

[–] Andromxda@lemmy.dbzer0.com 1 points 3 months ago (1 children)

Unencrypted means that it's not just exposed to participants of the conversation, but also the server, as well as anyone who tries to snoop in on the conversation.

[–] siliconfire@sh.itjust.works 1 points 3 months ago (1 children)

Oh, okay. Message contents are still safe right?

[–] Andromxda@lemmy.dbzer0.com 1 points 3 months ago

Yes, but metadata is still important.

We Kill People Based on Metadata

– Michael Hayden, former director of the NSA