There are big wishes for Signal to adopt the perfectly working Flatpak.
This will make Signal show up in the verified subsection of Flathub, it will improve trust, allow a central place for bug reports and support and ease maintenance.
Flatpak works on pretty much all Distros, including the ones covered by their current “Linux = Ubuntu” .deb repo.
To make a good decision, we need to have some statistics about who uses which package.
Oh look an essay full of fearmongering that adds nothing to the discussion. Thanks for contributing!
They’re actually very good points.
The problem is that all the suggested alternatives are unworkable for adoption by the general public (they require stuff like Tor, self-hosting etc.)
git clone
cd [the clone]
[Text editor of choice] why_not_signal.md
[Exit text editor]
cd ..
rm -rf [the clone]
So… not using Signal because it’s based off a conspiracy theory that it’s secretly funded by CIA?
Well, let’s stop using RSA and encryption because the most used secure crypto algorithms today were created by none other than the NSA!
EDIT: None of the alternatives provided are good alternatives for Signal. Matrix is an extremely complicated protocol that lacks some features compared to normal IM apps (I use Matrix and the experience is quite close to a standard messaging app). XMPP is dead and has a very niche userbase. The others are not suitable for being a daily messaging app.
Signal is a good alternative and while I do agree with some points, they are not bad enough to prevent you from using it (e.g. not having usernames).
The appeal of Signal is it is a good option (may have flaws but it is better than say Discord) and it’s pretty easy to get normies using it, all the other alternatives you mentioned are obscure and convincing normies such as friends and family to use them is much harder, and while Signal isn’t perfect, it’s certainly better than WhatsApp or other proprietary solutions.
I’m thinking about abandoning Signal given the fact that they use AWS servers, still insist on requiring a phone number to use the APP and haven’t yet implemented nicknames like Telegram
If you want absolute control over your communications, the only way is to self-host an XMPP server
Matrix, the protocol, is quite nice.
Element, the Matrix reference client, is too complicated IMO. If everyone were to only use FluffyChat, it would be great but then FluffyChat afaik doesn’t implement every protocol feature and you could end up in compatibility issues with Element users.
Purely as a client I find Telegram the most convenient. I think more should copy their homework from there, heck perhaps post the client to Matrix.
Your data is always encrypted before it reaches the AWS servers though, so it’s not like Amazon has access to them. The phone number/nicknames is still in progress, but it’s hard to do that securely, and given that their user base is really big now, they also need to make sure it works well for everybody.
The concerns about AWS servers are around metadata. If metadata were not a concern, why not just use WhatsApp? They use the Signal protocol so messages are end-to-end encrypted by default, and most people already have it or are willing to download it as compared to Signal.
Signal also encrypts your metadata. (And notably, WhatsApp does not.)
I quit using Signal after they stopped supporting text messaging on Android. I had my whole family using it and that just evaporated overnight 😭
So your family used SMS? SMS is horrible, you should just not use it.
If Signal supported encrypted SMS that would be useful. DekuSMS is the only alternative here, as Silence is abandoned.
But it makes sense that they don’t want to pretend SMS was a good standard.
Meanwhile, they use a phone number for anything, ironic
My parents are approaching 60. I told them that the Signal text message app would work a lot like iMessage if we both used it. And it did. It was great. For the other people that used Signal, the experience was generally better. For other people that didn’t, SMS was fine because that’s how I was going to talk to them anyway.
The thing is, my parents are not going to go to more than one app to communicate with other people. Since it no longer sends and receives text messages, it doesn’t work with 99% of the other people in their lives.
They own and run a pretty large business. There’s no way that they’re staying on more than one messaging platform. You can talk all day about what they “should” do, but at the end of the day just getting them to switch to another app was a huge lift for me. Not only did they switch back to regular SMS, I burned a lot of credibility with them on tech related stuff through no fault of my own.
Repeat this story for the 90 or so people I had converted. There was no critical mass, so adoption evaporated overnight because my social graph is not enough to provide any sort of critical mass and adoption.
That sucks, I am very sorry to hear that.
The thing is just that nobody should use SMS really. If they have a business they may have experience with it and whatever but really, don’t use SMS at all…
Then it is just a single messaging app.
It makes no sense to include unencrypted SMS in an encrypted messaging app over secure protocols. Like, SMS are all scanned, surveilled and can easily be manipulated.
They went from doing some communication secure with Signal, to doing no secure communication, because of a rug pull of a genuinely convenient feature. The problem with communication apps is that it is almost impossible to convince anyone to use anything they haven’t heard about, if it is not very convenient. They’re not going to use a separate app just for communicating with a single person/a few people.
Looks like RCS might be viable in the future when it works on both iPhones and Androids though. I just hope that it doesn’t all go through Google’s servers.
You do realise that mobile data is non-existent or limited in some countries, right? Even here in New Zealand mobile data is still limited or expensive and the main communication, especially between people who don’t know each other, is SMS. Some encryption is still better than nothing.
Crazy. But Signal never encrypted SMS.
And even if they did, this would be worse than Signal protocol and really confusing, because SMS only worked between Signal and an SMS app, encrypted SMS would only work between Signal and Signal too.
So you would have the same encryption over 2 protocols and people may just stay with SMS all the time which is baaad.
So separate apps, I don’t get people’s problems.
I recommend DekuSMS for encrypted SMS.
Same. I just didn’t have any use for Signal after SMS removal. Yes I know SMS is insecure but I was stuck. Either you use a separate secure app and magically convince everyone else to use it whilst falling back onto a separate SMS app anyway (for those who don’t use the encrypted app). Or alternatively you just have to use a mainstream app like Google Messenger with SMS plus RCS.
At least when Signal supported it I could migrate family to Signal and then our communication would be encrypted and they could still message everyone else over SMS. It meant a large portion of my messages were encrypted. After SMS removal everyone I had on Signal just quit so there was no one to communicate with. Trying to get people to use multiple apps was like herding cats.
I don’t use Signal because I care about anonymity. I don’t use Flatpak because I care about security.
Flatpak is generally very good for security. Especially considering you can override some defaults, you can have fairly tight isolation.
No, it doesn’t even cryptographically check signatures on packages when it downloads them lol
That is one security aspect only, and signature checking is done by OSTree, but the only key used is the one from Flathub, from what I understand. So you don’t verify the key of the application author, but solely the one from Flathub, which means if the Flathub distribution pipeline is compromised, you will not notice it and install a malicious package.
That said, the isolation that provides is great, and things should be evaluated in context. I will consider much much more likely that a package I install has bugs/cves/is outright malicious, compared to the risk that the publisher pipeline gets compromised (this is essentially what the signature verification would protect from). This means that it is a huge net gain in terms of security, from my PoV, to have an “unverified” package running in flatpak, under the isolation that it provides, if we compare it to having it running in the native system, but verified.
In other words, there is not a specific scale that if you “don’t even do…”, then it means you are not secure at all.
I generally use the latest available.
I tend not to use Flatpak. I lost a few nights trying to get OBS plugins to work in Flatpak. It would probably be fine for something as simple and straightforward as Signal. But it’s more or less nothing but disadvantage to end users. That said I’m sure it’s a great savings for you guys.