Gonna be gonest 99% of people’s issues with signal using phone numbers is just FUD

Like compare that to matrix where you have massive timing vulns, or xmpp with crypto years behind in updates, its pretty fuckin clear which one does a better job being a privare messenger

Causr thats the thing, from the start signal’s primary concern was privacy that means nobody can read your messages but you and the intended recipient. And it does a damn good job of that.

The phone number thing is not a matter of privacy, its a matter of anominity, and a pretty minor one at that. All a MITM or whatever could prove is that you’re using signal, nothing about who you’re talking to

@dangerdyke In EU registering a phone number requires a real life identity due to antiterrorism laws, and Signal doesn't try to hide metadata from the server the way Cwtch does, so govt employees with access to their servers could get the information who talks to who.
Signal claims not to store that information, okay nice, but the whole point of E2EE was that you don't have to trust your server.

>Like compare that to matrix where you have massive timing vulns, or xmpp with crypto years behind in updates

That other protocols are worse isn't an argument that not being able to easily have more than one identity and tying the one you have to legal documents is good, actually. Private messaging in 2024 sucks, great, we have that thread every month at the very least.

@affine ok but realistically what can an EU government do with the fact you’re a signal user?

@destroy @dangerdyke It's ass-backwards; the question is "Why does Signal want information that can be used to recover the rest of my identity?" If they didn't have it, it wouldn't be necessary to take it on faith that they don't store your contacts and recipient history.

I don't buy the spam prevention algorithm, as someone who gets spam SMS at least every week and used to get multiple spam phone calls from different numbers every day after some asshole recruiter sold my number.
Clearly getting enough burners isn't a problem for the viagra merchants out there.

The only thing it achieves is that people who can't afford 2 sim cards can't separate their identities, even when using the username feature.

Realistically, I'd bet that 99% of e2ee users don't even need the encryption in the first place, as they're using it for small talk and cat pics only. Keep up the "hurr derp privacy nuts using encryption without a threat model" rhetoric, and if you'll have your way and nobody will use e2ee without a very good reason to, _then_ merely installing Signal will be an admission of breaking laws.
Follow

@affine @dangerdyke Installing Signal *isn’t* an admission of breaking laws, though. Have there ever been any convictions that relied on someone simply *using* Signal as the evidence that they are committing crimes?

@destroy @dangerdyke I don't think so, same as nobody has launched a _practical_ exploit of the timing side channel vuln in libolm, or any of the issues with properly executed OMEMO (using the latest version, everyone dilligently checks everyone else's keys). By the standards of "has anyone ever gotten in shit because of it" there's nothing wrong with Matrix or XMPP either, it's all theoretical.

@affine @destroy that is absolutely the opposite posture you want to be taking when it comes to encryption. NEVER assume your adversaries arent taking advantage of a vuln. Thats a great way to get your messages read back to you in a courtroom

@dangerdyke @destroy Ok, but you (both) ask me to take Signal's people word that they don't store logs about which phone numbers I'm talking to, and that what they release after they get subpoena'd every now and then is really what they showed to the court. And if I can't show a particular person who got busted by giving up their phone number, then I'm spreading FUD and should shut up. Come on, that's a double standard.

@dangerdyke @affine Wait so you think that courts are falsifying records to cover up evidence they’re being given now? And the defense is fine with that?

@destroy @dangerdyke Okay fine, not "on faith", I could pay a lawyer knowledgeable about US law (where I never set foot) to go over Signal's press releases with me, together with the relevant court documents, to confirm that indeed there's no way they could have a gag order or anything that would make them lie to the public. Great, but the same proof could be more easily achieved by not collecting personally identifying info in the first place :brain4:

I'm not trying to discourage anyone from using Signal, I'm using it myself for talking to people I know IRL and happily shill it to WhatsApp/Messenger/plain SMS users, I just don't get why a principle of "don't ask for sensitive info you don't need" isn't a complete no-brainer and is instead met with demands for proof that someone was already harmed for it.

@affine @destroy sure its less then ideal for signal to ask for phone numbers. the FUD i’m talking about is when people bring it up in relation to discussions about problems with matrix or xmpp, which is 99% of the time we see it brought up

@dangerdyke @destroy (partial repost from priv) Yeah ok, sorry for being pointlessly argumentative, I agree that it's less bad than having obvious vulns begrudgingly corrected (Matrix) or clients designed in a way that can ignore verification (XMPP) and anyway I should probably spend more energy to get people to use encryption in the first place rather than poring over minor problems with an otherwise solid protocol.

@destroy @dangerdyke I mean, out of:

Asks for sensitive information it doesn’t need
Devs knowingly left a side channel vuln for 7 years or so, and deprecated the library only when a furry blogger set their asses on fire
Extremely easy to misuse, and existing implementations don’t negotiate versions
Also asks for sensitive info, and is proprietary and owned by Facebook

Signal wins, but it could just, like, not ask for my phone.

Sign in to participate in the conversation
masto.anarch.cc

A small congregation of exiles.