this post was submitted on 07 Feb 2025
385 points (99.0% liked)
Technology
63082 readers
3931 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
But you should also be aware that Signal does not federate, so the company can be bought. They have control over all accounts and the servers, without easy way to migrate away again. So it might just be another trap.
Try to use federated services (like matrix), they are more robust against hostile take overs.
The company (Signal Messenger LLC) is fully owned by Signal Foundation, a 501(c)3 non profit organization.
I generally like this idea, and I also use federated services for things like social media, that's why we're having a discussion here on Lemmy. But it introduces some issues with private messaging, like lack of reliability, which sucks if you want to use Matrix as your primary messenger, as well as metadata leaks. Federation is not always the answer, and in my opinion definitely not when it comes private and secure messaging.
Probably around 80-90% of Matrix users are on the matrix.org homeserver, so it's absolutely not as decentralized and resilient as you think it is.
OpenAI is also non-profit. Not really an argument.
Well, the goal is that moving to your own server, will not mean that you will loose access to all your contacts. Which makes moving instances much simpler. If Matrix gets a hostile take-over, your don't really need to reach a critical mass for an alternative server.
This is such a bad take it seems like deliberate misinformation.
Signal is open-source software maintained by a non-profit. User data is not stored on Signal servers, they have no way to access messages as they are stored and encrypted on your phone. If the Signal Foundation were revealed as bad actors then the open-source code could be forked to a new project.
Feel free to fully evaluate their code here: https://github.com/signalapp
That's the signal app. The software which runs on their servers is proprietary.
No it's not: https://github.com/signalapp/signal-server
TIL. Was it in the past?
I'm with you on this, I strongly recall there was some sort of not fully open source portion of Signal at least at one point in time.
Edit: ya, they weren't updating server for awhile, so while there is an open source server, they definitely weren't running that code for awhile, and may not be running it today. Granted since the decryption happens client side, it shouldn't matter what the server does to some extent.
https://www.androidpolice.com/2021/04/06/it-looks-like-signal-isnt-as-open-source-as-you-thought-it-was-anymore/
There was a period where they didn't push changes to the repo, but all the code was released afterwards and it's been getting regular updates ever since. But it also doesn't matter at all, since the Signal client is designed in a way that avoids putting trust in the server. Signal servers could literally be run by the NSA and it wouldn't matter, as everything is fully end-to-end encrypted, including metadata. The Signal protocol was also updated to use post-quantum cryptography in 2023.
No, the server is on the github account linked above as well. The repo is here.
Signal however doesn't federate and does not generally support third-party clients.
At least (to my knowledge) the Signal messages are decrypted on the client end, so buying the company doesn't give them automatic access to messages.
Having said that, I'm sure a hostile new owner could update the app to decrypt and then send the messages as plaintext to the servers if they wanted..
Well, you can still insert client side decryption into the app.
But it isn't really about the messages, it is about the control of the servers and the accounts. You cannot easily move away from their servers, because you will lose your contacts. This gives the people controlling the servers power over you. A sort of vendor lockin.
That's why all clients are fully open-source. You can also use a fork like Molly.
AFAIK, Signal does not want anyone to use alternative clients, has that changed?
As far as I know moxie, signals lead dev, considers only the use of the officially build and distributed client authorized to use their servers.
So if they ever manage to detect someone using their services with an alternative client, they might delete your account.
https://techcrunch.com/2016/11/07/signal-app-maker-rebuts-criticism-of-dev-direction-by-calling-for-more-community-help/
Moxie has resigned a few years ago. The article you linked to is 9 years old, Signal leadership has changed a bunch of times since. Signal can't detect that you're running an alternative client, because that check would require them to include some new code in the official client. Even if they did this, they couldn't just ban anyone who's client doesn't pass the check, since it could just be an older version of the official client. They could force everyone to use the official app, but they really have no reason to invest time and effort into enforcing this. Molly is only available for Android, and it isn't even on the Play Store or the official F-Droid repo, so the user base naturally won't be as big.
In the 1990s US ISPs would "give you" an e-mail account with their service: you@isp.com. Of course, this is insta-lockin for that e-mail address, you can never port it.
Owning your own domain name and running e-mail service through that worked, for a few years, but the big players have made whitelist / blacklist such a frustrating whack-a-mole game in the e-mail space that running your own e-mail server quickly became impractical.
There are different degrees of vendor lock in. If you use email (or Matrix) with a domain, you have no control over, you are soft-locked it. You can buy a domain, self-host or pay for a managed service and inform everyone that you are now reachable over some other address, but nobody else has to change.
If you use Signal (or Discord or whatever) and want to switch to a different domain. You cannot. If you switch to a different protocol, everyone in your contacts has to switch as well, or you lose that contact. The network effect forces you into the service of one provider. The only way out of there would be if the service get so bad, that a critical mass leaves, but you will have to deal with that bad service all the way.
As long as financial interest are there, non-federated services will sooner or later start to enshittyfy. So if you choose a communication medium, choose something that leaves your options open. If you don't like Matrix, try XMPP, it has come a long way as well.
This was outlined 50 years ago as part of Anarchist analysis of the system then. Not exactly an easy read, but "the second watershed" can be equated to "jumping the shark" or "enshittification" or whatever other term you want to apply to: a good thing gone bad due to the business owners switching from serving customers to enriching / empowering themselves:
https://archive.org/details/illich-conviviality/page/9/mode/1up
The alternative proposed by Illich to "Radical Monopolies" are "Convivial Tools" which empower individuals instead of central decision makers.
Shortcut question: What's a workable federated e2ee solution that's available today? Quantum secure? Metadata secure?
Matrix?
IMO the whole "metadata insecurity" stuff about Matrix is over exaggerated. Also Matrix is improving there.
If metadata security is really that important, you could try Tox or similar P2P chats.
I actually tried Tox - maybe 8 years ago now... the real problem with it, or anything similar, is that you need both ends of every conversation to take the trouble to set it up. It was pretty easy to setup, IMO, but... as an example, in 2005 I had an engineer co-worker ask me about "that Linux thing" when I got around to telling him that pretty much everything he used on a daily basis was available in Linux, just under different names than he was used to in Windows "Oh, you mean I'd have to learn different names for Word and Excel and Outlook?" "Uh, yeah." "Oh, that's more trouble than I think I want, I'll just stick with what I know."