Signal is not the place for top secret communications, but it might be the right choice for you – a cybersecurity expert on what to look for in a secure messaging app
-
Consider Briar.
Uses Tor. Works directly over Bluetooth/WiFi if the internet is censored or shut down. Decentralized, no accounts. No phone number required.
The app is super barebones right now - feels like SMS - but it works.
That feels like a huge downside!
-
You can easily redirect xmpp to port 443 which is not blocked by most firewalls. If you have problems with firewalls or public wifis your xmpp server is misconfigured.
China will definitely block xmpp on any port. I know this because I have tested this very specifically from my own server. It lasted about a day and a dozen messages before it was blocked, and the box got slammed with vulnerability scans.
-
China will definitely block xmpp on any port. I know this because I have tested this very specifically from my own server. It lasted about a day and a dozen messages before it was blocked, and the box got slammed with vulnerability scans.
This is odd because I know a few mainland Chinese people that use XMPP without problems (and afaik without a VPN).
Sounds like your server got blocked for another reason?
-
This is odd because I know a few mainland Chinese people that use XMPP without problems (and afaik without a VPN).
Sounds like your server got blocked for another reason?
I can almost guarantee you they are using it through a VPN or they have a western SIM card. If not I'd love to know what server they use, as I've tested this a bunch of times on several public and private servers and it's always the same result. If it isn't blocked on day 1 it will be blocked quickly.
-
Wherever Signal is mentioned, I shall mention SimpleX-Chat.
Zero user ID needed to use. No phone numbers and no username.
SimpleX-Chat!!!
Not sure I want to tell all my friends to get simplex with me.
-
SimpleX is decentralized, requires no phone number, based on Signal code. Screws up invitations via FB/Messenger though.
-
It does, I tried it. Though, that may have been an addition since the attacks started.
Though, in that specific case - Russian agents conducting espionage via targeted individuals - it's very likely they surveil their targets long enough to catch their device PIN before they nab the phone and return it. In the end, there is very little recourse to defend against this type of Evil Maid attack. Signal is really better at protecting against mass surveillance, but for individuals directly targeted by state espionage? You would need serious opsec, using air-gapped computers kept in safes or guarded by humans 24x7 and other crazy stuff. They have rules about what can be physically done with devices containing top secret information for a good reason.
If they could surveil the device to see the PIN being entered then no app would protect them.
My Signal only asks for a PIN about once per month so that would be a lot of screen surveillance hours to sit through in order to catch that moment.
More likely is that it was fixed since the breach but I cannot find release notes (hard to search on my phone).
-
Privacy != anonymous
No, but it's easy enough to be both. There's a pile of IM packages out there that manage it.
Metadata is valuable info, look at what a pen order nets law enforcement and why it's the first step in an investigation. The idea that a messaging app that's supposed to be used for political action but the chain of association is visible and verified is absolutely suspect.
-
Wherever Signal is mentioned, I shall mention SimpleX-Chat.
Zero user ID needed to use. No phone numbers and no username.
SimpleX-Chat!!!
Finally someone who understands! Haven't found anything better. Just missing the bridging bit, though that compromises the privacy/security and overall personal opinion why I started using SimpleX.
UI-wise it isn't there yet, but actively being developed so. I miss posting photos (combined) with a comment, now they are all sent separately.
Anyhow if you are looking for privacy go for SimpleX!
-
If you want to get really technical, each Signal account actually has a 'secret' account number that the phone number is linked to. The phone number requirement is actually a means to reduce spam and scam accounts.
So they could have replaced it with, like, email verification or something, but they instead stuck to the design that lets governments identify all users?
<Insert rampant and unfounded speculation about FBI compromise here>
-
No, but it's easy enough to be both. There's a pile of IM packages out there that manage it.
Metadata is valuable info, look at what a pen order nets law enforcement and why it's the first step in an investigation. The idea that a messaging app that's supposed to be used for political action but the chain of association is visible and verified is absolutely suspect.
You say "easy enough" but there are some serious tradeoffs when removing phone numbers from the equation. My mom can use Signal without my help but she wouldn't be able to use SimpleX.
Signal is a fantastic middle ground messaging app that is secure enough for me to use and easy enough for my mom to use.
I also have SimpleX but I have exactly 1 contact there...
-
SimpleX is what I use. I tried Signal in the past, but there was a noticeable delay in receiving messages and it caused problems when using it to communicate with family.
I have no problems with SimpleX so far. It works well and looks modern. A feature I like is that you can create a different user identity for each contact/ chat thread.
-
All I'll say is Threema. You pay once for a licence, so there's less bullshit people on it and they are based in Switzerland with its privacy laws.
-
So use no messenger? Any decentralized options?
Alternatives to Signal that prioritize decentralized communication.
- Briar Project (https://briarproject.org/)
A compelling choice for censorship resistance. Briar employs peer-to-peer messaging, connecting via Bluetooth, Wi-Fi, or Tor, and incorporates privacy features by design. It’s a robust solution for those concerned about surveillance.
- Delta Chat (https://delta.chat/)
A decentralized and secure messenger application. It's often praised for its ease of use and integration with existing email accounts.
- XMPP (https://en.wikipedia.org/wiki/XMPP)
Less of an application and more of a foundational protocol. XMPP is an open standard for instant messaging, allowing for decentralized implementations – though setting up and maintaining such a system requires a degree of technical expertise.
-
All I'll say is Threema. You pay once for a licence, so there's less bullshit people on it and they are based in Switzerland with its privacy laws.
Proprietary?
-
I personally use carrier pigeons with caesar cipher. I know I can't out tech google, so I will go medieval.
-
Maybe, but I normally only leave battery optimization on for apps that shouldn't be running in the background at all. This was several years ago, though. If Signal isn't like that anymore, that's a good thing.
-
Fair point, it always feels dirty to send invite-link through WhatsApp, the dominant messenger in EU.
How would one go to solve the invite problem? How does Signal handle this?
Phone number and trust-on-first-use for most people, with out-of-band fingerprint verification for the paranoid. It really depends on the threat model and the security practices/awareness of your colleagues, but a link shared on some social media or lower-security chat network is more vulnerable to a man-in-the-middle attack than a phone number for your average Joe. There are a lot of ways a person could get a manipulated invite link.
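To make the trust-on-first-use model in the reply above concrete, here is an added illustration (not code from the thread or from Signal): a small identity pin store that records a contact's long-term key fingerprint on first contact, reports when a later message arrives under a different key, and lets the user mark a contact as verified after comparing the fingerprint out of band. The fingerprint format, the invite-link format (`https://example.invalid/join?k=<hex>`) and the sample keys are constructed for this example and are not Signal's real safety-number or link formats.

```python
"""Trust-on-first-use (TOFU) identity pinning with out-of-band verification.

Added example illustrating the model described in the post; the key encoding,
invite-link format and sample keys are constructed, not Signal's own.
"""

import hashlib
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Constructed stand-in identity keys (real ones would be Curve25519 points).
ALICE_KEY = bytes.fromhex("11" * 32)
MALLORY_KEY = bytes.fromhex("22" * 32)


def fingerprint(identity_key: bytes) -> str:
    """Human-comparable digest of a long-term identity key.

    Constructed format: first 128 bits of SHA-256, hex, in 4-char groups.
    """
    digest = hashlib.sha256(identity_key).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))


@dataclass
class PinnedIdentity:
    fingerprint: str
    verified: bool = False  # True once the user compared it out of band


@dataclass
class TofuStore:
    pins: dict = field(default_factory=dict)

    def on_identity(self, peer: str, identity_key: bytes) -> str:
        """Called whenever a message carries peer's identity key.

        Returns "pinned" on first contact, "match" when the key is unchanged,
        and "changed_unverified" / "changed_verified" when it differs. A pin
        is never silently replaced; a change on a verified contact is the
        case that most deserves a hard stop and a phone call.
        """
        fp = fingerprint(identity_key)
        pinned = self.pins.get(peer)
        if pinned is None:
            self.pins[peer] = PinnedIdentity(fp)
            return "pinned"
        if pinned.fingerprint == fp:
            return "match"
        return "changed_verified" if pinned.verified else "changed_unverified"

    def verify_out_of_band(self, peer: str, spoken_fingerprint: str) -> bool:
        """Mark peer verified if the fingerprint read aloud matches the pin."""
        pinned = self.pins.get(peer)
        if pinned is None:
            return False
        normalized = " ".join(spoken_fingerprint.lower().split())
        if normalized != pinned.fingerprint:
            return False
        pinned.verified = True
        return True

    def accept_new_key(self, peer: str, identity_key: bytes) -> None:
        """Explicit user decision to re-pin (e.g. after a confirmed reinstall).
        Verification status is reset because the new key has not been checked."""
        self.pins[peer] = PinnedIdentity(fingerprint(identity_key))


def identity_from_invite(link: str) -> bytes:
    """Extract the identity key from the constructed invite-link format.

    A link relayed through a lower-security channel can be swapped for one
    carrying a different key; only an out-of-band fingerprint check catches it.
    """
    params = parse_qs(urlparse(link).query)
    return bytes.fromhex(params["k"][0])


def invite_matches_spoken(link: str, spoken_fingerprint: str) -> bool:
    """True iff the key inside the link matches what the contact reads out."""
    expected = " ".join(spoken_fingerprint.lower().split())
    return fingerprint(identity_from_invite(link)) == expected


if __name__ == "__main__":
    store = TofuStore()
    print(store.on_identity("alice", ALICE_KEY))            # pinned
    print(store.verify_out_of_band("alice", fingerprint(ALICE_KEY)))
    print(store.on_identity("alice", MALLORY_KEY))          # changed_verified
    good = "https://example.invalid/join?k=" + ALICE_KEY.hex()
    bad = "https://example.invalid/join?k=" + MALLORY_KEY.hex()
    print(invite_matches_spoken(good, fingerprint(ALICE_KEY)))  # True
    print(invite_matches_spoken(bad, fingerprint(ALICE_KEY)))   # False
```

The store never auto-accepts a changed key: that decision is surfaced to the user, with a stronger warning when the contact had been verified, which is exactly the point where the "paranoid" out-of-band comparison earns its keep.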
-
Proprietary?
Not sure, but probably. But looking at their history I think they have a good track record and it's used by the government as well in certain cases.
-