Signal messenger

Moving to Session messenger (https://getsession.org/) is looking more and more attractive… Session is still in its early stages relative to Signal, but they seem to have a more idealistic approach to data privacy.

It’s difficult to accept that Signal would not support a fully-featured linux client once the Librem 5 becomes widely available. That idea feels extremely dissonant with what I have hoped Signal and the Signal Foundation would be.

3 Likes

I don’t have high hopes regarding Signal/Whispersystems. For them, centralization is not a bug or a workaround, it’s a feature for them.
That’s where they obviously differ from Purism. And they are well-funded by BigTech, another point where they differ from Purism, so don’t waste your money carrying owls to Athens.

1 Like

1 Like

Fully agree. Centralized server have always been a problem to me regarding Signal.
What’s the difference between Signal and Whatsapp ? :

  1. They have open source client, which is good, you can audit it… but on the other hand you have no access to the server-side (logically). It is somewhere, with encryted messages and most of all, I think, full of metadata showing which phone number is contacting which other, and when.

  2. They are a non profit organization, which is also good, and we can think that they can’t read your messages and have no interest to do so… but one the other hand, as somebody said here, Signal foundation receive fundings (from whom ?, how could they financially handle so much newcomers last weeks if they are a non profit organization ?). I read that the foundation been made by Moxie Marlinspike and WhatsApp co-founder Brian Acton (the person who has sold Whatsapp to Facebook) according to Wikipedia. It is said that Brian Acton has put a lot of money into Signal so maybe it explain why they could support the huge amount of newcomers, but it is only an hypothesis.

On the other side, Session has a E2E decentralized architecture and can keep messages when you are offline, not in a specific server, but across the network. It does not require a phone number, and it does not require an email address. To use Session, you just have to share the Session ID, and ideally, it is better to share it face to face by hand or by encrypted way.

Conclusion :

  1. I don’t say Signal is a bad app, I would even say the opposite : it is a good app, however I (we ?) don’t know really how it works behind the scenes, especially for group discussions. Tomorrow, the server could be backdoored illegally or legally for safety reasons, do you think Signal can oppose to this or inform us about this ? Also Brian Acton has sold Whatsapp to Facebook (and I can understand, maybe I would do the same on his behalf), but now : is Signal for him a real transparent project or it is a new business ? Who can tell ? Not me.

  2. I prefer Session Messenger, I think it proposes the best architecture. However, I easily imagine that not everybody feels comfortable with neither seeing a phone number, nor seeing in the contact app who uses it. Nobody in my contacts want to proceed that way, this is why I don’t use it, but I like the concept.

1 Like

It’s clear though that at least $2,955,000 was provided by the Open Technology Fund (OTF) 2013-2016, and the organisation’s website refers to Signal being “originally developed with OTF funding.”

OTF was part of Radio Free Asia (a USA propaganda unit against a.o. China) and funded by the State Department.

It seems that at least some of this is not true.

1.I don’t know if the signal server is open source but I thought so. You should be able to research this.

  1. I think server software audits seem to be problematic in general to me, because an organization could make it look like their servers run algorithm A but the servers actually algorithm B. Or they could switch algorithms the moment the auditor leaves. How could the auditor ever be sure he audited the actually used algorithms? I am not an expert for audits.

  2. Wasn’t there something with a self hosted server maybe without Google services for push messages?

So much semi knowledge from my site. But I’ll go on.

  1. Read the signal blog. They reported about an incident where a US court wanted them to deliver data about a man. OWS / Signal simply could not give significant data because all they stored in plain text was the users last login date and a second datum that I don’t remember. Everything else was end to end encrypted and not even OWS knows the plain text. Also OWS fought against the order to deliver such data to the court.

You may believe this or not, but OWS has been transparent about this. There are two blog articles at least and linked documents IIRC.

Sorry, I should have been clearer (I even say “They have open source client”“They are a non profit organization”, in fact I was talking about Signal, not Whatsapp wich is closed source of course).

My feeling behind my long post was the following : today, Signal can be really honest, but we never know if (or when) it can turns bad. A centralized service like, it is “easier” to corrupt than a decentralized network, and the second point was that Session seems to be a very (very, very) nice app, but I am not sure people are ready to have such usage of communication, this was my idea.

1 Like

Just the fact you don’t know how something works is not a profound argument for that matter. :stuck_out_tongue: Group messagea are handled by the server exactly the same way normal messages are handled. The server does not know of groups at all and you can just check that with the client without knowing the server code.

The Signal server used to be Open Source by the way. But the code hasn’t been updates for around three quarters of a year.

1 Like

Please, don’t use this topic for this kind of discussion.
There are already several topics dedicated to this on the forum

4 Likes

I don’t want to get banned off the face of the earth or anything for off-topic discussion, but I should say that I still find Signal preferable in several ways. I think if you read Session’s blog posts about their rollout of the Session protocol, you’ll see some consequences of Session still being young in development. Session protocol is extremely bare-bones crypto, and it loses several really cool security features versus the Signal protocol. Signal protocol is highly regarded by security experts worldwide, while Session protocol is more like something that an average Joe like me would come up with.

I love the direction of Session messenger and the Loki Foundation, but Signal is still doing really awesome work for people’s security and privacy. I’ll use both for now.

Another large factor is ppl usually stick with applications that match their echo system of contacts. If someone already has 90% of its contacts already using signal, its going to be hard to convert and convince those contacts to swap over to another platform.

I got most of my friends over to signal a few years ago. And now a lot of people have gone over, so I guess it will not be impossible to do it again if the reason to do so arises.

Part of the answer to this is that IT infrastructure is really cheap! We can’t think of it as traditional product where each unit has to be manufactured. In IT the first unit costs a lot, the second unit barely nothing. That is why all the big IT giants can give billions of users IT services free of charge (And then they steal your data and make money on that). With open-source it becomes even cheaper.