Comment on Time to get serious with E2E encrypted messaging
cmhe@lemmy.world 3 days agoBut you should also be aware that Signal does not federate, so the company can be bought. They have control over all accounts and the servers, without easy way to migrate away again. So it might just be another trap.
Try to use federated services (like matrix), they are more robust against hostile take overs.
This is such a bad take it seems like deliberate misinformation.
Signal is open-source software maintained by a non-profit. User data is not stored on Signal servers, they have no way to access messages as they are stored and encrypted on your phone. If the Signal Foundation were revealed as bad actors then the open-source code could be forked to a new project.
Feel free to fully evaluate their code here: github.com/signalapp
That’s the signal app. The software which runs on their servers is proprietary.
At least (to my knowledge) the Signal messages are decrypted on the client end, so buying the company doesn’t give you automatic access.
Having said that, I’m sure a hostile new owner could update the app to decrypt and then send the messages as plaintext to the servers if they wanted…
Well, you can still insert client side decryption into the app.
But it isn’t really about the messages, it is about the control of the servers and the accounts. You cannot easily move away from their servers, because you will lose your contacts. This gives the people controlling the servers power over you. A sort of vendor lockin.
Well, you can still insert client side decryption into the app.
That’s why all clients are fully open-source. You can also use a fork like Molly.
AFAIK, Signal does not want anyone to use alternative clients, has that changed?
In the 1990s US ISPs would “give you” an e-mail account with their service: you@isp.com. Of course, this is insta-lockin for that e-mail address, you can never port it.
Owning your own domain name and running e-mail service through that worked, for a few years, but the big players have made whitelist / blacklist such a frustrating whack-a-mole game in the e-mail space that running your own e-mail server quickly became impractical.
There are different degrees of vendor lock in. If you use email (or Matrix) with a domain, you have no control over, you are soft-locked it. You can buy a domain, self-host or pay for a managed service and inform everyone that you are now reachable over some other address, but nobody else has to change.
If you use Signal (or Discord or whatever) and want to switch to a different domain. You cannot. If you switch to a different protocol, everyone in your contacts has to switch as well, or you lose that contact. The network effect forces you into the service of one provider. The only way out of there would be if the service get so bad, that a critical mass leaves, but you will have to deal with that bad service all the way.
As long as financial interest are there, non-federated services will sooner or later start to enshittyfy. So if you choose a communication medium, choose something that leaves your options open. If you don’t like Matrix, try XMPP, it has come a long way as well.
Shortcut question: What’s a workable federated e2ee solution that’s available today?
Matrix?
IMO the whole “metadata insecurity” stuff about Matrix is over exaggerated. Also Matrix is improving there.
If metadata security is really that important, you could try Tox or similar P2P chats.
I actually tried Tox - maybe 8 years ago now… the real problem with it, or anything similar, is that you need both ends of every conversation to take the trouble to set it up. It was pretty easy to setup, IMO, but… as an example, in 2005 I had an engineer co-worker ask me about “that Linux thing” when I got around to telling him that pretty much everything he used on a daily basis was available in Linux, just under different names than he was used to in Windows “Oh, you mean I’d have to learn different names for Word and Excel and Outlook?” “Uh, yeah.” “Oh, that’s more trouble than I think I want, I’ll just stick with what I know.”
Andromxda@lemmy.dbzer0.com 3 days ago
The company (Signal Messenger LLC) is fully owned by Signal Foundation, a 501©3 non profit organization.
I generally like this idea, and I also use federated services for things like social media, that’s why we’re having a discussion here on Lemmy. But it introduces some issues with private messaging, like lack of reliability, which sucks if you want to use Matrix as your primary messenger, as well as metadata leaks. Federation is not always the answer, and in my opinion definitely not when it comes private and secure messaging.
Probably around 80-90% of Matrix users are on the matrix.org homeserver, so it’s absolutely not as decentralized and resilient as you think it is.
cmhe@lemmy.world 3 days ago
OpenAI is also non-profit. Not really an argument.
Well, the goal is that moving to your own server, will not mean that you will loose access to all your contacts. Which makes moving instances much simpler. If Matrix gets a hostile take-over, your don’t really need to reach a critical mass for an alternative server.