Signal is Flawed, Why XMPP is Amazing! (new animated video)

Comments

• Melpomene@kbin.social ⁨1⁩ ⁨year⁩ ago

  Could we stop with this nonsense? Signal is neither run by nor funded by the CIA, nor have any of its many haters shown that it is vulnerable to exploitation. Signal's obfuscation of metadata is absolutely capable of being bypassed, but the core function of Signal... E2EE encrypted messaging... remains secure. Signal's core purpose was -never- anonymous communication, but secure communication.

  If you need anonymity, Signal is not the way. But attempting to malign it with conspiracy porn and misleading data points does nothing but undermine support for E2EE generally.

  source

  • vlad76@lemmy.sdf.org ⁨1⁩ ⁨year⁩ ago

    Signal uses computers. You know who else uses computers?? CIA!

    source

    • Ildar@lemmy.world ⁨1⁩ ⁨year⁩ ago

      And even FSB

      source

      • -> View More Comments
    • Pat@kbin.run ⁨1⁩ ⁨year⁩ ago

      You're telling me governments use computers? That's insane, I don't believe it. Next you'll be telling me they're on the internet too.

      source

      • -> View More Comments
    • Melpomene@kbin.social ⁨1⁩ ⁨year⁩ ago

      Should we tell them about DARPA?

      source
    • Kyoyeou@slrpnk.net ⁨1⁩ ⁨year⁩ ago

      I heard those computers use electricity, damn

      source
    • SummerBreeze@monero.town ⁨1⁩ ⁨year⁩ ago

      Would you agree that Signal does sealed sender to protect metadata? If there were flaws in this system, then should we not discuss it?

      source

      • -> View More Comments
  • pranqster@infosec.pub ⁨1⁩ ⁨year⁩ ago

    Could not have said this better.

    source
  • gamma@programming.dev ⁨1⁩ ⁨year⁩ ago

    It requires a phone number to log in. That already kills any hope for anonymity. I use it to message family and close friends, of which the fact that I’m messaging them is not surprising.

    source

    • ninchuka@lemmy.one ⁨1⁩ ⁨year⁩ ago

      Where did signal ever advertise it’s too be used anonymously

      source

      • -> View More Comments
  • MashBoilPitch@lemm.ee ⁨1⁩ ⁨year⁩ ago

    But Signal is bad, an op-ed by one of Lemmy’s founders: dessalines.github.io/essays/why_not_signal.html#c…

    I certainly agree there is cause for caution, as one should always exercise where trust is placed in such matters. But there are leaps of bad logic in that writeup, and the dog pile of FUD swirling around Signal feels nearly orchestrated.

    source

    • Melpomene@kbin.social ⁨1⁩ ⁨year⁩ ago

      That's because it is. The Lemmy founder in question has a hate on for anything west and United States especially.

      source
    • SummerBreeze@monero.town ⁨1⁩ ⁨year⁩ ago

      I am NOT saying the average person should be concerned with CIA spying. What I’m saying is that one should promote decentralized internet infrastructures that empower the individual over corrupt institutions, even though this threat model likely does not apply to you. XMPP is just as easy to use use as Signal.

      If you use Signal messenger, you have to trust the Signal foundation, which uses Amazon’s AWS for the cloud. So you’re trusting CIA military contractors. I am NOT saying that Signal is a CIA tool. What I’m saying is that you are trusting and obeying a centralized authority, as opposed to being able to run code on your own server. And this contributes to the centralization of the internet and a loss of freedom.

      source

      • -> View More Comments
    • SuddenlyBlowGreen@lemmy.world ⁨1⁩ ⁨year⁩ ago

      Yeah, calling Signal’s founder’s politics confused and idiotic because he referred to China and Russia as authoritarian regimes doesn’t really make me trust this person and his biases.

      source

      • -> View More Comments
  • jack@monero.town ⁨1⁩ ⁨year⁩ ago

    Security is not enough.

    source

    • Melpomene@kbin.social ⁨1⁩ ⁨year⁩ ago

      Is for me, but there are plenty of solutions for those who need more.

      source
  • SummerBreeze@monero.town ⁨1⁩ ⁨year⁩ ago

    I agree that I applaud the move from SMS text to Signal. I am NOT saying the average person should be concerned with CIA spying. What I’m saying is that one should promote decentralized internet infrastructures that empower the individual over corrupt institutions, even though this threat model likely does not apply to you. XMPP is just as easy to use use as Signal.

    If you use Signal messenger, you have to trust the Signal foundation, which uses Amazon’s AWS for the cloud. So you’re trusting CIA military contractors. I am NOT saying that Signal is a CIA tool. What I’m saying is that you are trusting and obeying a centralized authority, as opposed to being able to run code on your own server. And this contributes to the centralization of the internet and a loss of freedom.

    source

    • Melpomene@kbin.social ⁨1⁩ ⁨year⁩ ago

      Except Signal has dozens of viable competitors, and even XMPP is likely passing through those same AAS servers if it spreads far enough. And you'll never even know, most likely.

      Implying that the CIA using a cloud provider makes the entire provider suspect is silly, especially if we're talking about an E2EE service. Decentralization is great. I love it. But I also recognize the value of a centralized service when done well and when subjected to scrutiny and competition.

      source
• Bipta@kbin.social ⁨1⁩ ⁨year⁩ ago

  You derailed your entire post with this single line scare tactic:

  So you’re trusting CIA military contractors.

  source

  • RaivoKulli@sopuli.xyz ⁨1⁩ ⁨year⁩ ago

    Me about to step into a train: “Nice try but I’ve heard some disturbing allegations about this whole train thing”

    source
  • CookieJarObserver@burggit.moe ⁨1⁩ ⁨year⁩ ago

    Yeah id rather have the CIA spying on me than some Criminal or fucking China

    source

    • Melpomene@kbin.social ⁨1⁩ ⁨year⁩ ago

      Why not all?

      source

      • -> View More Comments
• robotdna@toast.ooo ⁨1⁩ ⁨year⁩ ago

  Signal is not designed for anonymous communication. This is fine. Some of us like having a messaging platform that is E2EE because we don’t have to trust the midpoints. I get to chat with my family in a convenient manner while not worrying about the telecom company doing things like logging SMS contents. Different tools for different jobs.

  source
• DrQuint@lemm.ee ⁨1⁩ ⁨year⁩ ago

  signal containers run in in the same cloud provider services as military enterprises

  that means signal is in the CIA’s pocket

  HOLY REACH BATMAN. The explanation is literally that they’re 3 degrees detached and then therefore one and the same. What the hell?

  source

  • Melpomene@kbin.social ⁨1⁩ ⁨year⁩ ago

    They all run on the Internet which was sponsored by DARPA, a known US government organization that has had its tentacles in the works from the very start. Conspiracies! UFOs!! JFK!!!

    /sarcastic Mel

    source
  • ShustOne@lemmy.one ⁨1⁩ ⁨year⁩ ago

    Yeah we really need a downvote button, at least on the posts themselves.

    source

    • Feathercrown@lemmy.world ⁨1⁩ ⁨year⁩ ago

      You don’t have one?

      source

      • -> View More Comments
• tux@lemmy.world ⁨1⁩ ⁨year⁩ ago

  The US Military also uses IRC, is that the future too? I’m sick of the ridiculous Signal hate with basically no good reason. Basically everything is run in AWS, or Azure, or Google cloud. All the governments have contracts with those cloud providers, because almost every organization large enough has things in the cloud.

  Obfuscation is not meant to be foolproof. Without something like the Tor network (oh wait, the NSA and other organizations have already taken over that) WHO you talk to is not hard to determine. If someone is monitoring ALL network traffic in the world, they’ll know who is talking to who everywhere. But with good end to end encryption and no server side logging recording who you talk to, that’s definitely a good enough combo for me.

  XMPP is certainly not a bad protocol, but I’m not seeing a reason to justify the Signal hate.

  source

  • LollerCorleone@kbin.social ⁨1⁩ ⁨year⁩ ago

    Same! There is a lot of misinformed Signal bashing going on. I can't figure out why.

    source

    • Osa-Eris-Xero512@kbin.social ⁨1⁩ ⁨year⁩ ago

      If you conspiracy board right back at them, the conclusion I come to is that Signal is starting to see some market penetration into non-technical spaces and that's a problem for... someone. Dealer's choice for whom. So, time to spread some FUD.

      source
    • Ilandar@aussie.zone ⁨1⁩ ⁨year⁩ ago

      That’s just the privacy community. It has always attracted the crazies. Signal is not the only reasonable service that these people will attempt to spread paranoia and misinformation about.

      source
• privacyfalcon9899@lemmy.one ⁨1⁩ ⁨year⁩ ago

  This can just be a bad joke. Xmpp is not event considered by PG as an alternative. Besides, as long as you encrypt the data it does not matter on AWS or somewhere else.

  source

  • jonno@discuss.tchncs.de ⁨1⁩ ⁨year⁩ ago

    If privacyguides is your only source of truth, you’re in for a surprise at some point in time. As with any one-source-truth.

    source

    • MajesticFlame@lemmy.one ⁨1⁩ ⁨year⁩ ago

      Sure, but there are good reasons not to use XMPP if you need security.

      source
• smeg@feddit.uk ⁨1⁩ ⁨year⁩ ago

  Literally your very first point is complete bollocks. The entire point of the way Signal works is that you don’t have to trust the backend in order to communicate securely, so it doesn’t matter what backend they were using even if your red-string-on-the-wall suggestion that anything running on AWS is run by the CIA made sense.

  source

  • venia_sil@fedia.io ⁨1⁩ ⁨year⁩ ago

    To be fair (and this is something I don't recall being established with or dealt with in the video) you need to at least trust that the backend is there. Currently if "lol CIA AWS" servers are not working, you don't have an option (Advanced Settings or whatever) in Signal to choose another provider, such as say a self-hosted community server.

    source
• Asudox@lemmy.world ⁨1⁩ ⁨year⁩ ago

  It does not matter if they are using AWS, the data is already encrypted by the user’s device by the time it arrives their servers.

  source

  • SummerBreeze@monero.town ⁨1⁩ ⁨year⁩ ago

    I disagree. There are a variety of ways your data can be leaked. For example, the person you’re talking to can be using a Google stock phone or Microsoft windows which may collect data. If this was a random XMPP name, this would provide more protection than your real phone number. Furthermore, there are academic studies proving the metadata can be gotten. Please see this for more information: simplifiedprivacy.com/signal-messenger-guide-to-a…

    source

    • Asudox@lemmy.world ⁨1⁩ ⁨year⁩ ago

      this would provide more protection than your real phone number.

      Again, Signal is not supposed to be a anonymous messaging service. It is supposed to be a private one. You’re literally comparing a messaging protocol designed to be anonymous to a non-anonymous one. Sure, it would be great if XMPP was used overall, but unfortunately it isn’t. At least Signal developed a protocol that is starting to be pretty popular and is E2EE. You can use XMPP, but your average privacy user will use Signal over WhatsApp. Your argument literally is just about how XMPP is more anonymous than a protocol not even designed to be anonymous in the first place.

      source
  • jack@monero.town ⁨1⁩ ⁨year⁩ ago

    Signal knows your entire connection graph. Who you talk to, at what time and how much. Storing literally all of the phone numbers/identities on their servers. I use SimpleX Chat where you have no identity that can be recorded. It is also easy to use, though it’s relatively new and in active production

    source

    • Asudox@lemmy.world ⁨1⁩ ⁨year⁩ ago

      As everyone other said, Signal is NOT supposed to be an anonymous messaging service, but a private one. Anyone knows that the moment a service asks for their personal phone number, they can’t be anonymous. For the average Joe, Signal is the superior choice over WhatsApp, at least.

      source

      • -> View More Comments
• mojo@lemm.ee ⁨1⁩ ⁨year⁩ ago

  Do you know why they mention Signal (the app), but nobody mentions a single XMPP app? Because there’s not a single good app for it lol.

  You expect people to use XMPP how exactly? Is Conversations, that Android kitkat looking $4 app on Google Play the Signal killer app you expect it to be? People pick apps/software, not protocols. Otherwise what do you expect them to do.

  source

  • amanneedsamaid@sopuli.xyz ⁨1⁩ ⁨year⁩ ago

    Dino is a much better desktop client than Signal’s imo. Especially because Signal only distributes their desktop app as debs and flatpaks. Mobile apps aren’t as good looking, but Conversations is more performant. iOS clients are the only missing link to make that last point moot, and I think Monal is getting there.

    source

    • AllNewTypeFace@leminal.space ⁨1⁩ ⁨year⁩ ago

      Isn’t the only available desktop Signal client Electron bloatware as well?

      source

      • -> View More Comments
• ExLisper@linux.community ⁨1⁩ ⁨year⁩ ago

  I don’t use signal to hide from the CIA. I use it to hide my data from Meta. Do you have any proof or even suspect signal of selling data to Meta/google/amazon? If not I don’t care.

  source

  • HurgletOfficial@lemmy.basedcount.com ⁨1⁩ ⁨year⁩ ago

    Average threatmodel enjoyer. I use Signal as a whatsapp alternative for my friends.

    If i truly wanted something secure, I’d selfhost an IRC server over Tor, and force all users to verify their nickname using public key cryptography

    source

    • jet@hackertalks.com ⁨1⁩ ⁨year⁩ ago

      Knowing your threat models very useful and important. If I was running a government communication program, I wouldn’t let my people use signal. Too much trust in another government. But that’s not nay saying signal, but my threat model would be much more complex, and I would absolutely not be able to use signal.

      source
• zeekzag@lemmy.world ⁨1⁩ ⁨year⁩ ago

  I’ll stick with signal. Thanks…

  source
• MajesticFlame@lemmy.one ⁨1⁩ ⁨year⁩ ago

  This post is the personification of why downvotes should be enabled. This is just load of FUD.

  source

  • SummerBreeze@monero.town ⁨1⁩ ⁨year⁩ ago

    Which statements are you disputing as untrue?

    source

    • MajesticFlame@lemmy.one ⁨1⁩ ⁨year⁩ ago

      XMPP is often neglected even though it’s the most secure, private, fast, and reliable framework for end-to-end encrypted messengers.

      This. I studied on how e2ee works in XMPP when I was trying it a few years back. It is absolutely atrocious. I have seen half-assed school projects with better security than most XMPP clients. Largely caused by encryption being bolted on through an extensions of the standard as an afterthought and going throug several revisions.

      Now you may find a good client implementation, I think conversations for android seemd decent, but with everyone using a different client and no way to ensure the other side uses a secure one, there is little point.

      source
• meiko60@lemmy.sdf.org ⁨1⁩ ⁨year⁩ ago

  for noobs or someone without strong IT skills like elderly. Signal is still the best imo

  source
• geosoco@kbin.social ⁨1⁩ ⁨year⁩ ago

  When I see the monero.town domain, I know it's gonna be garbage.

  source

  • jet@hackertalks.com ⁨1⁩ ⁨year⁩ ago

    That’s unfair. There’s a lot of great discussions that happen on that instance.

    source
  • Genghis@monero.town ⁨1⁩ ⁨year⁩ ago

    lmao please give us another chance

    source

    • isVeryLoud@lemmy.ca ⁨1⁩ ⁨year⁩ ago

      no lol

      source
• MagneticFusion@lemm.ee ⁨1⁩ ⁨year⁩ ago

  People just won’t stop bashing on Signal will they? Do they not realize all the extra complexities and the normie unfriendly ness if these other messaging protocols? Signal is easy you put a number put done. The rest not as easy and not as reliable

  source

  • amanneedsamaid@sopuli.xyz ⁨1⁩ ⁨year⁩ ago

    1. The phone number requirement is by far Signals largest downside, and usernames have been their most requested feature.
    2. Signing up with a username and password is not more complicated than putting in a phone number.
    3. Thats assuming a lot about the XMPP sever you’re using. I’ve never experienced downtime with mine, so either pick one with a good history for reliability, or self host.

    source

    • MagneticFusion@lemm.ee ⁨1⁩ ⁨year⁩ ago

      Having a phone number and just syncing contacts is way more user friendly than searching for individual usernames. You have to make it as frictionless as possible if you want normies to download and use an extra app.

      Also, Signal was not designed for anonymous communication, it was designed for private communication.

      source

      • -> View More Comments
• Numberone@startrek.website ⁨1⁩ ⁨year⁩ ago

  For me using signal wasn’t about becoming Jason Bourne, it was about changing the threat model. I don’t have any dilusions of grandeur that I can’t be owned if I’m targeted, but you know what? My calls and texts aren’t stored with my phone company with a direct link to the Government and advertisers. That may be low hanging fruit, but that’s dealing with most of the issues the average user is going to run into. I’d suggust that the step from SMS to Signal is of greater benifit to a normal user than from signal to something more advanced. And, fwiw it’s open sourced and audited, which gives me more confidence than something like imessage or WhatsApp, despite similarities im encryption schemes.

  source

  • SummerBreeze@monero.town ⁨1⁩ ⁨year⁩ ago

    I agree with you that Signal is far better than WhatsApp and SMS. I applaud your adoption of freedom and thank you for your time. I am looking to educate people on open source decentralized alternatives that exist for philosophical purpose

    source

    • Numberone@startrek.website ⁨1⁩ ⁨year⁩ ago

      Oh I see. Yeah that’s cool. I’ve seen several posts around the fediverse that take a real tsk tsk signal user kind of tone, So I responded to yours kind of defensively. As a person with middle of the road tech knowledge I also curious if how I think about it stands up to scrutiny (because people will tell me!). Didn’t mean to distract from the intent. Thanks for posting this in any case.

      source
• theKalash@feddit.ch ⁨1⁩ ⁨year⁩ ago

  Based on XML

  Be gone, demon.

  Also, Signal is literally endorsed by Edward Snowden … But sure, it’s CIA software.

  source

  • SummerBreeze@monero.town ⁨1⁩ ⁨year⁩ ago

    We need to separate the code from the people running the service. Which is not possible with signal.

    I am NOT saying the average person should be concerned with CIA spying. What I’m saying is that one should promote decentralized internet infrastructures that empower the individual over corrupt institutions, even though this threat model likely does not apply to you. XMPP is just as easy to use use as Signal.

    If you use Signal messenger, you have to trust the Signal foundation, which uses Amazon’s AWS for the cloud. So you’re trusting CIA military contractors. I am NOT saying that Signal is a CIA tool. What I’m saying is that you are trusting and obeying a centralized authority, as opposed to being able to run code on your own server. And this contributes to the centralization of the internet and a loss of freedom.

    source

    • theKalash@feddit.ch ⁨1⁩ ⁨year⁩ ago

      you use Signal messenger, you have to trust the Signal foundation, which uses Amazon’s AWS for the cloud

      Ok. I trust the Signal fundation. What cloud service it’s running on is is really only relevant when it comes to stability and AWS is very stable.

      So you’re trusting CIA military contractors.

      I have no idea what you’re even talking avbout.

      source

      • -> View More Comments
  • Neon@lemmy.world ⁨1⁩ ⁨year⁩ ago

    Edward Snowden the ex-CIA employee?

    Checkmate, liberals

    source
• jet@hackertalks.com ⁨1⁩ ⁨year⁩ ago

  www.privacyguides.org/…/real-time-communication/

  Always worth checking the privacy guides right ups on these matters. Unfortunately XMPP is not listed.

  Here’s the privacy guides internal discussion about XMPP github.com/orgs/privacyguides/discussions/208

  source
• Cube6392@beehaw.org ⁨1⁩ ⁨year⁩ ago

  In addition to what inaccuracies people here have pointed out, remember how hard it was to get people to adopt Signal when it was easy? How are you going to get people to adopt XMPP. I love XMPP, but I’m never gonna get my girlfriend or parents to get on board for that

  source

  • kraxyk@beehaw.org ⁨1⁩ ⁨year⁩ ago

    This. I can’t even get most people to switch from WhatsApp to Signal. Because everyone is already on WhatsApp so it just works for them.

    source
  • Melpomene@kbin.social ⁨1⁩ ⁨year⁩ ago

    My partner is up for a challenge and we try different things, but Signal remains our go-to because it's easy and the fact that we use it to talk isn't exactly secret. XMPP feels like a lot of work for something that isn't offering us much more in the way of features we'd use.

    source
• twistypencil@lemmy.world ⁨1⁩ ⁨year⁩ ago

  I heard that people at the Cia breathe air, and I bet you breathe air, so you are compromised by Cia air particles. XMPP is better because it’s XML and that can operate in a vacuum.

  source
• OurMoneyIsBroken@lemmy.dbzer0.com ⁨1⁩ ⁨year⁩ ago

  Simplex.chat is the only option

  source

  • McBain@feddit.ch ⁨1⁩ ⁨year⁩ ago

    Love it. Too bad people don’t want to try new things…

    source

    • zingo@lemmy.ca ⁨1⁩ ⁨year⁩ ago

      Yes. The number one hurdle is the get common folks off WhatsApp. Good luck with that.

      So the most liable option to substitute WhatsApp is Signal, which has a somewhat big (not huge) user base, but the probability of that happening is slim to none.

      Telegram is even more used than Signal but don’t trust it for total privacy and its used for funny business.

      Then coming in on 4th place, you have the rest like Matrix, Briar etc. You might get your best friend to use it, but that’s about it.

      source

      • -> View More Comments
• earthling@kbin.social ⁨1⁩ ⁨year⁩ ago

  Man, I tried to watch the video but that voice is incredibly annoying.

  source
• kate@lemmy.uhhoh.com ⁨1⁩ ⁨year⁩ ago

  It sounds like all your criticisms of matrix are around the element client, unless there’s something else?

  source
• gonzoknowsdotcom1@monero.town ⁨1⁩ ⁨year⁩ ago

  Ask yourself who holds the keys that’s all that matters

  source

  • jet@hackertalks.com ⁨1⁩ ⁨year⁩ ago

    This is why I was really pissed off when signal started storing people’s private keys in the cloud trusting SGX enclosures to prevent them from getting cracked. A four-digit pin is nothing. That’s antithetical to their entire emission. SGX enclosures have been compromised multiple times.

    To me this is the greatest feeling of signal.

    source

    • gonzoknowsdotcom1@monero.town ⁨1⁩ ⁨year⁩ ago

      yea, I’m pretty sure the 4 digit pin can be changed to an higher count

      source

      • -> View More Comments
• gonzoknowsdotcom1@monero.town ⁨1⁩ ⁨year⁩ ago

  Briar desktop/mobile isn’t a bad option

  source
• jet@hackertalks.com ⁨1⁩ ⁨year⁩ ago

  I appreciate the videos you make are a lot of work. I’m curious why you don’t post them on YouTube as well? They would have more reach there. I’m all for self-hosting your videos, but in terms of educational engagement YouTube has many orders of magnitude more reach.

  Take mental outlaw for example, he has the various alternative video services, but his bread and butter is YouTube

  source

  • smeg@feddit.uk ⁨1⁩ ⁨year⁩ ago

    I’ve seen a few accounts posting “controversial” opinions here which link to that same website. I don’t want to sound like as much of a conspiracy theorist as OP, but I wonder if its all bait to drive up traffic to their own website.

    source

    • jet@hackertalks.com ⁨1⁩ ⁨year⁩ ago

      Yeah 100%. I don’t hold that against anybody though. They’re making content. They’re getting us to talk about it. So far so good. But limiting yourself outside of YouTube is going to miss a huge audience you could grow into.

      source
    • ninchuka@lemmy.one ⁨1⁩ ⁨year⁩ ago

      It’s almost certainly the same person posting them as well just on different accounts

      source
• PublicLewdness@burggit.moe ⁨1⁩ ⁨year⁩ ago

  Signal requires a phone number which is a non starter for me. I refuse to bend to that. I’ll stick with Session; XMPP; Matrix; etc.

  source
• sj_zero ⁨1⁩ ⁨year⁩ ago

  Matrix is a standard, so you don't need to use synapse or element. I'm shocked at how well matrix Conduit works on trivial hardware.
• thecam@lemmy.world ⁨1⁩ ⁨year⁩ ago

  XMPP is more lightweight but way more clunky. I think Matrix is better since all the features are built in and is having more development, more users and more clients on multiple operating systems.

  source