I remember a time when visiting a website that opens a javacript dialog box asking for your name so the message “hi <name entered>” could be displayed was baulked at.
Why does signal want a phone number to register? Is there a better alternative?
I remember a time when visiting a website that opens a javacript dialog box asking for your name so the message “hi <name entered>” could be displayed was baulked at.
Why does signal want a phone number to register? Is there a better alternative?
Jami.net
Ignore the comment saying signal is “end to end encrypted” “private” etc They are simply stuck in a delusional state where they try to convince themselves that signal is the best option so they can continue using it. Nothing is private if it isn’t fully libre because you never know what the proprietary code is doing. The signal protocol itself has its source code released, and the encryption and security code is publicly available, but the signal Foundation has stated that it uses both free code and proprietary code. Their reason is UI, but it’s hard to make sure whatever proprietary code is being used for because you simply can’t see it. As GNU puts it: “You’re walking in a pitch black cave”. Jami is fully libre and is a GNU project. You don’t even need any phone number!
You should have visited Signal’s github page first, I dunno. Before talking. Made up a lot of stuff.
They do have proprietary code for that crypto wallet they have there, well hidden, and for, eh, phone number registration, but other than that module it’s all released, I think.
The server and the client applications are FOSS. You can host it for yourself, patching out the domain names and registration parts the way you like it more.
That’s not the full picture. That’s exactly the problem I was highlighting. The issue isn’t whether some of the code is “FOSS”, it’s about whether all of it is. If even small parts remain proprietary (as you mentioned), then we can’t verify what those parts are doing. And those parts could theoretically significantly affect the data collection. Also, I didn’t make up a lot of stuff. The Signal Foundation themselves have confirmed that certain UI and build components are not fully libre. As the GNU project puts it, if part of your system is closed, then you’re trusting a black box, no matter how well-lit the rest of it is.
Signal protocol guarantees that what’s on the server we can discard in your suspicions, it doesn’t matter, because you are not trusting it.
The client is fully open.
You are trusting the server, or do you verify the fingerprint of EVERY contact of yours? The normal people don’t, as Signals UI purpusfully doesn’t encourages it.
Normal people don’t anyway.
They also have Google Play Libraries included for Push Notifications and Maps.
I didn’t actually know the server code was published. It’d be cool if the client allowed multiple servers so you could talk to people on the “normal” master while also thing a private instance
I think choosing a server, like in some ICQ clients, is not a complex modification.
They had it implemented but discarded it out of stupid centralization ideology. Moxie said it on a Chaos communication Congress presentation he held but which he didn’t wanted to be recorded, as the stuff he said was stupid and wrong.
Well, some of the stuff they wrote, not said, wasn’t stupid and wrong.
This is why escaping WhatsApp and Discord, anti-libre software, is most important part.
Molly.im is a Signal Client fork with Security enhancements and the possibility to install a version with only free software.
Great, but it relies on signal’s servers, so it’s centralised. Also, Moly merely removes proprietary parts from Signal, but that’s a workaround (same thing for linux-libre kernel, it’s free software, but just a workaround which is why I’m looking to help with HyprbolaBSD). I’m not coming here to say Molly isn’t an improvement, but being centralised and relying on a non-tully-free program’s servers is a huge red flag for me :)
It doesn’t matter whether a server claims to run free software or not. You can’t verify what it’s running. That’s why E2EE is designed entirely around the client. You can’t trust the server no matter what.
Did anyone say that was the problem? It will not matter how encrypted your messages are when the centralised service gets easily banned.
Yeah the comment I responded to did
Directly above, doesn’t look like it.
k
You can easily verify the keys of the person you’re speaking with, and they’re generated locally… so technically speaking, even if their servers are leaking, your messages are still unreadable, but yea that’s not ideal
Not when it’s backdoored. So, tell the guy above there’s a fully libre copy.
? Even if the servers are backdoored, your messages are still encrypted by your key - as long as the server didn’t manipulate the keys at the first exchange, which you can check by verifying the security code
If it matches, then it’s okay. Such features exist in all encrypted messenger apps
Jami, as much as I prefer it on various philosophical grounds, simply doesn’t work very well at the moment. :(
And we should report problems and fix them ourselves to make it better
Based
Yeah I’m on their Discourse forum, but the situation isn’t that great, and it’s unclear to me if the problems are fixable. Particularly when there are incompatibilities between version X and version Y, where both versions are already in the wild. You can’t travel backwards in time to fix those versions, and this (like email clients or telephones) is an application area where you can’t tell people to update their clients all the time. You have to keep things interoperable.
It’s also often inconvenient to reproduce bugs like that in order to diagnose them. If you try to talk to someone over Jami and it doesn’t work, you generally can’t borrow their phone to analyze the issue. If you’re one of the core developers, maybe you have access to a room full of different kinds of phones and OS versions to test with, but a typical user/contributor won’t have anything like that.