this post was submitted on 03 May 2022
9 points (100.0% liked)

[–] XpeeN@lemmy.ml 9 points 2 years ago (3 children)

Fuck signal and their phone number requirement, how is it vs Element?

[–] angarabebesi@lemmy.ml 10 points 2 years ago (1 children)

I have difficulty taking Signal seriously because of this.

[–] ree@lemmy.ml 2 points 2 years ago (1 children)

Yeah, their double ratchet algo is a complete joke. I wonder why it's been implemented in WhatsApp, XMPP, Matrix, etc.

[–] southerntofu@lemmy.ml 2 points 2 years ago (1 children)

Disclaimer: i'm no cryptographer

I think the crypto in Signal looks fine. The double ratchet isn't bad, although it has some drawbacks (at least the OMEMO variant) about long-absent participants running out of published ephemeral keys.

The problem with Signal is the centralized system (which relies on absolute trust in a server's "trusted computing" module) and the business governance. I'm very critical of m0xie and friends in their political/economic decisions, but they seem to produce good cryptography...

[–] ree@lemmy.ml 2 points 2 years ago

I was trolling.

I know the direction of the project and their stance against centralisation is debatable but they produce good and reviewed software and libraries.

What you do with it is a personal choice.

[–] sandro_linux@lemmy.ml 3 points 2 years ago (1 children)

Matrix does have some metadata problems (not hating on Matrix though)

[–] XpeeN@lemmy.ml 1 points 2 years ago (1 children)

Interesting. Can you elaborate?

[–] southerntofu@lemmy.ml 3 points 2 years ago

In matrix pretty much everything is a public, logged append-only datastore (a room in matrix vocabulary). There is some access-control applied on top but it means that basically any server involved in some room (because their users are part of it) gets a full copy of the full history of the room including all user addresses.

In contrast, XMPP has a clearer threat model: your server knows about you, the server of a user you're communicating with knows about you, 3rd party services you employ know about you (eg. chatrooms) but other users of that 3rd party service don't. Practical example: when i join room anarchism@chat.jabberfr.org from southerntofu@userserver.net address, i'm giving the chatroom server (MUC server) a nickname to identify me with. When other users receive messages in the chatroom from me, they see it from southerntofu from chatroom anarchism@chat.jabberfr.org but have no idea what my actual JID (XMPP address) is.

That's certainly good for reducing chances of having all your messages being logged by a sysadmin somewhere, but it's even better for abuse-resistance. Having your address leaked in every public interaction is fine for most people but is a no-go for people who have stalkers or are targeted by harassment campaigns. See also this HN thread on XMPP and anti-abuse mechanism.
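
Added example, not part of the comment above: a Python sketch of the XEP-0045 rule behind this, in which the MUC service attaches an occupant's real JID to relayed presence only for recipients allowed to see it. The room, nickname and address are the comment's own; the function names are hypothetical, and the `whois` parameter stands for the room's `muc#roomconfig_whois` setting, so the hiding described applies to semi-anonymous rooms (`moderators`) and not to non-anonymous ones (`anyone`).

```python
import xml.etree.ElementTree as ET

MUC_USER = "http://jabber.org/protocol/muc#user"

# Values taken from the comment's own example.
ROOM = "anarchism@chat.jabberfr.org"
NICK = "southerntofu"
REAL_JID = "southerntofu@userserver.net"


def relayed_presence(room_jid, nick, real_jid, recipient_role, whois):
    """Build the presence stanza a MUC service relays to one occupant.

    whois: "moderators" (semi-anonymous room) or "anyone" (non-anonymous).
    Hypothetical helper: it models only the JID-disclosure decision.
    """
    if whois not in ("moderators", "anyone"):
        raise ValueError(f"unknown whois setting: {whois!r}")
    # Other occupants always see the room JID plus nickname as the sender.
    presence = ET.Element("presence", {"from": f"{room_jid}/{nick}"})
    x = ET.SubElement(presence, f"{{{MUC_USER}}}x")
    item = ET.SubElement(
        x, f"{{{MUC_USER}}}item", {"affiliation": "none", "role": "participant"}
    )
    # The real JID is attached only when the recipient may learn it.
    if whois == "anyone" or recipient_role == "moderator":
        item.set("jid", real_jid)
    return presence


def jid_seen(presence):
    """Return the real JID visible in a relayed presence, or None."""
    item = presence.find(f"{{{MUC_USER}}}x/{{{MUC_USER}}}item")
    return item.get("jid")


def exposure_report(room_jid, nick, real_jid, whois):
    """Map each recipient role to the real JID it would learn."""
    roles = ("visitor", "participant", "moderator")
    return {
        role: jid_seen(relayed_presence(room_jid, nick, real_jid, role, whois))
        for role in roles
    }


if __name__ == "__main__":
    for setting in ("moderators", "anyone"):
        print(setting, exposure_report(ROOM, NICK, REAL_JID, setting))
```

Before joining a public room from an address you want to keep private, check which of the two settings the room uses; a client can discover this from the room's service-discovery features.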

[–] Tryp@fuckreddit.tryp.digital 1 points 2 years ago (1 children)

You can use VoIP with Signal so it's not much of an issue.

[–] XpeeN@lemmy.ml 2 points 2 years ago* (last edited 2 years ago) (2 children)

Do they require a phone number when registering? I remember they do, but I might be wrong. I compared all FOSS WhatsApp alternatives a while ago, and I think that's one of the reasons I ruled out Signal. Element was the winner btw.

BTW, even if they don't, I still think Element is better. Signal doesn't meet f-droid's standard while Element does, and ofc Element is federalized while Signal is not (it's centralized Oo).

[–] Tryp@fuckreddit.tryp.digital 1 points 2 years ago* (last edited 2 years ago) (1 children)

I didn't explain myself very well but yes they do require a phone number. What I meant was you can use any VoIP number with Signal and it's fine, TextNow or any service that lets you retain the number works.

[–] XpeeN@lemmy.ml 1 points 2 years ago
[–] southerntofu@lemmy.ml 1 points 2 years ago (2 children)

I upvoted because the phone number requirement is the n°1 problem with Signal.

But to be clear, Signal does meet F-Droid's policy (albeit with a "centralized service" antifeature flag). The only reason Signal is not distributed on F-Droid is because Signal threatened legal action if it ever was (LibreSignal scandal).

Also, i appreciate that Matrix (Element is just a client) is a federated protocol. Unfortunately, it consumes a lot of resources server-side (like A LOT of RAM and disk storage), and the default client Element is nearly unusable with high-latency links (eg. over Tor). I personally recommend getting into XMPP... there is no default client because XMPP is an ecosystem not a government-backed startup and some of them really suck (see joinjabber.org for the better clients) but at least the client and server don't eat all your resources (a "big" XMPP server for hundreds of users uses <500MB RAM, a similar matrix server uses 5-20GB RAM).

[–] Tryp@fuckreddit.tryp.digital 1 points 2 years ago (1 children)

XMPP+OMEMO or OTR is a great alternative, lots of people use it in the DNM realm.

[–] southerntofu@lemmy.ml 1 points 2 years ago (1 children)

Yup Jabber/XMPP has some interesting properties, although the ecosystem is far from the potential it could achieve with more full-time dedicated efforts (and/or more funding to employ people for that). What's DNM though?

[–] Tryp@fuckreddit.tryp.digital 1 points 2 years ago

Dark net markets.

[–] XpeeN@lemmy.ml 1 points 2 years ago (1 children)

TIL. Tnx.

I thought the reason they aren't on F-Droid is that they're using Google Firebase (I think Session uses that too because it's a Signal fork, but I'm not sure).

[–] southerntofu@lemmy.ml 2 points 2 years ago

Well that's the reason upstream Signal was not packaged on F-Droid, that it required Google Play Services to run. That's why Signal was forked into LibreSignal (which didn't change anything beyond removing this dependency) which could be distributed on F-Droid. [This ticket](https://github.com/LibreSignal/LibreSignal/issues/37) is where the discussion took place. m0xie from Signal team said:

> I'm not OK with LibreSignal using our servers, and I'm not OK with LibreSignal using the name "Signal." You're free to use our source code for whatever you would like under the terms of the license, but you're not entitled to use our name or the service that we run. (...) It is unlikely that we will ever federate with any servers outside of our control again, it makes changes really difficult. (...) I understand that federation and defined protocols that third parties can develop clients for are great and important ideas, but unfortunately they no longer have a place in the modern world

This discussion ultimately led to an article (and a CCC talk) called The ecosystem is moving, to which Conversations developer Daniel Gultsch replied. There was also a more XMPP-centric reply to the talk. Happy reading.