
Problems we are having with:
* It is and will remain centralized (clear strategy of *not* federating servers)
* It requires strong identifiers/selectors (phone#) to use
* Author disallows distribution by anyone but Google, although free/libre
* It keeps pushing away verification of fingerprint in interface
* It relies on Google+Amazon infrastructure
* Its funding is shady (OTF = Radio Free Asia = USG)

= clearly unethical choices, unjustifiable by accessibility or technological reasons.

@jz

Hi Jérémie, Thank you for your work.
Is Wire better?

@vendreditreize @jz you should look into XMPP+OMEMO. It uses the same encryption basis as the signal protocol but is truly libre and decentralised.

@jz what do you mean by "It keeps pushing away verification of fingerprint in interface"?

There is a feature to verify a conversation hash/QR code when physically meeting the correspondent, so I suppose you are speaking of something else.

@turb The verify feature used to be within the conversation, starting with a healthy warning: "your conversation has not been verified yet, do it". Now it is not displayed, as if safety were assumed by default, and you have to go through *4 (four!)* clicks before you can find this feature now ("conversation settings, scroll down, etc."), where it is called "view safety blah", not even "verify...". If the UI were designed to discourage people from doing it, it would look exactly like this.

very bad practice.

@jz Share your concerns + also that they have effectively helped whitewash Google/Facebook by working with them to add encryption that's not on by default.

At the same time, only one of two solutions right now that are fully open source + cross platform (the other being Wire). (Also, an apk is available for download but is discouraged/not easy to find - they do push people to Google.)

We definitely need decentralised alternatives that publicly oppose surveillance capitalism.

@aral Actually the download link to the APK on their website doesn't even work until you enable JavaScript coming from... (guess who?) ... Google!

What a surprise... :/

Conversations is working well. OMEMO gives hope that some flaws of XMPP/OTR could be compensated for (offline messages, decent crypto...).

@jz @aral I've been thinking about widening my use of XMPP lately.

Last time I tried to use it as a daily driver for my friends' group communication (~6 years ago), the notification sync between computers and phones was regularly failing. I don't clearly remember why; I think it was coming from diverging implementations of an obscure XMPP extension.

Are notifications more reliable nowadays?

@Ninjatrappeur @jz @aral yes, the XMPP(+OMEMO) combo is proving stable. Including notifications. An OOTB install of ejabberd gives a good set of XEP implementations.

See conversations.im/compliance/ for a non exhaustive list of XMPP server and XEP compliances.

@aral @jz

I think things are slowly moving in a good direction. Certainly the situation today for secure chat looks a lot less hopeless than it did three or four years ago.

The lesson from XMPP is also that standardised server configurations are needed. This is where Matrix gets it right. There's so much diversity in the configuration of XMPP servers that this is often the cause of bad user experiences.

@aral @jz Have you tried Tox? I haven’t used it extensively, but it’s been very easy to setup and use.

@jz
Every time I question this app among my privacy aware friends, they say I don't make sense. I'm happy to see I'm not alone.

@jz Well, it's nice to see the rest of the internet catching up. For a while I seemed to be the only Signal complainer, and that's because not long after it was first released I wanted to try running it myself (including the server side) and then encountered the problems you've listed. There was also a hostile reaction towards LibreSignal.

On the upside, Signal probably is better than WhatsApp or Telegram.

My original complaints: https://freedombone.net/faq.html#sec-18

@bob

When it demanded an SMS-capable number ALSO registered to a mobile provider, I dropped Signal like a radioactive rock spewing infected blood.

@jz

@returntrip @jz

I haven't used it, but it looks like something to try out. I have a test installation of NextCloud I can try it with.

@returntrip @bob @jz

So far it's looking good. Doesn't depend on a single server, even as a default. End-to-end encryption. Server and client are open source. They have a good track record on security, at least since NextCloud has become a mature product. Other than having to enter a server URL as well as a user name and password, it's pretty friendly for non-techs to install and set up (excluding the server). The client is on F-Droid.

@bob @jz there is a downloadable apk for signal, but maybe you want to check out #DeltaChat delta.chat – should not have any of the problems you mentioned. 😉

@mray @jz

I've seen Delta Chat, although I haven't used it. My thoughts are that I'd prefer to keep GPG keys intended for email away from Android devices, and I expect the app will need to poll the mail server quite frequently, which might not be good for battery.

@bob @jz battery consumption is very moderate. You only need to use the same GPG keys on mobile/desktop if you want to read chat messages inside your regular mail client.

@mray @bob @jz Delta Chat seems creative but very silly... they make it sound like creating an account is this HUGE hurdle/problem. And like, I guess? But it doesn't stop most people. On one hand it's clever to use encryption (PGP?) over email as the IM transport, but that also seems very convoluted and complex? Which leads to problems.

If I want a secure chat, I’d just use like Tox or Ricochet that’s been designed from the bottom up to be secure.

@Thepunkgeek @jz @mray

Also PGP chat has no forward secrecy or ratchet, but this may still be an improvement over what many people are using currently.
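To make the forward-secrecy point above concrete, here is an added example written for this edit (not code posted by any participant, and not Delta Chat's, Signal's or OMEMO's implementation). It compares a PGP-style scheme, where every message is encrypted under one long-term key, with a symmetric HMAC ratchet that derives a fresh message key per message and discards it. The messages, the root secret, the HMAC labels and the XOR stream cipher are all constructed for the demo; the stream cipher is a stand-in for a real AEAD and must not be reused.

```python
import hashlib
import hmac

# Constructed sample transcript; not from any real conversation.
MESSAGES = [b"meet at the usual place", b"bring the printouts", b"call me when done"]
FUTURE = [b"sent after the device was compromised"]
# Constructed shared secret (demo only); in practice the output of a key agreement.
ROOT_KEY = hashlib.sha256(b"constructed shared secret, demo only").digest()


def kdf_step(chain_key: bytes) -> tuple[bytes, bytes]:
    """One symmetric ratchet step: chain key -> (next chain key, message key).

    Both outputs are HMAC-SHA256 of the chain key under distinct (assumed)
    labels, so holding the *next* chain key does not reveal this message key.
    """
    next_chain = hmac.new(chain_key, b"chain", hashlib.sha256).digest()
    message_key = hmac.new(chain_key, b"message", hashlib.sha256).digest()
    return next_chain, message_key


def toy_stream_cipher(key: bytes, data: bytes) -> bytes:
    """Toy XOR stream cipher keyed by SHA-256 in counter mode (encrypt == decrypt).

    Stands in for a real AEAD so the example runs offline; never use it for real data.
    """
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_static(key: bytes, messages: list[bytes]) -> list[bytes]:
    """PGP-style: every message under the same long-term key."""
    return [toy_stream_cipher(key, m) for m in messages]


def encrypt_ratchet(root_key: bytes, messages: list[bytes]) -> tuple[list[bytes], bytes]:
    """Ratchet-style: each message under a key derived by stepping the chain.

    Returns the ciphertexts and the chain key that remains on the device afterwards;
    each message key is discarded as soon as it has been used.
    """
    chain_key = root_key
    ciphertexts = []
    for m in messages:
        chain_key, message_key = kdf_step(chain_key)
        ciphertexts.append(toy_stream_cipher(message_key, m))
    return ciphertexts, chain_key


def decrypt_from_state(chain_key: bytes, ciphertexts: list[bytes]) -> list[bytes]:
    """What someone holding a chain key can do: step forward and decrypt."""
    out = []
    for c in ciphertexts:
        chain_key, message_key = kdf_step(chain_key)
        out.append(toy_stream_cipher(message_key, c))
    return out


def compromise_demo() -> dict[str, bool]:
    """Image the device after MESSAGES were sent; see what the attacker can read."""
    past_static = encrypt_static(ROOT_KEY, MESSAGES)
    past_ratchet, device_chain_key = encrypt_ratchet(ROOT_KEY, MESSAGES)

    # Static scheme: the stolen long-term key opens the whole history.
    static_past = [toy_stream_cipher(ROOT_KEY, c) for c in past_static]
    # Ratchet: only the current chain key is on the device; past message keys are gone.
    ratchet_past = decrypt_from_state(device_chain_key, past_ratchet)
    # A symmetric ratchet alone does not heal: future keys derive from the stolen state.
    future_cts, _ = encrypt_ratchet(device_chain_key, FUTURE)
    ratchet_future = decrypt_from_state(device_chain_key, future_cts)

    return {
        "static_past_readable": static_past == MESSAGES,
        "ratchet_past_readable": ratchet_past == MESSAGES,
        "ratchet_future_readable": ratchet_future == FUTURE,
    }


if __name__ == "__main__":
    for name, readable in compromise_demo().items():
        print(f"{name}: {readable}")
```

The third result is the practitioner's caveat: a symmetric (hash) ratchet gives forward secrecy but not post-compromise security, which is why the Signal protocol and OMEMO layer a Diffie-Hellman ratchet on top so that a stolen state stops being useful once the peers exchange fresh DH keys.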

@bob @jz @mray It’s totally an improvement, but like why create software that’s only slightly better than something else when there’s software already out there that’s doing way more way better?

I’m not trying to attack this project, I think the idea is cool, just seems like there’s better solutions already and energy would be better spent improving those?? But that a FLOSS community problem.

@Thepunkgeek @mray @jz

At present I don't think there's any chat panacea and that the best we have is XMPP with Conversations, if the server is set up *just right* so that everything works.

Briar might be another possibility, but presently I'd regard that as being for traditional activism where you meet in a pub or at a festival and can do face-to-face key verification.

@bob @Thepunkgeek @mray @jz +1 for XMPP with the server and clients supporting the latest recommended set of XEPs + OMEMO (instead of OTR), and in the future: better Jingle audio/video call support for mobile FLOSS.

@hinterwaeldler @adfeno @bob @Thepunkgeek @jz Ring eats your mobile data alive. Unfortunately. But I love how it is free, encrypted and serverless.

@mray @adfeno @bob @Thepunkgeek @jz Is this an inherent flaw or might battery consumption be fixed with a patch?

@hinterwaeldler @adfeno @bob @Thepunkgeek @jz it's part of the price you pay when nobody and everybody is the server.

@mray @adfeno @bob @Thepunkgeek @jz I'm still struggling to get the concept behind #ring. The calls/chats themselves are peer-to-peer, meaning I'm sending my message *directly* to the recipient, right? What does the necessary "server"/DHT part do?

@hinterwaeldler @mray @adfeno @bob @Thepunkgeek @jz DHT makes possible getting your message to its intended recipient without a server and without knowing your recipient's IP address beforehand, doesn't it?

@mray There is still a way to disable the local node and use another node to listen to the network for you (a DHT proxy).

@hinterwaeldler The DHT is like a distributed mailbox. You send the encrypted message onto the DHT network even when the peer is disconnected. Then the peer has some minutes to read the DHT. So you don't send the message directly to the recipient, but leave a message under a hash (like a mailbox). It's also used to initiate direct calls between you and your contact.
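The "distributed mailbox" description above, as an added simulation written for this edit (not Ring's or OpenDHT's code). The mailbox slot is the hash of the contact identifier, a value is replicated to the few nodes whose IDs are closest to that slot (Kademlia-style XOR distance is an assumption made for the demo, as are the replication factor, the TTL value and the node IDs), and entries expire after a TTL, which is the "some minutes" window in which the peer has to come online and read.

```python
import hashlib

K = 2              # replication factor: how many closest nodes hold a copy (assumed)
TTL_SECONDS = 600  # mailbox lifetime, the "some minutes" in the post (assumed value)


def dht_key(contact_id: str) -> int:
    """Mailbox slot: the hash of the contact identifier, interpreted as a 256-bit ID."""
    return int.from_bytes(hashlib.sha256(contact_id.encode()).digest(), "big")


class Node:
    """One DHT participant: stores (expiry, value) pairs per slot and prunes expired ones."""

    def __init__(self, node_id: int):
        self.node_id = node_id
        self.store: dict[int, list[tuple[int, bytes]]] = {}

    def put(self, key: int, value: bytes, expires_at: int) -> None:
        self.store.setdefault(key, []).append((expires_at, value))

    def get(self, key: int, now: int) -> list[bytes]:
        live = [(exp, v) for (exp, v) in self.store.get(key, []) if exp > now]
        self.store[key] = live  # expired entries are dropped, like a real TTL store
        return [v for _, v in live]


class Dht:
    """The network as a whole; routing is simplified to 'pick the K closest node IDs'."""

    def __init__(self, nodes: list[Node]):
        self.nodes = nodes

    def closest(self, key: int) -> list[Node]:
        return sorted(self.nodes, key=lambda n: n.node_id ^ key)[:K]

    def put(self, contact_id: str, ciphertext: bytes, now: int, ttl: int = TTL_SECONDS) -> int:
        """Drop an already-encrypted message into the contact's mailbox slot."""
        key = dht_key(contact_id)
        for node in self.closest(key):
            node.put(key, ciphertext, now + ttl)
        return key

    def get(self, contact_id: str, now: int) -> list[bytes]:
        """Read the mailbox slot; the same copy may come back from several nodes."""
        key = dht_key(contact_id)
        seen: list[bytes] = []
        for node in self.closest(key):
            for value in node.get(key, now):
                if value not in seen:
                    seen.append(value)
        return seen


def mailbox_demo() -> tuple[list[bytes], list[bytes]]:
    """Sender leaves two messages while the peer is offline; peer reads early vs. too late."""
    nodes = [Node(dht_key(f"constructed-node-{i}")) for i in range(5)]
    dht = Dht(nodes)
    t0 = 1_000_000  # constructed clock, seconds
    # Payloads are opaque here: they must already be encrypted to the peer, since
    # any node (or anyone who can compute the slot hash) can read the stored value.
    dht.put("bob@example-ring-id", b"<ciphertext 1>", now=t0)
    dht.put("bob@example-ring-id", b"<ciphertext 2>", now=t0 + 30)
    within_ttl = dht.get("bob@example-ring-id", now=t0 + 120)
    after_ttl = dht.get("bob@example-ring-id", now=t0 + TTL_SECONDS + 60)
    return within_ttl, after_ttl


if __name__ == "__main__":
    early, late = mailbox_demo()
    print("read within TTL:", early)
    print("read after TTL:", late)
```

Two things the simulation makes visible that the prose only implies: the mailbox is world-readable by design, so end-to-end encryption of the payload is what protects content, not the DHT; and the TTL is a real delivery deadline, so a peer that stays offline longer than that window silently loses the message. The proxy mode mentioned in the thread changes who polls the slot, not these properties.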

@mray @hinterwaeldler @adfeno @bob @Thepunkgeek @jz

In one month, Ring.cx ate 28GB of data. That was when I uninstalled it, real battery flattener!

@hinterwaeldler @mastodan Well, 28GB is insane and is not the result of a normal app behaviour IMO.

Otherwise, poorer data/battery performance is the cost of a fully distributed network on mobile devices... but as said, we're working on the DHT proxy, which is some kind of tradeoff between a distributed network and battery/data footprint. It's still a bit experimental but you can already try it; it's kind of hidden in the settings :-)

@hle @hinterwaeldler To be frank, I couldn't care less about the data usage; mobile data is not something that costs me additional money. My primary concern is battery life. Question for you: why not have volunteers run relay DHT nodes?

@mastodan
I use Ring on Android every day (and like it a lot). Last month: 371 MB.
28GB is not normal at all. Even on an old buggy version.

@Jo @jz
Indeed, and with hidden dependencies which brick the program if you don't keep up with them.

@Jo @jz
I'm not being condescending, just pointing out what people I personally know have already built.

If you want alternative desktop clients written in your own language or integrating with your favorite messaging client, it isn't some impossible feat to build. Finn and a few other Seattleites have been working on bots and integrations like WeeChat; I'd encourage you to poke around. Signald is pretty user friendly, by the way!

@jz
So what reliable and accessible alternatives do you consider ethical?

@jz

That's not even an application.

Seriously, I'm not objecting to the post, but please accompany it with valid alternatives.

@webmind @jz Sure, if you want some app suggestions: ejabberd for a server and Conversations for an Android client. If you don't want to self-host, you can sign up on conversations.im.

@jz You can run your own Signal server. Stop it.

@flash @jz Really? Last I checked Signal did not support federation?

@jz

The better options all require advanced skills to use. Non-technical users deserve privacy too.

* Non-federation means users not giving up at server selector dialog and no one-off hostile servers.

* Phone numbers are mediocre IDs but hard for users to screw up.

* Google prevents third parties (e.g. abusive ex, corrupt local sheriff) from tampering with the APK.

* Funding is funding; the USG funds lots of stuff, some of it good.

Signal is imperfect but the perfect is the enemy of the good.

@suetanvil @jz My conclusions exactly. Where I can, I push people to use XMPP+OMEMO. Where the audience is non-technical, like family, I use Signal. It's a good stepping stone for privacy awareness.

@suetanvil I wish we would stop attempting to justify the ethically/morally unacceptable by "usability". This notion considers that "users" (not people, eh!) are all idiots, incapable of doing what the person mentioning it is capable of.

It is by infantilizing people that they end up being subjugated, under control.

My own field experience of security is that when you make people understand (activists, journalists doing real journalism, sources, etc.), they are capable of making efforts (Tails, GPG, etc.).

@jz

Have you succeeded in training anyone without a secondary-school degree in the use of GPG? Because withholding quality education from the poor is one of the tactics in wide use against the US poor.

@suetanvil @jz Some of the grubby, uneducated poors have figured GPG out on our ownsie without being trained. Amazing, I know! Some of us would like a little less condescension in tech dev, more power settings and enhancement of agency, rather than appeals to an infantilized state. Thanks for your concern, though...

@jz
Would you get my mother to use something harder than signal?

I tried to make her use it but she said some of her contacts did not receive messages.

I mean, she did not really care about privacy or encrypting messages. So she went back to her standard app after switching phones.

Standard users will not make the effort to understand something more difficult than what Google teaches them.
@suetanvil

La Quadrature du Net - Mastodon - Federated Media

Welcome to the federated media of La Quadrature du Net, an association defending civil liberties. Registration is open and free.
Any account created here can a priori talk with all other Mastodon instances in the federation, and will be visible on the other instances.
We will maintain this instance over the long term.