Signal is Flawed, Why XMPP is Amazing! (new animated video)

Some will curse me out for discussing decentralization and freedom. I am NOT saying the average person should be concerned with CIA spying. What I’m saying is that one should promote decentralized internet infrastructures that empower the individual over corrupt institutions, even though this threat model likely does not apply to you. XMPP is just as easy to use as Signal.

If you use Signal messenger, you have to trust the Signal foundation, which uses Amazon’s AWS for the cloud. So you’re trusting CIA military contractors. I am NOT saying that Signal is a CIA tool. What I’m saying is that you are trusting and obeying a centralized authority, as opposed to being able to run code on your own server. And this contributes to the centralization of the internet and a loss of freedom.

Signal supposedly hides metadata or who talks to whom, with a system called “sealed sender”, where it puts who sent it inside the encrypted packet. However, in a paper published by NDSS, headed by Ian Martiny, these university researchers found that Signal’s “read receipts”, which let the sender know that the receiver got the message, can be used as an attack vector to analyze traffic because they send data packets right back to the sender. In as few as 5 messages, their team identified both participants in a conversation with a replicated version of Signal’s client.

The US Military funded Signal and Briar’s development, but yet they use XMPP. XMPP is often neglected even though it’s the most secure, private, fast, and reliable framework for end-to-end encrypted messengers.

In this animated video, it discusses how XMPP works, and why it’s the best: video.simplifiedprivacy.com/xmpp/

Some will curse me out for posting this as they prefer the commercially backed project Matrix, but the Element Matrix client is objectively slower, and it’s harder and more expensive to set up your own server. We should discuss concepts and ideas without attacking me as a person. If you disagree, state what facts you’re disputing.

    SummerBreeze,

    I agree that I applaud the move from SMS text to Signal. I am NOT saying the average person should be concerned with CIA spying. What I’m saying is that one should promote decentralized internet infrastructures that empower the individual over corrupt institutions, even though this threat model likely does not apply to you. XMPP is just as easy to use as Signal.

    If you use Signal messenger, you have to trust the Signal foundation, which uses Amazon’s AWS for the cloud. So you’re trusting CIA military contractors. I am NOT saying that Signal is a CIA tool. What I’m saying is that you are trusting and obeying a centralized authority, as opposed to being able to run code on your own server. And this contributes to the centralization of the internet and a loss of freedom.

    gamma,
    @gamma@programming.dev avatar

    It requires a phone number to log in. That already kills any hope for anonymity. I use it to message family and close friends, of which the fact that I’m messaging them is not surprising.

    ninchuka,

    Where did Signal ever advertise it’s to be used anonymously?

    DeltaTangoLima,
    @DeltaTangoLima@reddrefuge.com avatar

    I think the commenter you’re replying to is supporting the point made further up. People aren’t using Signal for anonymity, because that’s not its advertised purpose. As we all (except the author of this article) know, its purpose is privacy.

    jack, (edited )

    Lol, privacy is definitely not what you’re getting with Signal. They know your entire connection graph, who you talk to, when and how much. They collect all of the phone numbers.

    EDIT: It seems like people here don’t understand what privacy is. If I know when exactly you take a big shit on the toilet and where you do it, every single time, but I don’t know what it looks like when you are doing it, would that be a privacy concern for you?

    DeltaTangoLima, (edited )
    @DeltaTangoLima@reddrefuge.com avatar

    Privacy and anonymity are different things.

    The post office knows who I am, my address, and who sends mail to me. They even know who I send mail to, if I write my return sender details on the envelope. I am not anonymous.

    But, if the person we use ciphers to encrypt our letters, and only the two of us can decrypt and read them, our communications can indeed be considered private.

    There’s a fundamental difference.

    Edit: to answer your crude (but funny) example, I have no expectation of anonymity when I walk into my toilet at home or the toilets at work. The very fact that I, as a man, walk into a stall rather than stand at the urinal, gives any of my colleagues washing their hands at the basin the reasonable confidence of knowing I am taking a shit.

    The size of the shit, the faces I make, and the nature of the resulting product, however, are not known to anyone else except me. That’s the difference.

    jack,

    Okay, I get where you’re coming from. Signal is private enough for you, while I would feel more private if there is also no metadata about me.

    For the toilet example, it’s more like that a foreign, unrelated person (like the Signal Foundation and by extension the government with a national security letter) knows about your shit-taking, not just family at home or colleagues who happen to be there. This would be a concern for me.

    DeltaTangoLima,
    @DeltaTangoLima@reddrefuge.com avatar

    Yeah, I get it, but there’s just no way at all to ensure 100% total anonymity like you’re talking about, while also using a 3rd party carriage service of some sort (eg. mobile network; internet, etc).

    We should go back to carrier pigeons with encrypted notes. That way, the sender and recipient “metadata” is only known to themselves (and the pigeons).

    jack,

    That’s why I’m using SimpleX Chat, there is no network-wide identity so no data can be collected. It’s a very clever architecture, actually exactly the carrier pigeon scenario you describe, but in digital form. simplex.chat/-simplex-works I’ve found my solution.

    DeltaTangoLima,
    @DeltaTangoLima@reddrefuge.com avatar

    Reading the SimpleX overview, it seems the only way the carrier pigeon analogy is truly satisfied is with a private server, correct?

    jack,

    Not necessarily. You can use any server/pigeon to send your message while your contact uses a different server to send. Also you can at any time change which servers you use and it is planned that the servers get rotated automatically in the future. There is no point in time where one pigeon is responsible for multiple connections, you are using a bunch of pigeons and swap them out all the time.

    vlad76,
    @vlad76@lemmy.sdf.org avatar

    Signal uses computers. You know who else uses computers?? CIA!

    SummerBreeze,

    Would you agree that Signal does sealed sender to protect metadata? If there were flaws in this system, then should we not discuss it?

    vlad76,
    @vlad76@lemmy.sdf.org avatar

    Sure, but everything is flawed. So we need to find the best solution that is least flawed. Signal is the best alternative to messaging apps that has the features most people want and most importantly people actually use it. It’s at a good intersection of useful and secure. If the article headline was “Evaluating security of Signal” it would be fine. But it’s basically “SIGNAL IS FLAWED! USE SOMETHING ELSE!”. That’s like when someone switches from Chrome to Firefox, which is objectively a better choice, and then they get told “Don’t use Firefox is BAD” and point them to Brave, and when Brave has a flaw they tell people to migrate again. So you get a minority of people using the bleeding edge apps that no sane person would want to spend the time to set up, and the majority just goes back to whatever is the easiest option, which would be Chrome, or in our example probably WhatsApp. It’s important to address concerns, but also to do it in a manner that is careful to not start a panic where one doesn’t need to exist.

    Kyoyeou,

    I heard those computers use electricity, damn

    Ildar,
    @Ildar@lemmy.world avatar

    And even FSB

    NegativeLookBehind,
    NegativeLookBehind avatar

    FaSeBook

    vlad76,
    @vlad76@lemmy.sdf.org avatar

    It was there in front of us the whole time!

    nitefox,

    Friedrick Stein Braun, who is a _C_ERN agent who wants to get the microwave Time Machine. Checkmate, Stalin!

    hansl,

    Everybody knows you use a toaster, not a microwave, for Time Travel.

    Noreia,
    @Noreia@lemmy.one avatar

    correction: he wants the Phone Microwave (Name Subject to Change)

    Pat,

    You're telling me governments use computers? That's insane, I don't believe it. Next you'll be telling me they're on the internet too.

    Neon,

    Don’t worry. Most branches still prefer the Fax to the Computer.

    FARTYSHARTBLAST,
    FARTYSHARTBLAST avatar

    There is no Internet.

    jack,

    I don’t like the idea of providers at all. I use SimpleX Chat, there are no identities or registration with a server. Thanks to clever design. Check out this comparison: github.com/simplex-chat/…/SIMPLEX.md#comparison-w…

    ninchuka,

    They don’t implement the same encryption as Signal. OMEMO uses the double ratchet system that Signal uses, that’s it.

    Asudox,
    @Asudox@lemmy.world avatar

    You can also self host or use others’ self hosted Signal instances as well.

    pranqster,

    Could not have said this better.

    MashBoilPitch,

    But Signal is bad, an op-ed by one of Lemmy’s founders: dessalines.github.io/essays/why_not_signal.html#c…

    I certainly agree there is cause for caution, as one should always exercise where trust is placed in such matters. But there are leaps of bad logic in that writeup, and the dog pile of FUD swirling around Signal feels nearly orchestrated.

    SuddenlyBlowGreen,

    Yeah, calling Signal’s founder’s politics confused and idiotic because he referred to China and Russia as authoritarian regimes doesn’t really make me trust this person and his biases.

    SuddenlyBlowGreen,

    I somehow got the feeling he would be :-D

    SummerBreeze,

    That link you provided (which by the way is hosted on microsoft github in violation of his own principles) is very good! And repeats a lot of the same information from the simplified privacy site: simplifiedprivacy.com/signal-messenger-guide-to-a…

    I am NOT saying the average person should be concerned with CIA spying. What I’m saying is that one should promote decentralized internet infrastructures that empower the individual over corrupt institutions, even though this threat model likely does not apply to you. XMPP is just as easy to use as Signal.

    If you use Signal messenger, you have to trust the Signal foundation, which uses Amazon’s AWS for the cloud. So you’re trusting CIA military contractors. I am NOT saying that Signal is a CIA tool. What I’m saying is that you are trusting and obeying a centralized authority, as opposed to being able to run code on your own server. And this contributes to the centralization of the internet and a loss of freedom.

    jack,

    You seem open minded, have you checked out SimpleX Chat yet? There you have no identity at all, so you don’t even have to register an account at some server. This gives much more autonomy and also has some privacy/security benefits. Check out this comparison: github.com/simplex-chat/…/SIMPLEX.md#comparison-w…

    jack,

    Security is not enough.

    furrowsofar,

    Question. Did XMPP ever solve the firewall traversal problem? What I found back when I used XMPP was that I simply could not use it on a lot of networks because the server port would be blocked. 443 would often work but not all XMPP servers support 443. Not sure but maybe NAT traversal was sometimes an issue too.

    Thanks for the post. Kind of blast from the past. Mostly XMPP has died and blown away in my neck of the woods but some people still use it. I think the fsf does, and maybe duckduckgo has a server. All for it coming back though, but good luck with that. I’ll keep it in mind though in the event I have an application. Thanks.

    SummerBreeze,

    If you just use a VPN, doesn’t that solve it? Or you’re talking about hosting the server in your home?

    PublicLewdness,
    @PublicLewdness@burggit.moe avatar

    Signal requires a phone number which is a non starter for me. I refuse to bend to that. I’ll stick with Session; XMPP; Matrix; etc.

    twistypencil,

    I heard that people at the CIA breathe air, and I bet you breathe air, so you are compromised by CIA air particles. XMPP is better because it’s XML and that can operate in a vacuum.

    MajesticFlame,

    This post is the personification of why downvotes should be enabled.

    SummerBreeze,

    Which statements are you disputing as untrue?

    MajesticFlame,

    XMPP is often neglected even though it’s the most secure, private, fast, and reliable framework for end-to-end encrypted messengers.

    This. I studied on how e2ee works in XMPP when I was trying it a few years back. It is absolutely atrocious. I have seen half-assed school projects with better security than most XMPP clients. Largely caused by encryption being bolted on through extensions of the standard as an afterthought and going through several revisions. It’s usually not even enabled by default.

    Now you may find a good client implementation, I think Conversations for Android seemed decent, but with everyone using a different client and no way to ensure the other side uses a secure one, there is little point.

    Numberone,

    For me using Signal wasn’t about becoming Jason Bourne, it was about changing the threat model. I don’t have any delusions of grandeur that I can’t be owned if I’m targeted, but you know what? My calls and texts aren’t stored with my phone company with a direct link to the Government and advertisers. That may be low hanging fruit, but that’s dealing with most of the issues the average user is going to run into. I’d suggest that the step from SMS to Signal is of greater benefit to a normal user than from Signal to something more advanced. And, fwiw it’s open sourced and audited, which gives me more confidence than something like iMessage or WhatsApp, despite similarities in encryption schemes.

    SummerBreeze,

    I agree with you that Signal is far better than WhatsApp and SMS. I applaud your adoption of freedom and thank you for your time. I am looking to educate people on open source decentralized alternatives that exist for philosophical purpose

    Numberone,

    Oh I see. Yeah that’s cool. I’ve seen several posts around the fediverse that take a real tsk tsk signal user kind of tone, so I responded to yours kind of defensively. As a person with middle of the road tech knowledge I’m also curious if how I think about it stands up to scrutiny (because people will tell me!). Didn’t mean to distract from the intent. Thanks for posting this in any case.

    theKalash,

    Based on XML

    Be gone, demon.

    Also, Signal is literally endorsed by Edward Snowden … But sure, it’s CIA software.

    Neon,

    Edward Snowden the ex-CIA employee?

    Checkmate, liberals

    SummerBreeze,

    We need to separate the code from the people running the service. Which is not possible with signal.

    I am NOT saying the average person should be concerned with CIA spying. What I’m saying is that one should promote decentralized internet infrastructures that empower the individual over corrupt institutions, even though this threat model likely does not apply to you. XMPP is just as easy to use as Signal.

    If you use Signal messenger, you have to trust the Signal foundation, which uses Amazon’s AWS for the cloud. So you’re trusting CIA military contractors. I am NOT saying that Signal is a CIA tool. What I’m saying is that you are trusting and obeying a centralized authority, as opposed to being able to run code on your own server. And this contributes to the centralization of the internet and a loss of freedom.

    theKalash,

    you use Signal messenger, you have to trust the Signal foundation, which uses Amazon’s AWS for the cloud

    Ok. I trust the Signal foundation. What cloud service it’s running on is only relevant when it comes to stability and AWS is very stable.

    So you’re trusting CIA military contractors.

    I have no idea what you’re even talking about.

    jack,

    You trust Signal? Are you by chance retarded? I bet you trust Apple as well, they advertise that they are private, right?

    zeekzag,

    I’ll stick with signal. Thanks…

    Asudox, (edited )
    @Asudox@lemmy.world avatar

    It does not matter if they are using AWS, the data is already encrypted by the user’s device by the time it arrives at their servers. They are already a non profit organization, they can’t afford dedicated bare metal servers in their workplace.

    jack,

    Signal knows your entire connection graph. Who you talk to, at what time and how much. Storing all of the phone numbers/identities on their server. I use SimpleX Chat where you have no identity that can be recorded. It is also easy to use, though it’s relatively new and in active production

    Asudox,
    @Asudox@lemmy.world avatar

    As everyone else said, Signal is NOT supposed to be an anonymous messaging service, but a private one. Anyone knows that the moment a service asks for their personal phone number, they can’t be anonymous. For the average Joe, Signal is the superior choice over WhatsApp, at least.

    jack, (edited )

    I think you don’t understand what “privacy” means. Being anonymous is the highest achievable level of privacy. There are levels before that, and Signal is at the bottom of the spectrum (WhatsApp is not even on the spectrum)

    => Signal is doing a bad job if its goal is “privacy”

    Asudox,
    @Asudox@lemmy.world avatar

    Anonymity isn’t privacy, and privacy isn’t anonymity. I don’t know what you’re talking about.

    jack,

    Do you define privacy as “message content is hidden, everything else is irrelevant”?

    Asudox,
    @Asudox@lemmy.world avatar

    Of course not, but it is a known fact that anonymity isn’t privacy.

    jack, (edited )

    Who says privacy equals anonymity?? No one here.

    Signal does nothing more than hiding message content, which by your own words is “of course not” privacy. Signal could be a lot more private, but it is not and it doesn’t want to be. I’m done talking to you, I can’t get much clearer than that…

    Asudox,
    @Asudox@lemmy.world avatar

    Being anonymous is the highest achievable level of privacy.

    You. Literally contradicting.

    smollittlefrog,

    Signal could be more private indeed. But:

    Being anonymous is the highest achievable level of privacy.

    is obviously a misguided statement.

    jack,

    Anonymity guarantees that many aspects (all?) of privacy can’t be violated. When e.g. Signal doesn’t know who you are (anonymous), metadata about you doesn’t violate your privacy either. What else do you need?

    smollittlefrog,

    My comments on lemmy are completely anonymous. Would you claim they are private?

    jack,

    Considering that anything you post here should be public, the only real privacy concern is your identity. So yes, Lemmy respects your privacy because you are anonymous.

    SummerBreeze,

    I disagree. There are a variety of ways your data can be leaked. For example, the person you’re talking to can be using a Google stock phone or Microsoft windows which may collect data. If this was a random XMPP name, this would provide more protection than your real phone number. Furthermore, there are academic studies proving the metadata can be gotten. Please see this for more information: simplifiedprivacy.com/signal-messenger-guide-to-a…

    Asudox, (edited )
    @Asudox@lemmy.world avatar

    If this was a random XMPP name, this would provide more protection than your real phone number.

    Again, Signal is not supposed to be an anonymous messaging service. It is supposed to be a private one. You’re literally comparing a messaging protocol designed to be anonymous to a non-anonymous one. Sure, it would be great if XMPP was used overall, but unfortunately it isn’t. At least Signal developed a protocol that is starting to be pretty popular and is E2EE. You can use XMPP, but your average privacy user will use Signal over WhatsApp. Your argument literally is just about how XMPP is more anonymous than a protocol not even designed to be anonymous in the first place. Plus why care how the CIA or whatever knows who you’re talking to when they don’t know what you’re talking about? That would be a concern if you and/or the one you’re talking to were some criminal or something, but not for the average person. So if you’re some criminal, if you have even a little bit of common sense, you wouldn’t be using Signal in the first place. There’s other more secure and anonymous means of doing so. Whether it be over some protocol like XMPP, Matrix or SignalX’s protocol or something. Are you some paranoid person or a criminal? Because the CIA or the FBI wouldn’t give a fuck about why I am talking to person Y 24/7 as long as their phone numbers are not in the suspicious persons list and the messages are encrypted so that even if I were doing some stuff that would anger the government, they wouldn’t ever know it.

    It is already a pain in the ass to get someone to join Signal over from other apps like Instagram, FB messenger, WhatsApp etc. By introducing decentralized systems, you’re causing even more “confusion”. They most likely don’t even understand what decentralization is and just back off because it “sounds” so complicated and scary to them. Plus even if they did switch to XMPP or at least started using it, would their friends switch too? Without someone to message, why keep using the messaging service? They’ll switch back right to their original messaging service they used to use before you encouraged them into switching over to XMPP. And now you even seem like someone they wouldn’t ask for advice from, because you once did give them advice and it was not useful.

    If you are also so against phone numbers, you might like that Signal will introduce usernames soon. The ones you give your Signal username to will never ever know your real phone number (as long as you turn phone number privacy on in the settings [coming soon after the usernames]). Not a replacement for real anonymous messaging services, but at least somewhat similar concept.

    meiko60,
    @meiko60@lemmy.sdf.org avatar

    for noobs or someone without strong IT skills like elderly. Signal is still the best imo

    privacyfalcon9899,

    This can just be a bad joke. XMPP is not even considered by PG as an alternative. Besides, as long as you encrypt the data it does not matter on AWS or somewhere else.

    jonno,

    If privacyguides is your only source of truth, you’re in for a surprise at some point in time. As with any one-source-truth.

    MajesticFlame,

    Sure, but there are good reasons not to use XMPP if you need security.

    thecam,
    @thecam@lemmy.world avatar

    XMPP is more lightweight but way more clunky. I think Matrix is better since all the features are built in and is having more development, more users and more clients on multiple operating systems.

    kate, (edited )

    It sounds like all your criticisms of matrix are around the element client?

    gonzoknowsdotcom1,

    Briar desktop/mobile isn’t a bad option

    geosoco,

    When I see the monero.town domain, I know it's gonna be garbage.

    Genghis,

    lmao please give us another chance

    isVeryLoud,

    no lol
