One interesting aspect of this is that Signal gets to do this, because they have immense goodwill with the cryptographic research and engineering communities; though it's no guarantee of soundness, they have the advantage of having the feature designed, implemented, and ultimately reviewed by cryptography engineers that aren't generally/economically available to other messaging projects.
This is either a reason you love Signal (raises hand) or can't stand Signal. My take is, if you're in the latter group, that's fine; I use Slack, too.
Today, on iOS, you can't move your Signal history to a new device, and on Android you can only do so by manually making an encrypted backup file and writing down a 30-digit passcode, completely separate from the normal Android process of moving to a new device.
People keep long histories of messages, going back a decade, containing pictures and memories that aren't stored anywhere else. Message history is valuable data.
This doesn't seem like a "new cryptographic research" problem, this seems like a "well-established crypto (encrypted files) plus integration with standard device backup/migration" problem.
I really like Signal, I think they're doing things very well, and I wish I could use it without being constantly at risk of data loss. And this doesn't seem like an uncommon request, from what I've found.
Is there something I'm missing that makes this a hard problem? Or is it just a problem that nobody has prioritized?
The Signal devs don't discuss their roadmap, as is their prerogative. The result is of course that no one knows if such features are even planned, let alone worked on. Half a decade (?) of sad and frustrated forum posts and GitHub issues attest to that. I scan through them from time to time to see if there's any word.
But! There was actually a tweet from Moxie just a few weeks ago in a thread started by Matthew Green, I think, hinting that they might be working on it. It did make me a little happier. But yes, five years is a long time to wait for this feature, and we don't know for sure if or when it's coming. Me, amidst all the frustration I am very happy for the software they are giving me almost for free (I've donated a little bit).
By the way, Josh, props to you for your patience and professionalism in the debian-devel thread about librsvg the other day.
The other sticking point is the phone number requirement. A (female) friend shared her “Signal” contact info with a professional acquaintance who doesn’t understand boundaries. After ignoring him on Signal, that led to unwanted SMS messages and even phone calls. For such a privacy-focused app, I don’t know why they are not more interested in protecting phone numbers.
I turned on the timer (1 week) for all of my conversations.
Nothing stays more than a week and I do not keep any backup.
It's not for security or privacy reasons. I feel like I don't need a full history of all my conversations with everyone from the beginning of time.
This fits more to the real life model of having a conversation with someone. I don't record my conversations with people so why do I need to do it in chat apps?
My WhatsApp is the same. Don't need all the massive amount of chat history...
I'm also reluctant to release it publicly because I'm worried about the support burden, because, while I've made the experience as easy as possible, it's still not a great experience considering how Signal works. I expect to see a lot of angry users who don't realize (despite documentation) that they need to download the backup to their new phone before running the Signal app for the first time. And then I expect people who lose their backup encryption key to blame me that their backups are unrecoverable.
I guess at the very least I could open source it at some point, but the setup is a pain since you need to create a Google Cloud project authorized to use the GDrive APIs.
Signal really needs this built-in. It puzzles me that it hasn't happened yet, since I built this little app in under ten hours (and I hadn't touched Android development in a good 7 years and had no experience with the GDrive APIs).
I would love that. But even with WhatsApp it never worked for me.
Last three device switches:
Windows Phone to Android: Not supported.
Android to Android: something went wrong.
Android to iPhone: Not supported.
Yes. Pretty much the entire security model of Signal underpinned by this UX compromise. The way signal works at the moment, you sign up for an account with your phone number, your device generates a secret, and that secret is used to secure all your communication. You can pass that secret around devices (as long as you have a device that has it - or just the original phone, I can’t remember). You are also responsible for making sure the people you talk to are really who they say they are. When you first add a contact, it’s up to you to make sure they’re not an imposter, and if they have to reset their account their secret changes, and you have to verify who they are again. If somebody takes over their phone number on a new device, they have to generate a new secret, and while they may succeed in impersonating the person (depending on how vigilant their contacts are), they at least won’t get access to the message history.
To allow for recovery of message history, you have to escrow the secret somewhere. If you give it to the service provider, then the security model is thrown out the window, and you just invented FB Messenger. If you give it to the user to escrow, then you’ve just kicked the can down the road, because a consumer is just as likely to lose a secret as they are their device, and the ways they may choose to store it will make the whole system less secure for essentially no UX gain.
This is an unavoidable trade off. If you want the service provider to be able to recover your account, then they (or at least somebody in addition to you) has to have access to your secret. If you want your messages to be private, then you can’t allow for a 3rd party to be able to recover your account.
If there are photos that should be kept then there are other ways to back them up. Is there valuable context in the conversation that was had around the delivery of the photo?
Are messages backed up and restorable for other messaging systems, and have you ever needed to go through a restore process to look back through a conversation?
If it's for the purposes of software project development team discussion and history needs to be kept for legal reasons then I think Signal is intentionally not aiming at that demographic.
I get that there are special moments in life but, for me, the textual conversations around them are very secondary to the moments themselves. But then, in discussions I've had with other people, my opinion seems to be the exception.
Eh? Why either or? (and why are there people who can't stand it?)
Signal forces users to use phone numbers; some people don't like this because they want to use multiple ephemeral usernames so they can be 'Joe' to friends, 'kleptoclown' to their GitHub group, 'dungeonmaster42' to their D&D group, 'joesolutioner' to anyone who browses their personal website or business card, etc. That way they are not having to give out their phone number to strangers, which represents SIM-jacking and spam risks.
If you create a signal group and invite folks to it, you cannot remove members from the group (this is being worked on now) without them clicking the 'leave' button or creating an entire new group sans whoever needs to go, which causes loss of group history.
Signal cannot have multiple mobile clients, only one mobile client and a single desktop version. WhatsApp, Riot, etc. all support clients in as many spots as you can log in from.
Again -> these are focused nitpicks, but in most cases Signal is much better for upholding the promise of 'you send someone a message and you have a reasonable sense that ONLY THEY will be able to read it' compared to the likes of Line/WhatsApp/FB messenger etc.
It's OK in my books: a symptom of there being no server to step in and enforce a universal truth. You just have to understand what you're getting in exchange for the occasional inconveniences.
But the sometimes uncritical love people have for it doesn't help when it has issues.
The main categories of people I've encountered who aren't absolute Signal fans are:
* People who don't want to give out their phone number to random men.
* People who weren't impressed by Signal's security issues coming up at the same time that it was being pushed as the replacement for GPG.
I don't get why users can't be addressed by both phone numbers and a "signal id", if you opt-in to use a phone number for addressing, your phone will be verified and signal will resolve it to your signal id. If you opt out people will need your signal id to address you and you can't use it for SMS. What are the challenges with that?
If I have a signal private group system, signal can find out a ton about me and my associations with others using only that information. Many other messaging platforms do not need this very sensitive information from me to function. And it does not support a desktop-only app even if you give them a phone number and verify you control that number.
I am always reminded of General Hayden (former NSA chief) saying how they love PGP at the NSA because they can sniff metadata and know who talks to whom; it lets them easily find who has something to hide so they can target them. Not that I have the NSA in my threat model, but I am very sensitive to unnecessary metadata being generated.
https://telegram.org/faq#q-if-someone-finds-me-by-username-m...
The problem is not which messaging app I want to use, it's which messaging app my friends are using.
That said, if I had to choose, I think Matrix has a slight edge in my books because it's a protocol rather than a silo. Even though Signal is private and open source, they are hostile towards people running their own Signal builds on company servers, and unwilling to federate with other servers.
Essentially, you run the official Signal app on the official Signal servers, or GTFO.
Anyway I wish both projects the best of luck.
p.s. support for ephemeral msgs was released on the server in RC yesterday.
Another aspect is that Matrix, if you’re technical enough, lets you set up a custom server for your secret group, which is somewhat less vulnerable to centralized metadata interception (though there are holes, like centralized mobile notification relays). Admittedly, this is mostly out of scope for Signal, which focuses on security for non-technical users.
Finally, to state the obvious, for many use cases, pseudonymity is safety. Along the lines of the “$5 wrench” XKCD, in practice the single most likely way for your secure messages to be disclosed is not through some clever protocol hack, but by their being pulled at rest from some conversation participant’s device – often with their active cooperation. Similarly, Signal’s deniability feature is cool, intentionally allowing users to forge cryptographically valid messages supposedly sent to them by others. But in practice, messages are typically leaked via screenshots, with no attempt made to detect forgery in the first place.
In such an environment, the most effective defense overall is probably self-destructing messages, which Matrix... apparently doesn’t support, but will soon. (Yikes – like I said, I don’t use it.) But in cases where the people you’re talking to don’t need to know your real identity, pseudonymity is a close second. Its weakness is that people are bad at separating identities and maintaining opsec, but it’s still better than nothing. It’s strongest in cases where you’re part of a large group (say, of protesters): this greatly increases the chance that the adversary will be able to read your messages (with a mole in the group), but also means that they probably don’t care about you personally and would prefer to go after low-hanging fruit. Or even if everyone is equally protected, it increases the amount of time they have to spend going after each person, reducing the number of people they can find.
Anyway, I don’t want to be too negative. The world is certainly better off for Signal’s existence. Maybe Signal will add non-phone-number account support someday, solving two of the issues I mentioned in one blow. Maybe it won’t, but it’ll still be useful to many people, and its continuing cryptographic research will strengthen other messengers, including ones that target use cases Signal does not.
Still, I feel like there’s some dissonance. From a cryptographer’s perspective, Signal is head and shoulders above the pack; they really know what they’re doing, to an extent that practically nobody else does. But in other areas, Signal is just okay. Not bad, often better than average, but rarely outstanding. And that includes areas that impact security, like key transfer and the other things I mentioned.
At the moment I share it with Google so I can share it with friends or family, which sucks.
I have been part of a group organizing protests in Beirut and I was surprised there was no clear go-to app that provided the security features we need.
We started off with WhatsApp because that's what everyone used before security became a concern. We then moved to Signal mostly to get auto-deleting messages. We then ran away to Telegram because there was no way to kick a compromised phone out of a Signal group.
We considered using Wire, which seemed to have what we needed, but the interface was a bit clunky and it did not run well on all the phones of the group... We are currently evaluating and considering Keybase.io, which seems to have all the features too, but not sure how it will handle about a hundred people in the group...
If anyone has ideas about which apps are recommended for that (or has additional useful things) please help, the main things we need are:
- Encryption E2E is nice to have but not a deal breaker.
- Possibility to kick a user from the group: deal breaker (a thug stole someone's phone in the protest once, and another time we got a message saying someone's security code changed and then they became inaccessible). Both incidents ended up OK, but there was no way to kick the person out of the group and proceed while clearing things out with Signal.
- No old history kept of the conversation. Either auto-deleting messages set to a short duration like Signal, or if not possible we can survive with an admin at home deleting old messages constantly and clearing the chat for everyone in sensitive situations (like Telegram allows).
- Free. For various reasons, some people can't buy apps no matter how cheap.
- easy to use. Most protesters are not too technical.
- possibility to display sender and group but not the content of messages in the notifications.
- having an easy way to add password to the app itself. (nice to have)
- making screenshots inconvenient to take (just nice to have).
- Not tied to phone numbers also really nice to have but not mandatory.
Our main threat is riot police and pro government thugs taking protesters phones and forcing people to unlock them or running away before the phone is locked then snooping around. Very rarely are people alone when this happens so we almost always get a notification that X is compromised, so we clear chats and kick them out of the group before their phones are really compromised.
I don't think the government is running sophisticated deep packet inspection. I don't think our group has been infiltrated but that is always a possibility.
We are also trying to find some free device management solution to remotely track / lock and maybe wipe phones when they get taken.
Sorry for the wall of text... just thought now might be a good time to ask...
https://en.wikipedia.org/wiki/Comparison_of_cross-platform_i...
You can sort the table by clicking on the column headers. The "E2EE group chat" column should be useful.
But it uses SMS to authenticate new sessions... we were a target of attack that exposed our group.
A few users had not set up two-factor authentication, so they woke to a warning from Telegram that someone was logged in to their account from across the world.
> Note that a user who has acquired a group’s GroupMasterKey and then leaves the group (or is deleted) retains the ability to collude with a malicious server to encrypt and decrypt group entries. We deem this risk acceptable for now due to the complexities in rapid and reliable rekey of the GroupMasterKey.
Does this mean that the server and a deleted user can always collude to get the deleted user readded to the group? Also, is there no provable audit trail of who added or deleted whom? Unless I'm misunderstanding, it seems like deleting a user is therefore enforced only via server trust, but please correct me if I'm wrong.
No, the members of the group would be able to see that the deleted user is back, or whatever else has happened to the list. Signal's server isn't responsible for deciding who gets the group messages, only for storing the agreed list in encrypted form. So members don't need to trust that the server did as it was told.
Certainly if you have a group where you suspect a member of colluding with the Signal server to betray the group you should probably NOT remove that member but instead take the extra trouble to explicitly form a new group (without that member obviously).
Your point that the deleted user and the server can collude to add a rando to the group seems like a bigger deal, since it would be harder to catch.
To make the same point more critically, if the members need to constantly recheck the mapping of group name to membership list (to stop server cheating), then the scheme might not be buying much.
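The exchange above about the GroupMasterKey caveat (an ex-member who keeps the key can still read and write the stored entries with a colluding server, and members detect changes only by re-checking the list they decrypt) can be modelled in a few dozen lines. The following is an added example written for this thread; it is not Signal's code and makes no claim about the real wire format. The cipher is a hash-counter keystream with an HMAC tag, chosen only so it runs on the standard library; `GroupServer`, `membership_diff` and `scenario` are names invented here:

```python
import hashlib
import hmac
import json
import os
from typing import List, Optional, Tuple

# Toy model, written for this thread and not Signal's real code: the server stores the
# membership list as an opaque blob encrypted under a GroupMasterKey that only members hold.
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the master key (toy HKDF stand-in)."""
    enc = hmac.new(master_key, b"membership-enc", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"membership-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Hash-counter keystream; illustrative only, not a production cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_members(master_key: bytes, members: List[str]) -> bytes:
    """Encrypt-then-MAC the sorted membership list; output is nonce || ciphertext || tag."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = os.urandom(NONCE_LEN)
    plaintext = json.dumps(sorted(members)).encode()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_members(master_key: bytes, blob: bytes) -> Optional[List[str]]:
    """Return the membership list, or None if the tag does not verify under this key."""
    enc_key, mac_key = derive_keys(master_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)


class GroupServer:
    """Holds one blob per group. It has no key and decides nothing about membership."""

    def __init__(self) -> None:
        self.blob: Optional[bytes] = None

    def store(self, blob: bytes) -> None:
        self.blob = blob

    def fetch(self) -> Optional[bytes]:
        return self.blob


def membership_diff(known: List[str], fetched: List[str]) -> Tuple[List[str], List[str]]:
    """What a client checks on every fetch: who appeared and who vanished since last time."""
    return sorted(set(fetched) - set(known)), sorted(set(known) - set(fetched))


def scenario() -> dict:
    """Removal without rekey, the collusion risk, client-side detection, and the rekey fix."""
    master_key = os.urandom(32)
    server = GroupServer()
    server.store(encrypt_members(master_key, ["alice", "bob", "carol"]))

    # Alice removes Carol by publishing a new list; the key is NOT rotated (the quoted caveat).
    server.store(encrypt_members(master_key, ["alice", "bob"]))
    alice_known = ["alice", "bob"]

    # Carol still holds the master key, so she can read the stored list...
    carol_reads = decrypt_members(master_key, server.fetch())
    # ...and, with a cooperating server, replace it with one that adds her back.
    server.store(encrypt_members(master_key, ["alice", "bob", "carol"]))

    # Alice does not trust the server; she diffs what she fetched against what she knows.
    added, removed = membership_diff(alice_known, decrypt_members(master_key, server.fetch()))

    # Remaining members rekey: a fresh master key Carol never receives closes the gap.
    new_key = os.urandom(32)
    server.store(encrypt_members(new_key, ["alice", "bob"]))
    carol_after_rekey = decrypt_members(master_key, server.fetch())

    return {
        "ex_member_can_read": carol_reads == ["alice", "bob"],
        "alice_sees_added": added,
        "alice_sees_removed": removed,
        "ex_member_reads_after_rekey": carol_after_rekey is not None,
    }
```

The model shows both halves of the thread's argument: the server never gets a key, so it cannot silently decide membership, but a departed key-holder plus a colluding server can rewrite the list, and only a client that diffs each fetched list against its last-known one notices. Rotating the master key among the remaining members is the step the quoted caveat defers, and it is the only change in the model that makes the old key useless.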
If we replace "the signal server" with "the authentication/authorization service" ("the AD service" / "the organization's internal certificate authority")...?
Maybe I'm just needlessly afraid of the complexity of managing a real world certificate authority (keeping it secure, keeping it running, keeping as much as possible off line..).
People advocate for Signal because it's arguably the least offensive of the available e2e options. Also the founder for Signal has a long history of doing good work in this area.
Just like Signal.
> I'm not sure if I'd trust the Telegram founders, and their commitment to open source seems questionable to me
Meanwhile Moxie Marlinspike's opposition to free software is evident. You use the client he dictates or fuck off. There's closed source software that respects freedom more than Signal.
The only reason I use WhatsApp is because it's what all my contacts use. It's everywhere. It's the de facto standard for text communication. And I hate the app. I hate its guts.
I read that WhatsApp implemented the Signal protocol; does that mean anything with respect to being able to communicate with people using a different app? Because I was hoping so, but I can't find a way to see my WhatsApp messages in Signal.