undefined | Better HN

0 pointsmaqp2mo ago0 comments

Or, he took a barely niché messaging app plugin (OTR), improved it to provide forward secrecy for non-round trips, and deployed the current state-of-the art end-to-end encryption to over 3,000,000,000 users, as Signal isn't the only tool to use double-ratchet E2EE.

>broken SGX metadata protections

Citation needed. Also, SGX is just there to try to verify what the server is doing, including that the server isn't collecting metadata. The real talking is done by the responses to warrants https://signal.org/bigbrother/ where they've been able to hand over only two timestamps of when the user created their account and when they were last seen. If that's not good enough for you, you're better off using Tor-p2p messengers that don't have servers collecting your metadata at all, such as Cwtch or Quiet.

>weak supply chain integrity

You can download the app as an .apk from their website if you don't trust Google Play Store.

>a mandate everyone supply their phone numbers

That's how you combat spam. It sucks but there are very few options outside the corner of Zooko's triangle that has your username look like "4sci35xrhp2d45gbm3qpta7ogfedonuw2mucmc36jxemucd7fmgzj3ad".

>and agree to Apple or Google terms of service to use it?

Yeah that's what happens when you create a phone app for the masses.

0 comments

stavros2mo ago

Exactly. These arguments are so weak that they read more like a smear campaign than an actual technical discussion.

"You have to agree to Apple's terms to use it"? What's Signal meant to do, jailbreak your phone before installing itself on it?

kelipso2mo ago

Moxie Marlinspike sounds like some 90s intelligence guy’s understanding of what an appealing name to hacker groups would sound like. Put a guy like that as so-called creator of some encryption protocol for messaging and promote the app like it’s for secret conversations and you think people won’t be suspicious? It screams honeypot like nothing else.

fasterik2mo ago

>Moxie Marlinspike sounds like some 90s intelligence guy’s understanding of what an appealing name to hacker groups would sound like. Put a guy like that as so-called creator of some encryption protocol for messaging and promote the app like it’s for secret conversations and you think people won’t be suspicious? It screams honeypot like nothing else.

This criticism has absolutely zero substance and honestly just reads like paranoid rambling. The Signal protocol has been independently formally analyzed [1] and has no known security issues.

[1] https://eprint.iacr.org/2016/1013

1 more reply

kfreds2mo ago

He IS a hacker from the 90s. It’s an assumed name. Plenty of hackers from the 90s have pseudonyms.

> so-called creator of some encryption protocol

All evidence points to him being one of the protocol’s designers, along with Trevor Perrin.

I’ve met both of them. The first time I met Moxie and talked about axolotl (as it was called back then) was in 2014. Moxie and Trevor strike me as having more integrity and conviction than most. There is no doubt in my mind that they are real and genuine.

Interestingly enough, some of the work Trevor did related to Signal’s cryptography was later used by Jason Donenfeld in the design of WireGuard.

> It screams honeypot like nothing else.

As you can see there is plenty of evidence suggesting otherwise.

stavros2mo ago

So the argument against Signal is now "the creator's nickname sounds odd"? I mean, OK? Keep using WhatsApp, Telegram or Instagram if you think those are more private than Signal.

2 more replies

fsflover2mo ago

>> and agree to Apple or Google terms of service to use it?

> Yeah that's what happens when you create a phone app for the masses.

No, that's what happens when you actively forbid alternative clients and servers, prevent (secure) alternative methods of delivery for your app and force people to rely on the American megacorps known for helping governmental spying on users, https://news.ycombinator.com/item?id=38555810

josephg2mo ago

> You can download the app as an .apk from their website if you don't trust Google Play Store.

I wish apple & google provided a way to verify that an app was actually compiled from some specific git SHA. Right now applications can claim they're opensource, and claim that you can read the source code yourself. But there's no way to check that the authors haven't added any extra nasties into the code before building and submitting the APK / ios application bundle.

It would be pretty easy to do. Just have a build process at apple / google which you can point to a git repo, and let them build the application. Or - even easier - just have a way to see the application's signature in the app store. Then opensource app developers could compile their APK / ios app using github actions. And 3rd parties could check the SHA matches the app binaries in the store.

rcxdude2mo ago

This is what F-droid does (well, I suspect most apps don't have reproducable builds that would allow 3rd-party verification), but Signal does not want 3rd-party builds of their client anyhow.

actionfromafar2mo ago

They could still figure out a way to attest their builds against source.

1 more reply

Maken2mo ago

>over 3,000,000,000 users

Is that a typo or are you really implying half the human population use Signal?

Edit: I misread, you are counting almost every messaging app user.

maqpOP2mo ago

Just WhatsApp. Moxie's ideas are used in plenty of other messengers. The context was "what Moxie did for the field of instant messaging".

rcxdude2mo ago

Yeah, whatsapp uses the same protocol.

lrvick2mo ago

Well, we do not really have any idea what Whatsapp uses, because it is proprietary.

sudahtigabulan2mo ago

>>broken SGX metadata protections

>Citation needed.

https://sgx.fail

https://en.wikipedia.org/wiki/Software_Guard_Extensions#List...

j / k navigate · click thread line to collapse

0 pointsmaqp2mo ago0 comments

>broken SGX metadata protections

>weak supply chain integrity

You can download the app as an .apk from their website if you don't trust Google Play Store.

>a mandate everyone supply their phone numbers

That's how you combat spam. It sucks but there are very few options outside the corner of Zooko's triangle that has your username look like "4sci35xrhp2d45gbm3qpta7ogfedonuw2mucmc36jxemucd7fmgzj3ad".

>and agree to Apple or Google terms of service to use it?

Yeah that's what happens when you create a phone app for the masses.

0 comments

stavros2mo ago

Exactly. These arguments are so weak that they read more like a smear campaign than an actual technical discussion.

"You have to agree to Apple's terms to use it"? What's Signal meant to do, jailbreak your phone before installing itself on it?

kelipso2mo ago

fasterik2mo ago

This criticism has absolutely zero substance and honestly just reads like paranoid rambling. The Signal protocol has been independently formally analyzed [1] and has no known security issues.

[1] https://eprint.iacr.org/2016/1013

1 more reply

kfreds2mo ago

He IS a hacker from the 90s. It’s an assumed name. Plenty of hackers from the 90s have pseudonyms.

> so-called creator of some encryption protocol

All evidence points to him being one of the protocol’s designers, along with Trevor Perrin.

Interestingly enough, some of the work Trevor did related to Signal’s cryptography was later used by Jason Donenfeld in the design of WireGuard.

> It screams honeypot like nothing else.

As you can see there is plenty of evidence suggesting otherwise.

stavros2mo ago

So the argument against Signal is now "the creator's nickname sounds odd"? I mean, OK? Keep using WhatsApp, Telegram or Instagram if you think those are more private than Signal.

2 more replies

fsflover2mo ago

>> and agree to Apple or Google terms of service to use it?

> Yeah that's what happens when you create a phone app for the masses.

josephg2mo ago

> You can download the app as an .apk from their website if you don't trust Google Play Store.

rcxdude2mo ago

This is what F-droid does (well, I suspect most apps don't have reproducable builds that would allow 3rd-party verification), but Signal does not want 3rd-party builds of their client anyhow.

actionfromafar2mo ago

They could still figure out a way to attest their builds against source.

1 more reply

Maken2mo ago

>over 3,000,000,000 users

Is that a typo or are you really implying half the human population use Signal?

Edit: I misread, you are counting almost every messaging app user.

maqpOP2mo ago

Just WhatsApp. Moxie's ideas are used in plenty of other messengers. The context was "what Moxie did for the field of instant messaging".

rcxdude2mo ago

Yeah, whatsapp uses the same protocol.

lrvick2mo ago