That's probably the only reason I clicked it. Honestly, kinda regret that I did because the author just seems like a dude yelling at the sky because he's wildly critical of the smallest things but doesn't offer up any solutions.
I (wrongly) assumed that if he was hilarious to have made that graphic, that he'd maybe be more reasonable, hopefully funny. I was disappoint.
It did kick off me spending about 2 hours comparing Signal to SimpleX, and Briar, and a bunch of others, and I can only conclude Signal is the best out of them. The security community seems to be REALLY paranoid about every, single, tiny little thing - but I understand that they must be.
SimpleX doesn't do any kind of IP address masking or have quantum resistant double ratchet encryption.
Briar doesn't account for rogue-tor nodes, etc.
There's just always some big glaring flaw in one of them.
There are six bullet points. Which ones are no longer true?
The only one I know of is point 4, in that you can now choose not to share your phone number. But, IIUC, the app uses the dark pattern of forever nagging you to share it, hoping you’ll eventually accidentally click the wrong choice.
Unless Signal's policies recently changed, Molly is not interoperable, since Signal does not allow third-party clients to use their servers/network. That would make point 2 correct.
If that policy has changed, then someone please link the announcement so I can update my notes.
They've been allowing Molly to continue to function for multiple years. Notably, from Molly's readme:
Molly connects to Signal's servers, so you can chat with your Signal contacts seamlessly.
I looked over the terms of service linked there and don't see anything specifically calling out third party clients. Is that elsewhere in another terms page somewhere or is it just not being specifically mentioned?
It was a few years ago when I read Signal's statement about this, so I'm afraid I don't have a link for you.
I believe you when you say Molly functions, but it's important to note that without Signal's blessing, anyone using Molly can be locked out of the network (and their chats and contacts) at any moment. It's not the same as official interoperability.
I wonder if the Digital Markets Act will eventually force it.
Absolutely, and I'm not trying to say they don't own their infra or have the ability to cut off the Molly users. Luckily, if that were to happen, you could use the automated backups to restore back into Signal, since they're functionally the same.
Regardless, both apps have reproducible builds. It's the infra that isn't reproducible.
4 and 5, from what I remember you have to opt into being discoverable by number even if you give it your contacts.
that said I don't fw signal for the other reasons stated, it's basically just the easiest secure alternative to texting.
Just about. JWZ is known for his cynical hot takes on tech in general.
I don't think any of his complaints are invalid, though his conclusions are uncharitable at best. Making a communication tool that's both reasonably secure and sufficiently palatable to people who don't know how to use computers to achieve broad adoption is a hard problem with no perfect solutions. If he has a better idea, well... he's a skilled and somewhat famous programmer; he's better equipped than most to implement it.
There are some fairly good solutions tho. Matrix is still kinda half-baked (specifically thinking about 2.0 and Element X) and Conversations has limited capabilities, but they are fairly easy to use
Edit: Although I would really wish Matrix had a 'normie-mode', with secure and reasonably easy to handle defaults
I use Matrix, and I've moved some conversations with people I met in public rooms there to Signal because it kept failing to transfer keys rendering it unable to decrypt messages. I haven't seen that in a while so maybe it's fixed, but I haven't been using it for one-to-one conversations lately.
Unfortunately, I've found most people have a lot of resistance to adding another messaging app. I don't really understand why that is, but it's true. Asking someone to install a messaging app when I'm their only contact who uses it and they have another way to contact me has a success rate near zero.
You just need to chose a Matrix instance, create an account with username and password that have nothing to do with what follows, log in (not that), generate keys, ideally back up those keys (which you could ignore, but you are prompted to), then it bothers you with cross-signing (which you can also ignore, except you kinda can't, depending on you contacts, so log in again and confirm the devices), then chose another, unrelated instance to be discoverable via mail/phone (which again is optional, except if you want to be or don't want to explain how adding via domain + name works), than add mail or phone number and activate it and boom, you are golden. Except you are not, because if you want Element X, well, you still have no push notifications, which just require you to... Oh, create another account, neat!
Meanwhile on Signal you do what? Punch in your number, confirm, optionally set a PIN, optionally enable backups, done. Yeah, that's not as private, and missing online massage backups, I know, but it's also a 1-3 step setup without any alarming prompts, telling you to do non-straightforward stuff that could very well compromise your privacy. Or having to dig through options and make choices and handle keys you don't understand.
Do you need a reminder that 123456789 is a popular password and 2FA commonly considered a nuisance? Matrix is complicated enough to confuse even (non-ITSec) IT people.
As a professional software developer, I consider Matrix/Element to be quite user-unfriendly (and anecdotally also quite buggy)
Edit: Some clarifications. Describing this easy process was kinda confusing for silly ol' me
Could you explain/elaborate to a know-nothing (me) on the following from your link?:
Caveats of federation: Metadata leaking
When using federation, Matrix’s room states (containing a lot of Metadata) get replicated and stored indefinitely on every homeserver any user connects with or connects to. While this is a feature for enabling distributed chat rooms, it comes at a serious privacy cost.
To avoid this, you can either disable federation, or make sure that your users signed up with no linkable identifiers other than their user names.
Matrix is not really a chat system, but rather a distributed database that pretends to be a chat system. As a result all servers participating in a room get a full copy of the room metadata all the way back to when the room was created, which is a serious privacy issue.
This is not a general problem of federated systems though, and XMPP for example basically only shares the metadata that other participating servers strictly need to function.
The main difference is that XMPP (like most other federated systems) is based on passing messages, so if a new server joins a chat, it gets send messages from that point onwards.
In Matrix that is different. When a new server joins a chat it exchanges the entire database for that chat, and for DAG consistency reasons this means all the metadata since the chat was first created, often years ago.
That could work, it looks like it was a lot of features like reacts and video calls. How easy it is to setup and 'plug-and-play' will determine whether I'll be able to convince people to use it
Last time I tried SimpleX, you had to scan a QR code to go from Desktop to mobile and vice versa, any chance of them changing that? Otherwise it did look promising.
yeah you can only use one device at a time because simplex doesn't have accounts, just devices. but you can make another account per device and add them to your chats
it is using double ratchet but heres the most recent tob. the fact that they use distributed self hostable relays and no user identifiers is more secure imo
Man, I haven't seen a goat.se in years
That's probably the only reason I clicked it. Honestly, kinda regret that I did because the author just seems like a dude yelling at the sky because he's wildly critical of the smallest things but doesn't offer up any solutions.
So you're disappoint it wasn't a rickroll of the original image?
I (wrongly) assumed that if he was hilarious to have made that graphic, that he'd maybe be more reasonable, hopefully funny. I was disappoint.
It did kick off me spending about 2 hours comparing Signal to SimpleX, and Briar, and a bunch of others, and I can only conclude Signal is the best out of them. The security community seems to be REALLY paranoid about every, single, tiny little thing - but I understand that they must be.
SimpleX doesn't do any kind of IP address masking or have quantum resistant double ratchet encryption.
Briar doesn't account for rogue-tor nodes, etc.
There's just always some big glaring flaw in one of them.
Not trying to be pedantic, but the original was goatse.cx
Yeah everyone likes to call it "Goat-see" or "Goat-say", but it was originally supposed to be "goat-secx" i.e. "goat sex".
I think part of the confusion may be that when the site was taken down, the mirrors that sprung up were things like goat.se, etc.
I've heard it pronounced "goatsee" and said that myself back when the original site was live. You are 100% right on the intent of the name though.
Is this a random thought or should I not click the link?!?
Edit: oeuf. There it is. Nice.
mostsome of the stuff on that list isn't even true (at least not anymore) lolThere are six bullet points. Which ones are no longer true?
The only one I know of is point 4, in that you can now choose not to share your phone number. But, IIUC, the app uses the dark pattern of forever nagging you to share it, hoping you’ll eventually accidentally click the wrong choice.
Point 2 is mostly not true, in that Molly exists and you can do reproducible builds with either implementation.
Unless Signal's policies recently changed, Molly is not interoperable, since Signal does not allow third-party clients to use their servers/network. That would make point 2 correct.
If that policy has changed, then someone please link the announcement so I can update my notes.
They've been allowing Molly to continue to function for multiple years. Notably, from Molly's readme:
I looked over the terms of service linked there and don't see anything specifically calling out third party clients. Is that elsewhere in another terms page somewhere or is it just not being specifically mentioned?
It was a few years ago when I read Signal's statement about this, so I'm afraid I don't have a link for you.
I believe you when you say Molly functions, but it's important to note that without Signal's blessing, anyone using Molly can be locked out of the network (and their chats and contacts) at any moment. It's not the same as official interoperability.
I wonder if the Digital Markets Act will eventually force it.
Absolutely, and I'm not trying to say they don't own their infra or have the ability to cut off the Molly users. Luckily, if that were to happen, you could use the automated backups to restore back into Signal, since they're functionally the same.
Regardless, both apps have reproducible builds. It's the infra that isn't reproducible.
4 and 5, from what I remember you have to opt into being discoverable by number even if you give it your contacts. that said I don't fw signal for the other reasons stated, it's basically just the easiest secure alternative to texting.
Hard to take them seriously, if they can't even use a search engine to realize most of this is complete bullshit. What is this? A Twitter post?
Just about. JWZ is known for his cynical hot takes on tech in general.
I don't think any of his complaints are invalid, though his conclusions are uncharitable at best. Making a communication tool that's both reasonably secure and sufficiently palatable to people who don't know how to use computers to achieve broad adoption is a hard problem with no perfect solutions. If he has a better idea, well... he's a skilled and somewhat famous programmer; he's better equipped than most to implement it.
There are some fairly good solutions tho. Matrix is still kinda half-baked (specifically thinking about 2.0 and Element X) and Conversations has limited capabilities, but they are fairly easy to use
Edit: Although I would really wish Matrix had a 'normie-mode', with secure and reasonably easy to handle defaults
I use Matrix, and I've moved some conversations with people I met in public rooms there to Signal because it kept failing to transfer keys rendering it unable to decrypt messages. I haven't seen that in a while so maybe it's fixed, but I haven't been using it for one-to-one conversations lately.
Unfortunately, I've found most people have a lot of resistance to adding another messaging app. I don't really understand why that is, but it's true. Asking someone to install a messaging app when I'm their only contact who uses it and they have another way to contact me has a success rate near zero.
Yeah, Element is super easy to use.
You just need to chose a Matrix instance, create an account with username and password that have nothing to do with what follows, log in (not that), generate keys, ideally back up those keys (which you could ignore, but you are prompted to), then it bothers you with cross-signing (which you can also ignore, except you kinda can't, depending on you contacts, so log in again and confirm the devices), then chose another, unrelated instance to be discoverable via mail/phone (which again is optional, except if you want to be or don't want to explain how adding via domain + name works), than add mail or phone number and activate it and boom, you are golden. Except you are not, because if you want Element X, well, you still have no push notifications, which just require you to... Oh, create another account, neat!
Meanwhile on Signal you do what? Punch in your number, confirm, optionally set a PIN, optionally enable backups, done. Yeah, that's not as private, and missing online massage backups, I know, but it's also a 1-3 step setup without any alarming prompts, telling you to do non-straightforward stuff that could very well compromise your privacy. Or having to dig through options and make choices and handle keys you don't understand.
Do you need a reminder that 123456789 is a popular password and 2FA commonly considered a nuisance? Matrix is complicated enough to confuse even (non-ITSec) IT people.
As a professional software developer, I consider Matrix/Element to be quite user-unfriendly (and anecdotally also quite buggy)
Edit: Some clarifications. Describing this easy process was kinda confusing for silly ol' me
Is there a better alternative? I don't see anything conclusive in the link on that front
I sure don’t know. SimpleX is suggested, among others: https://dessalines.github.io/essays/why_not_signal.html#good-alternatives
Could you explain/elaborate to a know-nothing (me) on the following from your link?:
The author of that essay (@[email protected]) is one of the main devs of lemmy, so you’re asking in the right place lmao
Matrix is not really a chat system, but rather a distributed database that pretends to be a chat system. As a result all servers participating in a room get a full copy of the room metadata all the way back to when the room was created, which is a serious privacy issue.
This is not a general problem of federated systems though, and XMPP for example basically only shares the metadata that other participating servers strictly need to function.
Yes in a local database, not a distributed one.
The main difference is that XMPP (like most other federated systems) is based on passing messages, so if a new server joins a chat, it gets send messages from that point onwards.
In Matrix that is different. When a new server joins a chat it exchanges the entire database for that chat, and for DAG consistency reasons this means all the metadata since the chat was first created, often years ago.
I’ve never looked into how Matrix works at all, so I can’t really speak to that.
That could work, it looks like it was a lot of features like reacts and video calls. How easy it is to setup and 'plug-and-play' will determine whether I'll be able to convince people to use it
Last time I tried SimpleX, you had to scan a QR code to go from Desktop to mobile and vice versa, any chance of them changing that? Otherwise it did look promising.
yeah you can only use one device at a time because simplex doesn't have accounts, just devices. but you can make another account per device and add them to your chats
yeah it's annoying, but they're pretty committed to the no user id thing
it is using double ratchet but heres the most recent tob. the fact that they use distributed self hostable relays and no user identifiers is more secure imo
Conversations is very simple
Kids these days...
Every interaction I’ve had with that person is insane. Who even are they?
Among many other things, the person who created Mozilla/Firefox.
Thanks! I only knew them as yelling, cursing, and attacking others on mastodon person
He’s old and cranky like me 🤷
Haha! How did you simpsonify a photo of yourself?? That's so cool!
I know him as the guy who made his webserver respond to everything with a ballsack in an eggcup if your Referer is hacker news. Seems childish