submitted 1 month ago by UNIX84@beehaw.org to c/foss@beehaw.org

Finally, we can have usernames in Signal instead of giving our phone number to everybody.

[-] Rikj000@discuss.tchncs.de 30 points 1 month ago* (last edited 1 month ago)

Sign-up still requires a phone number.. -.-"

Check out Matrix/Element ~~or Session~~,
there you can actually enjoy privacy by signing-up without a phone number/email:

Edit: Due to Session's company residing in Australia,
which apparently has bad privacy laws,
I don't feel comfortable with recommending it anymore

[-] starflower@lemmy.blahaj.zone 29 points 1 month ago

Ah yes, Signal, known anti-privacy company

[-] helenslunch@feddit.nl 20 points 1 month ago* (last edited 1 month ago)

You're referring to anonymity, not privacy.

Matrix/Element is slower than shit. I don't understand why anyone recommends this.

Session is also slow but that's not even a problem because I don't know anyone who's even heard of it, much less used it, and that's mostly because it doesn't have phone numbers.

At least some people I know are on Signal and I can easily discover them by phone #. Or at least I used to.

[-] debanqued@beehaw.org 7 points 1 month ago

> You’re referring to anonymity, not privacy.

Anonymity is part of privacy; not a dichotomy.

[-] helenslunch@feddit.nl 3 points 1 month ago

No it's not.

[-] derin@lemmy.beru.co 4 points 1 month ago

Been using matrix as my primary communication method (including bridges to other networks for things like Slack and WhatsApp) for over 3 years now, doesn't feel slow?

[-] helenslunch@feddit.nl 1 points 1 month ago* (last edited 1 month ago)

I can only tell you my experience using several different softwares across several different hardwares across several different servers on several different networks.

At some point I got fed up with waiting 10-20 seconds for new messages to load every time I opened the apps.

And I'm not the only one.

[-] derin@lemmy.beru.co 1 points 1 month ago* (last edited 1 month ago)

Might need to check your setup. But, I will concede that after 2 years in - a point at which the DB grew into something massive, what with the massive Matrix rooms I was idling in - I started to notice slowdowns. The whole sliding sync proxy thing (with the new generation Element X clients) fixed everything.

You shouldn't be having 10-20 second syncs with a new deploy (and limiting the amount of massive rooms your users can join, depending on your hardware), might be something awry relating to your config. If you're absolutely certain it's not that, check out the sliding sync proxy until it gets merged into the main spec - it's great.

[-] helenslunch@feddit.nl 1 points 1 month ago

I've just told you I've "checked my setup" a thousand times. I've also stated dozens of people also agree with me. So either you put some fancy wizardry into your system or you're just in denial.

Either way, I'm done being gaslighted and trying to fix a "setup" that don't exist.

[-] derin@lemmy.beru.co 1 points 1 month ago* (last edited 1 month ago)

Sorry man, I don't know what to tell you. I've got a pretty medium end VPS on which I host my Matrix instance - only had to add an extension for storage after the first few years when the DB got too big. Things were never as bad as you said early on, and as time passed I absolutely got to the point where it would take 10-20 seconds to sync - but this was after 2 years or so of constant use.

The reason why it takes long is because of the size of the sync payload - logically, for a new server/user, this really shouldn't be that big (unless you're in rooms like Matrix HQ). So, genuinely, look into optimization: postgres, your web server (nginx, apache, caddy), and limiting your users from accessing "problematic" rooms.

Barring that just deploy the sliding sync proxy and be done with it. It's not really a problem that requires you to attempt it a thousand times.

> So either you put some fancy wizardry into your system or you’re just in denial.

It's called pure Debian, baby. Also, you'll need a decent chunk of RAM if you don't have that yet. Avoid a pagefile if you can.

[-] helenslunch@feddit.nl 2 points 1 month ago

> So, genuinely, look into optimization: postgres, your web server (nginx, apache, caddy), and limiting your users from accessing "problematic" rooms.

Genuinely: no. I'm done.

[-] derin@lemmy.beru.co 1 points 1 month ago

Well, at least you gave it your best!

[-] Onii-Chan@kbin.social 9 points 1 month ago

Is Session actually secure though? I know they're based in Australia, and as an Aussie myself, holy fuck would I not trust this country for even a fraction of a picosecond with anything private or sensitive. We have some of the world's most draconian and far-reaching digital privacy and surveillance laws, and I'm not ready to accept that Session hasn't been secretly compromised by the AFP, given the law against revealing government backdoors.

Happy to be proven wrong, but I always err on the side of extreme caution when it comes to Australia. Digitally, we're closer to the CCP than any of our fellow western nations.

[-] Rikj000@discuss.tchncs.de 2 points 1 month ago

Wasn't aware of that, would love to hear about it if someone could shine some more light onto the matter :)

If that's the case, I have to stop using/recommending Session

[-] HyperMegaNet@lemm.ee 3 points 1 month ago

I'm not the person you responded to, but the Assistance and Access Act 2018 is probably a good place to start. Here is a page from the Aus Government about it, but the very short version is that the government can ask tech providers to assist them with building capabilities into their systems to allow the government to access data to help with the investigation of certain crimes. In some cases these will be voluntary requests, in other cases they will be requests that must be fulfilled, including asking providers to add capabilities that the government has developed.

There's a lot more detail about it, and the government insists that they won't ask providers to create systematic weaknesses or to decrypt communications entirely, but it's not clear to me exactly how those ideas are actually implemented. Unfortunately, much of the process (likely the entire process) is not made public, so as far as I'm aware there aren't any good examples of requests that the government has made and what sorts of things have or haven't been implemented.

[-] debanqued@beehaw.org 6 points 1 month ago

> Sign-up still requires a phone number… -.-"

Thanks for the warning -- that was my first question. It is my top reason (among many other reasons) for avoiding Signal.

> Check out Matrix/Element or Session,

All 3 of the sites you linked are Cloudflare sites (thus antithetical to privacy). Yes, I know you can use some of that tech without touching CF, but when they run CF websites it reveals hypocrisy & not understanding the goals of their audience.

[-] Radiant_sir_radiant@beehaw.org 4 points 1 month ago

If that's a concern you could also always use Threema, which has been built from the ground up to use anonymous random IDs and optionally lets you link a phone number or e-mail address to that ID. The company has also won important court cases against having to store metadata preemptively and responding to blanket requests by law enforcement.

[-] Rikj000@discuss.tchncs.de 1 points 1 month ago* (last edited 1 month ago)

I never heard about Threema before,
quickly glanced at its GitHub repo,
but I think I prefer Matrix/Element over it.

Threema seems to largely rely on GMS (Google Messaging Service),
meaning that most messages will go through Google's servers,
albeit end-to-end encrypted for now,
I would not be surprised if Google would participate in "Harvest now, Decrypt later".

[-] Radiant_sir_radiant@beehaw.org 2 points 1 month ago* (last edited 1 month ago)

There's actually an option to turn GMS off entirely if that's a concern (Settings-->About-->Advanced). It comes at the cost of slightly increased battery usage. Sadly Google does have a bit of a monopoly on mainstream Android there.
Having said that, the messages themselves should never pass Google's servers, just a packet saying "check your Threema server, there's new stuff waiting for you."

[-] EveryMuffinIsNowEncrypted@lemmy.blahaj.zone 23 points 1 month ago* (last edited 1 month ago)

Too little too late, I'm afraid.

I would love to use Signal more, but I have it for only 1 friend. No one else I know uses it. And the fact that they don't support SMS is I imagine a large contributing factor.

(Yes, I know SMS is inherently insecure & unprivate, but having that support is a good way to get users' feet in the door, and also what good is a totally secure platform if no one uses it?)

[-] Killing_Spark@feddit.de 11 points 1 month ago

Is this a regional thing? I don't know anyone that actually uses SMS anymore

[-] smileyhead@discuss.tchncs.de 5 points 1 month ago

In my region everyone uses Facebook Messenger. And if you don't use it, to contact people that won't install an app for you (like meeting you for the first time), the only option is SMS.

[-] Killing_Spark@feddit.de 1 points 1 month ago

I mean to be honest the only reason to use messengers is just costs, I wish SMS were as cheap as internet flatrates... But that might very well be a regional issue too

[-] smileyhead@discuss.tchncs.de 2 points 1 month ago

Just cost? Absolutely no. Internet protocols are better in so many ways that phone based messaging should be obsolete for years.

[-] Killing_Spark@feddit.de 5 points 1 month ago

> Internet protocols are better in so many ways

This is VERY debatable because statements that broad are almost always false. There is no need to have a cellular->IP->cellular bridge for 1:1 communication involving more servers, more service providers. If anyone wanted to they could implement at least the 1:1 signal protocol and probably even the messaging layer security protocol on top of SMS to get e2ee group communications.

Nobody wants to because cell providers sell SMS for horrendous prices compared to internet access.

[-] snowsuit2654@lemmy.blahaj.zone 11 points 1 month ago* (last edited 1 month ago)

I still luckily have a nice group of friends using Signal but I agree that dropping SMS support was a mistake. There was a good issue explaining why dropping SMS support was bad on their GitHub: https://github.com/signalapp/Signal-Android/issues/12560

[-] explodicle@local106.com 2 points 1 month ago

In hindsight it's sad how very right he was. Now when I think "I want to send Alice a message", I just go to the app I know will work, instead of trying to remember if Alice still uses Signal too.

I genuinely appreciate that there are some people who have the benefit of a group of contacts who are willing to use it. I'm happy for you.

Also, that's an interesting thread. Thanks for sharing it. :)

[-] sfera@beehaw.org 6 points 1 month ago

It's never too late. "Back then", when I started using Signal (called TextSecure), only one other single friend used it. Nowadays, almost all my personal contacts use it. Every additional Signal user adds a contact in someone else's address book as a potential Signal contact. It just takes time. Good luck!

[-] EveryMuffinIsNowEncrypted@lemmy.blahaj.zone 2 points 1 month ago* (last edited 1 month ago)

Okay, then, let me reiterate, for now it seems to be too little too late.

And thank you.

[-] mox@lemmy.sdf.org 21 points 1 month ago

Apparently still requires giving Signal your phone number, so not exactly keeping it private.

[-] helenslunch@feddit.nl 13 points 1 month ago

You're thinking of anonymous, not private. Signal is as private as it gets.

[-] jawsua@lemmy.one 7 points 1 month ago

There's anonymity and privacy. This keeps you private from other users, and they already keep you private from themselves other than the initial sign up. What this service isn't, and never has been, is anonymous. They don't want that and there are big usability issues with an extended anonymous user base. Decide for yourself what you need

[-] debanqued@beehaw.org 5 points 1 month ago* (last edited 1 month ago)

Anonymity is part of privacy.

Specifically, anonymity is confidentiality of identity. Confidentiality is part of privacy, which is a broad concept. So when a tool or mechanism works against anonymity, it works against privacy. It may not work against a privacy aspect that you care about, but it’s privacy nonetheless.

[-] bbbhltz@beehaw.org 9 points 1 month ago

Step in the right direction, which is appreciated...

But: https://fosstodon.org/@link2xt/111965597727225353

Server can look up account identifier (username) and also phone number by username.

[-] onlinepersona@programming.dev 8 points 1 month ago

As usual, people are never satisfied. Never stop complaining.


[-] rah@feddit.uk 7 points 1 month ago
[-] UNIX84@beehaw.org 4 points 1 month ago

This is a big complaint for me. I know that there is the official standalone APK, but if I am running a de-Googled phone, I want to be able to use Signal and have it update on a regular basis.

[-] DdCno1@beehaw.org 1 points 1 month ago

The app does remind you of updates.

[-] jherazob@beehaw.org 5 points 1 month ago

Many years late, and still requires having your number. Good first step though, we'll see once a phone number is not required.

this post was submitted on 02 Feb 2024
158 points (100.0% liked)