Over the past days, two popular chat services have accused each other of having undisclosed government ties. According to Signal president Meredith Whittaker, Telegram is not only “notoriously insecure” but also “routinely cooperates with governments behind the scenes.” Telegram founder Pavel Durov, on the other hand, claims that “the US government spent $3M to build Signal’s encryption” and Signal’s current leaders are “activists used by the US state department for regime change abroad.”
I don’t get it at all. There are plenty of platforms like matrix, xmpp, simplex that don’t require phone numbers tied to your identity. Signal has somehow managed to convince people that it’s a private platform, despite it being a US hosted service that requires phone numbers.
Say the US government, in a worst-case scenario in which it constantly monitors all traffic that goes through Signal’s data centers, can ‘only’ see phone numbers, IP addresses and timestamps, right? Or am I forgetting something here?
Metadata and social graphs are more important than message content, esp since not many people have the time to read through individual messages to build meaning.
Signal stores phone numbers (meaning your identity, and home address), and message timestamps: who texted who and when, and who’s in chats with who else. More than enough to build social graphs and connections, and also figure out where people are through their IP addresses.
Signal can’t see who is texting who. They can’t see which groups you are part of. Those information are end to end encrypted, same as your chats itself, your profile picture, your stories, etc.
Signal doesn’t store message timestamps either.
What Signal itself knows of you is your phone number, the timestamp of your registration, the timestamp of your last connection to the server. That’s it.
Yes metadata is critical but Signal handles metadata very well. Indeed, even though I’m a fan of Matrix, better than Matrix. Matrix is a metadata nightmare due to it’s centralized structure and the way the protocol works.
Signal can’t see who is texting who. They can’t see which groups you are part of. Those information are end to end encrypted, same as your chats itself, your profile picture, your stories, etc.
This is completely false. They can absolutely see who is texting who, in fact they need it to be able to route messages. They have message timestamps, and phone numbers stored in their database.
Question, why do you “trust” signal? You can’t see what code their centralized server is running, unlike matrix which you can self-host and build from source. You don’t have to “trust” matrix, you can verify it for yourself.
Doable, but a huge pain in the ass because of conflicts in the protocol. I spent about a year trying to suss them out and come up with a fix but never figured it out.
how has no one discussed matrix here
Unable to decrypt message
Unable to decrypt message
Unable to decrypt message
Unable to decrypt message
Unable to decrypt message
Unable to decrypt message
…
That must mean it’s working! :D
I don’t get it at all. There are plenty of platforms like matrix, xmpp, simplex that don’t require phone numbers tied to your identity. Signal has somehow managed to convince people that it’s a private platform, despite it being a US hosted service that requires phone numbers.
Say the US government, in a worst-case scenario in which it constantly monitors all traffic that goes through Signal’s data centers, can ‘only’ see phone numbers, IP addresses and timestamps, right? Or am I forgetting something here?
Metadata and social graphs are more important than message content, esp since not many people have the time to read through individual messages to build meaning.
Signal stores phone numbers (meaning your identity, and home address), and message timestamps: who texted who and when, and who’s in chats with who else. More than enough to build social graphs and connections, and also figure out where people are through their IP addresses.
Do you happen to know what metadata matrix stores? I assume matrix.org specifically stores email and username, right
Yes, but I don’t think user metadata outside of your apub url, name, icon, display name, leaves your homeserver. Email or passwords don’t leave iirc.
Signal can’t see who is texting who. They can’t see which groups you are part of. Those information are end to end encrypted, same as your chats itself, your profile picture, your stories, etc.
Signal doesn’t store message timestamps either.
What Signal itself knows of you is your phone number, the timestamp of your registration, the timestamp of your last connection to the server. That’s it.
Yes metadata is critical but Signal handles metadata very well. Indeed, even though I’m a fan of Matrix, better than Matrix. Matrix is a metadata nightmare due to it’s centralized structure and the way the protocol works.
This is completely false. They can absolutely see who is texting who, in fact they need it to be able to route messages. They have message timestamps, and phone numbers stored in their database.
Question, why do you “trust” signal? You can’t see what code their centralized server is running, unlike matrix which you can self-host and build from source. You don’t have to “trust” matrix, you can verify it for yourself.
It’s a Google hosted service, which is arguably worse because they may as well be a nation-state unto themselves.
And the largest homeserver, matrix.org, is MITM’d by Crimeflare.
Fuck matrix.org, just selfhost.
Doable, but a huge pain in the ass because of conflicts in the protocol. I spent about a year trying to suss them out and come up with a fix but never figured it out.
Wasn’t Amazon involved here as well? It is another “nation-state”.
I do not think so, no. However, Amazon is certainly big enough to be un-humorously compared to nation-states as well.