by treenyc 3795 days ago
It is great that Whisper Systems/Signal implement cryptography properly.

However, the NEWER versions of Signal require access to your contacts to work.

For many users that is a show stopper.

Implement a way for users to search by User ID and allow users to find each other by ID in addition to phone number.

3 comments

Recent updates also show disconcerting "Joe is on Signal!" messages for everyone in your contacts (who is registered with Signal) regardless of whether or not you've had any contact with them. They've stated that this is not a security issue (I don't recall the specifics) but it was pretty disturbing nonetheless. I'll definitely be paying closer attention and consider switching to an alternative if this trend continues.
Why specifically are you worried about that?
I've recommended Signal (then TextSecure) to a number of non-technically savvy friends as a trustworthy app that takes security seriously. Moxie is somewhat unique in this respect, among the sea of proprietary apps put out by larger shops. Upon seeing these "X is on Signal" messages, I had a number of people contacting me with concerns. At least the outward appearance is that Signal is somehow leaking contact data to their servers. Presumably it is also alerting people to the fact that "Joe" is a Signal user, despite no communication with that user having taken place.

I realize that phone numbers are probably hashed before being sent, with only local contact data being displayed, but it has people concerned nonetheless. It starts to err more towards convenience, ease of use, and network building above security.

I think we should push for Axolotl (the cryptosystem used by Signal, which is an improvement on OTR) support in Ricochet and get a Ricochet phone app.

Ricochet uses Tor hidden services to anonymise your social graph, which is something you don't do with Signal (not to mention that Signal does identity key lookups with phone numbers). I'm not sure there's a low-latency way to do VOIP anonymously. The best method I know of is to literally record and send audio files, which have a few seconds of latency.

You can easily enumerate this data anyway, though. Just go through your contact list and try to add people. You could come up with an elaborate system where the other person has to confirm you, but everyone knows that's rubbish and users hate it. Sorry for the late response, I forgot I made this comment.
Yes, I'm well aware of the ease with which someone could build a client that would provide such a feature had it not been included. Moxie takes great care not to provide mere illusions of security (or in this case obscurity) such as self-destructing messages or other features of that ilk. I appreciate it, and it's a big part of why I use and recommend projects affiliated with Open Whisper. Still don't believe it was the right decision to blast users with a notification from every Signal user in your contacts. Let Telegram or WhatsApp or some other crap play that game.
The requirement of a phone number is strange and disconcerting from a privacy standpoint. It is a red flag for me.

A well-designed encrypted chat-protocol should work on any modern networked computing device, not just smartphones or computing devices linked to a smartphone.

Not on iOS. It's not Signal's fault that Android permissions are a mess. Google has no interest in providing good privacy to their customers. They only want to appear to provide privacy. In reality, they want to know everything there is to know about everything and everyone. To improve their service, of course...
> Not on iOS

Tried just now. It does require it and doesn't work without it.

             Sorry!

  Signal requires access to your
  contacts. We do not store your
  contacts on our servers.

         [Give access]