I have used Signal for a while, alongside Telegram and Whatsapp. I find the fact that they are chrome apps / require your phone to be online very annoying. Also I find signal regularly messes with the order of messages.
Right now I am testing with Wire, and waiting for proper pasting from clipboard. Although I am concerned with privacy, and I applaud the efforts from OWS, usability is more important to me. It will always be some sort of a tradeoff I guess. Although things seem to be getting better I am saddened by the lack of federation.
Signal-Desktop does NOT require your phone to be on! After initial setup, it can be used completely independently of the phone (it only talks to the phone for contact sync, not messages). The opposite is often claimed on here and seems to be self-perpetuating, but it's wrong.
1. Register and set up Signal Android or Signal iOS
2. Download and install Google Chrome or use Chromium
+++++++
EDIT: Having to buy and throw away a phone to use a service that's intent is to provide privacy is what it is; worth noting you revised your comment after I posted mine.
Sorry if I wasn't clear enough - you need a phone for initial setup. After that, you can throw away the phone (or put it in airplane mode for a less permanent solution) and the Desktop client will keep working. In contrast, WhatsApp Web sends messages via your phone, so your phone needs to be on and connected to use it. Not so with Signal.
That said, registration independent of a phone number comes up a lot here. Signal is primarily a mobile messenger, so the assumption that its users have a smart phone running Android or iOS is a valid one imho. It would be nice if people without a smart phone could use it, too, but implementing this in a way that maintains Signal's ease of use for all participants isn't exactly trivial (contact discovery is a big one). I'd appreciate it, but I can also understand why it's not #1 on OWS' list of priorities.
>implementing this in a way that maintains Signal's ease of use for all participants isn't exactly trivial (contact discovery is a big one).
I disagree, as long as it's an OPTIONAL and non-default method.
Many people (billions?) have been registering to various messaging services (from email to Skype and all kinds of IMs) and finding each other just fine, without using a phone/phone number.
Phone based authentication has a couple of advantages too, but when a "privacy oriented" messaging app has this as the only option it's fair to point it out.
I have been toying with this idea, I haven't actually done it myself but I know people that have.
1) get a VOIP provider to give you a free iNum number
2) download signal to your smartphone or ipod of choice
3) during the registration phase, delete the number that it suggests, replace it with the iNum number from step 1.
4) make sure to have the registration process do the "voice call" method where it calls you and reads you off the registration number.
5) register.
Assuming that you already own a cellphone and you use a free voip app like csipsimple or linphone. iNums are free from most voip providers. Then this process costs nothing.
> I find the fact that they are chrome apps...very annoying
That's my biggest issue with Signal as well. I very recently (as in, over the past two days) completely dropped Google from my life[1]. I switched from Gmail to FastMail for email, calendar, and contacts, and FastMail also offers 10GB of file storage at their middle tier, which is about five times as much space as I was using in Google Drive. I switched from Chrome/Chromium to Firefox, and I'm currently trying to decide which photo backup service to use to replace Google Photos. I'll probably run CollaboraOnline via a local Nextcloud server for a good Google Docs replacement. I'm using StartPage for search, as I find its results to be more relevant than DDG.
All of that said to say this: It's absolutely refreshing to break out of the Google tar pit, and I'm very interested in a secure messaging app that doesn't depend on them at all. Being free from 24/7/365 tracking, no matter if it's "just for advertising purposes", is a breath of fresh air, as is knowing that all my eggs are spread out among several baskets now.
[1] I do still have an Android phone (Nexus 6) but I switched from the official Google ROM to the latest stable Cyanogenmod, and opted to not install the Google apps bundle. My battery life has gone from about 30 hours between charges to nearly 70 hours (as predicted by the battery meter; I haven't had to charge it since I installed CM on Monday night and I'm at 81% as of Wednesday morning). I've been using F-Droid for some great replacements for many of my everyday apps, and the Amazon App Store for a few necessities like Paypal and Fing. As on the desktop, I'm using Firefox on the phone mostly for the syncing capability, though I will say the built-in browser on CM is fantastic. Of course, I'm actively seeking a non-Android, non-Apple alternative for a mobile phone, and right now the DragonBox Pyra is a front-runner, with the Neo900 a close second.
> As on the desktop, I'm using Firefox on the phone mostly for the syncing capability
Be aware that if your Mozilla account password is not a fully-secure, unmemorable, random string then it is possible to break into Sync: unlike previously, the only thing securing your Sync data is your password.
Also be aware that at any time Mozilla can push a piece of targeted JavaScript to you alone, which would reveal your password to them.
The first issue is solvable by using an appropriately-secure password, e.g. apQzICxawJKkU0t7SNqnPd; the second issue is unsolvable unless you fully trust Mozilla the organisation, all its employees and every government which is able to compel its actions.
Good to know, thanks. I do use a fairly secure password scheme; basically I memorize several smaller passwords made of random letters, numbers, and symbols, and I concatenate them in ways that make sense to me but (hopefully) are gibberish to anyone else. I try to use the maximum allowable string for each service, or as close as I can get with my system.
> as is knowing that all my eggs are spread out among several baskets now.
This is what i want (and what i'm actively working towards)! The "banned from Google" talk has really harmed them in my eyes.. at least for people like me. I hadn't really questioned Google in the past, but now i'm looking to spread out my eggs as much as possible. Very important to me.
Any info on how to do this with the various Google services?
-- Android Photo backup
-- All Google Apps
-- Everything that Chrome Syncs
-- Android backup/recovery
I can't speak for the above poster, but I will say that some GPS apps, such as OsMand, are quite good. The catch is that you have to download the map for your region to local storage and you totally lose search queries like "Find the nearest Wafflehouse". In addition, OsMand specifically has a bit of a learning curve to it where GMaps, among others, are search and go.
While it doesn't have natural language searching yet, OsmAnd actually has very powerful POI searching. You can search for POIs by name or category, and have them displayed as either a list or points on the map.
I knew I forgot to mention some things. So far MAPS.ME has been an acceptable replacement for navigation, and its performance has been surprisingly good. I still don't like being tied to a closed source mapping app though, so I'm going to give OSMAnd a spin as well.
The battery life surprised the hell out of me, especially since I spent a couple of hours getting the launcher set up the way I like it. It's telling how much battery and data are used when your phone is constantly in contact with the mothership versus a device that only connects to a service when you strictly allow it.
If you are interested in federation, riot.im [1] / matrix.org seems to have comparable security properties to Signal, allows federation of servers and does not require your phone number or Google Play.
I also use Telegram, it is currently my favourite messaging platform actually. It is not even so much the registering with a telephone I mind personally, but WhatsApp requires your phone to be online whilst using the desktop app. Jumping WiFi and VPN throughout the day this sometimes gets annoying. Testing wire for being Swiss based as well as being an implementation of the Axolotl/Signal protocol.
The wire desktop client currently does not support pasting an image from the clipboard. It is listed as a feature request though, so I expect it to be implemented in the near future.
Oh, I thought it's something about the mobile client. I also noticed it doesn't support drag/drop with an image, probably because it's an electron app and things like that has to be coded specifically.
Ironic that Moxie, who doesn't go by his real name and is the founder of Signal, wants all of his users to identify themselves by providing their phone number and IMEI numbers; IMEI or 'International Mobile Equipment Identity' is a unique 15-digit number assigned to all cellular devices.
I find usernames a lot easier to communicate than phone numbers, and they are cheaper to move to another phone provider. And don't require me to share my phone number, which is an extremely high priority channel, with everybody I might want to send a message to.
And if it is face2face, scanning a barcode like e.g. Threema supports is even quicker.
It would be nice if we could avoid that fragmentation, and to be clear, I am not against Signal offering phone number sync or even making it the default.
I'm not convinced that "just put my phone number 0394859489 in" is so much easier than "I don't have my phone number in there, just type in horse-battery-staple" that not having the second option is a large usability win. Or "give me your phone number and i'll add you" ;)
It's very laudable that Signal tries to be perfectly easy, with as few options as possible, but on the other hand I feel the overdo it in many cases where a slightly more manual, hidden way would help to mitigate issues. If it works for you it's fine, if it doesn't (either through convention or actual bugs, the latter ones are a bigger issue for me) you are out of luck. That's not great for adoption either.
> I think signal:wtbob works just as well as tel:+15551212
That doesn't work as well for auto-discovery of other Signal users, though. The latter enables auto-discovery based on people whose phone numbers are already in one's contact books. With the former, one needs to collect other people's usernames. It's not a tough thing to do, but it does make auto-discovery difficult.
> That doesn't work as well for auto-discovery of other Signal users, though.
It does if one's Contacts app stores Signal contact information for one's contacts; then one could simply query using non-Signal information as the key (e.g. one could ask, 'give me Signal contact information for tel:+15551212, mailto:fizzbuzz@barquux.org and http://plus.google.com/SomeUserName').
> one could simply query using non-Signal information as the key (e.g. one could ask, 'give me Signal contact information for tel:+15551212, mailto:fizzbuzz@barquux.org and http://plus.google.com/SomeUserName').
That doesn't seem like a very good tradeoff because then it requires Signal to store/compare _more_ personally identifying information (though I guess you could make many of those things pseudo-anonymous).
> Can you expand on that? I'm not sure quite what you mean.
Sure! It derives from the SDSI/SPKI work of the late 90s, which demonstrated how one can use petnames (i.e., local nicknames) for people, and then refer to a contact's petnames via one's petname for that contact.
Agree that the majority of users desire for anonymity is without merit, but so is requiring users to identify themselves.
If a user is willing to put up with a less useful and usable version of Signal - they should be allowed to use it without identifying themselves.
Beyond this issue, there are others that me show a troubling pattern. For example, Moxie has refused to post a "warrant canary" for US National Security Letters.
In spirit, I like Moxie, in practice, I feel like he's the captain of ship flying a false flag.
Anonymity isn't Signal's goal, simple as that. If you're looking for anonymous messaging, you'll have to search elsewhere.
OWS recently received a subpoena and fought to be able to publish it (and their response), the only data they could provide were registration and last contact timestamps.
I'm sensitive to this concern, but remember that the phone number you register with Signal doesn't have to be your real phone number or identical to the phone number of your primary Signal device.
You can just get a VOIP number or burner phone somewhere in a relatively anonymous manner, register it with Signal on your android phone, and go about your business if anonymity is an important requirement for you.
Isn't that risky? The subscriber number will sooner or later be recycled for another device (in the case of burner phones) or customer (in the case of voip). They could in turn disrupt your Signal use.
I think I misspoke. Rather than a true burner phone you'd want to use a prepaid phone with minutes that don't expire, or that you can keep active by using a minute every 90 days etc.
Definitely a hassle, but for anyone for whom a phone number is insufficiently anonymous I would imagine they're used to it.
I admittedly don't know as much about the options for VOIP but I've got to to believe there's a way to get a phone number on the internet where you can receive SMS and keep it active indefinitely.
I want to add this here...very recently, my family was looking for a new chatting app to use (I tried to get them to use Slack, but they found it a bit too complicated). I really really wanted to use Signal (even with it not having a bots API), but the fact that you need a phone number to sign up is a no-go.
My question is..why do you need a phone number (which imo is way more personal, than say an email?). Being security focused...would it not make sense to have as much less info on the person as possible?
We have settled on kik for now. (although call support is lacking, i feel like it'll be added eventually)
To make sure your connections are secure. You want to make sure the recipient is who they are. So phone Numbers. Also probably because signal isn't a chat app.
To me it feels Signal just wants to become the new WhatsApp more than anything. Yes, I'm basing this on the gif support and that it requires a phone number. The security argument only worked as long as whatsapp and co. did not roll out e2ee. I could support a sincere attempt that want to do good which OWS seemed to be doing, but now that they are competing on the emoji front they have lost their edge for me*
*I don't really have a horse in this as I use none of them
How does one know that the app being installed through an app store comes from the public source code? Shouldn't I need to create and install my own APK from source?
If you haven't noticed, check out my comments in the article. I provide a concerned, critical response arguing for why Signal might not be a good idea. Or in the least, Mr. Shelton should explain the possible risks and dangers.
Right now I am testing with Wire, and waiting for proper pasting from clipboard. Although I am concerned with privacy, and I applaud the efforts from OWS, usability is more important to me. It will always be some sort of a tradeoff I guess. Although things seem to be getting better I am saddened by the lack of federation.