[joshuamorton]

Here's the Signal version of the riseup.net article:

> Purchase a modern android or iOS device and install Signal. Your communications are now secure.

Given the security provided by signal, why do I need to understand the message authentication schemes, private key management, keyservers, versions, etc.

> The simplicity and strength of PGP is hard to beat. Riseup.net has an entire section mostly about OpenPGP:

Given that, in practice, basically no one's use of PGP provides security or privacy beyond what I get when using Gmail or Outlook, I beg to disagree.

How in god's name can you claim that a 6 page article describing the ~20-30 steps to correctly set up a keyring (oh and then keep up your opsec for the life of your communication because pgp doesn't provide forward secrecy and the protocol makes it possible to transfer plaintexts unencrypted) is simpler than "Install signal, and send messages"?

[int_19h]

They're secure right up until the point someone with the ability to do so spoofs your phone number.

And yeah, Signal will detect that and inform the other side that "security number has changed". At which point they'll promptly confirm the new one, because they don't understand its purpose anymore so than private key management etc - because they simply installed the app from the store, and expect it to "just work".

[joshuamorton]

> Signal will detect that and inform the other side that "security number has changed"

Specifically, it will say "Your safety number has changed...This could either mean that someone is trying to intercept your communication, or that <other party> reinstalled signal."

Even for a layperson, if they have reason to be concerned about a powerful attacker that's reason enough to stop.

[int_19h]

I have switched quite a few casual users to Signal by now, and in my experience, none of them have paid any attention to those regardless. They don't even bother asking the person through some other channel - just confirm the new number.

[joshuamorton]

Assuredly, but most people aren't actually that concerned about state sponsored attacks on their communications, and for those people Signal is still as good as (or better than) PGP email, but they can safely ignore these notifications because, well, the likelyhood (and the risk due to) a state sponsored attack is relatively low.

[upofadown]

Signal can't work on an air gapped system. So it is entirely subject to all the available attacks on the rest of the system it is running on. Someone risking their life no the overall security of something like, say, a smart phone is not being wise.

Something like Signal is OK for most people, particularly if they trust the Signal company. But when things get serious you have to:

1. Know what you are doing.

2. Keep the device that is doing the encrypting as separated from the rest of the world as possible.

[joshuamorton]

> Signal can't work on an air gapped system

If this is the kind of thing you're resorting to claiming, we're well beyond reasonable forms of argument, and so I think it's safe to say that you agree that signal is better.

No communication protocol works on an air gapped system, and a modern Android or iOS device is going to be secure enough that you really don't need to use a special device for your messaging.

The riseup article doesn't mention anything about using a special device for your secure messaging, so I'm not sure why you think it's so important all of a sudden.