Hacker News new | ask | show | jobs
by antibuddy 1983 days ago
I still try to find the advantage over Whatsapp in the long-term. I get that Signal is not Facebook, so it has that going for it, however beside that it leaks the same data (which Signal says it is not storing however). You could probably compare it to Whatsapp before it was sold to Facebook.

So I have to ask myself: What happens if Signal has financial issues?

edit: Signal is open-source and non-profit as commenters pointed out. That's indeed advantageous.
4 comments
zulln 1983 days ago
Signal is registered as a 501c3 nonprofit, there should be challenges to buy that. Granted, I have not investigated if someone else holds a trademark or so that maybe still allows for something to be sold.

Signal not only encrypts messages (Whatsapp does as well), but also seem to make sure there is as little meta data available as possible. This should make it less interesting for eg. Facebook to buy them.

link
antibuddy 1983 days ago
I do not know about their attempts at minimizing meta-data however I guess the usual meta-data like who texted whom and when is still there. Maybe it is not stored, but I have to take their word for it (and I tend to believe them), but the data is still there.

This data is there at any rate however confederated chat apps can use different servers (so data is not congregated) and you can also change accounts easily (it's harder to change phone number).

link
zulln 1983 days ago
I have not looked into how it works, other then reading the blog post, but it seems like they are trying to figure out that part as well: https://signal.org/blog/sealed-sender/

But yeah, as long as they own the servers I am sure they could puzzle it together if they wanted.

link
grlass 1983 days ago
worth looking that the cwtch.im alpha chat app, that attempts to mitigate the metadata problem with TOR, and having untrusted servers that host group chats.

Similar philosophy to Signal of trying to really get usability right (looking at you, Element). Though still early in alpha development, wouldn't trust current alpha builds to be reliable.

link
grlass 1983 days ago
Short-medium term you have the advantage that the Signal codebases are open source, thus much easier to audit.

There have been a number of independent security audits over the years, which are easy to find. WhatsApp code was never open, even pre-Facebook.

link
JosephRedfern 1983 days ago
I'm a big fan of Signal and have been encouraging friends and family to use it.

That said, I (like others) am a bit concerned about the lack of updates to Signal-Server (https://github.com/signalapp/Signal-Server/commits/master). Commits seemed to suddenly stop April last year, and I'd be very surprised if the actual Signal Server that's running in production hasn't been updated over such a long period. Would be very happy to be proven wrong here, or to be pointed in the direction of anything that might explain the lack of activity.

link
antibuddy 1983 days ago
Okay, that is indeed an advantage I forgot about.
link
AshamedCaptain 1983 days ago
A bit for the worse in practice due to the non-federated server meaning you have to trust they run the server code they claim to run.

On the client side I find their interest on self-updating problematic (since they may silently push updates to specific users), but at least you do have the option to remove it.

link
StavrosK 1983 days ago
Signal doesn't even know when you send messages, due to sealed sender. It can only know when you receive messages, but not whom they're from.
link
AshamedCaptain 1983 days ago
How does "sealed sender" actually guarantee that without some type of bizarre onion-style routing?

At the end of the day they literally control the only in-pipe and the only out-pipe and can measure whatever the heck they want from it. Including from which address the message came from.

link
StavrosK 1983 days ago
Because they can't tell which user is sending messages just from the IP address.
link
AshamedCaptain 1983 days ago
Just correlate with the latest user who logged on from that IP?
link
StavrosK 1983 days ago
Define "logged on".
link
AshamedCaptain 1983 days ago
Any activity that leaks identity to the server, such as phone number validation, asking it for X profile, asking it for whatever key is needed to encrypt messages for X, etc.
link
f1refly 1983 days ago
Signal is available from f-droid, that alone is a big step from most other messaging solutions
link
upofadown 1983 days ago
Previous discussion about why Signal is not in F-droid:

* https://news.ycombinator.com/item?id=16432454

link
f1refly 1983 days ago
Yeah, you guys are right. I must've installed it via apk at some point and completely forgotten it's not on f-droid. Sorry for being dumb.
link
levosmetalo 1983 days ago
Signal is not available on the f-droid at the time. The Development team claims they have no interest in spending their resources on it.
link
em-bee 1983 days ago
because signal depends on non-free libraries, and replacing those is a considerable effort:

https://forum.f-droid.org/t/signal-wickr-on-f-droid-2021/122...

link
FriedrichN 1983 days ago
I can't find Signal in F-Droid. Telegram is available though.
link