[dewey]

Not directly related to the topic but how is it that Threema is the only popular secure messenger where you have a random ID to give to people to communicate with and not a phone number (Signal) or have your name show up across all your contacts / groups (Telegram)?

[tptacek]

You're right; this isn't directly related to the topic. It's a recapitulation of every thread we have ever had about Signal, on a story that has very little to do with Signal and that unveils new cryptography research.

Unfortunately, this is a big dynamic on HN, not just on cryptography threads, but especially on threads rooted in stories with intense technical details. It's time consuming to bring yourself up to speed with what the paper says, but it's easy to have something to say about, say, Signal phone numbers. Which means comments here will be heavily biased towards superficial and tangential stuff.

[dewey]

I get your point but this is not a thread about Signal. Threema is a lot less common of a topic on HN than Signal and the only reason I’m using it and am familiar with it is this feature so I don’t think it’s such an off topic question to ask.

[pvg]

Repetitive discussions are off-topic so hanging one off a different, more specific topic is a lot more than somewhat off-topic, it end up being thread vandalism, however well-intentioned or outright unintentional.

[godelski]

It makes sense to talk about Signal in these types of threads, despite not being about Signal, because Signal is still the de facto private messenger. The userbase is much larger than that of Threema so it is worthwhile to compare how these platforms are doing things differently. Especially in the context of if users should switch. Just like how in threads about Signal it is similarly appropriate to discuss WhatsApp and Telegram (and vise versa). Though I'll admit that these conversations can degrade into flame wars and get off topic quickly.

[tptacek]

Compare with respect to the research? Sure. Compare in all other respects? No.

[_8j50]

To be fair, they also mentioned telegram and the subject of the comment was a really good feature of threema.

[tptacek]

The thread is about new cryptographic research. Or it was, and should be.

[_8j50]

I don't disagree but I don't think asking what the point of good cryptography is, if it is practically unusable, entirely offtopic but a discussion about the specifics of the research is what I think should take place as well.

[gnramires]

Another one is Tox (completely distributed, no servers involved!): https://tox.chat/

I do like this feature a lot. I think converting to passphrases (random words) as well could be a good idea (to make it easier to share) -- I think it's a good simple way to make decentralized/secure systems.

[TechBro8615]

Telegram is an obvious law enforcement honeypot. Trust me bro, just upload all your contacts to our servers bro, we won't share them with anyone, promise...

Hey, me and the guys are planning a riot at the Capitol. Wanna come? Join my telegram group and we can talk about it in secret thanks to end-to-end encryption! Here's the public link...

[grammers]

Not sure, but it seems like from a usability perspective it's easier for apps to 'just connect' people in your contacts via the phone number. From a privacy perspective, though, it's much better what Threema does.

That's also why I use Tutanota, one of the very few mail providers that you can use without a phone number.

[godelski]

I agree here, but I think there is a simple and obvious middle ground. Allow for contacts to be connected through the address book (one time or continuous) but ALSO allow for contacts to be added without phone numbers. This could be through usernames or one time codes (like a QR or temp username). But importantly, there needs to be chat level handle specification. I don't want all my contacts to know I'm Godelski and I don't want all my contacts to know I'm [redacted]. I might also have other handles. It shouldn't be a difficult challenge to handle chat level handles (with a default option). It seems like just such an obvious solution. But I'm not a security person so maybe someone can tell me why I'm being naive.

[lxgr]

> [...] 'just connect' people in your contacts via the phone number [...]

Threema also allows that.

I think they really nailed that aspect: Tie the primary identity to a key, not a phone number, and then add a discovery layer on top of that.

[sundbry]

It's not, there's also Session https://getsession.org/

[dustyharddrive]

Attached to some cryptocurrency BS :(

[alibert]

There is also https://www.olvid.io

Tech paper for anyone interested: https://www.olvid.io/assets/documents/2020-12-15_Olvid-speci...

[sampa]

Matrix uses email-style ids

[Melatonic]

Wickr was decently popular but unfortunately is now owned by Amazon

[jtbayly]

And new users can’t sign up anymore and it’s being totally turned off at the end of this year.

[godelski]

I think Signal takes its community temperature from their forums rather than other places that people normally talk on the internet like HN, Reddit, or Twitter. It is rather odd and those forums are pretty trash if I'm to be honest. There are a lot of people that fight tooth an nail on there to make Signal as static as possible, meaning no new features or anything else. A particularly interesting one I saw was a user saying Signal has pretty much solved the E2EE part and needs to focus more on privacy and anonymity[0] and a user just said that's not what Signal is about. I've seen users argue about deletion as "well you can't guarantee message wasn't seen, so don't 'trick users'" and argue that data sent to you is unequivocally yours and no one else's (even saying if someone accidentally sends you a nude that this is justification to not delete. Because they want the nude). So I've stopped going there because the environment is toxic at best. But on the other hand, I think places like Reddit/Twitter (and even HN) are critical on Signal in ways that don't make sense. Just creates too much noise (Twitter threads are just full of users asking about usernames no matter the topic. Come on people. I'm frustrated too, but you're just noise).

I love Signal and think it is a great problem. I think it is too slow (e.g. username rollouts...) -- especially with Moxie's famous fuck decentralization speech -- and needs to actually adapt to the moving ecosystem, but people complain about it in weird ways. For better or for worse, right now it is the best game in town simply because messaging apps require networks. We'll see if they last though, because they aren't adapting fast enough. I think this would be a shame. But it is also a shame that Signal is failing so hard.

[0] https://community.signalusers.org/t/signal-needs-to-shift-to...