[nanomonkey]

Good luck brute force guessing an Ed25519 keys (32 bytes).

Honestly there are so many better options than phone numbers available. If you're already using QR-codes to transmit user ids, you might as well use something that is transferable and user generated.

[godelski]

You're reading the problem wrong. Yeah, even considering the birthday problem you're going to have a hard time finding a valid key.

But now we have a discovery problem. How do I find my current contacts? Do I need you rebuild my social graph from scratch? Good luck getting my friends with PhDs in computer science doing this, let alone my grandma.

Entropy is a double edged sword. IMO signal is doing a good job here. We can go drop phone numbers completely when enough people are using signal. But while the userbase is low it's probably worth the 3 spam messages I get a year. I get more than that in a week on my iPhone and more than that a month when I used Android. So I'll take the trade.

And I must stress, the phone number issue is about privacy, not security. At least with regards to signal

[nanomonkey]

One can still use simpler contact information like a phone number, email or QR code to transfer a user id.

While I love what Signal has done, the compromises are significant. I use Secure Scuttlebutt, Cabal, Spritely Goblins, Tor, email and a variety of other P2P software on whatever device I like, but Signal requires a phone with Android or Apple, and requires that I lock my id to my phone number.

[godelski]

  > the compromises are significant.
  >  I use Secure Scuttlebutt, Cabal, Spritely Goblins, Tor,

And which of those are you able to communicate with your grandma on?

Honestly, I don't care how secure or how private (phone numbers are a privacy issue, not a security issue) if I have no one to communicate with. You need to solve the mass adoption problem.

[omnimus]

You know Signal is doing something right when even the constant doubters use it. Exactly because it's very accessible.

There are always compromises some of them are hard to make. Signal successfully makes private / secures the “normal” conversations that would otherwise be on some Facebook owned app. None of the alternatives manage to do that.

Once you get Signal messages from randos without fist contact. Like airbnb hosts with password codes or IT admins or lawyers… it makes clear that they are doin it right.

Honestly it's just shame the platforms won't allow them to be the “native” sms app like iMessage. That would be the most ideal and probably upset much of the police deparments.

[godelski]

It's always the same complaints and they are trivial. Phone numbers, onboarding is hard because capatcha (wtf?!), signal is pwned because they got money from a government grant, moxie did some weekend hacking to integrate a cryptocurrency and so it's all shit.

I've never understood these. Even the non conspiracy stuff is just... nothing. Like do what? That's a roadblock for you? Then you shouldn't be on HN or be using a phone in the first place. Best to get off the internet all together.

I just don't understand why there's so much passionate hate. It feels like bots and trolls running a disinformation campaign but I actually think it's real people

[omnimus]

Perfect is the enemy of good.

It's sad because the people who are doubting tradeoffs Signal deliberately made don't seem to realize that it's these tradeoffs that make Signal work. They also usually don't offer any good faith critique, answers or solutions.