What If: Signal Was Part of the Fediverse?

Was that the punch in the face, or was it all the morons intentionally misinterpreting this argument and saying "but why would u want to send nonsecure messages are you aware SMS isn't secure it's like so insecure to send SMS bro it's not secure it's like literally a security risk bro SMS isn't secure at all and also are you aware SMS security is poor"

Same here. It's pretty frustrating.

My family still uses it vs texting. We like the video calls as well. :)

Well, yes. But when all your friends are already on Facebook Messenger, good luck getting them to install Signal only to talk with you. Network effects are important; a messaging app has no use when you have nobody to message on the app. Supporting SMS was taking advantage of its network effect, and I don't think their network was big enough to be self-sustaining for most users (it wasn't in my case, my only contact in there is my wife).

I don't think you understand why current servers operate the way they do.

Matrix server implementations function on the idea that your data lives in the server, so of course it needs that information (who is here, who is talking to whom) - or else, as an example, if you lost your devices you wouldn't be able to recover your info (like on Signal).

I don't want Signal's Peer-to-Peer solution. I own my server, so I'm okay with keeping my own metadata. I want my communications with others to be encrypted, but recoverable if I lose access to my devices.

I think what you want is a Peer to Peer encrypted solution, which Matrix is working on, but isn't available yet.

Follow this site for info on Matrix's progress in that space: https://arewep2pyet.com/ What you're looking for is info on Pinecone.

TLDR: poop wants a peer-to-peer encrypted network, Matrix is not that (yet).

Further reading:

Matrix's architecture today means that the servers can see who their users are talking to, and when - but not what (assuming it's end-to-end encrypted). Just like a PGP mail service like Protonmail. Because Matrix stores conversation history on the server (unlike Signal) so you can get at it when from multiple logins, you end up with that metadata stored on the server.

We're fixing this by working on P2P Matrix (as per the blog post - it's one of the main initiatives that the funding is going towards). https://matrix.org/blog/2020/06/02/introducing-p-2-p-matrix explains how P2P addresses the metadata problem.

(...)

Genuine question: where are you guys on Beeper, privacy-wise?

Yes it is. But there are also unencrypted chats/rooms

True

Maybe, but if I want to privately talk to randos from the internet, then using my phone number like with Signal is a no-go from the start. Threema is paid and only partially open source.

Session is fully decentralised and while you can think of crypto whatever, at least it gives people the incentive to run nodes, unlike Tor where the incentives are all over the place, or centralised messengers which are fully reliant on one entity.

https://getsession.org/

Try Matrix or XMPP.

That's fair! If you're on these type of forums, there are a lot of Signal haters and a lot of Matrix lovers, and sometimes they like to make confusing or just straight up inaccurate statements. The crux of the issue is not about the encryption of the text of messages themselves, which both platforms are capable of doing. Personally, I wish there was something like Signal but without the centralization, but the reality is such a thing doesn't exist.

Signal (as in the Signal server and by extension the legal entity behind Signal) does not know what groups you're in, does not know who's in your contact list, does not know which groups you are sending messages to, doesn't know which groups exist, and can't tell the difference between a message, a reaction, a read receipt, a remote delete ("delete for everyone"), an edit... etc. Signal doesn't have a way to send anything between two parties that the server can see. Signal has received a number of subpoenas which they typically fight, and if/when they lose they over all of the information they have about the subject of the subpoena, which tends to be whether or not they have a Signal account, when they registered the account and when they last used it. You can see these at https://signal.org/bigbrother/

Matrix (as in the Matrix server you're registered on as well as the servers of whoever you're talking to, for groups that means everyone in the group, notably this is not necessarily the same as the legal entity behind Matrix, but in practice a LOT of people use matrix.org for their home server so it frequently is) can see basically all of the things I listed above. The text of normal messages is encrypted. The group membership list isn't encrypted. reactions aren't encrypted. read receipts aren't encrypted. Group membership lists are stored in plain text.

Facebook Messenger offers optional end to end encryption just like Matrix. Just like Matrix, the server knows who you're talking to, what groups your in, who else is in those groups, how many messages you sent to which group, who's messages you react to, etc. But the actual text of the message is technically encrypted so Facebook can't respond to subpoenas for your messages. I use Facebook Messenger as an example because Facebook is (correctly) generally considered not private or safe.

"theoretically" being the operative word here. Most people don't. And if they did, they wouldn't be able to talk to anyone else without the metadata getting copied to that person's server. Probably okay if it's between two information security experts who operate their secure own servers, but in reality most people don't do that. This could be summarized as: Matrix offers a lot of easy ways to be less secure, Signal does not.

As for WhatsApp, I know they have paid or maybe still do pay Signal for their encryption. I believe Facebook Messenger did or does as well. I'm not sure what the actual implementation looks like and neither is anyone else, because it's closed source.