Recommend Molly alongside Signal

Instead of just adding a link at the bottom “Signal Configuration and Hardening”

Molly has a really great track record with almost immediate updates with Signal upstream.

It is also recommended by GOS x.com

< volunteer note: changed the title from “Recommend Molly instead of Signal” to “Recommend Molly alongside Signal” to represent the actual change made to the site for any readers passing by >

1 Like

While I generally think Molly is safe, it’s yet another party you have to put your trust in. Also, if you like the original software, you should probably use that or sponsor it, instead of a fork, so the project keeps getting maintained.

8 Likes

Molly forked Signal because Moxie (Signal dev) didn’t want to implement local database encryption because “it will be stored in memory forever at first unlock”, on which the Molly dev proved him wrong (Signal vs Molly vs Molly-FOSS - GrapheneOS Discussion Forum), and with a lot of other features.

2 Likes

The real killer feature of Molly is that it uses much less battery to get notifications without Play Services.

1 Like

The devs of Signal posted this shady comment about such forks, so I don’t think recommending Molly is a good idea, even if it is somehow better.

In case the comment gets removed:
Quote

Hey there! Just some background on the website release: it was never intended to be completely free of any Google Play dependencies – instead, all our builds have a fallback such that during registration, if we detect there’s no Play Services, we will fallback to using a websocket for notifications. Using FCM for notification delivery still provides the most reliable user experience and is something we’d prefer to use if the user has Play Services available on their device.

Concerning F-Droid, we are already providing an auto-updating APK directly from our site, and we really don’t want forked versions of the app maintained by other parties connecting to our servers. Not only could the users using the forked version have a subpar experience, but the people they’re talking to (using official clients) could also have a subpar experience (for example, an official client could try to send a new kind of message that the fork, having fallen out of date, doesn’t support). I know you say you’d advocate for a build expiry, but you know how things go. Of course you have our full support if you’d like to fork Signal, name it something else, and use your own servers.

I think the rest of the discussion can happen on #9644. Thanks!

Archive link:

Link

1 Like

One of the reasons I’m kind of against this is because people should know that Molly uses the Signal network and isn’t just based off it. Signal has strong branding and I don’t think we should confuse people by pretending Molly is something else entirely.

Without Signal, Molly would not exist, not just development-wise but in the physical sense too.

It did however get moved off into the blog article about hardening Signal though.

11 Likes

Well, you could just base it off the Signal description to recommend using the Molly client.

And document the reasons.

1 Like

We’re definitely not going to recommend Molly instead of Signal, but I think we could probably add it in to Signal’s listing the same way we list Vaultwarden.

9 Likes

That’s what I had in mind.

1 Like

@jonah @dngray Mentioning that you don’t have to use your real phone number and that VoIP works fine with Signal at The Best Private Instant Messengers - Privacy Guides is important imo.

1 Like

Features that Molly has but Signal lacks:

  1. Uses OpenStreetMap for maps and not Google Maps, unlike Signal.

  2. Supports UnifiedPush for Push notifications. If you got no Play services on your phone, Molly falls back to WebSocket which is more efficient than Signal and drains less battery power.

  3. (Fully FOSS) Contains no proprietary blobs, unlike Signal (Molly-FOSS version).

  4. (Local encryption) Protects database with passphrase encryption.

  5. (Automatic locking) Locks down the app automatically when you are gone for a set period of time.

  6. (RAM Shredding) Securely shreds sensitive data from RAM.

  7. (Backup scheduling) Automatic backups on a daily or weekly basis.

  8. Supports SOCKS proxy and Tor via Orbot. Before you say Signal supports “proxy”, it is just for their TLS Signal server proxies.

And a lot more

What Molly is working on or planning to work on:

  1. Use a private crypto wallet (Monero) for payments integrated in the app, unlike MobileCoin, which is currently in the Signal app and is a well-known scam.

  2. Remote attestation (based on auditor)

  3. Sandboxing WebRTC

  4. Text only mode

It is actually funny how you think these features should be present in the official Android client as Signal “prioritizes privacy and security”, but Signal have clearly refused to implement any of those.

Molly devs are planning on getting an audit soon.

3 Likes

The question I’m asking myself is why is Signal refusing to implement Molly’s features in their applications, even though they are widely requested by the community?

3 Likes

For people who use Signal as their main messenger, including sending videos and pictures, this can definitely be a plus. Unnecessarily having to back up 10+ GB each day sucks. There are no incremental backups in place in Signal, only the option to do it every day or not at all.

1 Like

Because things like implementing stories and MobileCoin are more important. /s

1 Like

This requires running the server counterpart as well: GitHub - mollyim/mollysocket: MollySocket allows getting Signal notifications via UnifiedPush.

Anyone on GrapheneOS or 64-bit DivestOS will be using the GrapheneOS hardened memory allocator, which zeros RAM on free anyway.

Would love to see this, but I haven’t seen anyone actually start working on it yet.


(to be clear I think valldrac has done a great job with Molly over the years)

1 Like

I think Molly is only available for Android, right? No iOS or desktop app.

Yeah, I’m pretty sure a lot of people are using MollySocket - adminForge

Yes.

2 Likes

Yes, but you can still use the Signal desktop app even though you use Molly.

1 Like

But the Desktop app is an insecure mess.

Hopefully with the attention that Signal got over that quite recently, they will do something about it.

But as has been stated earlier, Mobilecoin is probably more important to them.

Personally, I would like Molly to make a browser plugin that works with Signal. That way you get the security updates of a browser rather than having to rely on updating Electron.