Telegram Says It Will Provide User Data to Authorities

Doesn’t Signal have to do this as well? They clearly state in their privacy policy:

Other instances where Signal may need to share your data

  • To meet any applicable law, regulation, legal process or enforceable governmental request.

The thing that people forget is that Telegram can access data and doesn’t want to comply with the law, whereas Signal, like any other company, has to comply with the law, except that they can’t access data.
There’s a difference between wanting to and being able to: Telegram can but hasn’t wanted to cooperate, and Signal is cooperating with the law but can’t provide the data.

3 Likes

They only have two non-E2EE pieces of data: Unix timestamps for when each account was created and the date that each account last connected to the Signal service. (Signal >> Government Communication)

See this (“However much they care or don't care about it, the salience of this NDSS paper i... | Hacker News”) for this feature

Telegram can access messages in clear and has not wanted to give out the exchanges, whereas Signal cannot access them or give a history of conversations.

1 Like

Why did you link me to this?

All I can see is a comment where someone is simping for Signal, then a comment where someone is being reasonable, and then a comment where someone is simping for Telegram. What was the point of this link?

1 Like

It’s about the study you linked.

Yeah, this guy that is one of many Signal stans.

Why did you link this?

All I can see is a paper detailing an attack that can be done on Tor, SimpleX, and any other service where an adversary can infiltrate the entire network or a major part of it. Even Mullvad and other VPNs are vulnerable to this, which is why they are bringing stuff like DAITA. What’s the point of this link, except getting a “no shit Sherlock” from anyone who follows these attacks?

The part above you detailing the difference in compliance by Telegram and Signal is factually correct and verifiable by court documents. Anything else is hypothetical attacks that can occur anywhere, or FUD. Please don’t link unrelated topics, keep the discussion on topic.

Not true, SimpleX and Tor are decentralized, it is much harder to control all nodes, unlike Signal which is centralized. Signal or AWS can trivially do it if they want to.

2 Likes

Forgive me if I don’t drink the decentralization Kool-Aid. There is a large crowd in the privacy community that thinks decentralization is a positive for privacy, and thus constantly pushes projects like Signal to compromise by allowing every Tom, Bill, and Harry to roll their own server. This is about as correct as the push for Open-Source. Both are actually orthogonal to actual privacy. Let’s review decentralization in SimpleX:

  1. Does SimpleX have reproducible builds for their client apps? No.

Reproducible builds – this is the limitation of the development stack, but we will be investing into solving this problem. Users can still build all applications and services from the source code.

  1. Who hosts the majority of current SimpleX servers? SimpleX.
  2. Who will host the majority of SimpleX servers if it does take off? Institutions that can bear the cost (economic, legal, and social), so mostly the ones that run Tor nodes right now: Governments and random entities that can be shell companies and malicious exit nodes. (Signal ensures you only need to trust one entity) (But…but…, decentralized right? I don’t need to trust servers??? No, you do, see point 4)
  3. Are publicly hosted servers verified to run SimpleX code? Not really, they have no way to verify. (BTW, Signal SGX actually solves this better than SimpleX currently does)
  4. Can they protect against malicious servers or end users trying to identify you? Not really, they themselves state servers can collect a lot of information, like your IP. (Source) (Source 2)

Same problems with decentralization constantly hurt Tor (2021 attack) (Case where a single bad entity controlled 23% of exit nodes. Imagine multiple bad entities collaborating)

I really like SimpleX. I want it to succeed. Same for Cwtch. But stop hand waving away actual criticisms by citing “decentralized”, or “FOSS”.

Signal and SimpleX have different threat models and priorities. Let’s stop spreading half-baked ideas about them, and actually ensure they have large enough networks to make network analysis attacks economically tough to do.

This is more for the benefit of readers than the flag waving evangelists, who anyways have their preferences set, and want to feel “right” rather than be.

1 Like

Irrelevant to decentralization, and they are planning on supporting it.

  1. answered in point 3

  2. There is Server transparency.

  3. Signal-Server code not public since April 22 2020 (Last commit on codebase) and Proper secure value security: PINs are too easy to brute force, SGX is not reliable enough

  4. SimpleX blog: SimpleX network: private message routing, v5.8 released with IP address protection and chat themes

Your info about SimpleX Chat is very outdated. Stating that Signal is centralized is a true fact and they stopped caring that much about improving their client & protocol security, there’s a reason why a lot of people that care about client security & privacy use Molly.

1 Like

Molly developers are also working on this: GitHub - mollyim/sweetlies-server: Server prototype for hosting a private Signal network.

What’s different about the servers Molly works on and Signal’s?

Signal’s source code: code over the wall.
Molly’s source code: actually usable and useful.

1 Like

I don’t understand the meaning of this sentence, even with DeepL “code over the wall”. Can you elaborate?

What I meant is that even if you can see the code, it’s useless.

OK, I thought that Signal’s servers, as well as being open source, were easily reproducible etc. I’m thinking of switching to Molly for good.

It is relevant though? Reproducible builds are essential for building trust in binaries released by a project, which is directly relevant to how much the community actually wishes to contribute to decentralization.

Not answered it at all. There is no answer. SimpleX is not decentralized enough at this moment. And it probably won’t be even a fraction of Tor network at this point, which is also plagued by the same problems. Quoting replies does not mean you answered anything.

Also, please correct your understanding. Server transparency is not a solution, it is passing the buck to the end user. “You can select the server you like”, but they also say “we can’t ensure they run our code or are actually who they say they are”. It’s in the post you linked lmao. It’s a fundamental problem with decentralized networks, you can’t solve it by fanboying.

Also your point about SGX and then comparing it to server transparency and other initiatives is insane. You are effectively saying no security (server transparency) is better than low security (signal infra).

Released on June 4, 2024. Not exactly old. Imagine thinking hiding user IP is groundbreaking in 2024. Please just stop embarrassing yourself and digging deeper. It’s like saying Proton can solve email issues: The problem is not the company, it’s the underlying structure and assumptions with decentralization. Just educate yourself, can’t spoonfeed you basics.

Your information seems old too, from the time of Moxie lol. See here: Commits · signalapp/Signal-Server · GitHub. What a bum, I thought you were actually serious.

It means they don’t build software on GitHub/GitLab, or other public avenues. They code it internally, and then throw it over the wall into the public avenue. It’s a bad practice for FOSS projects, since you cannot actually see the gradual changes and reasonings, but only see huge releases.