• [deleted]

zkz It depends if it's privacy respecting enough

How convenient of you. If Signal and Threema were my only two options I'd have no social life.

    AlanZ hCaptcha has nothing to do with Google. As Signal has grown (massively when Elon Musk Tweeted "Use Signal") they are getting hit up with tons of spam and bots.

    "hCaptcha processes data close to the user in more than 250 locations and has always focused on de-identifying, discarding and aggregating all data as rapidly as possible, ensuring maximum compliance with privacy laws via our privacy-first design."

    https://www.hcaptcha.com/post/protecting-user-privacy-is-not-optional

    • [deleted]

    MoonshineMidnight Plus, not only can Signal not see your phone number, they can't see your IP like the e2e email providers can.

    A phone number is required to use Signal. IP address is very basic info used to identify a device, so Signal servers will obviously have your IP address.

      I'm using both Molly-FOSS and Briar.
      I can use Molly in conjunction with Orbot, you can enable the TOR function within the Molly settings. (I am not sure it is very useful because the phone number is still an identifier, even through TOR)
      I wonder if client-side scanning (if being implemented) is going to affect Molly due to it being based on Signal, even though PGP-based messages are still possible (it is great for whistleblowers, dissidents, etc.) or even PGP-based solutions like the app Kryptey is offering.
      Briar (no phone number) can work through a mesh-network (offline) and it has a TOR connection built in for online usage.
      I do have to login every time I reboot my phone, that is however a security feature of Briar, I am just not sure if my contacts are willing to login every time though.
      Briar is also good during disasters for close-range communications. (Unless there are enough Briar-users around in the local area between you and the recipient, then longer range communications can also be established, albeit it possibly being slow)
      The Briar APK-file can be shared from within Briar itself, and Briar supports a local forum and weblog of sorts. (Haven't tried that out myself as of yet)
      Just don't forget to enable split-tunneling for both Molly, Orbot and Briar within the VPN (if supported) if you don't want to route your TOR connection through a VPN. (Also turn off "block connections without a VPN" within the GrapheneOS VPN settings when using split-tunneling)

      [deleted] Signal processes your IP address to make connections (even with a VPN), but it never touches disk and is deleted immediately after use by the Signal Protocol. That's why they can't see your IP address.

      Note in the below subpoena, the guv asks for everything - including IP address. Note Signal responds with only date app downloaded and last used. That's all Signal can see. Signal does not provide an IP address. Subpoena and Signal's response at bottom of page. As for the phone numbers, the guv provided them to Signal. If you give them a specific phone number, their system allows them (only) to see when that phone number downloaded the app and last used it.

      https://signal.org/bigbrother/cd-california-grand-jury/

        • [deleted]

        MoonshineMidnight Signal processes your IP address to make connections (even with a VPN)

        Wait, do you mean that Signal sends your actual IP Address bypassing the VPN, or just the IP address provided by the VPN?

        MoonshineMidnight but it never touches disk and is deleted immediately after use by the Signal Protocol.

        But Signal servers still do have the ability to log the IP address right?

          [deleted] Signal uses an IP they themselves can't see or access as it is only on RAM and never hits a disk on an encrypted Signal server. If you are using a VPN they use your VPN IP to make connections. This is even better because even if Signal could see your IP (they can't) they just see a VPN IP. If you are using your real IP, they still can't see or access it as I described.

          Signal servers as configured don't log your IP address (just like solid VPNs don't) as I described. It stays on RAM and never hits a server disk and then the IP is deleted. Signal did this with their own open source e2e Signal Protocol - which is the newer encryption they developed to solve the problems with older PGP which leaves a lot of metadata like IP and who you contacted and who contacted you.

          By the nature of browser based email, most of the e2e email providers use older PGP encryption. They have not been able to implement the more secure open source Signal Protocol. I'm hoping in the future some e2e email provider can develop a fork of open source Signal Protocol and get rid of the PGP metadata on e2e emails, but for now e2e emails are not high threat model and Signal is. Like I posted, you don't have to share the fact you are using Signal via phone number with contacts if you don't want to and your phone number remains a truncated hash on an encrypted Signal server. For this reason I don't see a big deal with Signal requiring a phone number as they do not have access to it or your contacts (or anything on the app). But hey, if a phone number bothers you, use Session with its small user base. Session works if you have a couple of people who also want to use it with you. If you make your phone number available to contacts on Signal, you can have e2e calls/texts to more people. And, Signal can not see your contacts and they can not see which ones use Signal. All calls/texts are e2e with the key on your phones, so Signal has no access to that. Again, Signal has no access to anything except date app download and date app last used if guv gives them a specific phone number via subpoena.

            • [deleted]

            MoonshineMidnight Signal uses an IP they themselves can't see or access as it is only on RAM and never hits a disk on an encrypted Signal server.

            Why should we assume that the Signal Foundation doesn't have access to the RAM?

              • [deleted]

              MoonshineMidnight As for the phone numbers, the guv provided them to Signal. If you give them a specific phone number, their system allows them (only) to see when that phone number downloaded the app and last used it.

              This was recently reiterated by Meredith Whittaker in Signal President Meredith Whittaker on resisting government threats to privacy:

              We fight the subpoena requests we get. And if we aren’t able to fight them, we then provide the data we have, which is the fact that a given phone number registered a Signal account, when that phone number was registered for a Signal account, and when they last logged into Signal.

              If you download the Signal APK from their official website, does it support updates manually or automatically? Do notifications work across profiles?

                • [deleted]

                PMUSR Website APK self updates, Play/Aurora version does not. Cross profile notifications are not specific to any app.

                  [deleted] Thanks. What about Session and Simplex? Do you know if they update themselves if you download the APK from their official website? I can't find this about them. I'm not on GOS yet so I can't test by myself.