The thing with chat apps is that if everyone/most people I care about aren't going to use it, it's useless for me.

I know nobody who uses XMPP, Session, or Simplex. I do know people who use Signal and have convinced a few to use it. But that's it.

If nobody else, or very few people I know are using it, I'm not going to bother using it. This is a network effect type problem I believe.

    My family and a few close friends are all on Signal; anyone else who wants my number, well, they need to download Session. And if they don't, then I guess they don't really need to chat with me.

    Be a grain of sand in the workings of surveillance capitalism

      zkz

      Indeed, it also depends on the country; in mine WhatsApp is the most used, then Telegram is used for groups.
      I think most people have no privacy concerns; big tech knows how to exploit that vein of gold.

      If I'm honest, I don't think governments agree that a percentage of users cannot be spied on; there are excuses such as terrorism, jihadism, pedophilia, etc. to keep us all under surveillance. They are not going to allow this to change; they handed over user data to the government, when they said it was impossible for that to happen. Remember Protonmail, one of the most secure email servers, delivering user data to the government when they said that was not impossible.

        Icecube JS based browser emails like Proton, Tuta, Posteo, etc. are not secure from a targeted guv attack. They can inject code into the JS in your browser and get your key. However, we all need email, and the ones I mentioned are better than the alternatives. Companies put ad trackers in the pixels of their corporate logo in an email to you. Proton blocks these. It helps and if you are not targeted by guv for a high level hack, having your emails encrypted at rest no matter who you email means Proton is not using them for ads. Use Signal or Session or your messenger choice e2e for high threat model. No useful metadata with Signal. The e2e emails have a fair bit of metadata.

        As for OP, I just flashed my 6a to GOS for the first time a few months ago. Downloaded the Signal APK from their GitHub. No CAPTCHA.

          Icecube Remember Protonmail, one of the most secure email servers, delivering user data to the government when they said that was not impossible

          Can you cite specifically what information was given to the government?

            MoonshineMidnight And, when I say JS attacks I am talking browser based e2e emails on laptops and desktops. For their apps on an Android/GOS phone there is no JS so they are very secure that way from a targeted guv attack. However, they all leave metadata like who you emailed and received email from. With a court order the guv gets that and will figure out who you are.

            router99 I can. France wanted the IP of some environmental terrorist, they went through the Swiss court system, which ordered Proton to give up the IP. Proton does not store IPs, but they can get them. Same with all e2e emails. The guy the guv wanted was stupid not to have signed up for Proton and used it with an always-on VPN with kill switch. That's how I have always used Proton and Tuta.

              router99 I mentioned my solution. For Proton only download it and use it with an always-on VPN with kill switch. Only use e2e email providers on Android/GOS as the apps don't use JS. You are subject to a JS attack browser based on a laptop to get your key. Even then all the e2e email providers leave a fair amount of metadata which will bite you on court order.

              e2e emails are not for high threat model. Use Signal or Session. No useful metadata and Signal has had the encryption code independently audited and their open source encryption code has been gone over by all sorts of security pros and is rock solid. Plus, not only can Signal not see your phone number, they can't see your IP like the e2e email providers can. Snowden recommends Signal. If the phone number is a prob for anyone, use Session. I'm not very high threat model, and like I posted earlier, I want my contacts to see if I use Signal and I want to see if they are. The more the merrier. You can turn off sharing your phone number (I think it downloads without sharing by default) with contacts on Signal and the number you signed up with is a truncated hash on an encrypted Signal server. Signal can't access it and does not know your number.

                MoonshineMidnight

                Mailbox allows you to use your own private key, but you need to trust them to use your public key first without keeping a copy of the messages. Mailbox has an important lack with 2FA.

                Yubikey: Proton's implementation is a joke, I think Tutanota did better work. With Protonmail you can't disable the OTP code and it is overpriced.
                Posteo has no support for own domains and isn't at the top of privacy mails.

                  Icecube Yeah, I mentioned I use Proton and Tuta. Not perfect but better than the alternatives in my view. Like I posted above, e2e email providers are not for high threat model.

                  If your threat model involves concerns that Hilldawg level people are interested in you then you shouldn't be using email at all. The highest echelon of perfect opsec 100% of the time in use of supposed private email services will still fall short of what default configurations of newer communication protocols such as Signal and Session offer.

                  So if Signal asks for captcha identification when creating an account it is like sharing some of your information with e.g. Google? What is captcha identification? Who manages it?

                    Javcek
                    I tried it last night again. Installed the .apk from Signal's website. They have migrated to hCaptcha. Still unacceptable to me, never really liked Signal, tbh. As for whether Google was getting some information back when Signal was using its captcha, I don't know, but any company that would put this in their app is a no-go in my book.

                      AlanZ So you are assuming that any app or website that asks for captcha identification may be sharing some data about you?

                        I agree with the general “stay away from email if at all possible” approach.

                        Proton Mail is only okay if both parties are using it, and even then, I try to shy away.

                        I have friends who are real troglodytes, do not text, carry a dumb flip phone, leave it in the vehicle, because it’s for emergencies only. Too old and stubborn to change.

                          beammer335d I would also use Molly-FOSS if it wasn't draining the battery. Signal with Google services uses 3% of the battery overnight, i.e. for 7h. In addition I add 2% for running Google services, which gives a total of 5 to 6% for 7h of sleep. Without Google services Molly was using between 15 and 20% for 7h of sleep for me. I should add that this is all on LTE all the time.