• 𝕽𝖚𝖆𝖎𝖉𝖍𝖗𝖎𝖌𝖍@midwest.social
    2 years ago

    TFA claims Signal is the gold standard, which raises my eyebrows, especially as the author - in the same breath - admits Signal leaks metadata.

    There are chat clients, less popular, less well funded, that don’t leak metadata. Signal may be a good choice for the average non-techie, but it’s hardly the gold standard for private chat.

    • ᗪᗩᗰᑎ@lemmy.ml
      2 years ago

      I’ve read from SMEs that Signal is the gold standard for encrypted private messaging. I haven’t seen that claim of any other messenger. What are the alternatives?

      I’ve tried Briar and that seems like it may be good in 5+ years, but not something I’d ask non-techy people to use in its current form. Session dropped Perfect Forward Secrecy because it was too hard to make it work. I don’t want security features dropped just because they’re “hard”, so that’s an immediate no from me. What are viable alternatives that don’t leak metadata?

      • 𝕽𝖚𝖆𝖎𝖉𝖍𝖗𝖎𝖌𝖍@midwest.social
        2 years ago

        “Popular,” and even “ease of use,” are not relevant for the label of Gold Standard when we’re talking about security. Functionality for purpose is relevant, but if we’re allowing for weaker security in trade for ease of use then I’d say just use SMS; sure, it’s not as secure as Signal, but it’s a lot easier.

        Reductio ad absurdum aside, there are by my count about a half-dozen systems which are more secure than Signal. Systems which don’t require you to give up your phone number, or publish it, or leak other personal metadata. You mentioned one, Briar, and there’s SimpleX Chat, Tox, and Jami (the latter two have been around for a few years, and IIRC Jami’s been audited). There are any number of apps (web and mobile) that claim encryption and anonymity such as Confide, Onion Chat, ChatS, Speek!, Peekno, and Threema. Ocelot and retroshare.io are peer-to-peer with no central servers, and are probably (metadata) secure.

        I wouldn’t call any of these individually the gold standard, but several are obviously more secure than Signal.

        I can’t get over how any system that required such a traceable and abusable piece of PII as a cell phone number could be considered the gold standard for privacy.

    • TheAnonymouseJoker@lemmy.ml
      2 years ago

      No messaging platform exists where zero metadata exchange will happen, and the only way to reduce metadata exchange is via centralisation. Federated platforms by design will leak a lot of metadata. It is only for developers and users to decide what is acceptable.

      • It’s not about metadata exchange, but metadata exposure.

        Two of those platforms use self-hosted node servers. Behind a VPN with multiple customers, this is virtually untraceable. And certainly far less easily traced than by giving away your cell phone number to a company.

        • TheAnonymouseJoker@lemmy.ml
          2 years ago

          This is why I said it is for developers and users to decide what is acceptable. The sensitivity of what you are doing, and the required threat model, determines what elements are acceptable to leak.