I can’t imagine any messenger is private if you invite random people into a group chat 🤦♂️
Layer 8 security issue
error: problem between keyboard and chair
but nowadays maybe it works better with screen
PEBCAK Problem Exists Between Chair And Keyboard!
Knew of an IT help desk employee who used this as a resolution in a ticket. Yeah, he got fired as soon as the customer looked up what it meant.
Also known verbally as an “I. D. Ten T.” error (id10t error).
EVERYONE SHOULD DOWNLOAD SIGNAL for PHONE-NUMBER-based communication, tho. Proper RCS is not here yet (and won’t be in a long while), so let’s try to mobilize people to Signal.
DeltaChat is cooler for non-phone based communications, IMO, and decentralization makes it way sexier and worth this tradeoff.
The exact reason why it’s bad for top secret communications is why individuals should use it or something like it. That is government auditability.
No, it is not. 🚮
All I’ll say is Threema. You pay once for a licence, so there’s less bullshit people on it and they are based in Switzerland with it’s privacy laws.
Proprietary?
Not sure, but probably. But looking at their history I think they have a good track record and it’s used by the government as well in certain cases.
What kind of private communication can we talk about if you must have a valid phone number to use Signal?! Lol
Privacy != anonymous
Signal recently implemented “usernames” instead of phone numbers
Pretty sure you still need a phone number for an account, though - the usernames are just for sharing your contact with other people.
Most peoples’ phone numbers are easily linked to their identity. Which means the government knows who’s using Signal.
Usernames are definitely an improvement, but this is a fundamental limitation in Signal’s design.
If you want to get really technical, each Signal account actually has a ‘secret’ account number that the phone number is linked to. The phone number requirement is actually a means to reduce spam and scam accounts.
So they could have replaced it with, like, email verification or something, but they instead stuck to the design that lets governments identify all users?
<Insert rampant and unfounded speculation about FBI compromise here>
Wherever Signal is mentioned, I shall mention SimpleX-Chat.
Zero user ID needed to use. No phone numbers and no username.
SimpleX-Chat!!!
Out of band key exchange is great -as long as people can physically meet and exchange QR codes. In reality, they are often sent via less secure means. As always, the humans are the weakest security link.
Fair point, it always feels dirty to send invite-link through WhatsApp, the dominant messenger in EU.
How would one go to solve the invite problem? How does Signal handle this?
Phone number and trust-on-first-use for most people, with out-of-band fingerprint verification for the paranoid. It really depends on the threat model and the security practices/awareness of your colleagues, but a link shared on some social media or lower-security chat network is more vulnerable to a man-in-the-middle attack than a phone number for your average Joe. There are a lot of ways a person could get a manipulated invite link.
