@sir I like how they don't mention the need for phone numbers to use either, which puts a direct homing beacon on what is supposed to be an otherwise secure service.

@sir On one hand I really dislike Signal's behavior, on the other hand it's...kind of the right approach?
Not the "forcing users to use proprietary software if they want updates" and "refusing to use f-droid" parts of the approach, but a single client is kind of necessary for what Signal is aiming to do, isn't it?

@sir Signal's goal is security for everyone, and when you look at the code quality of alternative clients for platforms that allow it, you see things like...

* Mail clients that embed a web engine on top of another web engine (basically all GUI mail clients, including from "trusted" projects)

* Web browsers that push things like scripts, Java Applets and Flash (basically forcing them as de facto standards or to be implemented as real standards)

* Poor implementations of crypto (see: Enigmail)

* Bloated and worse-than-reference implementations of crypto (see: any implementation of DJB's work that doesn't come from DJB)

* Chat clients that have collapsible code blocks, making clients that don't implement them have to start parsing messages to make chat tolerable again

For something where the primary goal isn't to be "secure," this is fine, if irritating. That HTML mail and DRM in web browsers are standard now because irritating companies strong-armed them is a pretty good example, I think.

The entire goal of Signal was "messenger that even a random child could reasonably assume to be secure using," but when people aren't forced to the latest version of a single client, this breaks crowd immunity (people on up-to-date versions of the reference implementation get harmed by people on outdated or non-reference clients).

Of course, Signal fucks it up by relying on centralized, trackable infrastructure to function (secure but not anonymous), so I think 99% of it is wrong, but I don't see how "Only allow one client" is a bad idea.

@sir By "'trusted' projects" I meant projects that have high user trust (deservedly or not), like GNOME, KDE, Microsoft & company.

@sir

> So my recommendation is just to ignore Signal, as they ignore us.

I love it.

@communist @sir Matrix has a terrible reference implementation, the spec isn't even a real spec, the project's eponymous homeserver is filled with problems, none of the clients are decent, E2E isn't turned on by default for dumb reasons, it has terrible onboarding, Matrix's development is entirely tied to a venture-funded for-profit enterprise, I can think of some more problems with Matrix, if you want.

@kick @communist @sir Yeah, to be honest, while I like the idea of Matrix and the concept of it, the actual implementations leave tons and tons to be desired. That basic management bits are still missing after several years (but hey, we have “communities” now!) says a lot about their development methods and such :(

@sir do you have a preferred secure instant messaging platform that works reasonably well on mobile phones?

@old97 @sir XMPP, using conversations.im? At least this is what my friends with mobile phones tell me; I talk with them from a PC with a text-only client, and no phone number ever had to be exchanged.

@valhalla @sir thanks for the suggestion! I'll take a look into it. I also thought of Matrix but the UX leaves a lot to be desired.
