• Signal Fault

last modified January 6 by strypey


Signal is a centralized chat app, which is used mainly on Android and iOS, and requires users to own one of these devices and provide their phone number to set up an account. Like most modern chat apps, it allows users to create lists of chat contacts, and communicate with them using text, voice calls, and video calls. Like Skype, FarceBook Messenger, Hangouts/Ello, FaceTime, Telegram, and many others, Signal is controlled by one organization that runs the servers and distributes the apps people use to connect with them, and you can't communicate with users on any other service.

The Slacking Off page contains some replacement suggestions aimed at team chat, but some of them may also be useful as a replacement for these centralized services, depending on how you use them. Ideally, users on all chat apps will one day be able to connect and chat with each other using an open standard like XMPP or Matrix, and there are already many apps and servers supporting these. There are also P2P chat apps like GNU Jami (formerly Ring), Tox, Briar, and Serval Mesh, which don't need any server. I (Strypey) haven't tested the others yet, but I was able to make a voice call with Jami using Bishop, my ancient 32-bit netbook. But I can't honestly recommend any of these yet as a drop-in replacement for the user-friendly chat apps most people are used to.

In the meantime, I recommend Wire as an improvement on Signal. The Wire app is user-friendly (at least compared to most free code chat apps), and easily usable by non-geek family and friends. Like Signal, the service provides E2EE, and both the app and server source code are available under a free code license. But unlike Signal it's Swiss-based, so it's not subject to the 5 Eyes surveillance agencies and it is bound by the EU's General Data Protection Regulation (or GDPR). Unlike Signal, you don't have to give Wire your phone number to set up an account, and you don't need to own a mobile device to use it. Unlike Signal, who consider federated networks obsolete, Wire are working on allowing users to run their own federated Wire server, which they will be able to use to talk to users on the main server run by the company, or other independent Wire servers.

More About Signal

The Signal service is run under the direction of celebrity cypherpunk Moxie Marlinspike, under the funding umbrella of a US-based non-profit foundation called Open Whisper Systems (OWS). The technology behind Signal has its origins in proprietary software (TextSecure and RedPhone) written by Marlinspike's company Whisper Systems, which was acquired by Twitter. The source code for the end user apps was released under a free code license, and Marlinspike left Twitter and formed OWS to continue development.

What initially distinguished Signal from other centralized chat services was a protocol sometimes known as "Axolotl" (although it's now officially the Signal protocol), that tries to prevent anyone (including Signal themselves) from spying on users' chat sessions using End-to-End Encryption (E2EE). WhatsApp, FB Messenger, Ello, Telegram, and others now claim to offer E2EE using "Axolotl" too (either the full Signal Protocol or the Double Ratchet Algorithm component), but since the source code of their server software isn't available to be audited, it's hard to be sure. Because of this, under pressure from the software freedom community, OWS eventually released the source code for the Signal server software.

But the Signal Android app still depended on some proprietary code owned by Google, so a fork called LibreSignal was created to remove non-free dependencies. On May 6, 2016, a user asked for LibreSignal to be included in F-Droid, the free code app library for Android. This led to an infamous debate on the F-Droid issue tracker, in which Moxie demanded that developers stop using the word "signal" in the names of any forks, and stop using them to connect to Signal's servers. On May 10, 2016, a couple of days after his last comment in the infamous F-Droid discussion thread, Moxie published a post on the Signal blog called 'The Ecosystem is Moving'.

In November that year, Moxie started experimenting with allowing Signal users to access a GIF search system called GIPHY, which he acknowledges was an odd choice for a chat app whose elevator pitch is encryption and security:

"This is of some concern. While it might seem silly to worry about GIF search confidentiality, what you search for is in some sense the 'content' of your message. Instead of sending 'I’m excited,' you searched 'I’m excited'."

In 2018, software engineer Drew DeVault (creator of web-based code forge sr.ht) published a blog post entitled 'I Don't Trust Signal', which addresses some of the claims Moxie makes in both the F-Droid thread and the blog post. Drew's post pretty much sums up my thoughts on the subject. Drew knows a lot more about the technical ins and outs of this than I do, but the post is pretty readable by Jo Users.

Signal fans don't like Drew's post, and when presented with some of the many reasons why Signal isn't safe to use for sensitive communications by people who are potentially being targeted by governmental adversaries, they tend to claim that's not what Signal is meant for. But this is precisely the elevator pitch of Signal: that it's a secure, encrypted communication system, suitable for use by future Edward Snowdens, and Snowden regularly praises the app. As recently as mid-2017, people were publishing lists of "Basic security precautions" recommending the use of Signal or WhatsApp "for non-profits and journalists in the United States" (emphasis mine). This isn't just user confusion either. In another comment on the F-Droid thread, Moxie also claimed that:

"... all the dissidents, activists, NGOs, and journalists that I've met are not willing to put up with that. It's why they use Signal."

 Critical articles about Signal:

Fediverse debates about Signal

  • https://mastodon.nzoss.nz/@strypey/101368165804910431

Signal Court Documents

  • https://signal.org/bigbrother/eastern-virginia-grand-jury/
  • https://www.aclu.org/blog/national-security/secrecy/new-documents-reveal-government-effort-impose-secrecy-encryption