Signal commit Username Integration Test

github.com

49 points by robertjglick 2 years ago · 75 comments

rt4mn 2 years ago

I really hope this eventually leads to a situation where an adversary can't forcibly de-link you from your signal account by taking control of your phone number or intercepting an SMS.

  • tech_ken 2 years ago

    Doesn't the registration lock feature resolve this?

    • rt4mn 2 years ago

      Nope. "If Alice registers number X and enables reglock, but Bob later proves ownership of number X (by registering and completing the SMS code), then Alice will be unregistered."

      IE, if someone intercepts the SMS code, even with reglock, you can forcibly de-register someone. This means if you lose access to your phone number, you can easily lose access to your signal account.

      https://github.com/signalapp/Signal-Android/issues/12595#iss...

      They justify this by saying "The intention of reglock is to prevent hijacking of numbers you actually own, not to guarantee the number for yourself for life", but it's way too easy for activists and dissidents to lose ownership (temporarily or permanently) of phone numbers for the phone number system to be the backbone identity system for a secure messaging platform

jstanley 2 years ago

What are we looking at here?

  • barbazoo 2 years ago

    Signal at the moment requires a phone number. People don't like that e.g. for privacy reasons. Signal said they'll eventually support usernames, this is a signal that there's progress.

    • contact9879 2 years ago

      Signal will still require a phone number for registration. You will be able to hide your phone number and use a username instead.

      • rnk 2 years ago

        I hope I can finally put signal on my second phone with the same account.

      • wkat4242 2 years ago

        Crap, I wish I could use it without a phone number altogether.

        I was hoping this would be the case. It's the problem with telegram too, you can show a username but you must still have a phone number.

        Matrix does this really well though. So I use that a lot. Unfortunately not many people do.

        • GlumWoodpecker 2 years ago

          Session [0] is an up and coming, open source E2EE messenger that doesn't rely on phone numbers (and doesn't require them). It also routes messages through Tor. It's fast and reliable, and I always get notifications on time.

          It has some disadvantages though, depending on how you use it. Your ID is a 66 character long hexadecimal hash instead of a classic username. Another disadvantage I've found is the paltry 10 MB attachment limit - trying to share a short video clip I made on my phone required several re-encodes to dip below the limit. Even some still photos will hit that limit, depending on complexity. So not very good for sharing media, but great for texting, in my experience.

          [0]: https://getsession.org/

          • wkat4242 2 years ago

            That hash thing alone pretty much guarantees it will remain a geek thing unfortunately :(

        • barbazoo 2 years ago

          > Crap, I wish I could use it without a phone number altogether.

          Me too, I wonder if it's a technical difficulty/limitation or just a business decision.

    • agumonkey 2 years ago

      I parsed that title so wrong, I thought Username Integration Test was a fault they just committed and were caught red-handed.

    • mvdtnz 2 years ago

      Based on that integration test a phone number is still required.

YeBanKo 2 years ago

I love Signal, but somehow they seem to have stopped developing the product. The last useful feature was being able to change number. But other than that, things like MobileCoin or Stories show that there is no product vision.

There are many useful non-social network features that they can implement and test that would greatly improve its usefulness as secure p2p communication platform.

  • trog 2 years ago

    This is a huge feature for me. I want most of my applications to stay as they are and not keep adding new features for the sake of new features!

    • k_ 2 years ago

      That's also part of the issue here: we _are_ getting new [useless] features for the sake of new features lately: stickers, stories, crypto currency support are the main ones that come to mind atm.

      And a formatting feature with (seemingly? would love to be wrong there) no syntax to use it without clicking/tapping everywhere which makes it useless for me (and frustrating because with a syntax (say, markdown like?) I would love it).

    • lxgr 2 years ago

      Adding a cryptocurrency payment scheme isn’t exactly “not adding features” though, is it?

codedokode 2 years ago

Signal is finally copying what Telegram has implemented since long ago? Do people in the West simply not care about hiding their number (judging by WhatsApp and Signal)?

  • andy81 2 years ago

    The mobile number requirement was always a feature of signal.

    The friction is slight for users, but higher for scammers that might go through thousands of accounts. Telegram is too easy to sign up, so it's mostly scams.

    • slig 2 years ago

      AFAIK, Telegram always had the mobile phone number requirement so, no, the friction to sign up is the same.

    • codedokode 2 years ago

      I meant that Telegram doesn't display user's phone number and doesn't require sharing a number to add a person to contacts. But with WhatsApp and Signal you have to disclose your number in order to talk to someone.

    • sabellito 2 years ago

      Never had any scam messages on telegram, but get ~1 per month on whatsapp.

  • tapoxi 2 years ago

    Why are you comparing Signal to Telegram? Telegram keeps all of your conversations on their servers in plain text, not to mention any other metadata. Signal only keeps your registration time and last login time. Yes it uses your phone number to do this, but they don't have anything else. Not even your contact list or who sent a message, they just know a blob went somewhere.

    • senectus1 2 years ago

      yeah, I never really understood how people keep putting the two products in the same space. they're really not the same thing.

  • tech_ken 2 years ago

    Never really understood the privacy argument for hiding (or disconnecting) your phone number in a User-User "texting" type application. I suppose if Signal were linking my identity across a bunch of platforms I'd be worried, but their privacy policy is pretty aggressive so I'm not really worried about that. Indeed the additional friction for scammers is a benefit to me. Telegram is a morass of dodgy group chats and spam, Signal is miles better for the things I value in a messaging service (encrypted texting and group chatting with people I already know in the real world).

    • codedokode 2 years ago

      With WhatsApp or Signal, if you want to talk to a stranger (e.g. if selling something) you have to share your real number, while in Telegram you can share just a username.

      • tech_ken 2 years ago

        > selling something

        Whatcha selling :)

        To coordinate my own anonymous commodity transactions I just use gpg to encrypt a .txt which can be delivered in all sorts of anonymous ways. I can't say that I transact anonymously too frequently though, so the additional friction with this method isn't especially onerous.

        • transcriptase 2 years ago

          Post something like a prom dress for sale online and observe the messages you get from weird perverted men.

          Then ask yourself if they should have a seller's real phone number.

          • tech_ken 2 years ago

            But why not just use an email address or something for that case? I get how it would be ideal (and myself desire) to have one messaging tool which works in all cases, but it doesn't seem like a massive failure specifically of Signal to not work for this usage. Certainly not one large enough to warrant the torrent of comments I see any time Signal gets mentioned on HN

        • TaylorAlexander 2 years ago

          I regularly talk to Chinese vendors selling robot parts who want to talk over WhatsApp. This is ultimately fine for me but it’s an example of a scenario where I don’t really want to give anything more personal than necessary.

          • tech_ken 2 years ago

            Sure that makes sense to me, however I will say that if I was a vendor selling stuff internationally I probably would want (and even require, depending on export controls) some level of de-anonymization on the buyer's part. Presumably at the very least you need to provide a shipping address to receive the goods, which is no less identifying or difficult to spoof than a phone number.

    • rt4mn 2 years ago

      For a lot of people, signal is not simply a User-User "texting" type application, but much more akin to slack or discord or matrix.

      Many, many reporters put their signal number in twitter bio seeking tips. Many activists (including me) use signal group chats to organize volunteers and staff, and publicly share room links. In other words, we have to either share our number publicly or buy a burner phone number if we want people to interact with us on signal.

      • tech_ken 2 years ago

        Makes sense, definitely if anonymity from conversation partners is desired then I can see how Signal's model falls short of your needs. I've also used Signal in the past for activist group chats, but in those cases my primary risk vector has been having messages read by someone outside of the group, people typically join those after being referred by someone they met face-to-face. I suppose there's always the risk of a wrecker slipping in, and having more layers of anonymity could reduce that downside risk. Hopefully this username approach is able to address your needs better! I really like the tool so would be stoked to see it cover additional use cases.

        • codedokode 2 years ago

          This is still bad, as any of them sees all the phones of members of the group. In Telegram you can hide your number.

          • tech_ken 2 years ago

            Presumably if they introduced usernames they would also allow you to hide your number in a chat?

            edit: I think I misunderstood you. Yes, it is the case that everyone in the chat has access to everyone else's ID, however in my use-cases group members have already been vetted before joining the group, I don't participate in publicly accessible Signal chats or use it to communicate with true strangers.

      • ColoursofOSINT 2 years ago

        Absolutely, not to mention if you ever switch numbers you have to change the signal information. For me, it's fine for verification, but I want an identifier I ever have to change.

    • teekert 2 years ago

      Was gonna say: Telegram has a lot of spam and strange people starting to talk to me, scammers I suppose. Never had that on Signal.

  • noman-land 2 years ago

    Signal started as an e2e replacement for SMS, so it chose phone numbers on purpose to solve the discoverability problem, under the assumption that people will be communicating with all the same people who already have their number.

    Telegram has always been more social and more for communities or groups of potential strangers.

    The fact that people complain about Signal doxing you is in some ways a good sign, because it suggests Signal has become so popular and trusted that strangers want to use it to communicate privately.

    Signal helped pave the way for mainstream society to use communication tools that respect them without being a hacker or messing with a terminal.

  • Moldoteck 2 years ago

    Well, it's different kind of things, on tgram you have usernames but lack privacy bc usual chats most ppl use are not e2ee. On signal you have nr as public info but all messages are e2ee. Also signal's backup & sync mechanism is very bad. Closest app to tgram is Whatsapp, without encryption downside. Next is maybe Element based on matrix protocol with signal type encryption for groups

  • msh 2 years ago

    It’s a feature. You get an instant social graph by being able to piggyback on people’s contacts.

    Also the original purpose of signal was secure sms, so using phone numbers make perfect sense.

    • tczMUFlmoNk 2 years ago

      Signal has an interesting article describing how, while contact discovery allows users to populate an instant social graph, Signal's servers still do not have access to that information, even as they send "so-and-so is now on Signal!" notifications:

      https://signal.org/blog/private-contact-discovery/

      Of course, they have the ability to push a new client that hoovers up whatever they want, especially with their time-bomb policy of preventing old clients from sending messages until they're updated. But I was impressed by the lengths that they go to to build this privacy-preserving contact discovery service. I was especially interested to see their use of remote attestation "for good" and to preserve privacy and freedom, rather than systems like DRM and WEI that seek to compromise those.

    • codedokode 2 years ago

      I meant in Telegram you don't need to share your phone number with your contacts or members of a public chat you've joined. While in WhatsApp or Signal your contacts know your number and can easily find out your identity and where you live if you write something they don't like.

      • vel0city 2 years ago

        I use Signal to talk to friends and family. Everyone I message on Signal are people who already know where I live.

  • Krasnol 2 years ago

    Bringing up Telegram in this context makes it quite funny, since Telegram users seem not to care about the safety of the contents of their chats at all in this shady black box.

    Phone numbers are a quite ridiculously small problem compared to that.

    • codedokode 2 years ago

      No. If you join a public chat in Telegram you don't have to share your phone number with other members so you don't have to be afraid that they will find you in real life. You can write anything you want. But with WhatsApp or Signal you have to share a phone number with everyone which means they can easily find who you are and where you live (this data is cheaply sold on black market).

      • Krasnol 2 years ago

        Your group chats go into a black box unencrypted. You don't know what happens to it because it's not E2E. You also gave your phone number to this shady company who runs those servers which keep everything you wrote.

        Even Whatsapp is better than this.

        And what is that phone number fetish? It's not like it is some magic identifier. There are bots out there testing every number out there and sending you SNS spam. Your phone number is worthless.

        As far as I remember, you can still find people on Telegram by searching for phone numbers. Isn't there even an automatic discovery feature?

        The Telegram salt around those announcements seems like the final cry of Telegram fans to me because after that, there is absolutely nothing which would even remotely paint Telegram as a safe or secure messenger. Especially because everybody knows why you are on Telegram. It's a different use case. I talk on Signal to people I know personally. They already have my number. People I know go on Telegram for porn and piracy over here. They still have Whatsapp or Signal to talk to their friends and family. They actually are ashamed that they have Telegram because everybody here knows why they have it ;)

        • codedokode 2 years ago

          In WhatsApp or Signal your number is visible and anyone in a public group can know who you are and burn down your house if you write something they didn't like. Yes, Telegram knows your number and your messages but it is unlikely that they will give them out to random weirdo^W manly person with strong sense of injustice.

          • Krasnol 2 years ago

            There are no "public groups" in Signal. Don't know about Whatsapp since I don't have it anymore. All of my groups consist of people I know. You still don't understand the use case.

            > Telegram knows your number and your messages but it is unlikely that they will give them out

            How do you know that? Do you know the people personally or where is your knowledge coming from because if you don't know them, you are just another user who gave out all of their chat contents AND the phone number to "some people somewhere". Nothing else. You have no guarantee for anything, and you should already know that they do act upon requests from governments. Google it.

            • daveloyall 2 years ago

              Group Settings > Group Link

              Then share the link publicly. Signal Public Groups.

              • Krasnol 2 years ago

                Which are...where?

                Who does this?

                How is the spread of this compared to Telegram groups?

                Why do you keep on pushing for the wrong use case?

        • wkat4242 2 years ago

          Telegram is not only used for porn and piracy. In fact there's much better places to get those things.

          I just use it to follow events at clubs I'm interested in. There's a bit of an overlap with Instagram but I find the telegram experience nicer. Less ads, no stupid 'reels' forced upon me.

          • Krasnol 2 years ago

            Yeah, I'm sure there is even some guy out there who talks to his grandmother using Telegram.

            • wkat4242 2 years ago

              Maybe this is a US thing? I heard messaging apps are wildly different in the US. For example nobody uses iMessage here (Spain), literally nobody, not even people with iPhones. Which are admittedly very few people because they are so expensive here. Most people use budget android phones like $150 redmi's. I never get SMS either, only system/bank/2FA notifications. If someone SMSed me I would tell them to use something else because it would cost me money to reply :P

              Here it's WhatsApp for 1:1 and small groups, and telegram for big public groups because WhatsApp sucks for those. I (and most of my friends!) even use WhatsApp for making calls these days. The only time I make a legacy phone call is to call a business that doesn't have WhatsApp. 95% of the calls I receive are spam harassment so I ignore calls unless I know the number.

              But Telegram is quite common for normal use to follow clubs, to follow tattoo artists, to get notifications of stock of Nvidia cards, for cybersecurity information, for our makerspace.. We really use it a shitload.

              I don't use telegram for porn or piracy at all. Nor do I know anyone that does. Even though I do those things a lot, but I have much better places for it.

              But perhaps in the US it's used very differently? I don't know. Here it's really quite mainstream.

            • codedokode 2 years ago

              It depends on the country. In Russia many people use Telegram for work and for personal communication (almost every young person has it so you cannot say it is used mainly by criminals unless you count everyone as a criminal). Telegram also has channels, so you can for example read news or (if you are young enough) funny memes there. Also, Telegram is uncensored unlike web, so you can watch videos with exploding tanks if you are into this kind of stuff. But at the same time in Japan it has a negative image of an app used for shady things.

    • wkat4242 2 years ago

      I use telegram mostly for chats to public groups that anyone can join anyway. So the end to end point is kinda moot. Same with IRC for example. This is why nobody complains about it not having that.

sshine 2 years ago

You can’t have a social network without usernames!

  • rOOb85 2 years ago

    Signal isn’t a social network… it’s a messaging app.

    • rt4mn 2 years ago

      I mean, I don't agree with the person you are replying to, but signal absolutely is a social network. It's a network you use to communicate socially.

      You can argue it's not social media, but I think the stories feature definitely puts it on the social media spectrum to some degree.

      • vdqtp3 2 years ago

        Does anyone actually use the stories feature?

        • fragmede 2 years ago

          My friends on Signal do, but I have no idea how widespread it is across their whole userbase. It's not as in-your-face as Instagram, which is actually kind of nice, but like it's being said - signal is social media. you can choose to not use that feature but that's on you. To look at you and your friend group and extrapolate from there is not science, or data driven. the plural of anecdote is not data.

          It's like saying no one uses Facebook or Google anymore. That's true for certain bubbles, and it's hard to know when you're in one, but, at least for those two, it's not too hard to look outside your bubble.

          Now the cryptocurrency integration, that one I do wonder about. (Since my friend group doesn't use it and I'm extrapolating :) ).

          • ploum 2 years ago

            I disabled that feature as soon as it appeared (the less I use a messaging app, the best it is) and forgot about it.

            Your comment makes me curious: I do really wonder how this feature is used. Signal announced it was really something users were looking for. I wonder if it was a weak attempt at convincing the Instagram crowd or if it is really popular with some population.

            In the end, I’m still angry that they removed SMS support. That was really useful to have only one messaging app on my phone.

            • tech_ken 2 years ago

              My friend group uses Signal for cross-platform group texting and the stories feature is super popular. Great for putting up non-intrusive pet pics or memes. IDK the rationale for introducing it, but I do think it's a fun feature that makes it feel more like a WhatsApp/social messaging replacement, rather than just something people download to coordinate protests or sell drugs.

              • ploum 2 years ago

                Thanks for this comment. It makes me understand better how it could be used (never saw the need myself, even when I was on Whatsapp. I'm probably too old)

            • fragmede 2 years ago

              > Your comment makes me curious: I do really wonder how this feature is used.

              This is why I don't begrudge sending telemetry for how I'm using software. As a developer myself, I really want to know if the code I'm writing is at all appreciated or if I'm just coding into the void, so I'm happy to send stats on how someone else's software is getting used.

          • vdqtp3 2 years ago

            > To look at you and your friend group and extrapolate from there is not science, or data driven. the plural of anecdote is not data.

            Calm down there buddy, I just asked a question.

            • fragmede 2 years ago

              I'm not sure where you're reading anger. the question was written in such a way that indicates that your cohort doesn't use the feature. I was merely indicating that it is foolish to look at your cohort and extrapolate to the rest of the population unless you've got outside data.

        • aspensmonster 2 years ago

          I turned it off as soon as it was debuted.

    • mhluongo 2 years ago

      Same thing. Parent comment doesn't make much sense though!

    • sshine 2 years ago

      You mean: it wasn’t.

      If it walks like a duck.
