all repos — site @ master

source for my site, found at icyphox.sh

pages/blog/signal.md (view raw)

 1---
 2template:
 3slug: signal
 4title: We can do better than Signal
 5subtitle: Centralized silos are never the solution
 6date: 2021-01-17
 7---
 8
 9Signal is possibly the most recommended pro-privacy instant
10communication app -- one that was commonplace in the hacker community,
11and has now gained a lot of mainstream traction, thanks to WhatsApp
12deciding to screw its userbase over. It certainly presents a more
13compelling alternative than others in the same space, like WhatsApp
14itself, Telegram, etc. They engineered the [Signal
15Protocol](https://en.wikipedia.org/wiki/Signal_Protocol), which has
16found its way into other messaging systems, and has been the base for
17the likes of OMEMO and Matrix.[^1] While I admire the tech behind
18Signal, I still believe we can do better, and we ought to.
19
20[^1]: https://en.wikipedia.org/wiki/Double_Ratchet_Algorithm
21
22I have a few gripes with Signal -- the biggest of them all is it's
23centralized, and in the US no less. This alone makes it not that
24different from WhatsApp -- we're simply moving from one silo to another.
25What's to say that Signal will uphold its values, continue operating
26_and_ evade censorship and potential compromise? To top it off, they're
27becoming a fairly high value target off late. And if that isn't
28convincing enough, Signal's massive outage lasting nearly a day[^2]
29should be enough evidence against centralization. Further, Signal is
30known to use AWS[^3] as their cloud provider -- what if another
31Parler[^4] happens and the rug is pulled from under Signal's feet?
32
33[^2]: https://twitter.com/signalapp/status/1350595202872823809
34[^3]: https://signal.org/blog/looking-back-on-the-front/
35[^4]: https://en.wikipedia.org/wiki/Parler#Shutdown_by_service_providers
36
37A common defense in favor of Signal is, "But it's all open source!".
38Sure is, but on what basis do I trust them? I don't mean to sound
39conspiratorial, but what's to say that the server in production hasn't
40been backdoored? In fact, the [Signal server
41code](https://github.com/signalapp/Signal-Server) hasn't even been
42updated since April 2020. You're telling me it's undergone _no_ changes?
43
44Another response I usually see is "But Signal is all we have!". While
45that is somewhat true -- at least by the metric of "secure messengers
46your granny can use", there are some promising alternatives who are
47especially focused on decentralizing E2EE communications.
48
491. [Matrix](https://matrix.org): Matrix has improved a whole lot, and I
50   like that they're working to disprove that end-to-end encryption
51   cannot be decentralized[^5].
522. [Session](https://getsession.org): While it involves some cryptoshit,
53   and hasn't been verified yet, it's an interesting alternative to keep
54   an eye out for.
55
56[^5]: https://matrix.org/blog/2020/01/02/on-privacy-versus-freedom
57
58All things said, Signal is the shiniest turd we have -- it fits most
59threat models, and does the job alright; I will continue to use it.
60However, here's something to think about: while privacy preserving tech
61is commendable, does it have to come at the cost of user freedoms? Hint:
62it doesn't, and it shouldn't.