1/ In defense of #Signal. Yes, I'm a guy that just posted a roundup of distributed/mesh messengers https://changelog.complete.org/archives/10205-roundup-of-secure-messengers-with-off-the-grid-capabilities-distributed-mesh-messengers of which #Signal was obviously not part. I am really excited about the potential of those.
But to the general public, I still recommend Signal. Here's why.
3/ I am a huge fan of #Matrix/#Element and even run my own instance. It has huge promise. But it is Not. There. Yet. Some reasons:
#Synapse, the only currently viable Matrix server, is not ready. My Matrix instance hosts ONE person, me. Synapse uses many GB of RAM and 10+GB of disk space, with little tuning for either. It's caused OOMs more than once. And this is AFTER extensive tuning. It cannot be hosted on a Raspberry Pi or even one of the cheaper VPSs.
4/ Choosing a #Matrix instance. Well you could just tell a person to use matrix.org. But then it spent a good portion of last year unable to federate with other popular nodes due to Synapse limitations. Or you could pick a random node, but will it be up when someone needs to say "my car broke down?" Some are run from a dorm computer, some by a team in a datacenter, some by one person with EC2, and you can't really know. Will it be stable and long-lived? Hard to say.
6/ #Matrix is so hard to set up on a server that there is matrix-docker-ansible-deploy https://matrix.org/docs/projects/other/matrix-docker-ansible-deploy/ . This makes it much better but it is STILL terribly hard to deploy, and very simple things like "how do I delete a user" or "let me shrink down this 30GB database" are barely there yet, if at all.
7/ Encryption is not mandatory in #Matrix. E2EE has been getting DRAMATICALLY better in the last few releases, but it is still optional, especially for what people would call "group chats" (rooms). Signal is ALWAYS encrypted. Always. (Unless, I guess, you set it as your SMS provider on Android). You've got to take the responsibility off the user to verify encryption status and make it the one and only way to use the ecosystem.
8/ Again, I LOVE #Matrix. I use it every day to interact with Matrix, IRC, Slack, and Discord channels. It has a TON of promise. But would I count on it to carry a "my car's broken down and I'm stranded" message? No.
9/ What about some of the other options out there? #Briar is fantastic and its offline options are novel and promising. But in common usage, it can't deliver a message unless both devices are online simultaneously, and doesn't run on iOS (though both are being worked on). It also can't send photos or do voice or video calling.
10/ Some of those same limitations apply to most of the alternatives also. Either that, or they are encryption-optional, or terribly hard to set up and use. Just today, I boosted a post about #Status, which shows a ton of promise also. But it's got no voice or video calling capabilities. How about #Scuttlebutt? Fantastic protocol, extremely difficult onboarding (lengthy process, error-prone finding a sub, multi-GB initial download, etc)
11/ So #Signal gives people: dead-simple setup, store-and-forward delivery, encrypted everything, encrypted voice/video calls, ability to send photos/video encrypted. If you are going to tell someone "it's so EASY to get your texts away from Facebook and AT&T", THIS IS THE THING you've got to point them to. It may not be in 2 years, but for now, it is. Do not let the perfect be the enemy of the good. It advances the status quo without harming usability, which nothing else does yet.
12/ I am aware of all of the very legitimate criticisms of #Signal. They are real and they are why I am excited that there are so many alternatives with promise, some of which I use actively. Let us technical people use, debug, contribute, and evangelize the alternatives.
And while we're doing that, tell Grandma to contact us on Signal.
@jgoerzen Thank you for the great summary!! 🙂 I think you really hit the core of that question very well. In many discussions about that topic, tech users don't consider the average user enough, or even at all, or have a wrong image of them.
@jgoerzen hi John, regarding #Signal here I have a fun poll https://floss.social/@ademalsasa/105587887622215525 I invite you to join. It's already 700 people participating already with hundred of comments.
@ademalsasa Hello, instance-neighbor! Thank you for the link; very interesting conversation.
I used XMPP extensively for awhile, but haven't now for a few years.
Also, I learned of #Jami there. I hadn't heard of Jami before, but sadly the website has no detail on how it achieves connections or if both endpoints must be online simultaneously for messages to be sent.
Just some sample on the website
Just on the website
+ all the docs via https://docs.jami.net with lot of answers about how all is working like
@jgoerzen But to summarize quickly, DHT for discovering, then ICE to negotiate a TLS link between peers, then the protocols like SIP for example for calls/messages.
Both peers should be online to communicate, but with swarm, one other device of the conversation should be online for syncing history.
The similarities to #briar are many, though it looks like it trades the ability to do voice and video calls for anonymity (briar running over Tor hidden services; Jami using direct TCP/UDP connections between peers). I must say, I like the #Tor approach, but it may introduce unacceptable lag for video
@jgoerzen Tor should be usable, however for now it's too much based on UDP for medias (I explained this here: https://git.jami.net/savoirfairelinux/ring-project/-/wikis/tutorials/Frequently-Asked-Questions#tor)
@AmarOk Understood. One difference between your eval and briar is that briar uses Tor exclusively; that is, no exit node, since nodes find each other using onion addresses.
Still, Jami looks very interesting and I'm checking it out later today. I think it would more easily have wide adoption than briar at this point. Thanks for your work on it!
I love the decentralization, though leaking IPs to contacts makes me uncomfortable, as it often amounts to leaking coarse location.
@AmarOk Also I fairly frequently find wifi networks that permit outbound on only port 80 and 443, TCP. Can Jami work with those constraints?
@jgoerzen yes and no. One of my universities did thar. In that case, dhtproxy (for avoid dht usage) + torify work, but this needs some Config and media will not work. Or just use a distant device with forwarding... But it's not magic. If you bloc all traffic, traffic will not pass through.
Exploring alternative options like decentralization (or even anything other than Facebook) still tends to make people ask, “what are you trying to hide,” or “how does that work for you down in your bunker?,” etc. Those are terrible reasons to just give up on the right to #privacy.
Can help to reach ppl where they 'do care':
The big picture:
Not only is our personal data being used "against us" (social media background checks, financial credit scores, even raising of health/car insurance rates (based on our data/outdoor hobbies).
It's also the building of deep psychological profiles, advertisers/political contractors manipulating our ability to make our own next decision/s.
This is how I've reached ppl close to me.
@jgoerzen honestly if it wasn't for signal being my SMS app I wouldn't be using it. The number of my contacts that use it is so low it would be hard to justify.
@jgoerzen a lot of groups don't need or shouldn't have encryption. Especially groups about some Foss projects where the chat history should be visible for new members. Also it makes bridges easier.
@jawsh It very well may (I don't use Signal as an SMS client) but the point is that SMS is not E2E encrypted.
@jgoerzen you can say the same about most fediverse nodes. (I know, fediverse is not for IM.) I'd go with briar. Why no mention of telegram?
@vesperto I'd agree about the Fediverse nodes; it is an obstacle. Telegram isn't E2E-only, and TBH I haven't heard of most security-conscious people seriously considering it. I am always open to learning more, however!
@jgoerzen hmm i think it's not on by default or something, you're right. Also at least part of their code is not open source yet, i think.
@kristof I am very excited about its potential. They are tracking progress with "are we synapse yet" -- see the homepage at https://github.com/matrix-org/dendrite -- but it very well may be close enough for some. I strongly suspect it or something like it will become the defacto server in the future.
For people who care about, support, or build Free, Libre, and Open Source Software (FLOSS).