Let's play a game that is not a game: I'm curious what people are using for secure communications these days for groups where Signal is *not* an option (i.e. let's assume people in the group have devices that are not iPhone or Android with Google Services). The group in question (a real use case, though they are likely not going to make a change, I'm just curious what people will recommend) has the following requirements and threat model:
-
Sam Whited replied to Sam Whited
- Must work on "smart" mobile devices, but without requiring Google Play Services
- Must be able to communicate outside of the group with unknown parties who need to be verified later
- Targeted attack from low-tech attackers (i.e. cops saying "give me your phone")
- Passive attack from high-tech attackers (i.e. government level keyword scanning or metadata analysis, not likely to be directly targeting this group though, for now)

What am I forgetting?
-
@sam Which de-Googled Android OS are they using? Signal works fine on Graphene
-
@mikelovesbikes I'm not sure; how do you get it on Graphene? I was under the impression that Signal only allowed itself to be distributed on the play store and refused to work elsewhere / required a bunch of play services stuff?
-
@sam @mikelovesbikes Aurora Store is a play store proxy that allows anonymous access. Can't speak for whether it works without something like microG, though.
-
@edd @mikelovesbikes I've actually used Aurora Store without microG before; works okay. A lot of apps unfortunately just depend on Google Play Services so you can install them, but then they crash the first time they try to access the location service or send data home, or at best just don't work or complain without crashing. I was under the impression that Signal was this way and that you couldn't really use it, but I may be wrong.
-
@edd @mikelovesbikes (but either way, for the purpose of the question let's just say "not Signal")
-
@sam Matrix with Cinny (web client) could be an option
-
@arutaz Matrix is a personal pet peeve. It's one of the worst designed protocols I've ever had the misfortune of implementing (not to mention that I just don't like the VC backing). The metadata and resource consumption there is a huge problem (even if you use one of the non-official servers that actually tries to be better about resource consumption, there are just problems inherent in the protocol that make it way worse than more sensible message-passing protocols).
-
@adingbatponder I haven't tried Threema, I'll have to give it a look, thanks.
-
@arutaz I haven't tried Cinny though, I'll have to give that a look since I haven't heard of that one. Thanks!
-
Jamie Saoirse :heart_trans: replied to Sam Whited
@sam I’m going to second Matrix, but Signal’s ease of use also means you’re less likely to make mistakes that break security
-
@sam yes, it's far from perfect, but until something better comes along it's my backup if Signal stops being an option.
I'm really hoping for Veilid Chat to come out of beta, because I have high hopes for that.
But I'm not sure if it supports groups or not.
-
Sam Whited replied to Jamie Saoirse :heart_trans:
@MousyAesthete yah, I mostly just said "No Signal" because I'm already aware of it and I assumed if I didn't put that it's the only thing anyone would mention
Matrix I am strongly opposed to personally; the protocol design is just bad and has a serious metadata problem that I think makes it not a contender here.
-
@MousyAesthete (and a serious resource consumption and VC funding problem that I think make it a non-serious choice for a federated instant messaging protocol in general, but that doesn't really matter for this use case)
-
@arutaz if the sort of security this question is about isn't something you need there are tons of better alternatives to matrix; I'm a big fan of Snikket personally (not for the use case in this question, but if you're using Matrix it would have similar properties except with a much more robust and well designed protocol under the hood, not that that's super important to you, but also a much more robust group behind it that's likely not to try to go corporate when the VC funding dries up)
-
Jamie Saoirse :heart_trans: replied to Sam Whited
@sam xmpp with encryption? I don’t think it’s plausible on mobile though
-
Sam Whited replied to Jamie Saoirse :heart_trans:
@MousyAesthete oh yah, XMPP works great on mobile (and pretty much always has, the "it doesn't work on mobile" was a thing that the Matrix folks started repeating at conferences when they were trying to apply for VC funding and was never a serious objection).
I'm actually not sure if it would be good here; while I'm generally a fan of Snikket (which uses XMPP) for general chat, and while its metadata handling is better than Matrix's, I'm not sure that the encryption is "dummy proof" enough.
-
@MousyAesthete (disclaimer: I wrote the current guidelines for using XMPP on mobile, so maybe I'm just wrong and trying to justify my own work, but I don't think so)