It’s a shame that Signal has discontinued its support for normal SMS, hadn’t implemented RCS, is spending too much effort on “stickers” and now keeps prodding you to donate money. Then there’s the broken notification with iOS users who just don’t find out that you messaged them until they launch the app.
As a direct result my use of Signal has pretty much ceased.
Signal is supposed to be a secure alternative to SMS, iMessage, WhatsApp, etc. Compatibility with less secure protocols is antithetical to that. Adding popular features of those other apps to be more competitive is how you forward the goal. (Ofc fixing bugs should come first)
Another android user here. What you say is true but doesn’t matter. I also stopped using Signal when sms was dropped. For some people a unified app that wasn’t Google or WhatsApp was what we needed.
It’s a shame that Signal has discontinued its support for normal SMS,
While this does suck for those of us who used it, it was the cause of a few issues:
It was confusing to less “technical” users.
Because of point 1, it introduced a security/privacy weakness to its userbase in that users could be tricked into thinking their communications were secure/private.
The feature was poorly maintained due to the small team behind Signal and the decision to improve their platform vs supporting something they had minimal control over.
Signal’s SMS feature was causing real-life delivery issues with some new users as RCS started rolling out. A user’s phone would register with RCS - and if they installed signal -which then takes over SMS messaging but couldn’t (thanks to Google) support RCS - they would stop receiving RCS messages. This is a problem caused by Google to their benefit.
hadn’t implemented RCS,
Signal cannot implement RCS on Android without Google providing an API like they did with SMS. Apple doesn’t even allow alternative SMS clients so this made no sense going forward - basically SMS/MMS/RCS is a dead-end for Signal.
is spending too much effort on “stickers”
What year is this? Signal stickers were released at the end of 2019 [0] and, in the nearly five years since, the work to maintain them is so small it may as well be zero. Check github - the work they release is public and you can see exactly what they’ve been working on.
and now keeps prodding you to donate money.
Its a free service, god forbid they ask users to contribute so they can continue to exist and provide said service to those who can’t afford it? 🤷♀️
Then there’s the broken notification with iOS users who just don’t find out that you messaged them until they launch the app.
Valid criticism IF true. I don’t have an iOS device so I can’t say much here but I do message iOS users pretty frequently and haven’t had any problem with response times - not sure if that’s because they’re always on their phone or because notifications work in most cases.
As a direct result my use of Signal has pretty much ceased.
While unfortunate for your privacy, if you were primarily using Signal for SMS, you weren’t really using Signal to begin with.
I think they already fixed the IOS notification issue, at least for the beta/testflight version. But yes, I agree with you that their priorities as of late have been head-scratching.
I suppose their focus has been on bringing signal in line with other contemporary messengers to give it a similar level of appeal as something like WhatsApp, targeted towards “regular (and not necessarily privacy focused) people”.
I admit i really miss SMS integration, that sort of made it Android’s answer to iMessage, except that it’s still available cross platform.
This was never the expectation. It provided a unified messaging interface and a shallow barrier to entry for people used to SMS.
I could install Signal on a phone for a neophyte user and they could use it as their normal SMS app. Then you could securely message them in the same interface and all of a sudden their messages between you would be secure.
I always thought it was missing the bridge between “SMS on your phone” and “messages on any paired device”. Y u no sync SMS to my desktop client and allow responses :(
Because that would require your desktop sending the message to your phone and having your phone actually send it. The device with the SIM card needs to be the one that actually sends the SMS.
Isn’t that a vulnerability ? if a non-technical person has Signal as their main messaging program (including sms) aren’t they at risk of not being able to tell when their messages are actually secure and when they aren’t ?
You’re looking at it through the eyes of a competent user. It’s obvious to us. It’s not trivial to the general population. Just ask most iOS users what the difference is between green/blue bubbles - they have no idea other than “one sucks and means they use Android”
Same here re. calls not sounding. Or lately, the call connects, but my mic doesn’t work. We have to hang up and call back, then it’ll work. Infuriating.
This comment reads kind of weird, as if you feel personally snubbed that they “ignored” your concerns when in reality the app developers just had different ideas about what direction the app would go in.
Like, that’s totally fine! At the end of the day if you were only interested in a replacement SMS app then Signal just wasn’t for you. As someone whose primary interest is the security and privacy guaranteed by Signal not only encrypting messages but also message metadata (something Google’s RCS explicitly does NOT do) I’m perfectly satisfied with how it functions.
That said, I don’t care about stickers or the weird crypto integration, but it satisfies my other needs and includes a desktop client to boot, so I have nothing to complain about.
I wrote it to preempt comments about complaining without telling anyone about my concerns.
I completely understand your view and agree that Signal went in a different direction than I wanted or needed.
I didn’t use it as a primary SMS replacement, rather that was the “hook” to get a bigger customer base amongst my contacts whilst sneaking encryption capabilities in by the back door.
I mentioned RCS because a messaging app that integrates with the common platform of SMS and RCS would bring end-to-end encryption capabilities to even more people. I could imagine integration with other messaging protocols too.
The original UI for Signal made it very clear if something was encrypted or not. Right until someone decided to introduce custom colour for each chat, essentially killing the clearest indication of security level.
A smarter person would have changed colour depending on level of privacy for example.
The crypto donation was just weird and put me off ever even considering making one.
I really wish Signal still had SMS support because the network effect was a lot more powerful, and it was easier to “sell” to my friends, back when it was that way.
both you and the people you are chatting with on Signal will need to be using the most updated version of the app to take advantage of them
If someone isn’t using the latest app, does this mean they will still be able to see any accounts phone number? I suppose if you don’t update, you can’t add anyone without knowing their beforehand anyway
Also from the article (clicking the dots in the text)
Each version of the Signal app expires after about 90 days, after which people on the older version will need to update to the latest version of Signal. This means that in about 90 days, your phone number privacy settings will be honored by everyone using an official Signal app.
I love Signal, but I’ve had two main issues: video chat sucks, I haven’t gotten a good clean call with it yet and have to look at other options. Also transferring messages between apps or phones is a pain. The application does not support backup from Android and restore to iOS.
Signal made a foolish decision to remove SMS support from their app. It was a good way to get people in to use the app and build the user base - it's easier to say to people "try signal, it also replaces your text messaging app" than to say "try this other messenger in addition to your texting app and whatsapp and etc..."
When they made the decision it was also announced on a pompous and self congratulatory way in my opinion. They posted a long post talking about being more secure rather than recognising that they were inconveniencing their users by removing a feature. Users can't decide how someone is going to send them a message but they can be advocates for adopting signal when they receive an SMS from someone.
There seems to be a lack of awareness in the Signal team of the strategic benefit of supporting SMS, when you're competing with other convenient but not as secure popular systems like WhatsApp you need a unique selling point. An all-in-one approach was a good trojan horse way of getting signals secure comms into people's lives.
While I believe in Signal I find myself defaulting to WhatsApp and my SMS messenger. Even people I know who do have signal, and who I conversed with previously are preferring to contact me via WhatsApp now. Signal is the more secure and independent option but it's convenience that really drives adoption for a lot of users.
It was not foolish. It was a security decision and the right one. The goal of signal isn’t to have billions of users, the goal is to become a privacy and security centered app. If a feature prevents that it should be immediately removed.
Minor UI tweaks would have been sufficient, like dark patterns to encourage sending secure messages to other signal users by default. Instead, they removed a stand-out feature that made new-user adoption so much easier than other apps. Now, they're just one of many secure messaging apps, and they're not the best one in any way.
I recently switched back to android, i was excited to use signal as my SMS client and then encourage my friends to use it as well. Now there's no reason to choose Signal at all.
They can pat themselves on the back all they want, but im convinced they made the change for the same reason causing so much enshitification of the internet these days: they want to lock-in their users.
How is it locking in if it is obvious they did something that 1) many people don’t like and thus left signal for and 2) as you pointed out, they have many identical competitors? That’s not convincing at all given the other parts of your argument.
Is there any evidence of this? Because if anything, anecdotally, I’ve seen an increase in my circles and I’ve stopped trying to get people over after I convinced my small circle to hop on.
If your contacts use Signal, and you don't want to use signal anymore, you'll need to convince your contacts to switch to another messenger now. You used to be able to stop using signal if you wanted without inconveniencing your friends, now you're locked in.
So why do they only allow users to signup to Signal with a phone number? If they really were about privacy and security, they should allow signups via username+password only.
There so much money to be made for just knowing who is talking to who. Who is using the app and when. Even if they can't get at the content of your messages.
The person I'm talking to is allowed to know who I am so I'm not anonymous. Signal doesn't need to know who I am. It doesn't matter what you call it, that's the feature I'm waiting for to motivate a switch.
That said, I looked up sealed senders. They really do go above and beyond to end2end encrypt as much as they possibly can.
It's just a shame that they insist so hard to tie user accounts to phone numbers.
Signal doesn’t know who you are. A number don’t reveal your identity, and, usually, you should be just a gov. entities to discover that. Does matter what you call it: Signal is for privacy (they have your number, but they don’t know who you are, who you write and what you write), not for (full) anonymity (they don’t have any information, including number, on you).
Secondly, they are one of the few orgs (maybe only?) that have been subpoenaed multiple times and they’ve published documented evidence [0] that even when compelled by law to present all the info they have on any specific user, all they know is:
The date you created an account
The last day (not time) one of your clients messaged their
Feel free to trust whoever you want, but the source code to Signal’s clients and server are open for anyone to criticize, and they have been. They’re not perfect, nobody is, but they’re also one of the few orgs out there showing that they’re willing to put up or shut up.
Criticize in a constructive manner. Don’t be dismissive and spread FUD by stating “I don’t trust them” without backing up understanding the Signal threat model and mixing up privacy & anonymity.
The SMS based pone number verification is one. Another one is google for reCaptcha used to create a signal account. There is also some google dependency for the face blurring. There may be more.
Thanks for reply! I have a Samsung phone that De-Googled %100~ (exclude some important Android depencies based on Google). I restored GMS for auth in Signal. After the auth, I uninstalled it back. There is no Youtube, no Google - Chrome, no Spotify etc. Just FOSSed and de-Googled phone. Do I still using Google Services indirect ways because of Signal? Is it possible to be another third-party sharing except phone verification?
To be honest, I’m not sure. Signal does not have an official f-droid build. They distribute an APK on their website for degoogled devices which allows for websockets to be used as the google notifications systems is not used on degoogled devices, but I’m unsure what it means for the rest of the dependency. Some dependencies can be shipped with the apk so do not require google services to be installed, but an expert should probably shime in to shed some light in this situation specifically.
I believe Signal uses Google Services Framework to send notifications. If you want am even more degoogled Signal, Molly is an amazing project. It’s available on Fdroid, possibly using the izzy repository.
It is a bit complex but at least we can say its safer than Meta. Still looking for sources and if I find something clear, I will add here for other Lemmiers. Thank you and Goodbye.
No. Signal doesn’t have Google service dependencies. Although, you have other problem here that you probably heard before, using a Samsung phone “de-Googled” won’t make you free from Google. You should check if possible to get an Pixel with GrapheneOS.
Thanks for reply. I know I can’t be totally free from Google. I mean de-Googled as the packages and direct services. My phone model is don’t compatible with popular Custom ROMs like Graphene, Lineage, Calyx and /e/ etc. And don’t want to use unofficial ones. I mind buying a compatible phone or Pixel. Thanks for advice. Goodbye.
It does offer an example of the services they use third parties to provide in the next sentence. So they’re obviously giving out the phone number you provided at sign-up to the verification code people. I don’t think there’s any reason to believe they’re giving away your contact list from this paragraph anyway.
It has end-to-end encryption for messages and its clear. But, I haven’t looked at their source code yet and don’t know which types data they send. Not only contacts, maybe more spesific things that is not encrypted. Just wanted to know it. But its exact that they give our numbers for verification. Thanks for comment. Goodbye.
If you can figure out how to have signal on two phones for the same account, let me know here. As far as I have been able to determine, that’s not yet technically possible.
Did the CEO put out this Frankenstein hitpiece because of the news of Telegram leaking location data, or the news of Telegram censoring queer groups?
Regardless, the evidence “Signal refused to” do anything is not very good. Telegram fans might be less upset (at Signal) if they could (or did) actually read the linked GitHub page.
And for no reason at all, I wonder what Telegram fans would think of when it comes to being treated like this by the company: tsf.telegram.org/manuals/e2ee-simple
Unlike Telegram, Signal doesn’t allow researchers to make sure that their GitHub code is the same code that is used in the Signal app run on users’ iPhones.
A few things to keep in mind:
Apple’s build process makes reproducible builds near-impossible.
All the effort Telegram went through and it doesn’t completely validate the entire build - there are components that are not fully reproducible [0] and as we saw with the recent XZ backdoor, these could potentially be leveraged to hide a backdoor while claiming to be secure - so was anything gained other than “these things are validated but this black box, which could contain malware, was not validated because we can’t check them”?
Developing Signal is difficult.
Signal is developed by a small team and has to prioritize and coordinate efforts to deliver results - look at how long usernames took or even private contact discovery [1] - nearly 3 years (as a preview) after Signal was created.
Signal has no built-in telemetry, any issues are not automatically logged and reported. The end user has to manually submit debug logs and provide an adequate description of the issue for the devs to even attempt to understand what the issue is and how to fix it. Telegram may also have this issue in their very limited private chats, but as most chats aren’t E2EE, they can already see all your traffic anyways, making things significantly easier in terms of development speed.
Considering the two points above, it’s not irrational to come to state the following:
Signal has been prioritizing a fully end-to-end encrypted (E2EE) platform that shares zero data with anyone but the intended recipient and this decision has slowed down their development speed. Non-E2EE chat solutions have existed for decades and can iterate and progress significantly faster as they don’t have to work on difficult privacy/security/encryption related issues.
Telegram has not been prioritizing a fully E2EE platform and by default do collect most of their user’s data. This makes it much easier to develop Telegram and is why E2EE group messages don’t even exist on the platform - the Telegram devs have spent more time talking about privacy and security than actually implementing it
Given the two statements above, assuming both projects need to balance resource constraints, it’s safe to conclude, :
Signal has spent zero effort working on reproducible builds on iOS because its impossible to completely reproduce a build and would take development resources working on enhancing the platform for minimal gains, as Telegram has proven [0]. Signal has instead placed their efforts on reproducible builds on a platform where it is possible [2].
Telegram, instead of working towards implementing security and privacy by default, have decided to work on security theater by working on reproducible builds for iOS that are not even completely reproducible.
Signal refused to add reproducible builds for iOS, closing a GitHub request from the community.
It was closed because they use Github for bug reports, not feature requests [4]. The dev even pointed them to the right place. That said, I do agree it would be great if there was some progress made on this front for Signal, but realize its a huge effort and may be best avoided for now as the iOS client still needs some “catching up” to do, compared to the Android version.
And WhatsApp doesn’t even publish the code of its apps, so all their talk about “privacy” is an even more obvious circus trick 💤
Agreed.
Telegram is the only massively popular messaging service that allows everyone to make sure that all of its apps indeed use the same open source code that is published on Github. For the past ten years, Telegram Secret Chats have remained the only popular method of communication that is verifiably private 💪
Telegram collects all your data by default in a way that’s accessible to anyone with enough privileges to their infrastructure.
I agree that Telegram has a conflict of interest here, and I also trust Signal WAY more than Telegram. BUT there is at least one good point about reproducible builds. Being able to validate that the code you’re running matches the open source code is important. If that can’t be done, it’s functionally no different than closed source.
signal
Hot
This magazine is from a federated server and may be incomplete. Browse more on the original instance.