@kmicu @Michcioperz

Alternatives that are mainstream and readily available?

@jeff @kmicu @Michcioperz readily available: Briar briarproject.org/

Mainstream: none. Support Briar.

And if you're using WhatsApp, Telegram, Viber, etc, move to Signal. It's not perfect, but still going to be *way* better, security- and privacy-wise. Harm reduction is a thing.

@rysiek @kmicu @Michcioperz

That was my point. I cannot tell my extended family or the random that asks to go use a program they have never heard of and that nobody else they know uses. Also, Briar does not have an iOS application so in the US at least that rules it out entirely for a large percentage of people, myself included.

When you talk about federation you are only as secure as the least secure of those that you federate with.

@jeff @rysiek @kmicu @Michcioperz

My friends prefer Apple Messages or Facebook Messenger. Work prefers Slack.

Even if I installed all of the suggested applications I would have nobody to text with.

We may have to give up on normal humans using Signal or Briar.

I wonder if use of a nonstandard chat application in some places flags you for further investigation

Encrypted text via email for the win?

@sillystring @jeff @kmicu @Michcioperz well, if even you can't be bothered to install Signal, then yeah, I guess.

I mean, somewhere one of your colleagues or friends probably made the same argument about nobody in their circle having Signal.

You have to start somewhere. Most of my colleagues and friends are on Signal now.

But yeah, with that attitude? We might as well give up, sure.

@rysiek @jeff @kmicu @Michcioperz

Apologies! No attitude intended.

I have tried Signal and did get two friends to install it but it never really caught.

@sillystring @rysiek @kmicu @Michcioperz

We are fighting an uphill battle, but I believe that privacy will become a more mainstream fight as companies like Google and Facebook try to claim more and more of the data aggregation pie.

Keep fighting the good fight!

@sillystring @kmicu @rysiek @jeff If I remember correctly, Matrix still has a resource usage problem when it comes to running the server

@sillystring @jeff @rysiek @kmicu @Michcioperz

+1 for matrix

has everything one needs, very stable, multi device in sync, using riot client full e2e enc support. using it for messaging and collaboration. even multi user rooms are able to use e2e enc. and you can set up your own homeserver too.

@sillystring @jeff @kmicu @Michcioperz end device security is an unsolved problem and neither Signal nor Telegram claim they solve it.

It doesn't matter that much if the message store is encrypted. If the attacker has access to your device, that's the ballgame. Screenshots and keyloggers are just a few ways to get around encrypted message storage.

Briar requires the user to type in a password, which has security benefits, but usability trade-offs. And is still vulnerable to keyloggers.

@sillystring @jeff @kmicu @Michcioperz I do prefer Briar's way of doing things, but I understand why Signal made the choice they made. Telegram... well, I steer clear of that one.

There's really no good answer here.

@jeff @rysiek @Michcioperz There are inherent trade-offs in both solutions. Federation cannot provide ‘convenient security’ as good as centralization. That’s the price to pay for independence.
Signal’s servers can be turned off at once for everyone. That could happen in a crucial moment. A single point of failure is the price for conveniences of centralization.

We have an individual decision to make on what we want or can sacrifice.

I already made mine ― I choose freedom first then security.

@kmicu @rysiek @Michcioperz

Lack of security can result in someone losing their freedom though. It is very much an individual decision not to be taken lightly. Everyone's threat model will be different and great care should be taken to know the risk vs benefits for your own situation.

At least we can all agree that getting off of WhatsApp is probably a good decision though.

@jeff @kmicu @rysiek @Michcioperz Going off WhatsApp and onto Telegram is a dubious "harm reduction" strategy, though...

@riking @kmicu @rysiek @Michcioperz

Since Telegram was founded by Russian persons in Russia as used by a lot of Russia I wouldn’t go anywhere near it. If nothing else it makes you a target of potential information ops by the GRU or FSB.

@jeff @riking @rysiek @Michcioperz I’m sorry; I couldn’t resist:
“Since Signal was founded by USA persons in USA as used by a lot of USA I wouldn’t go anywhere near it. If nothing else it makes you a target of potential information ops by the CIA or NSA.”

@jeff @kmicu @rysiek @Michcioperz the problem is that its crypto is wacky and bad, and the developers have no shame so they pretend everything's fine

@riking @jeff @rysiek @Michcioperz [Joking cuz it’s late here] So on one side we have ‘wacky and bad’ crypto but w/o binary blobs in APK¹ and on the other side ‘solid and good’ crypto but w/ binary blobs in APK.

So FSB/GRU attack by breaking crypto and NSA/CIA by having backdoors in Google’s Android and its blobs.

A strange game. The only winning move is not to play. 😺

¹ f-droid.org/en/packages/org.te

@jeff @kmicu I accidentally dragged my parents onto XMPP and now they use it to text me, although it's not without issues, even when I'm the one running the server there are some weird edge cases where the server misdelivers the messages :(

@jeff @kmicu I recognize that there isn't anything I could recommend
I was only saying that I'm sad that the supposedly best options are centralized

@jeff We use Telegram and it 'saved' the communication in our family with a variety of devices and OS'es. So, no, sorry. We also use Wire instead of Skype.

@jeff it is one more reason. Actually, everybody should have switched when Facebook bought WhatsApp since they were getting all people's phone number.

@jeff

"WhatsApp Status has become very popular, even surpassing Snapchat usage."

I've never seen anyone using it in Finland. Not a single time.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.