Developer on Signal Desktop here.
IMO, Signal does not have an issue here, but of course I'm biased.
We go to great lengths to avoid the "metadata problem". We've been subpoenaed a few times and have been able to produce very little. We know when someone signed up for an account and when they last accessed the Signal service, but that's basically it.
We achieve this, in part, with something called "sealed sender". It's like a letter with no "from" address written on the envelope.
We also do limited logging and don't hold onto messages after they're delivered.
As others have mentioned, we're also working on adding usernames. Please know that this is a massive technical effort (the biggest I've seen in my time here) and will take some time, but it's definitely a priority.
As a developer on the Desktop app, I know full well that Signal is far from perfect. But I don't think our service suffers from the "metadata problem".
https://twitter.com/signalapp/status/1261364662840385536
> Giphy was just acquired by Facebook, but GIF searches in Signal have been protected by a privacy-preserving proxy from the very beginning. The Giphy SDK isn't included in the app at all. You can read more about our approach to handling animated GIFs here: https://signal.org/blog/signal-and-giphy-update/
It's interesting that they still have access to Facebook and WhatsApp. It is unfortunate that Signal is no longer domain fronting though I know Telegram was doing this as well (and for some reason hasn't gotten a similar letter?). I'm not a networking guy, but wouldn't encrypted DNS help resolve this issue? Not that people have access to it on their phones, but my understanding is that you'd have to shut off access to the DNS (like CloudFlare (1.1.1.1) or Google (8.8.8.8)).
I just donated to them - they are a non-ad / non-subscription app. If you like their platform, I would encourage anybody here to do so as well. Signal >> Donate to Signal
Signal uses the Firebase notification service which depends on Google Play Services. They do not send your messages through the Google Service, but they will use it to notify the app, that there is a new message to be downloaded. If you removed Google Play Services, then that service doesn't work in the background.
I'd recommend downloading the Signal APK installer from https://signal.org/android/apk/ which uses a custom notification service (uses more battery than the Google version) and updates itself.
They are very much involved in mass surveillance. For example
> I don’t think there is anything at this time to suggest they plan to close the source.
Also: they can't! While 3rd party contributors don't retain copyright due to the CLA, the same CLA asserts that they can make proprietary licensed derivatives, but they assert that all those contributions are always made available under an OSI approved license:
> Your Contributions and such derivative works, as well as the right to sublicense and have sublicensed all of the foregoing rights, through multiple tiers of sublicensees, provided that in all cases, Signal Messenger will make Your Contributions available under an OSI-approved open source license.
I guess they technically make a proprietary Signal client and server, but it wouldn't really make a lot of sense given that they would basically require a full-time lawyer to start separating source repositories :'-)
EDIT: IANAL
>With Signal you must tell them your Phone number.
This is just to register. The phone number is stored in a cryptographically hashed form.
>Signal is subject to the CLOUD Act, which allows US Federal agencies to access the data.
Signal stores three things:
Phone number (in an encrypted format)
Date and time of registration
Date of last use
See here for how useful that information is to law enforcement.
>the timestamp is not stored in the server
The date specifying the day (not to last hour) is stored on the server, as far as I know and can interpret this text.
>We’ve designed the Signal service to minimize the data we retain about Signal users, so the only information we can produce in response to a request like this is the date and time a user registered with Signal and the last date of a user’s connectivity to the Signal service.
>
>https://signal.org/bigbrother/eastern-virginia-grand-jury/
I don’t know the answers to some of these questions but Signal has posted its response to subpoenas in the past. See: https://signal.org/bigbrother/central-california-grand-jury/
Could Signal be ordered to collect IP information secretly on a target, such as what happened to ProtonMail in Switzerland? I don’t know! It’s a good question.
It looks like the AWS DNS servers are returning 127.0.0.1 for textsecure-service.whispersystems.org.
>How are link previews retrieved? Link previews are built on the same foundation that was previously developed for the animated GIF search feature in Signal. Before you send a link preview to another Signal user, your Signal client does the following:
>
>* The TCP connection is proxied through the Signal service, which acts like a VPN to obscure client IP addresses from the site that is being previewed.
>* A TLS session is negotiated directly with the previewed site to ensure that the Signal service never has access to the URL. Previews are not generated for non-HTTPS links.
>* As described in more detail here, the preview image is retrieved using overlapping range requests so the Signal proxy service only sees repeated requests for a fixed block size when downloading an image.
https://support.signal.org/hc/en-us/articles/360022474332-Link-Previews
> Is this something to be worried about?
Not really, provided you trust how Signal handles things. And if not, then you shouldn't use Signal regardless of if they use Giphy or not.
> The Signal service essentially acts as a VPN for GIPHY traffic: the Signal service knows who you are, but not what you’re searching for or selecting. The GIPHY API service sees the search term, but not who you are. https://signal.org/blog/giphy-experiment/
The owner will need to get an exception from the Terms of Service that prohibit "sending illegal or impermissible communications such as bulk messaging, auto-messaging", and any other applicable terms. They should have read the terms before starting such a service.
Unfortunately, there is currently no way for the server to know if a user has uninstalled Signal.
Your friend's account will eventually be deactivated, but only if they haven't connected to the server in an entire year. If you don't want to wait an entire year, ask your friend to unregister:
They also have the last day you contacted the server.
OP, you can verify what information they have by looking at Signal’s responses to subpoenas they have received.
I interpreted it as "[Having the ads published] was never their goal. It was about getting publicity [from them being rejected]" due to how much conversation has been generated about the topic since.
This got posted many places on reddit, for example.
In case you haven't donated yet, imo the guys at Signal have earned some coffee or a few pizzas for the pile of work they have atm to get everything running again :-) https://signal.org/donate/ ...and an additional per-month donation will surely do some good concerning the exploding user-base they currently have. Would be nice if they get out of this server issue not only better in terms of technical but also financial stability.
Your contact probably had Signal installed and then deleted the app off his phone without unregistering their account. Have your friend go to this link, they'll get a text message with a code and they'll have to enter the code on this site.
Signal doesn't collect any data that can be used for advertising. But your operating system, your keyboard, whatever apps you have installed; all of those are constantly collecting data, cross-referencing and selling it to advertisers.
Signal is a tool like a kitchen knife is a tool. Yes there will be people abusing it but the vast majority of people will use it for everyday communication.
As for moderation, Signal servers do not see who sent a message, only the recipient (it's called sealed sender). This means any sort of moderation would have to happen on the end-host, i.e. the Police apprehending a suspect and manually searching their unlocked device.
Let's show Signal and the rest of the world what normal people really value: privacy and the transparency of open source messaging. Please help Signal thrive with a donation.
I suggest reading his essay before you jump to any conclusions. He wasn't even the first person to think that GPG/PGP is cumbersome. Did you know that ten years earlier, the initial introductory paper for the OTR protocol was subtitled "or, Why Not To Use PGP"?
Sounds like they haven't unregistered. https://signal.org/signal/unregister/
What are they trying to use to send you messages? There's no reason that Signal would block messages sent by other means. You should also be able to force Signal to send an SMS by long-pressing the send button.
That's not what that setting does. If enabled, it means that someone can send you a message with sealed sender without first exchanging your profile or delivery token.
That doesn't apply to the situation described in this blog post, where the spam is coming in the form of a message request except that at least under the way it worked previously, having that "Allow from anyone" setting enabled would in theory make it more difficult for them to recognize and defeat spam/harassment directed to you. (I'm not sure if that's still the case in light of this new system.)
Both you and your chat partner need to go to Signal > Settings > Privacy > Advanced and turn OFF the settings to "Always relay calls."
If either of you have that on it will reduce quality and route through whatever server signal is using.
Note that even if it's off, calls may still route through a server to establish the call, but should switch to P2P if both of your settings allow.
Also note that even if the calls go through a server they are End-to-end encrypted by the phone/PC client and no server or switch it passes through can read it.
https://signal.org/bigbrother/central-california-grand-jury/
See this link for more about how traffic is routed.
Well done Signal!
I set up a monthly, recurring donation this morning, I recommend that everyone consider doing so as well:
Mine is about $5/mo. To me, that seems very fair, for the great service Signal provides.
Previously, undelivered Signal messages would have to sit on Signal's servers with the sender’s identity in cleartext. Now they don't, because the sender’s identity can automatically be encrypted along with the message contents before the messages are sent to the servers.
There’s more information in the official blog post:
TL;DR: No, they are not closed source.
When the ability to make voice calls was first added to Signal, they used the RedPhone protocol. This relied on the GCM push messaging framework for establishing calls, so people couldn’t use Signal on devices that didn’t include support for GCM. Your device included support for GCM only if you had the proprietary Google Play Services package or something like OpenGApps installed. That was the only reason people called Signal’s voice calling feature “closed source”: It relied on a proprietary service to establish the calls. The client-side software was always open source and the calls were verifiably end-to-end encrypted with ZRTP, so there was never any doubt as to whether or not the calls were confidential.
When Signal added the ability to make end-to-end encrypted video calls using WebRTC + Signal Protocol, they simultaneously moved the entire calling system from RedPhone to WebRTC. WebRTC is a P2P technology, so there are no proprietary services involved. Signal voice and video calls are end-to-end encrypted using the Signal Protocol instead of ZRTP, and can be established even if the recipient’s device does not include support for GCM.
More information:
Signal uses the proximity sensor of your phone to turn off the screen during a call. The rationale is to turn it off when you hold your phone to your ear. If you remove it from your ear and the sensor detects this, then the screen should be turned on again. It could be that the sensor of your phone is reporting wrong numbers, e.g. because it is broken or because something, such as a phone case, is blocking it off. To test this you could use one of the many sensor testing apps on the Play Store, e.g. https://play.google.com/store/apps/details?id=ru.andr7e.sensortest. For my phone the sensor reports "5cm" when there is nothing above the top half of the front side of my phone. If I put my hand above the top half of the phone at some distance the sensor reports "0cm", indicating that it works.
> member losing his phone, someone gets his old phone, checks in as him, and then the member gets a new phone and wonders what's going on
That's exactly what happened - you cannot just join a Signal group that you have no previous knowledge of, there's a lot of complicated cryptography and security going on:
Signal told you to verify the contact, nothing is going to help your eyes if the sign says "DO NOT LOOK AT LASER WITH REMAINING EYE"
Download it from the Signal website. It'll self-update and fall back to websocket if there's no Google Services. Aurora Store is also an option. It is as you said: Google Play but anonymous.
https://www.instagram.com/p/CJ_IbAOpwzG/?utm_source=ig_web_copy_link has profiles by signal themselves with different languages saying "message me on signal"
if you're opposed to opening instagram at all here is a privacy preserving front end
Would they be willing to reinstall temporarily? Then they could unregister from settings > advanced and then uninstall.
They can also go to https://signal.org/signal/unregister/ and unregister there.
>I'd like to reinstall my phone without anything google. Now i heard from a friend that signal uses some google services. 1) is this true?
Yes, but only if your Android phone already has it enabled through Google Play Services or something like Open GApps or microG. Even then, Signal would only use GCM to send an empty push notification to your phone in order to wake it up if there is something queued on the server:
If you register on Signal and your Android phone does not have Google Play Services enabled, the app will fall back on a WebSocket connection.
>2) Can I still install and use signal if i dont install open gapps on my phone?
Yes. If you don't install Open GApps on your phone, it will probably not include the Google Play Store. In that case, you can download the Signal Android APK directly from the official website:
The APK should work on any device as long as it has an Internet connection and can run Android apps. It is reproducible and does not rely on Google Play Services. It's also designed to automatically download and prompt you to install the latest update.
Either:
A) You downloaded the Beta version by accident, which has more frequent updates
B) Your install is broken
C) Your install is fraudulent/compromised (make sure you only download directly from Signal)
Signal Desktop is based on a framework called Electron, which allows for web apps to be wrapped with a browser layer (which is powered by Chromium) and turned into desktop apps. Electron is getting pretty popular nowadays, and is used in many apps like Slack, Atom, and VS Code. Here is more info on Electron if you're interested. :)
The symbol next to the check mark is a "sealed sender" indicator. It allows you to see whether the message was sent using the sealed sender technique. The icon itself is meant to represent a return address label that is being peeled off the outside of an envelope.
If you enable the "display indicators" option in Signal's privacy settings and don't see these icons in a particular conversation, it could mean that your contact hasn't shared their Signal Profile with you or that one or more devices in the conversation still need to be updated.
Your Signal Profile is automatically shared with any contacts you have saved in your address book, any people or groups in conversations you create, and any people or groups you explicitly approve.
The security of the voice communication needs to be both encrypted, to make sure no one else can listen in, and authenticated, to make sure you're talking to who you expect.
The old Signal used ZRTP to derive cryptographic material to encrypt the call and used two short authentication strings to allow the users to authenticate the setup.
Now with new Signal, the setup messages for a call are sent using the same encryption protocol as normal text messages. This means that the voice/video calls are secured in exactly the same way as text messages without any additional burden on the user.
Those strings were always kind of confusing as people didn't really know how to handle them, and it made it difficult to translate into other languages. Also the list is fixed by the powers that be, so sometimes some strange combinations/words could show up and cause even more confusion.
Now it's much easier and also extended to video calls which is great.
You can read some more here as well
I don't think this is the official Signal app.
Make sure you're getting your app from the app store and that it's by OpenWhisperSystems
https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms
As a side note, Telegram is doing it too. I posted this awhile ago but mods removed it because it was off topic (posted during the MOB discussions). We'll see if u/mad-de's post gets removed for the same reason too.
Yea, not that long ago:
There isn't really enough information on OP's link, and I can't find much mention about what the relationship there is other than this:
https://signal.org/blog/signal-foundation/
Seems like that fundraiser might have been started before the Signal Foundation and the $50M happened.
If you installed Signal from the Play Store or from a trusted source before, it is safe to update from Aptoide. Android only installs if the signatures match.
You can download from "danger zone" original apk here https://signal.org/android/apk/
The devs didn't mention this in the Play Store changelog, but the 4.32 release also fixes a bug in the website APK's tap-to-upgrade process:
If you're using an older version of the website APK, you may need to download and install the 4.32 update manually:
Then go for it!!
That is not code per se, but the output of the command diff from git. git is a software widely used for version control - it was developed by Linus for Linux.
Basically, lines with - are what was removed/changed from, and + are what was added/changed to.
I don't have any information on Facetime, but here's info on Signal's encryption and security model for VoIP and video calls.
Video calls for Signal now in public beta
Facetime is a proprietary Apple product, and we have to take their word for it that their encryption is good, and implemented properly. Signal, on the other hand, is an open-source project subject to audit by anyone at any time. And it has been professionally audited, as well.
I shared status on Messenger:
>I'm moving my messaging activities to open source and secure software.
>
>I'm turning off notifications for Messenger and WhatsApp. Please consider joining me on Signal.
>
>https://signal.org/install
Then I copied it on Wapp as a status, while putting second paragraph+link cropped as a profile picture. My name/descriptions are also indicating I've switched my messaging platform and I can't be reached on old places, anymore.
Not sure if it was good or bad. I also messaged people who I'm close to, being careful to be casual and to suggest it as a 'better' app which is on the rise.
I'm avoiding going deep, or at all (unless asked), into the problems of existing alternatives and I'm really worried if we campaign heavily, it could turn to Jehovah's Witnesses or vegans of technology and have counterproductive effects.
I'd really appreciate input of someone who's better versed into this than me.
From their blog post:
> The Signal Foundation's mission is to develop open source privacy technology that protects free expression and enables secure global communication. As more and more of our lives happen online, data protection and privacy are critical.
In my brief search, I couldn't find anything super-technical about WhatsApp and how it is "bad".
This lifehacker article explains what I have been hearing about for the past while. This stackexchange answer is another explanation.
From what I can tell, the consensus is that WhatsApp's implementation of E2EE, the Signal protocol, is great. They did that all properly. Which means that the encryption itself is the exact same as Signal's. If Signal's encryption is secure, I would bet money that WhatsApp's is also secure. The two things that Signal has over WhatsApp are (a) WhatsApp is owned by Facebook, which we don't like to trust because of the anti-privacy profit motive, whereas the Signal Foundation is a non-profit and doesn't have that. The other thing is (b) Signal's privacy policy is much, much more protective than WhatsApp's- WhatsApp has all sorts of metadata on you that they store on their servers- when you log in, whom you talk to, etc etc. This could be hacked by criminals, demanded by governments, and handed to Facebook for who knows what. Signal doesn't store any of that.
As far as me personally, I try to stay away from WhatsApp simply for the Facebook reason. But I still use it and recommend it over unencrypted SMS and phone calls.
You can't use the android tablet as a linked device, but if your friend wants to use Signal on a tablet instead of on his phone, (and he still has a phone number to use it with, whether cellular, landline, or a VOIP service like google voice) then I would think he ought to be able to sideload the signal app on his tablet and register with his number.
I've never tried to do this on an android tablet, but I recently got it to work this way on a chromebook's android container so I don't see why it shouldn't be the exact same.
The app you had him try was the one at https://signal.org/android/apk/?
From Signal's privacy policy:
>Signal cannot decrypt or otherwise access the content of your messages or calls. Signal queues end-to-end encrypted messages on its servers for delivery to devices that are temporarily offline (e.g. a phone whose battery has died). Your message history is stored on your own devices.
You can switch off read receipts by going to Signal Settings > Privacy > Read Receipts. Your contacts will still be able to see if their message was delivered to your device, but not if/when you opened/read their message. Switching off read receipts will also prevent you from being able to receive read receipts from your contacts.
You can unregister your number to prevent it from being recognized as a Signal number. However, this does not prevent people with your number from contacting you via insecure SMS/MMS.
That's a feature Signal once had. Here is an article explaining why they discontinued their solution for encrypted SMS in 2015:
iOS has two developers and Android seems like one and a half at the moment. Moxie does a lot of other stuff as well... There are more people now working on different aspects of Signal than it used to be for a long time, but they are still a small team.
But most important - they are hiring! https://signal.org/workworkwork/ So if you know somebody, spread the word!
No that's the exact approach and perspective to have with Signal and more specifically with disappearing messages.
Signal themselves mention this in their blog post
https://signal.org/blog/disappearing-messages/
I think a lot of people assume that since messages cannot be intercepted in transit then this means the messages are also secure on the end devices. That's not strictly the same thing, or even the same problem that Signal is working to address.
>I currently own an iPhone but it really annoys me with the constant surveillance...
I was under the impression that Apple is one of the more privacy respecting companies currently on the market. This is the first time I've heard of them "constantly surveilling" anyone. Care to explain?
>...and just wanted to know if there are any alternatives to smartphones either now or any plans to move in that direction? I assume signal will be supported on the coming alternatives like Librem and eelo?
If you decide to switch phones in the future and your device does not include the Google Play Store, you can download the Signal Android APK directly from the official website:
The APK should work on any device as long as it has an Internet connection and can run Android apps. It is reproducible and does not rely on Google Play Services. It's also designed to automatically download and prompt you to install the latest update.
It's just adding another layer of encryption between your device and Nord VPN's server. Once the packets exit NordVPN, they'd still be encrypted with Signal's encryption. So depending on where your adversary is on the network, they'd have to compromise either 1 or 2 layers of encryption.
There's also reading on Signal's website that talks a bit about the methods used as well (Diffie Hellman, which a lot of things are based on, like openssh).
The Simple Wikipedia entry for Diffie-Hellman is also a great read.
They (probably) used Wickr because at the time of the show's production that app had a reputation of being really popular among criminals, it was only a few years after the Snowden leaks and privacy movements/software weren't as big so knowledge about what is objectively the best software to use wasn't as known as today, Wickr was good enough for the little things it was used. Also Wickr isn't open-source, only their encryption protocol is open-source, here is a comparison of Wickr and Signal.
Signal:
Source code: open-source
Trackers: None
Data it can give to law enforcement:
* Date and time the account was created
* Date of last use
https://signal.org/bigbrother/eastern-virginia-grand-jury/
Wickr:
Source code: closed-source
Trackers: 3 (Countly, Bugsnag and Google Firebase Analytics)
Data it can give to law enforcement:
* Date the account was created
* Type of device(s) on which such account was used
* Date of last use
* Total number of sent/received messages
* Privacy list mode setting (allow/block list enabled/disabled)
* Number of users on the privacy list
* Number of external ID’s (email addresses and phone numbers) connected to the account, but not the plaintext external IDs themselves
* Limited records of recent changes to account settings such as changes to privacy list mode to block or allow users (does not include message content or routing and delivery information)
* Wickr version number
If you sent a message to someone, Signal doesn't even know that "You" sent them a message. The most they know is that a message, intended for a particular recipient, originated from some IP address, but the actual Signal account it was sent from is hidden.
That doesn't mean they couldn't add an online indicator, but it would probably have to take the form of periodic messages sent to each of your contacts, similar to typing indicators (but without needing to type). Personally, I wonder if it would be worth it? For most people you are always "online" on signal anyway in the sense that your phone is probably on and you will probably get a notification if someone sends you a message.
What's also funny here is that Signal's main technological advancement in the first place was getting encrypted messaging to work asynchronously. Now it's becoming so popular that people want it to have more "synchronous" features!
What do you mean by publicly shared?
In a blog announcement they describe that they are encrypted. However, if you send the stickerpack to anyone, they will be able to distribute it further to whomever.
>Sticker packs in Signal are fully encrypted. Every sticker pack consists of a random ID and a symmetric “pack key” that encrypts the pack name, author name, and sticker media. This pack key is never stored on the Signal service. Instead, users automatically exchange pack keys with each other when they send stickers through the encrypted Signal Protocol messaging channel.
https://signal.org/blog/make-privacy-stick/
I understand this isn't specific to your request, but if anyone wants to donate to Signal, they may do so here:
I'm not aware of any current bug/feature bounty program, although they used to have https://signal.org/blog/bithub/. I suspect they suspended this after creating the Signal Technology Foundation and accepting donations that way, but I could be wrong.
If you are into privacy, I think a good option is to buy android smartphone and install copperhead OS on it (Google-less android focused on privacy) but keep in mind that now it only supports a handful of devices listed on their website https://copperhead.co/android/
Sorry to hear about your mum...
Anyways, if you want to offer her the tool she is expecting to use when "the internet goes down" (and providing you all have android devices), tell her she needs to download Briar. It's p2p and relays communications through your Bluetooth and LAN network - not through the internet.
Just a reminder to go into Settings => Privacy to find the new Sealed Sender options:
1) Display Indicators
2) Allow From Anyone - "users who want to live on the edge can enable an optional setting that allows them to receive incoming “sealed sender” messages from non-contacts and people with whom they haven’t shared their profile or delivery token. This comes at the increased risk of abuse, but allows for every incoming message to be sent with “sealed sender,” without requiring any normal message traffic to first discover a profile key"
https://signal.org/blog/sealed-sender/
Doesn't hurt to enable Display Indicators, but "Allow From Anyone" may not be for everyone.
I'm curious if they are migrating to a new host. They received a cease and desist letter from Amazon about spoofing their traffic (domain fronting) through AWS. So perhaps they are moving to a new host since it's the end of the month now and they aren't going to comply with Amazon's terms of service.
Edit: Here is the blog post about it.
To answer your first question, here is an excerpt from Signal's privacy policy:
>Signal provides end-to-end encrypted calling and messaging. We cannot decrypt or otherwise access the content of a call or a message.
>Certain information (e.g. a recipient’s identifier, an encrypted message body, etc.) is transmitted to us solely for the purpose of placing calls or transmitting messages. Unless otherwise stated below, this information is only kept as long as necessary to place each call or transmit each message, and is not used for any other purpose.
If you manually delete a message in a chat, it will only be deleted from that particular device. It will not be deleted from other devices that you've linked to your account (Signal Desktop) or the recipient's device(s).
Ha ha i hope there isn't a Google backdoor, since they're advertising Signal all of a sudden, HA HA.
Browser in the picture: Firefox Preview
At the risk of not being helpful as I suspect your intention is to receive the sustainer badge in return. You're able to set up monthly donations via the website in both currency or crypto, obvious downside is I don't believe you'd receive a badge. https://signal.org/donate/
Her phone isn’t sending those notifications.
Existing Signal users who already have her number in their address books can see which of their contacts they can message on Signal.
You can read more about Signal contact discovery here:
https://support.signal.org/hc/en-us/articles/360007061452-Does-Signal-send-my-number-to-my-contacts-
and in more detail here:
Yes, you can in fact see references to the number in the server code that handles registration, as they do need to send an SMS verification code when signing up; however, notice all the references to getHashedAuthenticationToken().
The number is hashed for storage but not during the sign-up process.
As for how Signal would know where to send a message, I'd assume you'd be able to hash the recipient's phone number on device and send it to the server, which could then check the hash and deliver the message accordingly.
Hashes were generated on device and does store hashed phone numbers.
Now I believe it's being handled by SGX, which is basically reverse DRM (client sending encrypted content to an enclave on the server with which the host operating system and kernel cannot interact).
Right, I'll try to explain it to you as nicely as I can.
First of all, this is not an official community; it says so in the description.
Second of all, the "Not available in your region" text is not something that can be changed, as it is imposed by Google Play.
Now onto the APK installation, you can get the APK here: https://signal.org/android/apk
Now after you download the APK file, go into your downloads folder and locate it.
Tap on the APK file and your phone will either show a popup saying that you can't download the app from unknown sources with an option to take you to settings, or you might be directly taken to settings.
The settings window should be titled "Install unknown apps" (or similar). It should be displaying your File Manager and a toggle with the title "allow from this source"; make sure to enable "allow from this source".
After you confirm that "allow from this source" is toggled on, navigate back to your file manager and tap on the APK file. It should present a popup or a window saying [signal icon] Signal "Do you want to install an update to this existing application? Your existing data will not be lost." It should also present two options, "cancel" and "install"; select install, and Signal will install like a normal app, updating your existing Signal app.
Pretty straightforward, no computer or CLI required.
Did you only delete the app or did you fully unregister?
Signal on Android can be used for both Signal messages and SMS, so it's likely that your friend is still sending Signal messages instead of switching it to SMS. Unregistering your number should stop your friend's app from sending Signal messages and you should get the SMS messages again!
This blog post explains how certain group information would be (and now is) stored securely on a central server.
There is a secondary point about whether they should be supporting google/amazon by using their servers, but the sense I get is that in our current society there aren't really reliable alternatives.
That could easily create issues if someone connects relatively sporadically. There is already an "Unregister" function and people aren't using it. Hell, there's a webpage they can use if they've already uninstalled and forgot to unregister. iirc, WhatsApp has the same issue, so this isn't really limited to Signal.
Agreed, automatic fallback would not be good. The ability to control manually per message/per conversation would be a decent feature. Something. I really want Signal to be my default messaging app to be secure when possible, but the current design forced me back to another SMS app to continue SMS for the duration of the outage.
Please donate: https://signal.org/donate/
Edit: Hold send and I can send sms per message. I see it now. Thank you.
They didn't disable end-to-end encryption in WhatsApp, and you don't need Google Play services for Signal.
You can download the apk file from https://signal.org/android/apk/ and install it with Google Play services switched off. It will then warn you there are no Google Play services and let you install. Signal will auto-update itself, so no problems :)
I had the same problem as you, they should make it much clearer how to install on a phone without Google infestation.
Signal does store one's number (cause otherwise how would anyone know that you have an account) but it does not store your contact list nor does it know who is talking to whom. So, not feasible to even make a heatmap.
Like it or not, there is a built-in check on spam and harassment/abuse due to the fact that there is some time or monetary barrier to acquire more than the one or two phone numbers a person already has.
I wouldn't want to see Signal remove phone number registration unless they were able to find a way to prevent what would seem to be the inevitable uptick of abuse. I personally doubt it would even be possible, without some other kind of privacy-compromising trade-off.
However, even if you signed up with your phone number, when you send someone a message, the sealed sender feature means that Signal actually doesn't know it's your account that sent the message. And in the near future you will be able to hide your phone number from contacts in signal as well. These might be good enough for "a luddite like yourself"?
I don't know what the Calyx Institute is and what if any modifications they make to the Signal app. I also don't know if the version on F-Droid has been modified. In both cases you could check it against the signing key for the version on the Signal website.
If you are looking for a version of Signal without Google libraries, it's probably safer to build it yourself rather than trust whoever has uploaded an app anyway. I've seen some discussion about this on the Signal forums so this would be a good place to start, but I haven't tried to do this myself so I can't vouch for it other than to point you in that direction.
You don't have to have an account; you can still use the search engine on Twitter to find out that others are whining about downtime, and then you will notice that the official Twitter channel is signalapp. In case you don't want to visit twitter.com, you get the same info through nitter at https://nitter.net/signalapp
For users based in the EU or UK, this is also a violation of the GDPR article 7 (4) <https://gdpr-info.eu/art-7-gdpr/>
You can report it to your country's data protection authority, as well as complain to WhatsApp Inc directly: <https://www.whatsapp.com/contact/?subject=privacy>
Signal does end to end encrypt group conversations. It is a little different than their regular end to end encryption, and you can read about it on their site here
No, your contact does not need to have your number saved in their phone's address book in order for you to see that they are using Signal:
There’s a great video by Computerphile on YouTube about the forward and backwards security of the Signal protocol, and the blog of the Signal developers is a great read as well.
Here is a blog post from Moxie talking about federation in general
> When someone recently asked me about federating an unrelated communication platform into the Signal network, I told them that I thought we’d be unlikely to ever federate with clients and servers we don’t control.
All Signal messages are end-to-end encrypted. They can be thought of as sealed envelopes, which can only be opened by their intended recipients. All messages need to have a destination written on the outside in order to be delivered to the correct recipients. Ideally, the service doesn’t need to know anything else about the messages. Messages that are sent with the sealed sender technique have the sender’s identifier sent on the inside of the envelope instead of the outside.
This technique is normally only enabled for messages that you receive from other users whose numbers are saved in your phone’s address book or with whom you have shared your Signal Profile. Your Signal Profile is automatically shared with any contacts you have saved in your address book, any people or groups in conversations you create, and any people or groups you explicitly approve.
People who choose to share their Signal number publicly (e.g. by including it in their Twitter bio) are more likely to receive spam simply because their number is public. If these same people enable the option to receive sealed sender messages from anyone (i.e. people who are not in their contacts and don’t have access to their Signal Profile), it is less likely that Signal’s developers can take steps to limit this spam.
It might also help to think about this from another perspective: How could the Signal developers limit abuse if you do not enable this option? It only makes sense to implement server-side rate limiting based on sender’s identifiers, and this can’t happen for a particular recipient if they’ve enabled the option to receive sealed sender messages from anyone.
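A toy model of the argument above, added here as an example; it is not part of the original comment and not Signal's server code. The class and method names, the per-sender limit of 3 and the 12-byte delivery tokens are assumptions made for illustration.

```python
import hmac
from collections import Counter

class DeliveryServer:
    """Toy model of the two delivery paths (hypothetical, not Signal's code)."""
    def __init__(self, per_sender_limit=3):
        self.limit = per_sender_limit
        self.sent = Counter()   # authenticated sender -> messages accepted
        self.accounts = {}      # recipient -> delivery token and setting
        self.log = []           # (sender or None, recipient) as the server sees it

    def register(self, user, token, allow_anyone=False):
        self.accounts[user] = {"token": token, "allow_anyone": allow_anyone}

    def send_authenticated(self, sender, recipient, envelope):
        # The sender identifier is on the outside, so a per-sender limit works.
        if self.sent[sender] >= self.limit:
            return "rate-limited"
        self.sent[sender] += 1
        self.log.append((sender, recipient))
        return "delivered"

    def send_sealed(self, recipient, envelope, token=None):
        # No sender identifier is visible; the only gate is the delivery token.
        acct = self.accounts[recipient]
        known = token is not None and hmac.compare_digest(token, acct["token"])
        if not (known or acct["allow_anyone"]):
            return "rejected"
        self.log.append((None, recipient))
        return "delivered"

def simulate():
    srv = DeliveryServer(per_sender_limit=3)
    srv.register("alice", token=b"A" * 12)                   # default setting
    srv.register("bob", token=b"B" * 12, allow_anyone=True)  # "Allow From Anyone"
    blob = b"<opaque ciphertext; sender id is inside>"       # constructed sample
    return {
        "authenticated": [srv.send_authenticated("spammer", "alice", blob) for _ in range(5)],
        "sealed_default": [srv.send_sealed("alice", blob) for _ in range(5)],
        "sealed_allow_anyone": [srv.send_sealed("bob", blob) for _ in range(5)],
        "sealed_with_token": srv.send_sealed("alice", blob, token=b"A" * 12),
        "senders_in_log": {s for s, _ in srv.log},
    }
```

In this model the only key the server can count on for the "allow from anyone" recipient is the recipient itself, which is the limitation the comment describes.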
If your messages are not being delivered because the recipient decided to uninstall Signal, you can ask them to unregister their number through this website:
Edit: Your messages should start going through once they’ve unregistered.
(If you're on Android and want to send an insecure SMS message to another Signal user, you can do so by long-pressing the blue send icon and selecting the grey send icon.)
This video talks about how a part of the Signal Protocol which is called the (Extended) Triple Diffie-Hellman (X3DH) key agreement protocol can allow instant messaging apps to perform end-to-end encryption even when one phone may not even be switched on yet.
For people who are interested in reading more about this, Signal's developers have published a document describing the X3DH key agreement protocol here. Quoting the intro:
>X3DH establishes a shared secret key between two parties who mutually authenticate each other based on public keys. X3DH provides forward secrecy and cryptographic deniability.
>
>X3DH is designed for asynchronous settings where one user ("Bob") is offline but has published some information to a server. Another user ("Alice") wants to use that information to send encrypted data to Bob, and also establish a shared secret key for future communication.
A future Computerphile video will talk about another part of the Signal Protocol, which is called the Double Ratchet algorithm.
>[...] could another user see through their Signal app that I’m available to receive messages?
No. I think the closest thing to a "last seen" indicator right now are read receipts. If both you and your contact have them enabled, your contact will be able to see if you have read their message.
>I ask, because sometimes the moment I open my smartphone, I receive notifications in iOS that a message was sent to me from another Signal user.
There may be something preventing the notifications from showing up earlier. Go to your phone's Settings > Signal and make sure you have these permissions enabled: Notifications, Background App Refresh, and Cellular Data.
If you have ideas for how the new design could be improved, feel free to share them on the community forum. The developers have said that they are still closely following feedback and have planned to make additional updates. Regarding hiring UX/UI designers, there are several open positions at the moment.
Safety numbers are explained in this blog post:
They are derived from the public keys of each conversation participant and do not need to be kept secret.
Unfortunately, there is currently no way for the server to know if a user has uninstalled Signal.
Your contacts' accounts will eventually be deactivated, but only if they haven't connected to the server in an entire year. If you don't want to wait an entire year, ask the contacts who have uninstalled Signal to unregister:
In the meantime, you can send regular SMS messages to these contacts by long-pressing the blue send icon:
The beta version has not been closed, even though the production version has been released. The beta version is designed to install side-by-side with the production version.
A long time ago, TextSecure (basically the old Signal) used to do exactly what you're describing. It used to use SMS as the underlying messaging protocol, and it added E2E encryption on top of it. TextSecure removed SMS support at some point, which prompted some people to create a separate fork called SMSSecure. This fork is dedicated to adding E2E encryption to SMS/MMS.
SMSSecure was renamed to Silence, which is still available to this day. You can download it on your Android phone from the Google Play store.
Agreed. My device has a PIN already, a PIN is needed to boot, too. A messenger behind another authentication makes it inconvenient.
This isn't my bank account, and it's a daily driver. If the user wants it accessible, and they already have device level security, don't get in their way.
Edit: Review bomb them. Maybe they'll pay attention to that.
According to this stackoverflow answer, Chrome apps and extensions will automatically check every 5 hours if there is an update available. You can update them manually by ticking the Developer mode checkbox at the top right, then pressing the Update extensions now button.
You are making a conclusion that is not stated anywhere in that post. I have already participated there. This is no different from 1:1 chats besides the fact that there are additional recipients included in the same message. The speculation there is that a malicious server would be able to determine through network analysis who those users are, which is only different to the previous implementation in that you don't have to separate the barrage of messages from a normal 1:1. The participants are still unknown. Please read the following: https://signal.org/blog/sealed-sender/ The overarching protocol is the same for both with the exception that it is fanned out for group messages.
That has nothing at all to do with it. That setting is strictly for 'sealed sender' which you can learn more about here. Anyone can message you signal-to-signal if they have your phone number, and you have to either accept the request, delete it, or block it.