It seems like I constantly see “X secure messaging option is actually bullshit because it was purchased by Dr. Evil and Y is actually just e-mailing your messages directly to Xi Jinping.”

Is there an authoritatively “best” one I can just…download and setup easily? Is Signal good? Or do I need to solder a Raspberry Pi to the flux modulator of my home Linux NAS GUI, etc…?

  • derek@infosec.pub
    0·
    2 days ago

    Signal.

    Wired had an interview with Signal’s President last year that I found enlightening and provided an entry point for me to self educate further. Here’s an archive.org snapshot of it: https://web.archive.org/web/20240828100224/https://www.wired.com/story/meredith-whittaker-signal/

    For the click-averse here’s an excerpt I find compelling:

    Going back to your sense of Signal’s new phase: What is going to be different at this point in its life? Are you focused on truly bringing it to a billion people, the way that most Silicon Valley firms are?

    I mean, I … Yes. But not for the same reasons. For almost opposite reasons.

    Yeah. I don’t think anyone else at Signal has ever tried, at least so vocally, to emphasize this definition of Signal as the opposite of everything else in the tech industry, the only major communications platform that is not a for-profit business.

    Yeah, I mean, we don’t have a party line at Signal. But I think we should be proud of who we are and let people know that there are clear differences that matter to them. It’s not for nothing that WhatsApp is spending millions of dollars on billboards calling itself private, with the load-bearing privacy infrastructure having been created by the Signal protocol that WhatsApp uses.

    Now, we’re happy that WhatsApp integrated that, but let’s be real. It’s not by accident that WhatsApp and Apple are spending billions of dollars defining themselves as private. Because privacy is incredibly valuable. And who’s the gold standard for privacy? It’s Signal.

    I think people need to reframe their understanding of the tech industry, understanding how surveillance is so critical to its business model. And then understand how Signal stands apart, and recognize that we need to expand the space for that model to grow. Because having 70 percent of the global market for cloud in the hands of three companies globally is simply not safe. It’s Microsoft and CrowdStrike taking down half of the critical infrastructure in the world, because CrowdStrike cut corners on QA for a fucking kernel update. Are you kidding me? That’s totally insane, if you think about it, in terms of actually stewarding these infrastructures.

  • Hawk@lemmynsfw.com
    0·
    2 days ago

    As always the answer is it depends.

    Ive seen a lot of merchants of illicit products move towards sessions.

    It depends on your threat model, signal or maybe element is likely the best compromise.

  • WolfLink@sh.itjust.works
    0·
    3 days ago

    Only downsides of Signal are 1. It’s centralized 2. You have to sign up with a phone number.

    It’s secure, cross platform, and easy to set up and use.

    Probably most importantly, it’s a similar experience to using other popular texting apps and the set-up experience is familiar to anyone singing into any big-brand-name app, making it a relatively easy sell to non-techies.

    • techforwhat@lemmy.todayEnglish
      0·
      2 days ago

      To add to this:

      It’s also owned and operator by a non-profit in the United States (unlike Telegram and Whatsapp which are operated from the UAE and a for-profit company respectively).

      • mtchristo@lemm.ee
        0·
        2 days ago

        Look at openAI trying to switch to a forprofit. It’s hard to imagine signal surviving for longer especially that it is hemorrhaging a shit load of money and donations aren’t enough to keep it afloat

        • trailee@sh.itjust.works
          0·
          2 days ago

          Signal is actually trying very diligently to pioneer a novel financial model for a sustaining long term. Here’s a lemmy post from a few month ago about a Wired interview with Signal Foundation’s president covering it in some depth (and a current archive link to the article). They seem to be one of the few actually good entities left in a world of surveillance capitalism and pervasive domestic government espionage.

          Whether they succeed or not in the long term is certainly still unclear, but I expect they have many years of financial runway remaining.

      • WolfLink@sh.itjust.works
        0·
        2 days ago

        WhatsApp is owned by Meta (FaceBook), which is notorious for stooping to the level of borderline malware to steal data.

  • Bahnd Rollard@lemmy.world
    0·
    3 days ago

    If self-hosting and “Warning, some assembly required” isnt an issue, Matrix - Synapse. I spooled that up in my home lab recently and im slowly moving my group chats over to it.

  • AmbiguousProps@lemmy.todayEnglish
    0·
    3 days ago

    Signal via Molly seems like the best option at the moment. Molly is a third party client that allows for even more protections like database encryption and getting rid of Google firebase notifications, for example.

  • /home/pineapplelover@lemm.ee
    0·
    3 days ago

    Signal using the Molly fork is good. Besides that, there’s stuff like Session and Simplex for nerds out there. Matrix exists but it doesn’t encrypt all metadata iirc.

  • gkaklas@lemmy.zipEnglish
    0·
    3 days ago

    Signal has good encryption etc, is centralized, afaik needs Google Play Services except if you use Molly; but I think it’s a bit more mainstream and simple to use for end-users

    SimpleX also seems to have good encryption, post-quantum etc, and is anonymous and doesn’t even use user identifiers (they explain why that’s good on their website), so it could be good for occasional more sensitive conversations or sth (but I see people struggling with onboarding when installing it, and I still get confused by the UX sometimes). It’s kind of not even decentralized, more like peer-to-peer, with servers to just cache messages when you’re offline, I think.

    Personally for day-to-day I prefer to use Matrix with Element: decentralized (which I really value for competition and user choice), e2e, and has good support for creating communities etc, so I’m lucky to have it as our main chat platform for work, and I’ve been using it for years in our hackerspace and personal chats etc. I see end-users still struggling sometimes with onboarding, but if they’re close friends/family I usually need to set it up for them anyway

    • LH0ezVT@sh.itjust.works
      0·
      2 days ago

      Signal runs just fine without play services for me. It does drain quite a bit of battery without cloud messaging, but that is to be excepted since it needs to keep its own connection up in that case

  • edric@lemm.eeEnglish
    0·
    3 days ago

    Signal is the best balance between secure and convenience. There are more private options out there (i.e. don’t require a phone number), but they are harder to adapt especially if you want to get non-techy family and friends to switch over.

    • mnemonicmonkeys@sh.itjust.worksEnglish
      0·
      3 days ago

      Whoever built that website really needs to fix the hitbox on the ‘X’ when you’re done reading the popups. Or instead of trying to show off with JavaScript they can just have a separate page like most websites

  • mesamune@lemmy.worldEnglish
    0·
    3 days ago

    Its best not to use a phone at all honestly. The keyboard app on most phones that are default still gives info to apple/google. So even if you use signal, the data goes over. You can side-load apps that take that over (even better if you don’t use base android OS at all). But I dont know your situation.

    I know your joking but the most secure that is still usable is probably an encrypted home server and using something like irc/XMPP. A pi with yunohost can do wonders.

    Security is a spectrum so you have to chose how much inconvenience is best for your situation.

  • troed@fedia.io
    0·
    3 days ago

    Signal

    Matrix

    Those are your two choices. Signal is centralized, Matrix is federated.

    • Badabinski@kbin.earth
      0·
      3 days ago

      Claims require evidence in proportion to their extremity. There is no evidence of a backdoor in that issue. If a security researcher made a post saying “Signal is CIA backdoored, here is exactly how it works,” then I would read it and use my relevant domain knowledge as a software dev to make a decision. No explanation is provided, so I have nothing to use to decide. Therefore, my viewpoint is unchanged.

      Signal has been audited, and I believe it’s been audited multiple times. If you’re worried about your 4th amendment rights in the US, don’t turn on backups. If you have something serious to hide and your threat model includes state actors, send messages that delete themselves after a certain time period and enforce that discipline amongst your peers. The poster’s concerns sound like a skill issue to me.

    • mlfh@lemmy.sdf.org
      0·
      3 days ago

      They might have valid concerns, but when the writeup includes stuff like

      the developer of Signal wants us all to beLIEve

      it’s hard not to imagine the whole thing hand-painted on the side of a van.

      • Im_old@lemmy.world
        0·
        3 days ago

        I agree, that’s why I specified “make your own decision”. It’s better to have an informed opinion than just trust it.

  • Teknikal@eviltoast.orgEnglish
    0·
    3 days ago

    I use signal but if I could convince everyone I knew to use a messenger for security it would be Threema. No chance of that happening it’s hard enough convincing people to use signal.