Since 2016, decentralize.today has been keeping an eye on which messenger is the best to use. The biggest questions are always; is this service private and how easy is it to use?
One messaging service that made it from humble beginnings and shot to become one of the biggest providers around is undoubtedly Signal, the subject of this (update) review.
Signal is one of just a few messengers that we have covered from the very beginning, principally because it gets better over time and is always second to none when it comes to encryption, but a lot has changed since we last looked into Signal, and we'd like to cover it all!
Signal started as TextSecure
Moxie Marlinspike and Stuart Andersen launched a new service called TextSecure in 2010. It was a service focused on securing both regular SMS traffic and TextSecure messengers, all going via the internet. It was initially launched on Android and in 2015, TextSecure was renamed Signal and shortly afterwards it launched its iOS version.
E2EE
The Signal Protocol (originaly refered to as the Axolotl-Protocol) was developed in 2013 by Trevor Perrin and Marlinspike and is recognised as the Gold Standard when it comes to encryption. Some people prefer Element or other more decentralized applications. We do all agree that that self hosted is better, but we also need to acknowledge that Marlinspike's encryption protocol, open-source by the way, is second to none. It's Zero-Knowledge-Proof, which means that not even Signal can see your messages, nor with whom you're communicating.
Sealed Sender and Private-Contact-Discovery are both unique to Signal and worth reading up here.
For further assurance, this file is 'A Formal Security Analysis of the Signal Messaging Protocol - Extended Version, July 2019'.
https://eprint.iacr.org/2016/1013.pdf
All communications are E2EE (End-To-End-Encrypted) on both one-on-one as well as Group Chats with Signal applying the Forward Secrecy (PFS Perfect-forward-secrecy) .
So far so good?
This all sounds great, and as I mentioned Signal's E2EE protocls are second to none, yet its first major shortcoming is that it is centralized. And so are the servers Signal uses!. For group messaging, those servers are owned by Google, and for one-on-one messages by AWS (Amazon), two companies that have no right to be in the privacy business.
It is guaranteed that these providers will not cancel their agreements or take the service down at any time, however, there are clear concerns that they may restrict IPs from countries where people are demonstrating or working together with law enforcement to block users access in certain regions. These are massive concerns.
Leaving server factors aside, as Signal explained the Zero-Knowladge-Proof is robust, and technically it is not possible for Amazon or Google to read your messages, yet it could capture your IP address and other metadata (but only a minimal amount, as Signal explains).
Just as with any open-source code published on GitHub, we need to also trust Signal that this is the code that is actually uploaded to the Google PlayStore and Apple App store.
For people without the PlayStore you can download Signal, and not have to rely on Google's push notifications, via the website:
https://signal.org/android/apk/
Signal doesn't rely on push notifications from Google on this version, so, it is perfect for ROMs that don't rely on Google, such as GrapheneOS.
Note: you may receive warnings that your battery life is draining because it has no Google Services installed, but fear not! I do not, personally, believe that battery life is impacted, I think you actually get a better battery life out of it because of the missing Google Services.
If you are an Android user, you can also use Molly, which is a fork of Signal and has a full FOSS version. Molly-FOSS is the community effort to make it 100% free and open-source. Molly has the option to encrypt your chats and password protect them. Something Signal skipped over years ago.
Molly
Privacy
Over the years, Signal has received multiple subpoenas (legal requests) to release data from its users.
Yet, there was not much Signal could share ;)
"All message contents are end-to-end encrypted, so we don’t have that information either."
One of the other shortcomings, when it comes to privacy, is the use of a telephone number. Your messages are private, yet you are not anonymous. Even though Signal started to introduce Signal Pins to switch from telephone numbers to usernames years ago, Signal never made the full move, so we are stuck with telephone numbers as the identifier.
You have a way around this which is by getting a one-time telephone number online and using that for your Signal account. Some great options are linked below:
All of them can be paid with Bitcoin or XMR (the latter being untraceable).
To set up Signal or Molly, you need to enter your telephone number (or your newly acquired one) and confirm the pin sent to that number. After receiving the confirmation code, the number will be your identifier. You can enter a username, which is shown to others and a profile picture as well as a small about yourself from your profile. This can then be seen by users with whom you connect.
Signal will use your address book to check if other users are using the service, this is all done hashed, so you do not need to worry that AWS or Google sees your address book.
At the same time, people who already have Signal and have you in their address book will receive a push notification that you've joined Signal.
We recommend verifying devices, if you have the chance. Scan the QR code of your friends and business partners to make sure you're connecting to the right person. After you have scanned a chat partner, you will see a check next to their name to confirm this.
Signal was sponsored via donations from the start. Donors include the Freedom of Press Foundation, Knight Foundation, Brian Acton (WhatsApp founder), Shuttleworth Foundation and the Open Technology Fund. The latter is known to finance Non-Profit-Organizations like the Tor-Project, WireGuard, Certbot, NoScript and even DeltaChat which we have reviewed in the past.
https://support.signal.org/hc/en-us/articles/360031949872-Donor-FAQs
And Signal have recently added 'become a Signal sustainer' to the list of funding options.
One thing that is kind of strange to many users is the addition of payments. It is still in beta and not yet activated but the strange feeling comes from them not offering a possibly great solution in Bitcoin, but going with MobileCoin, instead.
I believe they should focus on messaging and perfecting this, there is no need for every company to come in with its own payment offering. If you want to give the option to have crypto payments included in the app, chose Bitcoin, it would be used by more people and could have become a useful addition for many.
Signal improvements and features
Over the years Signal has come a long way, you now have a full-blown iPad app, desktop apps for Linux, macOS, and Windows. All of these work as secondary devices and need to be scanned with the mobile phone you set Signal up with. That said, you do not need your phone any more once its setup. This means you can use your desktop as your main account! ;)
Signal had for the last few years now a one-on-one call function, as well as a video call function. This has not only been much improved but Signal now has the option to make group calls/video calls with up to 40 people, totally encrypted and in great quality!
When someone texts you for the first time, you can block, delete or accept the text. If you block it, the other end will have no way of contacting you, via text or call.
Another great feature is disappearing messages. You can set these individually per chat, or you can set them for all incoming chats. If you send a message and want to remove the message you can also delete it, either for yourself or for everyone.
Signal has great group chats, however, it might initially be a hassle to invite everyone manually. If you want, for example, a chat for your website, blog or perhaps sport club, you can generate a link, then share the URL. Members can be auto-approved, or you can set it to be approved by one of the administrators.
Which brings me to administrators, the person who created the group chat can select other members of the same group to become administrators and have the same authority as the group owner.
Of course, you can have different ringtones and messaging tones for each group or member on Android. All other devices will have one sound for all groups or individual chats, regardless of whether it's iOS, macOS, Linux, or Windows.
And if you're a sticker fanpeep, Signal has you covered.
Finally, you can activate links to show a description and a picture, however, this feature has drawbacks when it comes to privacy and security. As we know, Pegasus, for example, sends messages with this technology to hack iPhones. Yet, since you approve the friends you chat with, you can usually trust them. It's a feature that makes links more interesting, and in some cases it's all you need anyway. For example, a football result, or a tweet ( but use nitter.net :-)).
New Year, New CEO
Signal will be active this year and we'll probably see some changes. decentralize.today will keep you posted on anything happening on Signal and, of course, any major concerns, privacy-wise.
Verdict
The verdict is simple, Signal has one of the best E2EE systems on the market, it does falls short when it comes to decentralization, yet with Zero-Knowledge on Signal's end that shouldn't bother us too much.
One thing that is a top selling point is how close Signal is to WhatsApp or iMessage. You can easily get people and family members to join. It is hassle-free and while most people don't care about about privacy as much as you might, having an easy way to convince them to switch helps. Signal lets you send attachments, leave voice messages, lets you call and even video call with others. And just for the hell of it, it even has stickers. Onboarding is dead simple, which makes it easier to convince others.
I've learned that when you try to convince someone from WhatsApp or Facebook Messenger to switch to Element (Matrix) or any decentralized or federated chat system you run into questions/issues, and I usually get "...but I already have WhatsApp". I typically say "...and I already have Signal, so if you want to connect with me, that's what you need to use".
Alternatively, I also have Threema and Matrix, but Signal is truly an easy-to-use, confidence-providing and secure way to go!
Stay secure!
