We estimate that by 2025, Signal will require approximately $50 million dollars a year to operate—and this is very lean compared to other popular messaging apps that don’t respect your privacy.
There’s an IETF internet standard for federated messaging called XMPP. Just be compatible with the standard. It also allows for extensions if you offer more than the core spec.
Signal incurs expenses when people download Signal and sign up for an account, or when they re-register on a new device. We use third-party services to send a registration code via SMS or voice call in order to verify that the person in possession of a given phone number actually intended to sign up for a Signal account. This is a critical step in helping to prevent spam accounts from signing up for the service and rendering it completely unusable—a non-trivial problem for any popular messaging app.
SMS verification is expensive.
Obviously, running the infrastructure to support the entire user base is also expensive. Decentralized protocols like Matrix sidestep this problem by allowing anyone to host their own infrastructure to use the network. Even if the largest Matrix server shuts down, the network will live on, and people can migrate to another server or host their own. This distributes the costs and allows for different business models to support those costs – commercial, non-profit, cooperative, whatever. Corporations can (and do) host their own Matrix servers for their employees, for instance. I wouldn’t be surprised to see universities do the same, like they frequently do with email.
I’m all for decentralised networks, but they do have their flaws. I use Matrix every day, and there are a lot of times the keys need to be resent, messages don’t get sent or deleted on shaky internet, etc. Issues like this make it seem broken to normies. Signal Just Works™️
Until you drop your phone in the swimming pool, and every message/photo you’ve ever received is just… gone. Forever.
Sorry but I don’t buy any claim that Signal “just works”. It’s pretty clear they care about security more than anything else even when that means making decisions that are user hostile. And that’s fine - if you feel like you need that level of security I’m glad Signal exists. But it doesn’t really align with the general public and Signal is never going to be a mass market messaging service unless something changes (Signal or the general public).
What’s weird to me is an app that excludes itself from phone backups considers SMS a valid form of authentication when a user links a device to a phone number - especially when you can necessarily link a device to a number that is already tied to someone else’s device. Like how is that ever going to be secure? Spoiler: it’s not. It’d make a lot more sense to me if users simply crated a username and shared it with other people instead of a phone number… and if they forget their password… come up with new username.
Signal provides a backup option. The auto backup for SMS on android is provided by google and likely uses google drive. I don’t know for certain but I would guess the encryption options and security of that route would be impossible to guarantee and the public backlash of signal users knowing their data was being sent to Google’s servers would be massive.
I’ve setup my signal backups to a local folder on my phone. I then have SyncThing running on my phone and home computer so it automatically gets sent once it’s created.
Absolutely, and I use Signal for a few things. It’s not a perfect solution, but it’s far better than most (looking at you, Facebook’s WhatsApp, with your previous Pegasus attack vector).
the phone number is still going to be required for making an account, you can just choose to not share it with others and give them your username instead.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !technology@beehaw.org
A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.
Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.
They could save a lot on infrastructure costs if they decentralised their network and stopped using phone numbers as unique identifiers.
How?
There’s a few forks that have done it. You could also look to Matrix to see how they’ve done it.
There’s an IETF internet standard for federated messaging called XMPP. Just be compatible with the standard. It also allows for extensions if you offer more than the core spec.
Quote from the blog post:
SMS verification is expensive.
Obviously, running the infrastructure to support the entire user base is also expensive. Decentralized protocols like Matrix sidestep this problem by allowing anyone to host their own infrastructure to use the network. Even if the largest Matrix server shuts down, the network will live on, and people can migrate to another server or host their own. This distributes the costs and allows for different business models to support those costs – commercial, non-profit, cooperative, whatever. Corporations can (and do) host their own Matrix servers for their employees, for instance. I wouldn’t be surprised to see universities do the same, like they frequently do with email.
I’m all for decentralised networks, but they do have their flaws. I use Matrix every day, and there are a lot of times the keys need to be resent, messages don’t get sent or deleted on shaky internet, etc. Issues like this make it seem broken to normies. Signal Just Works™️
Until you drop your phone in the swimming pool, and every message/photo you’ve ever received is just… gone. Forever.
Sorry but I don’t buy any claim that Signal “just works”. It’s pretty clear they care about security more than anything else even when that means making decisions that are user hostile. And that’s fine - if you feel like you need that level of security I’m glad Signal exists. But it doesn’t really align with the general public and Signal is never going to be a mass market messaging service unless something changes (Signal or the general public).
What’s weird to me is an app that excludes itself from phone backups considers SMS a valid form of authentication when a user links a device to a phone number - especially when you can necessarily link a device to a number that is already tied to someone else’s device. Like how is that ever going to be secure? Spoiler: it’s not. It’d make a lot more sense to me if users simply crated a username and shared it with other people instead of a phone number… and if they forget their password… come up with new username.
You want SimpleX then. No number needed.
+1 for this. From my tests, SimpleX seems fast, reliable, secure, and private. I haven’t tried daily driving it, though.
Downside is minor bugs re inviting friends:
Gets confused by invites from Facebook (can’t automatically strip the trailing tracking code from the URL).
Fails scan of QR invite with your maybe camera app. Must scan from app.
deleted by creator
Signal provides a backup option. The auto backup for SMS on android is provided by google and likely uses google drive. I don’t know for certain but I would guess the encryption options and security of that route would be impossible to guarantee and the public backlash of signal users knowing their data was being sent to Google’s servers would be massive.
I’ve setup my signal backups to a local folder on my phone. I then have SyncThing running on my phone and home computer so it automatically gets sent once it’s created.
Absolutely, and I use Signal for a few things. It’s not a perfect solution, but it’s far better than most (looking at you, Facebook’s WhatsApp, with your previous Pegasus attack vector).
November 9th, the verge: Signal tests usernames so you can avoid sharing your phone number
the phone number is still going to be required for making an account, you can just choose to not share it with others and give them your username instead.
Yes but you still need one and you still lose access to your account if you lose your number.