this post was submitted on 28 Aug 2024
601 points (97.9% liked)
Technology
58117 readers
4133 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
You can use a username only for finding and adding friends, you only need the phone number to create an account. That's probably because Signal started as an alternative to Messages (or whatever it was called back then), so you could send SMS if you wanted, or secure messages to friends w/ Signal. The whole point was to be a gentle transition from SMS to private messaging. However, they eventually dropped the SMS feature, but it seems they kept the phone number as username thing.
It kind of sucks, but I think that's a reasonable limitation since the vast majority of people using this service will have a phone number. You could probably even sign up for a free trial of something (e.g. Google Fi) to sign up for Signal, set up the username, and then drop the phone number service. I don't know if there are any problems with this, but I don't think they do anything with your phone number after everything is set up.
I think another reason they use a phone number is that it can mitigate issues with people or bots creating hundred of accounts maybe
But there are plenty of other services that don't require a phone number that also seem to mitigate that issue, so while it may be a convenient option, it's hardly the only option.
Yeah. And I don't fault them for this route. I just with I could sign up without a phone number. Maybe the username thing is a predecessor to allowing usernam-only registration in the future.
Yeah, hopefully. It would also be awesome to have a web login so I could access messages and whatnot when using someone else's computer w/o having to install something.
I don't know what direction they're going, but I'm honestly okay with the caveats that currently exist.
Having web logon would mean they would need to hold the decryption key in some form (or have a weak decryption key, your credentials), so, while convenient, I think it would degrade security and possibly privacy. Unless you mean to receive new messages, the way the desktop app works?
Not if they used WebAssembly to do all the decryption locally.
I can't tell if you're joking haha
Why would they be joking? There's really not a big difference between how their mobile and desktop apps work and what's possible in the web. It can fetch the keys from my computer or my phone just like their other apps work, and store the keys and whatnot encrypted in temporary local storage, just like on the phone. WebAssembly could allow them to share the code and retain similar performance.
I honestly don't see an issue here. If they need help, I'd be happy to lend a hand.
Why? C++ does wasm and I'm pretty sure the signal client is already written in C++. It definitely wouldn't be something that could be pulled off quickly, but the ability to securely run code like this is kind of the whole point of wasm as I understand it, no?
I'd be more interested in allowing more than one Android device at a time like MySudo. They let you link Windows with a phone so I wouldn't think it would be too hard to implement.
Big concern with your number being recycled and a new user receiving the signal activation key on that number.
Sure, and I think that would send a message to all of your contacts that a new account is using that number, but I'm honestly not sure. If you have an active account (i.e. on a desktop or something), I think you can just change your number if that happens (i.e. get another temp number).
It's certainly more convenient if you use a longer-term number, but I think it's feasible with a throwaway number. Once your account is set up, Signal doesn't need your number for anything if you disable publishing that.
It does send a "your safety number has been updated with user" message. But not as an automated message. Only when a new signal thread is started.
Haven't tried when only logged in to desktop and changing devices / numbers so I can't speak to that.
You need to enter your Signal Pin, otherwise you will get removed from all groups etc
Another issue with phone numbers is that it makes it easier to censor - from what I heard, in Iran the confirmation SMS just would not arrive, making rentals the only option (thus making you risk your account being deleted by the new owner).
My personal biggest issue with Signal, though, was the inability to register from the official desktop client. They were pushing to register on mobile instead. There are ways around it, like Signal-Cli (what I used) and Android VMs. However, the fact that they push people onto mobile at all is worrying, because phones are much harder to make private (while you can install Linux onto pretty much any given laptop/desktop, only certain phones are compatible with alternative OSes, and mine wasn't so I could not trust it with my chats).
Hmm, I guess then you'd need to get a VPN that works in your country (not sure how hard that is in Iran) and find a VOIP service that either doesn't require any payment, or accepts payments from Iran.
It's certainly not ideal, and I wish they'd eliminate the dependency on phone numbers, but until then, there are options for most people to create an account w/o having a permanent number.
You can use Monero for payment, I started doing this ever since sanctions began. Free services are not really viable because they're far more likely to have all their numbers already used up.
But yea, the overall point is that it is a large inconvenience and a possible point of failure (the next number user deleting the account).
Yeah, it's certainly problematic, and I'd very much prefer that it not have that dependency. But I think it's still worth using Signal despite needing a number, because it's a really low barrier to getting new users on it.
If you want something truly private w/o the dependency on a number, there are better options, such as SimpleX. However, the barrier to entry there is a bit higher.
I have a few problems with Simplex (I worry about it being effectively centralized for now and that the VC funding may get it to either enshittify or stop development)... But I do use it quite a bit and even have the servers (which were very easy to set up and don't consume a lot of resources). I like a lot of what it does (including being very easy to use), and hope it succeeds as it matures!
Google is a very bad choice because it requires a phone number on its own. Also heard that there may be additional KYC.
Are you suggesting you need a phone number to get a phone number from Google Fi?
And yeah, it'll definitely to KYC, because that's a federal regulation. My point is that you don't need the number long-term, so the number will only be associated with you for like a week while the trial period lasts. So sign up for Google Fi trial, create a Signal account, then cancel the trial. That sounds pretty reasonable to me.
Yea. Don't you need a Google account first to use such a service? Those do need phone numbers to register.
And also KYC is unacceptable in this case, imo. If the number is needed only for a short time, there are similar, non-KYC options like what you would find on kycnot.me.
Yeah, I think you'll create a Google account as part of the Google Fi account creation process.
If that really bothers you, use a different MVNO. Some offer free trials, but even if not, it's not too bad to buy a month of service. My provider is Tello, and the minimum service that'll give you SMS is $5/month. If you're clever, you can probably also find a VOIP provider that does SMS for really cheap.
My point isn't that Google Fi specifically is what you should use, just that it's an example of a service that offers a free trial, so you can sign up for Signal for free.
I get the point, I just said how bad of an example this is, lol