I'm a massive Matrix fan and have high hopes for it but in experiments we've done with activist and journalist partners we've found the Riot.im client often gets a bit complicated for people to use. I think the main issue people have is related to keys. As a techie I love the options but I find many don't like having all the options. Signal of course is a lot easier as it hides many of those issues in the UI/UX.
The root problem is the requirement to verify that you are talking to who you think you are talking to. If you skip the identity verification stuff then you are inherently trusting a 3rd party. So if you are not exchanging your key fingerprints (safety numbers in Signal terms) then you are kidding yourself.
Exactly. That's the root problem and it's a problem that won't easily go away: UI/UX and usability vs security. To be honest right now most people have voted with their usability thumbs.
Even without verifying safety numbers, you’re still better off on Signal than you would be on another platform that doesn’t even offer the option of verification. If you’re looking to MITM a conversation on Signal you can only guess whether or not the recipients have verified each other, whereas on a platform like iMessage you know they haven’t because it’s not an available option.
SS7 spoofing is not a hard thing to do. Who knows if you really are initiating to +14055551212 who you think they are. I guess using multiple techs in serial could obfuscate the initiation correctly (voice, IM, social media, etc.).
PGPfone had a neat thing where it'd show each participant of a voice call a short string they'd read out loud, and then the crypto would use those for handshaking. MITM'ing voice, as part of a freeform conversation, especially between friends, is a lot harder.
Out of curiosity, did you ever try Keybase? It always struck me that usability as well as security were their primary focus. And I think they did the whole key management / chain of trust thing really well.
Hopefully none of that changes now that they've been acquired by Zoom.
It's gotten better - I'm dual-running Riot/Matrix and Signal. Cross-signing has fixed the main issues affecting encrypted chat usability but there's still plenty of UI improvements to make.
I just opened my Signal desktop app that I had synced previously. It asked me to resync again with my mobile device, which needs camera permissions to take a picture of a QR code. I had previously removed Signal from my mobile device. Lo and behold, my account no longer existed and I had to sign back up with a phone number. I then clicked sync and most of my messages on my desktop are gone. I don't see how this is easy by any standard.
If I understand your description, you reset your account. They delete the messages for safety when you reset. An attacker could reset by getting ahold of your phone number by SIM jacking or the govt getting your text. It's a safety method so no one can take your texts. Of course many people want to carry their texts along, but this is a safety risk if you lost control over your number. So that's what Signal is doing. If I recall when I had to reset my own number they did say they were deleting my old messages.
Signal allows backing up messages (though the UI and workflow for it is still rather clunky), so you should be able to restore them even if you switch to a different phone number entirely.
No, I had removed the app from my mobile previously, not deleted my account. When I resynced, they had removed my account and the messages saved on my desktop disappeared.
That is the same thing. The messages were stored on your phone, never on any "account". The desktop was only ever a mirror of the phone. This is explicitly how Signal works. WhatsApp works the same way.
If you did not delete the Signal directory on your phone then there should be some old backups with your messages there. These will be encrypted so you will need the original password to unencrypt them.