Comment by godelski

Comment by godelski 16 hours ago

5 replies

  > identification via a phone number.

Identification of what? That you have a Signal account?[0] I'll admit that that's not ideal but I'm unconvinced this is a big issue.

  > an authoritarian governments too may take ownership of a number at any moment.

Suppose they did hijack the account. This would not give them the message history. You know that, right? It also kicks out the original owner, warning them they've been pwned.

Don't get me wrong, Signal has issues and we should be critical and hold them to high standards. BUT *they are the only E2EE and low-metadata messenger that my grandma can use.* That's a big fucking deal. If we want secure communication to be commonplace we need to make sure it's usable. Sure, there's more secure and more private services, but none that my grandma could use.

I very much think Signal should shift focus to privacy as they've got the security side pretty well handled (as this blog illustrates). But also these comments at the top of any Signal thread feel a bit out of touch. Maybe I'm reading too much into it but there's a lot of people who confidently act like this compromises security or places harm on a user. The existence of a registered Signal account means very little, especially as you note numbers can be spoofed. You need more than a number to hijack an account and hijacking only reveals messages moving forward while telling the compromised user they're compromised.

So can we focus on bigger issues? Can we critique while still recommending? I have no problem saying I have issues with Signal and wish they did more while acknowledging that it is strongly my preferred means of contact and I try to convince others to talk to me that way. These things are not at odds. I've gone so far as donating to them several times because I use the service so much.

[0] https://signal.org/bigbrother/

WolfeReader 16 hours ago

Imagine being someone who would downvote this without a comment.

Is it:

"I disagree but am not literate enough to state why"

Or is it:

"This person is right, but I don't want people to know it (insert motive here), so I will try to make their comment invisible"

Either way they're cowards, and you are correct. Signal is the best intersection of genuine security and ease-of-use I've seen.

  • godelski 12 hours ago

    My points are positive now but the variance has been huge. I'm surprised how often a comment like mine swings or gets entirely downvoted without a reply. I do not know if it is zealots, bots, or people just feel like the issue is "so obvious" that it needs no addressing. But I'm not sure how that's different than the first item.

    It is also crazy to see how on HN of all places there's still a lot of confusion between the difference of privacy and security. People are saying phone numbers are a security issue. That's flat out wrong. It is a privacy issue.

XorNot 16 hours ago

Having run some family through the Signal onboarding process lately I'm actually kind of disappointed though: the CAPTCHA requirements are a big turn-off, and it was relatively difficult to get them to see "look I'm on Signal!" in their existing contacts.

To wit: phone numbers have to stay. That's how I even get people to use it with me, and that's enormously valuable.

But also: there really needs to be a way I can use my own account to vouch for a new user and skip that CAPTCHA (maybe there is? What happens if I do an in-app invite?)

  • godelski 12 hours ago

    Yeah the onboarding process isn't the best but... are CAPTCHA requirements really that big of a deal? Where on the internet can you go where you don't face these? Maybe my grandma can't handle that, but my already retired parents can (and that's a pretty low bar if you know them). For my grandma, yeah, I'll set it up. For my parents and anyone under 70 I think CAPTCHA is not too high of a bar.

    I think your threshold is too high. How high off the floor is a CAPTCHA? Because it looks like a bar rolling on the ground to me. You can trip over it but it is almost trivial to get over.

  • hahn-kev 14 hours ago

    Except CAPTCHA is to make it harder for spammers; if they just have to do CAPTCHA once and then invite more accounts it kinda defeats the purpose.