Comment by nanomonkey a day ago

6 replies

Good luck brute-force guessing an Ed25519 key (32 bytes).

Honestly there are so many better options than phone numbers available. If you're already using QR-codes to transmit user ids, you might as well use something that is transferable and user generated.

godelski a day ago

You're reading the problem wrong. Yeah, even considering the birthday problem you're going to have a hard time finding a valid key.

But now we have a discovery problem. How do I find my current contacts? Do I need to rebuild my social graph from scratch? Good luck getting my friends with PhDs in computer science to do this, let alone my grandma.

Entropy is a double-edged sword. IMO Signal is doing a good job here. We can go drop phone numbers completely when enough people are using Signal. But while the userbase is low it's probably worth the 3 spam messages I get a year. I get more than that in a week on my iPhone and more than that a month when I used Android. So I'll take the trade.

And I must stress, the phone number issue is about privacy, not security. At least with regard to Signal.

  • nanomonkey a day ago

    One can still use simpler contact information like a phone number, email or QR code to transfer a user id.

    While I love what Signal has done, the compromises are significant. I use Secure Scuttlebutt, Cabal, Spritely Goblins, Tor, email and a variety of other P2P software on whatever device I like, but Signal requires a phone with Android or Apple, and requires that I lock my id to my phone number.

    • godelski 20 hours ago

      > the compromises are significant.
      > I use Secure Scuttlebutt, Cabal, Spritely Goblins, Tor,
      
      And which of those are you able to communicate with your grandma on?

      Honestly, I don't care how secure or how private (phone numbers are a privacy issue, not a security issue) if I have no one to communicate with. You need to solve the mass adoption problem.

      • omnimus 14 hours ago

        You know Signal is doing something right when even the constant doubters use it. Exactly because it's very accessible.

        There are always compromises; some of them are hard to make. Signal successfully makes private / secures the “normal” conversations that would otherwise be on some Facebook-owned app. None of the alternatives manage to do that.

        Once you get Signal messages from randos without first contact, like Airbnb hosts with password codes or IT admins or lawyers… it makes clear that they are doing it right.

        Honestly it's just a shame the platforms won't allow them to be the “native” SMS app like iMessage. That would be the most ideal and probably upset much of the police departments.