Over the past few years I have gone through a bunch of different apps and protocols to find the best one for “securely” communicating with my family and friends.
I ended up with the amazing XMPP protocol and my family/friends frequently use its clients to contact me.
Monal for IOS and Cheogram/Conversations/Quicksy for Android. The android app I install depends on if I can get F-Droid on their phone or not.
It’s been great with OMEMO encryption and the clients/apps available for XMPP. But sometimes I have issues introducing people to it.
Jabber (friendly name for xmpp) sounds silly to say. The clients all have weird names. And after trying the Signal mobile app it feels more focused than what anyone in the XMPP community has whipped up.
But the capabilities of XMPP makes it better.
Signal Cons (immediete)
- Centralized
- Single app
- Phone numbers
XMPP/Jabber Cons
- Picking server
- Apps are sort of less friendly
What really scares me about Signal is the centralization. Any nerd can easily host an XMPP server these days. But Signal from what I’ve heard really wants us to use their server.
If XMPP gets more attention I’m sure we can get people supporting projects and creating better apps.
I keep seeing people recommended Signal instead.
This is a bit of a tired ramble. What I wanna know is why anyone is preferring Signal over XMPP apps. I assume it might be not knowing about it. Tell me what you use to message people.
There’s nothing wrong with Signal’s centralization model in a worrying sense. It acts only as a clueless message relay, and it has near-zero information on any of its users, even as it delivers messages from person to person. The only information Signal knows is if a phone number is registered and the last time it connected to the server. There is great care taken to make sure everything else is completely end-to-end encrypted and unknowable, even by subpoena.
The only real issue with Signal’s centralization is that if Signal the company goes down, then all clients can no longer work until someone stands up a new server to act as a relay again. Signal isn’t the endgame of privacy, but it’s the best we have right now for a lot of usecases, and it’s the only one I’ve had any luck converting normies to as it’s very polished and has a lot of features. IMO, by the time the central Signal server turns into an actual problem we’ll hopefully have excellent options available to migrate to.
Also TMK, the only reason you still need a phone number for Signal is to combat spam. You can disable your phone number being shown to anyone else in the app and only use temporary invite codes to connect with people, so I don’t count the phone number as a huge problem, though the requirement does still annoy me as it makes having multiple accounts more difficult and asserts a certain level of privilege.
I like signal but they do probably know who you talk to, when you talk to them, your IP, their IP, and size of your messages. The fact that they are pretending they can’t get this info with just server side changes worries me
Check their transparency log for subpoenas etc: https://signal.org/bigbrother/
Are they legally required to publish that?
No, and in fact they have fought to unseal and publish the articles they have. The point is that if you read the subpoenas, they request a lot of data from Signal and Signal can only ever return the phone number, account creation date, and last connected timestamp. So either Signal is consistently lying to various governments or they actually don’t have any of that data. Signal’s client is also open-source and has been audited, and they have published many blogposts about how the technology works.
I’d strongly recommend digging deeper into this and trusting the auditors and experts instead of dismissing it based on lazy and cynical guesses. If you don’t trust anyone you’re welcome to read the source code of the client yourself. Soatok recently posted an 8-part series going through Signal’s encryption that you can read as a primer: https://soatok.blog/2025/02/18/reviewing-the-cryptography-used-by-signal/.
Since they are not required to publish these they could be publishing only the ones that make them look good. You might also notice that they haven’t published any for over a year. I know how siglan works and I trust the client and the security. I even recommend it. But let’s not pretend they are INCAPABLE of building your social graph
Since you’ve clearly not read or comprehended any of the subpoenas that I linked, nor the encryption analysis, nor read any of Signal’s blogposts, I see no point with responding any further. You are spreading FUD, and I question your motives.
From the blog you provided. Next time. Read your sources
And
Edit: removed the word “moron”. I’m not a native English speaker and I thought it meant something else. It seems its like “retard” which I wouldn’t use as an insult. I’ve used it so much…
I’m not the one that is not listening. I don’t care about the ones they post. I care about the ones they don’t. I trust they client code. I don’t trust ANYONES server side code. Their encryption is top of the line and an industry standard. But is DOES NOT hide your IP, the time of the day you send messages
ONCE AGAIN (this is the third time I’m saying this) I like and recommend signal. I have no evil motives nor I’m trying to be paranoid. But let’s not pretend they are perfect.
If you are hurt because I said mean things about a company you base your personality on, that is not my problem.