A lot of recent (and upcoming) blog posts I’ve written, and Fediverse discussions I’ve participated in, have been about the security of communication products. My criticism of these pro…
This is a very technology focused view. In any user system, the users themselves have to be a consideration too. I don’t use most of them for the fact I don’t have a smartphone. So for my use case, any chat application that requires one might as well not exist, so read the rest of this with that in mind.
People fall into a few categories:
The don’t cares. They use whatever everyone else uses, because that’s what they need to use to talk to who they want to talk to.
The open and defederated. If they can’t self host, it fails.
The anti-corporate. If it is run by a big organization, regardless of technology, it’s a no.
The technologically illiterate. Basically the same as the first group, but if it’s not really user friendly they can’t figure it out.
I’m sure there are others, but these are what come to mind first. While Signal might be the one that has the best technology for many that doesn’t mean, and will never mean it is the “best” because their decision matrix doesn’t weigh technology as highly as you, and their knowledge doesn’t allow them to understand the nuances you talk about.
Agreed. Interpersonal relationships are stronger bonds than us tech dudes (myself included) tend to appreciate.
People are still on Facebook despite all their unacceptable actions over the years, because the alternative is to completely uproot your whole social circle (everyone all at once, good luck with that) or seriously risk cutting off people you care about.
Almost the same applies to Furs still on Telegram, though afaik TG hasn’t ever done anything remotely as bad as Zuck, Elon or Spez
EDIT: sidestepping the uprooting part is what’s fantastic about the Fediverse btw; compat and futureproofing between diff websites being a must-have from the start, and that’s awesome <3
From a “don’t care” position, Elon is probably the only one who has impacted them. For Spez a majority of users probably just use the desktop site, or official app and would be more annoyed with the mods impacting their experience than Spez for making changes. Zuck did a bunch of behind the scenes manipulations, but again the don’t cares wouldn’t have noticed.
The fediverse itself might be resistant to overall control, but you are still tied to an instance, so a rogue admin, or some spam in ActivityPub could still cause uprooting.
As I wrote here: https://furry.engineer/@soatok/112883040405408545
My whole thing is applied cryptography! When I’m discussing what the bar is to qualify as a real competitor to a private messaging app renowned for its security, I’m ONLY TALKING ABOUT CRYPTOGRAPHIC SECURITY.
This isn’t a more broad discussion. This isn’t about product or UX decisions, or the Network Effect.
Those are valid discussions to have, but NOT in reply to this specific post, which was very narrowly scoped to outlining the specific minimum technical requirements other products need to have to even deserve a seat at the table.
I understand, but it’s all about framing. “What does it Mean to be A Signal Competitor”, well that is chat apps as that is the space Signal occupies. That might not be what space it occupies to you, but that is the space it occupies. “What does it take to compete with Signal’s Security” frames the argument to one component, and I would probably have a very different response to that framing. Because of the framing, your argument comes across as “don’t talk about use case, it’s not worth my time.” I understand this is because your focus is the cryptographic security, but threat modeling and human factors have to be a consideration of an overall security posture. Congratulations, you have the best cryptography, but if it’s not usable, the cryptography doesn’t matter, if the users are the weakness, the cryptography doesn’t matter, if nobody is willing to use it because it’s missing a key user feature, the cryptography doesn’t matter.
I know enough about cryptography to know to leave it to the experts. I know about hardware power side channels, I know several exploits have been implementation based and not cryptography based, and I know vulnerability does not always mean an exploit
The framing is as follows:
Matrix, OMEMO, whatever.
If it doesn’t have all these properties, it’s not a Signal competitor. It’s disqualified and everyone should shut the fuck up about it when I’m talking about Signal.
That’s the entire point of this post. That’s the entire framing of this post.
If that’s not personally useful, move on to other things.
I understand your point of view, but whether you like it or not, your title will be viewed as the framing. “What Does It Mean To Be A Signal Competitor?” At a surface reading, it seems to me what that means to you is very different from what that means to others.
I assume you probably wrote it along the lines of “What does it mean for an E2E encrypted protocol to compete with Signal on a technical level”
Others read it as “what does it mean to compete with the Signal app” and there is no additional depth to security.
Anyone incapable of reading past the title is not worth listening to
I think what they mean is that someone unfamiliar with your line of work might even read the entire post and come away from it with the view of “Okay, and?” since the title told them this was going to be about “What Does It Mean To Be A Signal Competitor?”
The problem there is that what Signal is is different to different people, someone might for example use it like any other chat application, in which case even something like Telegram (ew) or Discord could be an alternative to them.
Again, if someone is familiar with your blog, they’ll know what you mean, but the blog post can be viewed by someone in isolation, in which case it won’t be so clear, especially since it’s also in relation to moving off of Telegram, which is not an E2EE platform at all by default
If they actually read the whole thing, including the addendum, there should no longer be any confusion.
As a rule, I never change titles after pressing Publish.