I’m using Signal, but after I found out that it’s not as privacy-friendly as it claims, I’m uneasy about sharing my address there. I trust the person who asked for my address, but not the service. What’s a safe way to share? I was thinking of something like a self-destructing pastebin, but surely you have better ideas.

  • Dessalines@lemmy.ml
    3 years ago

    Yes, we should absolutely put extra scrutiny on Radio Free Asia funded projects. But is Briar a single, centralized US hosted service? Does it require you, like Signal, to give it info that links to your real identity? Did it close its server source code off for a year? Is it possible to download it from F-Droid so you can verify its builds are secure? Does it depend on Google or Amazon? Does it bundle in a cryptocurrency? Is it possible to verify what the server is running?

    • ᗪᗩᗰᑎ@lemmy.ml
      3 years ago

      But is Briar a single, centralized US hosted service?

      No. But Briar runs over the Tor network, another project funded by the OTF [0]. Side note, the Tor Project has received $3 million USD from the OTF/CIA, can you trust it when a researcher was able to identify Tor users 100% of the time in a lab experiment and 81% of the time in real-world tests [1][2]?

      Does it require you, like Signal, to give it info that links to your real identity

      Signal never touted anonymity, only privacy. You need to understand your threat model to make an informed decision. Also, if a single researcher was able to de-anonymize Tor users 80% of the time in real life, what chance do you have with a more powerful nation-state, unlimited funds, and ownership of various exit nodes?

      Did it close its server source code off for a year?

      “Never attribute to malice that which is adequately explained by stupidity” - in this case, we can replace stupidity with a million things that have nothing to do with compromising your privacy. The client is still completely E2EE, open source and has reproducible builds.

      Is it possible to download it from F-Droid so you can verify its builds are secure

      You can download the app directly from Signal [3] or even build it yourself [4] to verify the build in the Play Store matches the code on GitHub.

      Does it depend on Google or Amazon?

      If you’re using an Android phone, you’re likely already depending on Google, although you can still run it on a de-Googled phone. I’m using Signal on a Pixel with stock Android and a OnePlus without any ties to Google using LineageOS, it works great on both phones! It does run on Amazon infrastructure, but again, we’ve seen Tor is not guaranteeing anyone anonymity anyways.

      Does it bundle in a cryptocurrency?

      How is this a negative? Some people want this and if you don’t want it, don’t use it.

      Is it possible to verify what the server is running?

      The server is basically plumbing/a router. The bulk of the Signal “magic” happens in the E2EE app. Can you verify that your Briar messages aren’t hopping through government-run Tor bridges/relays/exit nodes?

      [0] https://www.opentech.fund/results/supported-projects/tor-project/

      [1] https://www.vice.com/en/article/4x3qnj/how-the-nsa-or-anyone-else-can-crack-tors-anonymity

      [2] PDF warning: https://mice.cs.columbia.edu/getTechreport.php?techreportID=1545&format=pdf

      [3] https://signal.org/android/apk/

      [4] https://signal.org/blog/reproducible-android/

      EDIT: I do want to add - I’m 100% pro-Briar. It’s really easy to attempt to discredit something if you don’t understand a threat model, link legit sources, and speak to real flaws, nothing is 100% secure. That said, in today’s climate, message privacy is something that Signal can provide with very few compromises in usability.

      I’ll say it again, I want Briar to succeed and everything I’ve posted above is just a “devil’s advocate” stance to point out that Signal is, today, just as good if not better than most options out there.

      • ancom@lemmy.ml
        3 years ago

        can you trust it when a researcher was able to identify Tor users 100% of the time in a lab experiment and 81% of the time in real-world tests [1][2]?

        I know that you are doing this conspiracy thinking on purpose to confront Dessalines about their bias, but while this is not obvious to everyone:

        While it is true what you say, it is beyond meaning for most uses of Briar. The researcher’s result depended on a honeypot that served a large file. Don’t have contacts that act as a honeypot and you’re safe. When chatting with strangers, the technique discovered by that researcher might not be relevant to Briar, but I do not have enough knowledge to make a claim about that.