Signal Messaging App Now Testing Usernames (pcmag.com) 52
Michael Kan reports via PCMag: Encrypted messaging service Signal is now testing usernames, which will offer people a more private way to share their contact details on the app. Signal kicked off the public test today through a new beta build available in its community forums. "After rounds of internal testing, we have hit the point where we think the community that powers these forums can help us test even further before public launch," says Signal VP of Engineering Jim O'Leary.
The development is a big deal since Signal -- an end-to-end encrypted messaging app -- has long required users to sign up with a phone number. That same number also needs to be shared in order to message other users on the app. This can be problematic since sharing your phone number exposes you to privacy and hacking risks. For example, a contact on Signal could choose to call and message your number over an unencrypted cellular network or pass off the number to someone else.
The development is a big deal since Signal -- an end-to-end encrypted messaging app -- has long required users to sign up with a phone number. That same number also needs to be shared in order to message other users on the app. This can be problematic since sharing your phone number exposes you to privacy and hacking risks. For example, a contact on Signal could choose to call and message your number over an unencrypted cellular network or pass off the number to someone else.
Finally. (Score:5, Interesting)
Always found it hilarious that an app that supposedly cared about privacy made you give your normal phone number to people if you wanted to talk to them.
Re:Finally. (Score:5, Insightful)
It's sill pretty bad that you need a phone number to register, and to transfer your account to a new device. To transfer it has to be the same phone number, so no using a burner SIM.
You just have to trust that Signal Inc. will never disclose your phone number, or get hacked. Well, they are probably already hacked, by government security agencies like the NSA and GCHQ.
Overall the Signal app isn't very good for protecting your privacy. End-to-end encryption doesn't prevent your IP address being observed by the Signal servers, tied to your phone number and account because they have to block unofficial clients and servers that want to federate. Better apps use the Tor network to prevent the server knowing your IP address, and don't require a phone number.
Re: (Score:2, Insightful)
You just have to trust that Signal Inc. will never disclose your phone number, or get hacked.
Curious, if you don't disclose your own phone number, either by calling others on signal or so others can call you, what is the point of signing up for signal?
Isn't that a bit like saying you need to sign up for an email account for the purpose of emailing, yet don't want to give your email address out?
If you don't give the email address out, why did you need to sign up for email?
That's the entire problem here.
"Identification" / "Authentication", the first part of that is not intended (or can be) a secret.
W
I own my email address, not my phone number (Score:2)
Curious, if you don't disclose your own phone number, either by calling others on signal or so others can call you, what is the point of signing up for signal?
Isn't that a bit like saying you need to sign up for an email account for the purpose of emailing, yet don't want to give your email address out?
I own my email address because I own my domain name. I don't own my phone number; the mobile carrier does. A domain name is also less expensive to keep active in perpetuity than a phone number.
Teens seeking to use the service may not have a phone number, instead using their parents' house phone. This means that the parent who pays the phone bill is eligible to use Signal and the teen living with them is not.
Re: (Score:2)
Isn't that a bit like saying you need to sign up for an email account for the purpose of emailing, yet don't want to give your email address out? If you don't give the email address out, why did you need to sign up for email?
Signal is not restricted to a mobile phone usage only. It is available for PC and Mac as well as iOS and Android tablets. The first app might have been on phones but the requirement of a phone is a reasonable question.
Re: Finally. (Score:2)
Re: (Score:1)
See also https://berty.tech/ [berty.tech]
Re:Finally. (Score:5, Insightful)
Classic error. Privacy != Anonymity.
Why should I care if my friends and family have my phone number?
All I care about is if the communication is encrypted and there is sufficient guarantees that the person I'm talking with is the same person they were yesterday and the day before.
This change will only invite more scrutiny from the vocal minority that continue to make signal worse every year.
Re:Finally. (Score:5, Informative)
The reasons are even in the summary. If the other party has your phone number, they can more easily screw up and text you something sensitive rather than using Signal.
Consider that you are someone interesting enough to have a really skilled adversary with some resources. You're a journalist some powerful person or company doesn't like.
If someone compromises the person on the other end of your chats, they now have your phone number. They can now use your phone number for all sorts of phishing attacks, and have a much wider set of paths to attack *your* device. If they just have your Signal username, it's much less useful to them.
It's also often wanted for a much less technical sort of privacy. Women in particular give out fake numbers all the time, and many prefer to share Instagram and the like instead of a phone number. You can just block someone on Instagram, if they have your phone number, that at least feels much more permanent.
Re: (Score:2)
I always found it hilarious that people who want to communicate are desperate not to hand over a number which exists for the express purpose of communicating with them.
Someone with your number can drain your account (Score:2)
Historically, mobile carriers in the United States and Canadian markets have billed subscribers for each outgoing voice minute, each incoming voice minute, each outgoing text message, and each incoming text message. Giving a mobile number to a malicious person lets said person cost you money. All they have to do is send enough text messages to your number to cause the mobile carrier to shut down your account for having zero balance. After this, you cannot make or receive calls nor send or receive text messa
Re: (Score:2)
I always found it hilarious that people who want to communicate are desperate not to hand over a number which exists for the express purpose of communicating with them.
People should be able to choose the method they want to communicate in my opinion. I hope that is not some sort of controversial opinion where you live. I mean by that logic, people should not object to others getting their physical address if they email someone.
Threat model (Score:2)
that supposedly cared about privacy
You have to take into account what's the threat model addressed by the app.
Signal doesn't target the "The NSA, GCHQ, Mossad and FSB are all after my ass" or "I am an Uighur living in in China" crowd - where a highly motivated threat actor with vast means is specifically targetting the user.
Signal mostly targets users who would like their private communication to stay private and not get accidentally spilled out by a server hack (which is what end-to-end encryption covers), by a stolen phone, etc. i.e.: most
Reverting back (Score:4, Informative)
Re:Reverting back (Score:4, Informative)
Nobody's reverting. It's an option.
How you can claim to be a privacy-aware messaging app when literally everyone you talk to gets your phone number is beyond me.
Simplicity is all well and good, and Whatsapp could easily make it required for sign-up but optional for discovering users (and why can't I just have as many aliases as I like, ala Bitcoin wallets) which can't be linked - so when I do have to Whatsapp a company's support lines or my boss wants to chat to me on Whatsapp, I don't have to give out my phone number to people that I don't want to have it?
Whatsapp even gives out all the numbers you have on your phone - if you're Dual SIM, every contact in Whatsapp gets both your numbers, which defeats the purpose of having separate numbers.
Re:Reverting back (Score:4)
Nobody's reverting. It's an option.
How you can claim to be a privacy-aware messaging app when literally everyone you talk to gets your phone number is beyond me.
If people truly cared about privacy, they wouldn't be carrying around a 24/7 personal tracking device tied to a phone number they freely give out anyway.
Kills me that some assume consumers treat their phone number like it's some kind of secret. Please. A criminal would give that shit out to the app tracking the package delivering a ski mask before a bank robbery. Just to highlight the ignorance and irony.
Re: (Score:2)
How you can claim to be a privacy-aware messaging app when literally everyone you talk to gets your phone number is beyond me.
You are not your phone number any more than you are your username. Your UID is low enough that you should remember a time when we printed everyone's number along with their name in a big BIG book and gave it out for free.
You know... so people could communicate with you.
Incoming calls on land lines were free of charge (Score:2)
Your UID is low enough that you should remember a time when we printed everyone's number along with their name in a big BIG book and gave it out for free.
You know... so people could communicate with you.
Only land lines were included in the directory. Incoming calls on land lines have always been free of charge in the U.S. market. Incoming calls and texts on mobile devices are not, at least until you upgrade to an unlimited service plan that costs several hundred dollars per year.
Re: (Score:2)
Several hundred a year. Sure, $25 or $30 a month for unlimited. If you can't afford that, you can get a free low income phone. Teens that can't get together $25 a month aren't trying very hard...Probably just use whatsapp anyway.
Teen labor law (Score:2)
Teens that can't get together $25 a month aren't trying very hard
That or they have a high school principal who refuses to sign work permits except for students with perfect attendance and at least an A- average.
Re: (Score:2)
Your UID is low enough that you should remember a time when we printed everyone's number along with their name in a big BIG book and gave it out for free.
My UID is low enough that I can remember when everyone's number was etched into cuneiform tablets.
Re:Reverting back (Score:5, Informative)
WhatsApp is also mobile-only (and at first there wasn't even the web interface that went through your phone anyway) and there is no option to just close the program without signing out completely or uninstalling. None of the other IMs at the time, from Skype to really anything had this "anti-feature", but it also meant you could reach someone on Whatsapp as opposed to getting them on Skype whenever they feel like logging in, possibly months (!) later.
Re: (Score:2)
This isn't an anti-feature, it's their core purpose. Many moons ago WhatsApp didn't even allow you to send messages. It was literally a way of transmitting your active status on iPhone to your other iPhone contacts. That's it. Only when that idea flopped did they add messaging features and reinvent themselves.
immediate failure (Score:3)
followed the link. clicked the "windows" link, which downloads the regular installer .exe, whereupon I am immediately prompted to open the Signal app on my phone.
so. what exactly has changed here??
Re: (Score:1)
The link to signal-desktop apt alpha is a 404. You'd think before putting out a message encouraging people to download... they... would... test the links.
Re: (Score:2)
yep.
the page does in fact invite people to compile from source, but then it also provides this link for Windows users, which is useless. anyway... I've been waiting for this feature for several years. I'll just wait a bit longer!
Re: (Score:2)
SMS crypto isn't end-to-end (Score:2)
As I understand it, Short Message Service (SMS) is encrypted over the air. However, once it gets to the tower, the encryption is compromised in the sense that both the sender's carrier and the recipient's carrier can read message cleartext.
Signal gave no content data to Turkey (Score:2)
If you're going to make something up, at least post a link, any link to some reputable news source that says the same thing.
Google says no such thing happened.
Re:Signal encrypted messaging service (Score:4, Insightful)
Re: (Score:2)
I've used https://getsession.org/ [getsession.org] as a e2e messaging app. The initial setup to connect with people isn't as smooth as Signal but once you are established, it just works.
What do people really want? Probably not anonymity (Score:5, Insightful)
Signal seems to not quite know where they are going. The decision to stop working as an ordinary SMS client, for example. Sure, in that case, SMS messages were not encrypted - but you could show that in the UI. Now, everyone needs one more messaging client, which leads to the danger of sending unencrypted SMS when you actually meant to use signal.
Some comments complain about the phone number requirement. Yes, that means you are not anonymous. However, your messages are still private. What is your use case? Do you really want to be anonymous to your friends, family and colleagues? I don't, and I also want to know who I am corresponding with. In this sense, allowing the user-name option is (imho) a poor idea. I hope they make it obvious in the UI whether or not the person has had to enter a phone number.
If you want the option to be fully anonymous, Signal is probably not the right app. However, anonymity is not what most people really want.
Re: What do people really want? Probably not anony (Score:2)
I want to be anonymous to the corporation running this service and any government entity which is required to have access to their database.
Re: (Score:2)
Pass off? (Score:1, Offtopic)
Pass off the number? Or did you mean pass on the number?
I'm not sure what kind of passing off you could do with it.
Pissing off, certainly. That goes without saying!
Can you use signal without a phone number? (Score:4, Interesting)
As long as you can't use signal without a phone number and a mobile phone, it's going to suck.
I should be able to register by creating a username and password, and use it on a PC without having to piggy back on a phone.
Can you use Internet without a phone number? (Score:2)
I should be able to register by creating a username and password, and use it on a PC without having to piggy back on a phone.
Then let's nail down what a replacement for Signal that does not require a phone number would look like. For comparison, let's use Element [element.io] as an example of what exists. Element requires Internet access on the device where it is used in order to send and receive messages. Say you're using Element on a PC. In this hypothetical situation, how would you order an Internet access subscription for the PC without using a phone?
Re: (Score:3)
Say you're using Element on a PC. In this hypothetical situation, how would you order an Internet access subscription for the PC without using a phone?
Out of topic, but you typically order Internet using another Internet connection. That how I did it the last 5 times.
But if you prefer, you can also walk to your ISP's office and some may allow you to order from there. You can also use someone else's phone, a pay phone, a landline without SMS function to order as well.
Re: (Score:2)
Re: (Score:2)
Maybe you just don't need one, especially if you want to somehow fly under the radar and you'd just use free wifi that you can find in tons of places nowadays? Or it might come as part of your lodging arrangements? Or of course as someone else answered already just over internet or in the shop.
I would like this ten digit numeral username (Score:1)
Now add support for more than one mobile device (Score:2)
Will there be a username rush? (Score:1)
it looks like you get some random digits added to your username... "myname.69" for exmple. this is to make it harder for attackers to guess according to the app...
does this mean there can be multiple people with "myname" but with different numbers? or is myname unique?
Very good but at a cost (Score:2)
Spend some time in China or Iran (Score:2)
I know people who have been disappeared... Privacy and anonymity are more important than ever before. Don't assume "everything is fine" just because you live in a first world country. Your illusions of freedom and rights can be taken away at any moment and have been many times in the past.
I liked it when I could use it for everything (Score:1)
Usernames. (Score:2)