Comment by qskousen

1 year ago

Stealing someone's phone number wouldn't give you any Signal data, as all the messages have perfect forward secrecy, though, right? And all contacts would see an alert that your security number had changed. Not completely foolproof, and I would like Signal to use something other than phone numbers for accounts, but it's pretty good.

Knowing someone's phone number is enough to potentially compromise it. Sophisticated methods can involve zero-click attacks, where just sending you an SMS that you won’t even see can lead to a compromised device. You can check how Tucker got his Signal conversation exposed.

Matrix is far better in terms of security than Signal, but Matrix is far behind compared to Telegram features.

  • You seem to be living on this weird balance of having no threat model. This is what your post implies

    1. Signal is bad and insecure because registering a user account requires giving a phone number.
    2. Matrix is better; it fixes this by registering with emails (although emails also have zero-click vulnerabilities).
    3. Telegram is better than Matrix; it's more usable (even though it also requires a phone number like Signal).

    So pick a lane: is requiring a phone number a litmus test for you or not? Is zero-click vulnerability something that needs to be addressed? How do you deal with malicious contacts or people in public groups sending zero-click links?

    • It isn’t about me picking a lane; I’m just stating things as they are. If you want a feature-rich chat and social app that has a user base too, but you don’t care much about security, go for Telegram. Although some might argue that chats aren’t encrypted, no one known has gotten in trouble because Telegram handed over their data. However, you should never rely on that and don’t trust any cloud-based service in general. Knowing that in advance makes it better so you treat it as you would any social media.

      If you want security on the other hand but with fewer features and a smaller user base, go with Matrix. You don’t need an email, by the way; it’s optional (1).

      Signal is just in the middle, lacking Telegram's features and Matrix's security, resulting in a weird abomination that I would never recommend to anyone. For a normal non-techie person, I would say go with Telegram, and if you care about security, use Matrix. Recommending Signal might give a false sense of security.

      (1) https://ems-docs.element.io/books/element-support/page/creat....


  • That's a good point. I looked into using Matrix before I switched to Signal, but the user experience just in creating an account was pretty abysmal, at least at the time. As I was recommending it to non-tech people, I ended up going with Signal.

    • > but the user experience just in creating an account was pretty abysmal

      I agree it was, probably better now, but for the average person, it’s too much to “process” compared to just adding your phone number and signing up.

  • One does not need to keep the SIM card with the phone number required for registration in the phone.

    Also, Telegram has an additional password option for logging in, which avoids phone number hijacking. And if you hijack an account, the secret chats don't appear; they are bound to the device.

There's also an option in the settings that means taking over a phone number on a separate device isn't enough; you also need to enter the PIN. (Not on by default, though.)