The thing is that there’s nothing special about Signal that makes it better than alternatives like SimpleX. I just don’t see why it should be promoted instead of them. Yes, it’s better than WhatsApp where meta has a master key and can read your messages, but why settle when you can use a platform without compromises?

Yeah, there are network effects at play here. Getting people to move off a platform is very difficult because they need their contacts to move to, and their contacts need theirs in turn. Some people are willing to use multiple messaging apps, but most don’t. I’d argue that’s why it’s important to promote alternatives to Signal. The more popular they become the easier it is to get people to move to them.

The question here is why not get people to switch to a better platform like SimpleX or even matrix with something like Element. I don’t find that Signal does anything better in practice.

For the record, I absolutely do hate living in a world where conspiracy theorists got things mostly right but for completely wrong reasons.

Pretty much yeah, and they’ve had a really good marketing campaign too. They got a whole bunch of prominent tech influencers incessantly pushing it, and it just feels like a massive astroturf campaign to me. Like you said, if a random person pitched this idea, they’d be laughed at, but you get some people with clout to do it, and it sticks because everybody respects them and trusts them.

I don’t think we’re saying anything new here. I’ve explained my point and the problem with Signal collecting phone numbers. You can make your own decisions on whether you think that’s acceptable practice or not.

Except you have no idea what’s actually running on the server. Only people who operate it know.

Citation for what exactly? Go read up on how networking works, entire textbooks are available. The server has access to all the data the client sends it. How do you think you get paired with another person to chat, by magic?

No, I don’t think we live in an ideal world. I repeatedly said you ultimately have to use the platform that your contacts use. I’m merely pointing out that you should understand the trade offs.

It’s not really a partial solution, it’s just sophistry to obscure the problem. The fact that I’ve had this same discussion with many people now, and it always takes effort to explain why sealed sender doesn’t actually address the problem leads me to believe the the actual problem it’s solving is not of making the platform more secure. The complete and obvious solution to the problem is to not collect personally identifying information in the first place.

You have a very charitable view of Signal making the base assumption that people running it are good actors. Yet, given that it has direct ties to the US government, that it’s operated in the US on a central server, and the team won’t even release the app outside proprietary platforms, that base assumption does not seem well founded to me. I do not trust the people operating this service, and I think it’s a very dangerous assumption to think that they have your best interests in mind.

I also find it really weird how aggressively Signal is being pushed everywhere, and how any criticism of it gets dismissed or ridiculed. It feels a bit like a cult at this point.

Sure, you can absolutely decide that it’s a reasonable trade off, but your original claim was that sealed sender addressed the problem. Sounds like you’re now acknowledging that’s not actually the case…

That’s precisely why organized labour has been systematically dismantled in the US. Back in the day there were strong unions, mutual support groups, and so on. These systems are key for workers to be able to take collective action like general strikes.

Again, I think people should be aware that there are alternatives to Signal, and be able to make an informed decision on the trade offs that matter to them. My personal view is that there are absolutely better platforms than Signal, but if people understand the potential risks with Signal and use it because it’s convenient or their other contacts use it, etc., that’s entirely up to them. It’s just not what I would personally recommend if people want privacy.

Again, sealed sender has nothing to do with it. If I run a server, I have access to the raw requests coming in. I can do whatever I want with them even outside Signal protocol. You can’t verify that my server is set up to work the way I say it is. You get that right?

You’re confusing what Signal team says their server does, and the open source server implementation they released with what’s actually running. The latter, you have no idea about.

The core issue is trusting the physical infrastructure rather than just the cryptography. The protocol design for sealed sender assumes the server behaves exactly as the published open source code dictates. A malicious operator can simply run modified server software that entirely ignores those privacy protections. Even if the cryptographic payload lacks a sender ID, the server still receives the raw network request and all the metadata attached to it. Your client has to talk to the server and identify itself before any messages are even sent.

When your device connects to send that sealed message, it inevitably reveals your IP address and connection timing to the server. The server also knows your IP address from when you initially registered your phone number or when you requested those temporary rate limiting tokens. By logging the raw incoming requests at the network level, a malicious server can easily correlate the IP address sending the sealed message with the IP address tied to the phone number.

Since the server must know the destination to route the message, it just links your incoming IP address to the recipient ID. Over time this builds a complete social graph of who is talking to whom. The cryptographic token merely proves you are allowed to send a message without explicitly stating who you are inside the payload. It does absolutely nothing to hide the metadata of the network connection itself from the machine receiving the data.

but in that chain what you really care about is your phone number that identifies you in the real world to your messages, right?

It doesn’t matter, what matters is that the server has a unique id for you and the person you’re talking to, and that id can then be mapped to the phone number that was initially collected. That’s all the server needs to identify the real identity of the people you communicate with.

It’s not a question of what the server needs minimally, it’s a question of what the server could be doing if it was set up maliciously. The sealed sender does not solve this problem in any way shape of form.

Again, nowhere did I talk about message history. What I’m talking about the server having unique ids for each user, which is how it connects users to each other, and having a phone number collected initially which can be tied to that id. You don’t need anything from the messages themselves to create a graph of people who talk to each other. The routing is done by the server.

Again, the only people who actually know what the phone number is used for are the people who operate the server. I don’t know why this is such a difficult concept for people to grasp. They don’t need the information contained in the messages. Once the phone number is collected, it CAN be stored and associated with your account. There is no way for you to know whether that happens or not unless you have access to that server. There is no way for you to verify that the server does what people operating it say it does. That’s what makes it a trust based system.

You just gotta love the narcissism these people have.

Nope, sealed sender does not address the problem because the phone number is collected at sign up time. The whole sealed sender concept is just another trust me bro mechanic because, once again, nobody aside from people who are actually operating the server know what it’s doing. Signal is proof that vast majority of people don’t understand the basics of privacy and security, and they don’t actually care.