Why I won’t recommend Signal anymore by Sander Venema (InfoSec training background)

Discussion in 'privacy technology' started by lotuseclat79, Nov 5, 2016.

  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Why I won’t recommend Signal anymore by Sander Venema (InfoSec training background)

    -- Tom
     
  2. Much to do about nothing. Signal is still the best messaging app out there.
     
  3. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
Well, Sander Venema is not the only one criticizing Signal. Security expert Mike Kuketz, who was part of the team that revealed the WOT scam, criticizes Signal for pretty much the same reasons. His favorite messenger for Android right now is Conversations, which uses the XMPP protocol. For encryption it supports (in addition to OTR and OpenPGP) OMEMO, which is the XMPP implementation of Axolotl, which was developed by Moxie Marlinspike and is used in Signal. Hence, Conversations is as secure as Signal without having the criticized disadvantages. OMEMO can also be used in Gajim, and its implementation is planned for ChatSecure.
     
    Last edited: Nov 6, 2016
  4. 142395

    142395 Guest

It included some info I didn't know, and I fully support him. The first time I felt dubious about Signal was when they upgraded to Signal from Redphone & Textsecure. It now requires too many permissions, and giving my phone number became mandatory.

After reading, I am now sure that Signal & OWS are going the wrong way. The fact that there's no better alternative is another thing, but such an app is really needed. It seems they're focussing more on popularity and not much on user privacy and making the internet better.
    I have no experience with any of them; could you tell me if any of them can be used as a simple text messaging app like Textsecure (preferably only for that, w/out more functions like chat)?
     
  5. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I haven't used ChatSecure but mentioned it only because Conversations is not available for iOS. So the coming ChatSecure version would be an interesting iOS messenger with OMEMO.

And yes, Conversations can be used as a simple text messenger. A short introduction to what you can do with it can be found on its homepage. What's different compared to Signal (or Threema or WhatsApp) is that you have to create an account on an XMPP server. Conversations offers to create one on their own server, which costs 8 € per year, but you can use any other XMPP server. That's the federation aspect mentioned in Sander Venema's post.
     
  6. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,290
    Location:
    EU
    Well, it still needs a phone number which might be a no go for many. Wire uses the same protocol and you can use it with an email address, no phone number needed.
     
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
  8. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
  9. 142395

    142395 Guest

Thank you very much! It's an interesting tool, and I didn't know OMEMO either.
    It seems he repeated his claim of the need for keeping up w/ the latest, and seems to suggest it's essential to privacy. But I wonder if such rapid change (somewhat similar to the current modern browser release cycle?) is really for privacy, and not mostly for other demands... ofc I understand they need to satisfy user demands as a company, but seeing that JPG feature, which I haven't used in any messaging and never will, I think I have to say they're going a way which is quite different from what I wished (and I wish I could use it on CopperheadOS w/out Google).
    I admit OpenPGP's problem he gave as an example; it's nearly obsolete. But it's arguable if rapid change to meet the latest technology is really, really good for encryption software. I don't recommend using GPG in the default setting, which is obviously obsolete, but if carefully used it will be quite secure. Such slow change OTOH gives time to test; if it keeps changing every month there won't be a 'time-tested' product, like current browsers which always come w/ new vulns. As another example, Tutanota went to develop their own method to encrypt email's metadata (good thing), but this also introduced a vuln. Who knows if it's really better?
     
  10. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
  11. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Thanks, that's good to know but I think that nobody questioned the cryptographic security (that's why it's also used in OMEMO). The other issues brought up by Sander Venema are definitely worth being discussed, and Moxie's answers are not really convincing to me. For example, until lately there was a Signal fork without dependency on Google Cloud Messaging. So it's technically possible, and it would have the advantage that you could use Signal on, e.g., Cyanogenmod without the need to install the GApps.
     
  12. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,290
    Location:
    EU
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    http://securityaffairs.co/wordpress/54659/digital-id/signal-domain-fronting.html
     