Moxie is open to someone writing an alternative to GCM, but nobody has stepped up and do it. It's much easier to complain about GCM, then to replace it.
Signal's use of GCM does NOT reveal who you are sending signals to, or what is in the message.
I didn't mean to critique anybody, but just pointed out why a specific solution is not okay for me. Take it as an assessment of the situation to understand what we have and were we want to go.
I might be ignorant about GCM. My understanding is that first you need to register with GCM and have the connection stay online permanent. That requires Google's Apps, which open the system to Google's Access, which clearly is not acceptable. Secondly, Google knows that way always where I am. I do not want a permanent connection to Google servers. Also, how does GCM know where to deliver my messages when it can't know who I'm contacting? I'm not saying that that is an impossible task, but to my knowledge Google isn't reliably (reliable in the sense of keeping my privacy even if Google were to become the attacker) solving it. [0]
Each of the three reasons given above are enough to not use GCM.
OK, if GCM delivers the data to Signal's servers, then Google doesn't know who I'm contacting, but the administrator of Signals server does. The two other points stay valid, though.
He said he would consider "a clean, well written, and well tested" pull request that would add WebSocket support to the Android version of Signal". That would replace GCM.
Don't confuse the issue with LibreSignal. Problem is Moxie is worried about the security of random 3rd parties publishing signal clients. Doubly so if published by f-droid (which doesn't' sign package with the developers key). Additionally he wasn't want these 3rd party client that may or may not be secure using the whisper systems infrastructure.
So it seems that signal could get a GCM replacement, if someone writes one.
Signal's use of GCM may not be particularly intrusive, but it still requires a phone with Google's services running. LibreSignal works on a Google-free phone, and Moxie told them to fuck off.
> If you think running servers is difficult and expensive (you're right), ask yourself why you feel entitled for us to run them for your product.
Moxie knowingly and willingly runs a free service. Why should he feel entitled to tell people how they interact with his service? What's the point of publishing your source code under the GPL if no one can do anything with it? Keep in mind the phone server still isn't open source either, so the client source on its own is about as useful as a literal brick for phone calls.
1) he doesn't want the signal community to fracture with incompatibilities (like say XMPP)
2) he doesn't want the security of signal users compromised with less secure clients. Thus he's against SMS since it leaks metadata like crazy to 100s or 1000s of entities.
3) he doesn't particularly trust f-droid to distribute clients since they use a central key (an attractive target) instead of the developers key.
4) he wants to be able to quickly iterate improving the clients and server in sync, on his own schedule.
So generally he wants to target a large number of users with a very secure client and doesn't want to sponsor anyone that takes his source with free server infrastructure.
So he believes in audits, security, and opensource. He even will allow a GCM replacement, as long as it only runs when GCM is not available. He expects the battery life and user experience to be terrible. The main problem seems to be that google negotiates with cellular providers to not time out connections to GCM, but they silently do that (without an RST) to other connections. Thus any GCM replacement will have to spend much more power/battery maintaining a connection. Moxie specifically mentioned that even 50 seconds was too long and that some providers time out connections even quicker than that.
Y'know, every time Signal comes up on here, a small group of people show up and shit all over both it and its creator, then recommend a variety of half-baked alternatives. And Moxie pops by and patiently explains all over again why the preferred approach of that group won't work and what the options are. And you're claiming his tone is unacceptable? I mean, sure, you're free to choose. But he's shown a lot more patience than I would.
Google and Facebook started using the same protocol as Signal in the latest versions of their messengers, but they don't interact in any way.
By the same logic you should also stop using HN because it also uses HTTP, just like those big guys.