My grandma uses WhatsApp Web and Facebook hasn't taken down the WhatsApp Web snap yet. Both are end to end encrypted and based on the same transport but one of them used copyright law to take down a redistribution of their application.
If "a messenger that works" is a narrow lens, then sure. WhatsApp is still as secure as it ever was and everyone is already on it.
Signal had one feature it did better than its competitors and that's allowing integration of SMS. That feature is now getting killed because of RCS issues. With all my contacts on similar chat apps, I don't see why I should keep Signal installed once they remove the SMS feature, let alone why I should convince my grandma to make the switch.
"But Facebook is evil and wants to control you and wants to suck your blood" yes and so do the companies that made our phones and mobile operating systems. What's the point of Signal's openness (well, "open", they did stop uploading the source code for a while when they were adding in their crypto scheme) if you still use it on a proprietary phone.
And no, Linux on neither mobile devices nor the desktop is grandma-ready.
You mix up concepts. The client app is responsible for e2ee, you don't have to care about the server.
So you can actually audit the client code and make sure it is e2ee, which you cannot do with WhatsApp. In other words, for e2ee you must trust WhatsApp, not Signal.
I presume that for the outdated code, you think about the server code. That's different and would imply metadata, not message content.
Signal is e2ee, and you don't have to trust them for that.
> Signal is e2ee, and you don't have to trust them for that.
Only if both sides are using clients that are self-compiled, independently-compiled (and audited), deterministic/reproducible or third-party.
The problem is that the network and the app are the same people, and worse than that; they send binaries and expect you to trust them.
I know lip service is paid to reproducibility but afaik the instructions for doing that are 404ing.
I just get a greasy feeling from the lock-in, the heavy marketing, the fact that everyone refuses to speak critically of them unless it’s about anonymous usernames.
A truly good secure client would have worked on any network, it wouldn’t rely on transporting your data over their servers, it would be a protocol that was open to third parties to implement, it would also be reproducible or independently compiled by trusted third parties (like OS maintainers, who already audit a lot of the code that gets built and signed).
> I just get a greasy feeling from the lock-in, the heavy marketing, the fact that everyone refuses to speak critically of them unless it’s about anonymous usernames.
There are two things: First, say the Android apk they distribute has a backdoor, and someone realizes that (it's distributed to millions of people, could be that someone checks). Then that's the end of Signal, right? So that's a big risk for them. That's for the "mass surveillance" scenario. Not perfect, but that's something. Second, if you fear a targeted attack, then self-compile Signal. It's not that difficult if you care about it.
Look at how signal vs meta make their money. Meta's entire business model is built around directly violating people's privacy, and conspiring with other businesses to violate people's privacy.
Meta is a publicly traded company. Signal is a 501c3, it's a completely different kind of organization.
I already said that meta has an incentive to snarf up your data.
There is credibility to the notion that signal is designed to ensure that people who are paranoid would prefer it.
The fact that it exists and is convenient prevents more secure messengers from existing as the lions share simply goes to signal, and this is what I mean by marketing. It is conventional wisdom that signal is the bees knees and looking further or scrutinising it is folly.
A lot of funding comes from the government to signal too; and since it’s an American company it must comply to the best of its ability with US law. They tell us that they can only comply in small ways, but given that there is no independent verification of the server (that it even runs the FOSS code) and the hostility in having unofficial clients on the network I am left pondering.
Beyond that, metadata can be every bit as interesting as the actual conversation. Alice only talks to Bob on the weekend. Charlie sending a message to Dave cascades to Dave talking to Eric, Francis, and Gavin. Herald is only online from this business' IP address during opening hours.
The list goes on (and on), but the point is that Facebook gets to be the good guy and claim E2EE, while gathering all that metadata.
It's extremely expensive outside the US and can't be sent over wifi - so if you're communicating with someone abroad it's not a very convenient option. You're also missing out on E2EE and, lastly, Apple has corrupted the utility of it as a communication method for half of the devices out there.
I'm not in US, and unlimited sms is included in monthly subscription.
And years before that sms was cheaper than data.
Also sms is cheaper when roaming in Europe (in my case it has zero cost besides the monthly subscription price).
Sure IM are etter if you need group chat or communication abroad. But that is not the case for majority of population where 1 to 1 communication is used inside a single country.
Moxie is no longer active in signal afaik. This is the new leadership.