this post was submitted on 20 Oct 2024
30 points (76.8% liked)

  • Signal forks can have unexpected behaviours like retaining deleted messages and also they don't get updated at the same rate that Signal gets updated.

  • Every couple of years I hear a story about hackers disturbing Signal with backdoors, which would be impossible or very hard to be done if they blocked third party clients. (Ex: 1)

  • The amount of people who use third party Signal clients are very few anyway.

I saw what WhatsApp did to forbid modification of its app which works in stopping a lot of distributions, why doesn't Signal do the same?

top 18 comments
[–] AllNewTypeFace@leminal.space 34 points 1 month ago (1 children)

IIRC, they do forbid third-party clients from their network. You can build it from source, but you won’t be able to connect to production Signal servers.

Third-party clients would not necessarily be a bad thing. Signal has limited resources, and as such has to cut corners. I for one would love a native desktop client that’s not Electron bloatware.

[–] Dot@feddit.org 3 points 1 month ago* (last edited 1 month ago) (3 children)

There are already 2 third party forks I know of, Molly and Signal-JW.

They both use and access the main production Signal servers.

As I said, a compromise here would be to have a client security certification program, where no other clients outside it would be able to use Signal.

[–] Static_Rocket@lemmy.world 11 points 1 month ago

I could appreciate a client certification that is optional, like a list of approved clients on their website or something along those lines.

It should not be enforced by killing the client. I like security, but I enjoy software freedom more.

[–] just_another_person@lemmy.world 2 points 1 month ago

It takes resources to run and maintain such things. Probably not something they feel they can or want to take on.

[–] rottingleaf@lemmy.world 0 points 1 month ago (1 children)

As I said, a compromise here would be to have a client security certification program, where no other clients outside it would be able to use Signal.

You mean running a trojan "as a means of security", similar to anticheats? Are you sure this is a good idea?

Or if by "program" you mean having some allowed clients as opposed to only the official one allowed, it's a social thing, not a technical one. So it still won't prevent anyone from connecting with another client.

[–] Dot@feddit.org 3 points 1 month ago (1 children)

I mean having a list of allowed clients.

As I said in my post, WhatsApp already enforces forbidding third party clients and it seems to work well.

I don't see why Signal wouldn't improve the security of their users by implementing this, while upsetting the very few users who use third party clients.

[–] rottingleaf@lemmy.world 1 points 1 month ago

How do you imagine this working?

[–] tekato@lemmy.world 19 points 1 month ago (1 children)

They don’t allow 3rd party clients, as per their ToS:

You must not (or assist others to) access, use, modify, distribute, transfer, or exploit our Services in unauthorized manners, or in ways that harm Signal, our Services, or systems. For example you must not (a) gain or try to gain unauthorized access to our Services or systems; (b) disrupt the integrity or performance of our Services; (c) create accounts for our Services through unauthorized or automated means; (d) collect information about our users in any unauthorized manner; or (e) sell, rent, or charge for our Services.

You need authorization to access Signal servers, which they don’t give:

we really don't want forked versions of the app maintained by other parties connecting to our servers. Not only could the users using the forked version have a subpar experience, but the people they're talking to (using official clients) could also have a subpar experience (for example, an official client could try to send a new kind of message that the fork, having fallen out of date, doesn't support). I know you say you'd advocate for a build expiry, but you know how things go. Of course you have our full support if you'd like to fork Signal, name it something else, and use your own servers.

In my opinion, this is a horrible decision from Signal.

[–] visor841@lemmy.world 13 points 1 month ago* (last edited 1 month ago)

Yeah this is a big part why I'm very skeptical of Signal. It feels a lot like Ubuntu's snap store, it's technically open but you can't really interact with the main corporate controlled ecosystem.

[–] hummingbird@lemmy.world 16 points 1 month ago* (last edited 1 month ago) (1 children)

Signal forks can have unexpected behaviours like retaining deleted messages and also they don’t get updated at the same rate that Signal gets updated.

There are ways to save messages before they are deleted even if the stock app is used. Do not ever rely on this feature to work in a "safe" way.

Every couple of years I hear a story about hackers disturbing Signal with backdoors, which would be impossible or very hard to be done if they blocked third party clients. (Ex: 1)

That is a problem the users who prefer 3rd party clients have to deal with. Obviously if you care enough to not use the official build, you of course have to take care of using a trustworthy source. That is not "your problem" though.

The amount of people who use third party Signal clients are very few anyway.

That sounds a lot like the "I don't use it, so no one else needs it either" argument. In my opinion, none of your arguments above are a good reason to combat 3rd party clients.

[–] LodeMike 1 points 1 month ago

That's a lot of flak from an application which refuses to distribute itself outside the play store.

[–] jet@hackertalks.com 10 points 1 month ago (1 children)
[–] progandy@feddit.org 2 points 1 month ago* (last edited 1 month ago) (1 children)

This is the way. I might be open to switch back if they [signal] added [official] support for unified push, though

[–] jet@hackertalks.com 1 points 1 month ago (1 children)
[–] progandy@feddit.org 2 points 1 month ago* (last edited 1 month ago)

I know. I meant switch back to signal if signal added official support.

[–] 0x0@programming.dev 2 points 1 month ago

SimpleX Chat seems to be the new kid on the block.

[–] EngineerGaming@feddit.nl 2 points 1 month ago* (last edited 1 month ago)

At least until the official client allows registration from desktop without VM shenanigans, and allows an arbitrary SOCKS proxy instead of just their own, and doesn't depend on Google services on mobile, there NEED to be third-party clients like signal-cli or Molly.

[–] avidamoeba@lemmy.ca 1 points 1 month ago* (last edited 1 month ago)

How does Signal stop forks from connecting to their servers?