Hacker News

For truly sensitive communication, it’s better to use Signal: https://soatok.blog/2024/11/15/what-to-use-instead-of-pgp/


You're a fool if you believe handing over metadata like your personal phone number so you can be tracked is an improvement. That's not email and not a replacement for GPG, something that actually works properly. Session is a superior app for text replacement. I think you need to find new blogs that don't offer crap advice.


What kind of threat model do you operate under where Signal Technology Foundation knowing (one of) your phone numbers is a large risk?


The fact that Signal knows my phone number doesn't bother me.

The fact that anyone who knows my phone number can know that I use Signal does bother me.


Settings > Privacy > Phone number has two options:

- "Who can see my number". If you choose "Nobody", then your phone number will not be visible to anyone unless they have it saved in their phone's contacts.

- "Who can find me by number". If you choose "Nobody", then nobody will be able to see you're on Signal unless you message them or have an existing chat with them.


May I ask why you’re bothered by this fact?


[Not OP] People (newbs) join Signal and it shows I'm on. So they message me "hi!". If I wanted WhatsApp etc. chats, I'd be on them, but Signal is for my real friends and essential contacts. I chose it for several reasons, and being visible on everyone's list is not one of them.


You can turn that off in settings


Session started as a fork of the Signal client/server to use identifiers that are not phone numbers (perfectly sensible) but having deviated from the known primitives of the Signal protocol and omitting PFS gives me pause.


Session was the go-to a couple of years ago, but now SimpleX Chat is imo superior, with proper PFS, even quantum-resistant, and better UX.


And how is the situation with desktop clients? Last I saw the situation was not exactly great.


No problem so far.


And now Signal allows you to use identifiers that are not phone numbers (except for your registration to the server).


They resisted this change for years, but eventually gave in and fixed it. You no longer need to hand out your phone number.

https://signal.org/blog/phone-number-privacy-usernames/


> They resisted this change for years, but eventually gave in and fixed it.

I believe that one big reason for that is that it was not trivial to get with the quality they wanted. I respect the fact that they "resisted" instead of just adding some bad implementation for the sake of it.


Nitpick: AFAIK, revealing a phone number is required for registration. But it’s no longer required in order to communicate with other Signal users.


There is no reason to tell people they are fools. Especially when you believe that email with PGP "actually works properly" w.r.t. metadata.


You mean the company with a HQ in the US?



