Jabber, Signal and communicating safely

A few people have asked me specifically about Signal, and I feel that I don’t have enough time to explain why I don’t use it, or why I host my own jabber server. I am going to write up some thoughts on this here, and maybe we can have a discussion where folks can ask questions and make informed decisions for themselves. :slight_smile:

What are these things?

When I started writing this I got about eight long paragraphs into what Signal and Jabber are, but I realize for the purposes of this discussion a very light and brief description of each should suffice. I will post more on my site, and will link here when I publish.

Signal: encrypted texting and VOIP

Signal as a product is primarily phone apps for Android and iOS mobile operating systems, which use servers to connect with other Signal users to send and receive encrypted messages and voice calls.

It is very cool because it is easy to use for many people, is the state of the art for encrypted messaging, and is resistant to various kinds of adversaries.

It is a bummer because it uses a centralized set of servers for the main implementation, requires mobile phone markets to use, and relies on mobile company push notifications for some functionality.

Jabber: protocol and messaging framework

The easiest way to describe jabber is probably: it is similar to email, but for instant messaging. It is federated, so like email anyone can run their own server and they will communicate with each other. Jabber addresses use the same format as email (my jabber address is maiki@interi.org, incidentally).

It is very cool because it powers a substantial amount of messaging technologies you use every day, is mature and has a lot of options, and has a variety of clients and servers to choose from. It is federated, which is itself a form of resistance to censorship and invasion of privacy.

It is a bummer because it has so many options, and as a protocol it isn’t inherently user-friendly. It requires a non-trivial amount of effort and knowledge to secure, and federation means breaches of privacy are possible in certain usages.

What does maiki use?

The short answer is: I don’t use Signal. I self-host a jabber server.

To explain why, I am going to list a bunch of seemingly random datapoints, and will return to this at the end, but for now you should know that using Signal is a good idea, and you should definitely use it if you are not using anything else.

I am an outlier, and here is why, in order of selfishness to general concerns. :slight_smile:

  • I really want to host my own stuff. I do hosting and devops professionally and for fun. Running my own services is practical hands-on experience, and gives me a broader knowledge which allows me more safety.
  • Jabber is amazing for me! I can upload images to group chat, sync chat history between devices, chat from my tablets, mobile, laptop or really anything that can boot an operating system. These are not security concerns, but as I will explain later, it has the balance of features that I want, which includes privacy and security.
  • I dislike SMS, and only like voice calls slightly more. The way I communicate with my tribe is not based on text messaging or voice calls, so I don’t have much need for Signal. Note that this isn’t a prohibition, just an explanation for why I don’t use it personally.
  • I can’t install the software. Signal is open source, but for practical use it requires installing from the Apple or Google mobile stores. I don’t use iOS devices, and less than half of my Android devices have Google services installed. My next phone will likely be running Ubuntu, which means I will not have access to the Signal network.
  • Metadata. Because these apps are tied to the companies that produce the mobile operating systems, and utilize their push notification servers, they can collect some very limited information about your usage of the service. I am including this because while I believe that Signal does the best possible job, it is important to understand which third-parties are tracking you.

I had more points, but they are mostly nuances within those. The gist is that Signal doesn’t solve a problem I have, but it is likely a terrific tool for you to use.

I believe everyone that asked me about this uses an iPhone or standard Android device (meaning not jailbroken or modified away from manufacturer settings). In their situations using Signal makes a lot of sense, and their own privacy and security needs are met; I know that everyone who asked me actively uses Facebook, which means they aren’t worried or aware of how they are being tracked.

Signal is an important step to creating a ubiquitous state of encrypted communications, superseding the default state of plain text and clear voice communication that is current. Each person that encrypts their communication adds to the protection of everyone else against bad actors, and I hope to discuss that point in more detail in the future.

Questions? Insights?

talkgroup is in part a place to raise our collective knowledge on the topics we bring forth, so I want folks to be bold and ask questions they have. This is also a public space, so your questions do the open web a service as well. However, if you have concerns about security or privacy and don’t want to post them here, you can send me a private message or email me directly. :slight_smile:

And if you use either, both or something else, let us know! I have a lot to learn about how other folks are communicating.