[HN Gopher] Improving first impressions on Signal
___________________________________________________________________
Improving first impressions on Signal
Author : feross
Score : 74 points
Date : 2021-11-01 19:46 UTC (3 hours ago)
(HTM) web link (signal.org)
(TXT) w3m dump (signal.org)
| asethos wrote:
| Signal's message requests is a major selling point for me.
|
| I recently created a Signal account after having a bad experience
| in which someone used my phone number to harass me with SMS/calls
| (every time, from a different VOIP number). It's frustrating
| that, even in this era, there is no good way to filter out
| malicious actors from SMS/call.
|
| P.S. You can sign up with Signal via a VOIP number to avoid
| sharing your real phone number. See:
| https://theintercept.com/2017/09/28/signal-tutorial-second-p...
| dheera wrote:
| Yes, I do this. I really wish they and everyone else would stop
| using phone number as an ID and use an alphanumeric ID.
|
| Really, I don't want to give out a phone number to everyone.
| slownews45 wrote:
| I've not had this problem with iMessage really. Are you SURE
| it's not possible to block out bad actors on messaging?
| alerighi wrote:
| It's complicated and can be expensive. Also people that have your
| real phone number cannot contact you on Signal, so you have to
| have two accounts, one with your real number to chat with your
| contacts and another one with the fake one to share with
| strangers that you don't trust, and as far as I know the Signal
| app doesn't support two accounts (yes on Android there are ways
| to have two instances of the app, on iOS you can't).
|
| To me Telegram is superior to Signal because it gives you both
| options, use your phone numbers with people that already have
| you in the contacts, and don't share your number with strangers
| in a group.
| modeless wrote:
| Just got a new phone and migrating Signal was a total disaster.
| The first thing I did was login to the new phone which is
| apparently the wrong thing to do because you lose all your old
| messages and there's no option to import after you login. You
| have to logout but _there is no logout_. Gotta uninstall and
| reinstall, or clear app data. Next I tried the account migration
| feature which requires using both phones simultaneously, hope you
| didn't erase your old phone yet. But it doesn't work anyway,
| it's just broken. So after failing at that several times, then I
| had to manually make a backup on the old phone, write down a 20
| digit numeric code that's only displayed once on screen, transfer
| the backup file manually, type the code on the new phone, and
| then it logged me in but silently failed to import the backup.
| Had to uninstall again and did the exact same steps again and
| then it finally worked. What a travesty. Security shouldn't come
| with this kind of UX disaster.
| rlpb wrote:
| I recently moved phones and had the opposite experience. The
| Signal migration went very smoothly. Moving WhatsApp did not. I
| ended up managing to do it but not before about five attempts,
| each of which made me reauth my phone number and I hit rate
| limiting, etc.
| LogonType10 wrote:
| Sounds like you footgunned yourself. When starting Signal for
| the first time it gives the option to register OR migrate old
| account. There's no UI in the world that can totally protect
| users from themselves.
| gugagore wrote:
| That's only one part of the struggle that was mentioned. Even
| when using the migration feature, the comment reported it not
| working, and needing to manually transfer the backup file.
| pocketlim wrote:
| Recently got a new phone and the transition was super smooth.
| Tried to open Signal on the new phone, it somehow knew that I
| needed to transfer my backup, asked me to scan a QR code and
| keep the phones close together, a minute or so later, and done.
| Signal logged me out on the older device when it was finished.
|
| I've learned this lesson before though. Always keep your old
| phone around while transitioning to a new device in case you
| need to pull anything off of it.
| wpietri wrote:
| This is great! I haven't ever received Signal spam but have been
| getting say 5 junk SMS and 15 junk calls each week. They must be
| doing something right.
| noja wrote:
| Great, but...
|
| Please let people allow Signal to automatically save their media
| to their photo roll (or whatever ios calls it). The number of
| people I have met who require this and left Signal _after
| starting to use it_ is astonishing.
| dewey wrote:
| Do you think that's really the reason they are abandoning it? I
| think the bigger issue is probably that most of their friends
| are not on there and they use it less frequently until they
| abandon it.
| csydas wrote:
| This surprises me greatly, as it's my biggest annoyance with
| WhatsApp and Google Hangouts or whatever they call it now (I've
| not yet accepted the new app, so it still calls itself
| hangouts, but clearly is using the new chat app backend...)
|
| I despise that it shows up in my main photos whenever someone
| sends a photo/gif/vid on these apps. Telegram segregates its
| local storage to a separate folder that Android doesn't seem to
| grab for the photo-roll and I want it this way; my photoroll
| should only be __my__ pictures, not random stuff my friends
| send me.
|
| I talk to different people on different apps in very different
| ways; the ways I joke with my best friends is absolutely not
| appropriate for the ways I talk with the older people in my
| life, and vice versa. And it's absolutely not about me testing
| these waters; that's not for an App/OS to decide, that's for me
| to decide, and mixing these photos into one central location
| makes it more annoying and precarious for me to accidentally
| tap and share something I never meant to because the App/OS
| saved it to a central location that it never should have.
|
| I don't even agree with "give people the option";
| photocell/gallery/whatever are for __my pictures__. Downloads
| are for just that; Downloads. Apps should stay away from the
| pre-defined user space and put it in correctly named locations.
|
| I realize I'm "reeeeee-ing" here, but it's honestly a huge pet
| peeve of mine to see all the photos from the chat apps I use to
| keep in touch with a small handful of people dump themselves
| into a user space that isn't theirs.
|
| Telegram does it right, and apparently Signal does too -- I
| cannot understand why other chat-apps feel the need to behave
| otherwise; finding said photos is a matter of a single system
| call, so it's not like discoverability is a challenge for them.
| The users __will learn__, it's not hard to summon the file
| manager even with locked down permissions.
| dan-robertson wrote:
| For WhatsApp it is just settings->chats->save to camera roll
| which doesn't feel like a huge burden.
|
| I think the way I think about it is that your phone's
| 'photos' app should have all the things you would think of as
| photos and things people sent you are included in that.
| Though I'm not sure what iMessage does (I think they don't
| show up in photos. At least, things you take don't show up).
| I also wish the app were better at differentiating between
| photos you took and photos that WhatsApp added, e.g. I once
| found a video of my feet walking through the snow in flip
| flops and I couldn't remember where I was or why I did it,
| until I had worked out that it was my brother's feet and came
| from WhatsApp. It would be nice to have some source
| metadata[1] and maybe a deep link back to WhatsApp, or at
| least have the app say "this is in the WhatsApp album by the
| way"
|
| [1] ok, this actually exists for more recent photos and
| started exactly when I last upgraded my phone. So I am
| somewhat happy there I guess.
| Canada wrote:
| Not looking forward to this... I use bots and I bet this will
| make them stop working at some inconvenient time.
|
| I wish I could put up collateral, say stablecoin in a smart
| contract, where Signal can ban my account and keep the money if I
| abuse, but otherwise do not break my automation.
| awiuerqwoieru wrote:
| Why are you not using elements?
| ISL wrote:
| Is it strictly-true that anti-spam algorithms must be hidden to
| be effective?
|
| It would seem that initially, spammers would have the upper hand,
| but in the long run, coordinated and open effort against spammers
| has the potential to pay off.
|
| Furthermore, to have a closed algorithm that cuts off the ability
| for people to communicate opens the door to institutionalized
| censorship -- designating a political opponent's communication as
| spam could limit their ability to be heard.
| Arnt wrote:
| I've fought spam in other contexts and found that to be true. A
| change stopped spam until spammers learned what the change was,
| which made them adapt. The adaption might not be perfect, but
| it would happen, so prolonging the blocked period was
| essential. If one can do something that's effective and that
| the spammers don't understand for months, that's _great._ If
| they can spam for days and then are blocked for a longer period and
| that repeats, they'll go away and attack an easier target
| instead (well, some of them will look back later).
|
| Let me try an argument other than "it's been my experience",
| though.
|
| Suppose that it's not true. In that case, the anti-spam filter
| provides a publicly visible definition of spam in its code, and
| it's one that isn't grounded in the recipients' opinions. If
| the filter is to be effective, spammers must not be able to
| adapt their behaviour in a way that users consider spam but
| isn't according to the definition. Many people have tried to
| provide such a definition since 1995 and AIUI all have failed.
| I think the persistent failure indicates that it's extremely
| unlikely that one can be found, and therefore it's extremely
| unlikely that a publicly visible spam filter can be as
| effective as one that can be updated in secret.
| correct_horse wrote:
| Do you think an eventually open style spam filter could work?
| One where the implementation is released say 2 years after it
| was first written (including modifications)
| pornel wrote:
| Depends how high is your bar for "effective". For example
| there's nothing secret in rate limiting and IP bans, and these
| are fundamental techniques.
|
| However, there are plenty of opportunities to catch spammers
| when they make stupid mistakes. I've worked with web bot spam.
| I could catch a very popular bot brand by observing that it
| sent Accept header with content that was implausible for the
| User-Agent it sent. If the code was public, spammers could see
| `if (browser == safari && accept != safari-like) { spam }` and
| fix their header in minutes.
|
| There's also a middle ground where the algorithm is public, but
| it's powered by secret data: blacklists, databases for
| classifiers, ML models. From accountability point of view data
| being secret is as problematic as secret code.
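Added example, not from the original comment: the User-Agent/Accept consistency check pornel describes, run over constructed request records. The `PROFILES` table is a simplified assumption about top-level page loads, and all function names, IPs and header values are made up for illustration.

```python
# Added illustration. PROFILES is a simplified, assumed description of the
# Accept header on top-level page loads; it is not a real fingerprint database.
PROFILES = {
    # family: (media types expected, media types assumed never sent)
    "safari":   ({"text/html", "application/xhtml+xml"}, {"image/apng"}),
    "chromium": ({"text/html", "application/xhtml+xml", "image/apng"}, set()),
    "firefox":  ({"text/html", "application/xhtml+xml"}, set()),
}

def claimed_family(user_agent):
    """Map a User-Agent string to the browser family it claims to be."""
    if "Firefox/" in user_agent:
        return "firefox"
    # Chromium UAs also contain "Safari/", so test for Chrome first.
    if "Chrome/" in user_agent:
        return "chromium"
    if "Safari/" in user_agent and "Version/" in user_agent:
        return "safari"
    return None  # curl, libraries, unknown: no browser claim to contradict

def media_types(accept):
    """Media types listed in an Accept header, q-values and params dropped."""
    return {p.split(";")[0].strip().lower() for p in accept.split(",") if p.strip()}

def mismatch(user_agent, accept):
    """Return a reason string if Accept is implausible for the claimed browser."""
    family = claimed_family(user_agent)
    if family is None:
        return None
    expected, never = PROFILES[family]
    seen = media_types(accept)
    missing = expected - seen
    if missing:
        return f"{family}: missing {sorted(missing)}"
    unexpected = never & seen
    if unexpected:
        return f"{family}: unexpected {sorted(unexpected)}"
    return None

# Constructed sample requests: client IP, User-Agent, Accept (tab separated).
SAFARI = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
          "(KHTML, like Gecko) Version/15.0 Safari/605.1.15")
CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36")
NAV = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
CHROME_NAV = ("text/html,application/xhtml+xml,application/xml;q=0.9,"
              "image/avif,image/webp,image/apng,*/*;q=0.8")
SAMPLE = [
    f"192.0.2.10\t{SAFARI}\t{NAV}",
    f"192.0.2.11\t{CHROME}\t{CHROME_NAV}",
    f"198.51.100.7\t{SAFARI}\t*/*",           # library default behind a browser UA
    f"198.51.100.8\t{SAFARI}\t{CHROME_NAV}",  # Accept copied from another browser
    "192.0.2.12\tcurl/7.79.1\t*/*",           # honest non-browser client
]

def flag_requests(lines):
    """Return (ip, reason) for every record whose headers contradict each other."""
    flagged = []
    for line in lines:
        ip, ua, accept = line.split("\t")
        reason = mismatch(ua, accept)
        if reason:
            flagged.append((ip, reason))
    return flagged

if __name__ == "__main__":
    for ip, reason in flag_requests(SAMPLE):
        print(ip, reason)
```
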
| zimpenfish wrote:
| > Is it strictly-true that anti-spam algorithms must be hidden
| to be effective?
|
| Can't answer that but there were, for a long time, services
| that would run your "targeted emails" through spamassassin et
| al for you and give you advice on how to tweak them to lower
| the resultant score.
| Waterluvian wrote:
| Edit: I'm out of date for most of this. Way to go Signal team!
| See comments below my complainy post.
|
| Forcing me to recite my PIN every few weeks is one of the most
| irritating UX I've seen.
|
| I'm sure there's some smart engineer explanation in terms of
| cryptography and being unable to recover it if lost. But just let
| me disable it if I'm okay losing my entire account if I forget
| it.
|
| Also last time I checked the binding of a phone number to Signal
| was really bad. I had a friend abandon Signal and I could never
| sms them ever again.
| Aulig wrote:
| Huh? You can disable the PIN reminder in the settings if you
| want to. Or is that not available everywhere? It's working for
| me on Android and Windows.
|
| I've disabled it as I store my PIN in my password manager.
| Waterluvian wrote:
| Either that's new or I'm just a loud bozo. Thanks for
| sharing!
| Aulig wrote:
| I've been using the feature for a couple months, but I
| haven't been using signal for much longer so I'm not sure.
| Before I thought of looking in the settings to disable the
| pin checks they really annoyed me too :)
| JasonFruit wrote:
| Your last paragraph provides an insight I hadn't had; that is a
| serious problem. I personally appreciate the PIN repetition, as
| it encouraged me to use a code I had not used before, since I
| knew I'd be reminded to practice it now and then.
| gdrift wrote:
| To send an SMS to a signal contact, press and hold the send
| button then from the popup select `Insecure SMS`.
| Waterluvian wrote:
| Cool!
|
| Is there a way to say "always use SMS because this signal
| contact isn't on signal anymore"
| Aulig wrote:
| It looks to me like it's a per contact switch, so I think
| that's what you want, yea :)
| girzel wrote:
| When you stop using signal, you can log in to the signal
| website and say "I'm no longer using Signal"; that will
| solve the problem with your Signal-using contacts. I just
| checked and it looks like you have to deregister your
| account from within the Signal app (ie, can't uninstall
| first). I'm pretty sure it used to be more lenient: I
| remember friends being able to deregister their numbers
| after the fact.
| jakecopp wrote:
| > To keep Signal a free global communication service without
| spam, we must depart from our totally-open posture and develop
| one piece of the server in private: a system for detecting and
| disrupting spam campaigns.
|
| Interesting. Matrix solves this problem by not associating a
| username with a phone number or email address (unless you opt in
| to). Does anyone have views on if this will work into the future?
|
| I've moved ~90 of my friends onto Matrix (along with plenty of
| group chats), and most of them quite like the Element [1] app
| (though there are rough edges on iOS I'm hearing).
|
| [1]: https://element.io/
| tandav wrote:
| Still requiring SIM, no go if you care about privacy
| Tistron wrote:
| Is there a reason, when they have control of the client software
| and the protocol, that they don't introduce computational cost to
| establishing contact? Like, if I send a message to a particular
| number, and their client receives a message from me for the first
| time, it responds with "prove that it's worth it for you to
| message me: find an `n` character string that together with
| `random string` hashes to 5 leading zeroes", or something like
| that. Somehow I imagine that doing a few seconds of computation
| per initiated first message is unproblematic, but doing it for
| thousands or millions of numbers starts to be a problem.
|
| Why is this not done?
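Added example, not part of the original comment and not Signal's code: the first-contact proof-of-work exchange proposed above, with the recipient issuing a single-use challenge and verifying the answer with one hash. SHA-256, the 20-bit difficulty (five hex zeroes), and the names `Recipient`, `solve` and the sender id are assumptions for illustration.

```python
import hashlib
import itertools
import os

def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the start of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits

def pow_hash(challenge: bytes, sender: str, nonce: int) -> bytes:
    # The sender id is hashed in so a solution cannot be reused by another
    # account. Challenge (16 bytes) and nonce (8 bytes) are fixed width, so
    # the concatenation is unambiguous.
    return hashlib.sha256(challenge + sender.encode() + nonce.to_bytes(8, "big")).digest()

def solve(challenge: bytes, sender: str, bits: int) -> int:
    """Sender side: brute-force a nonce; about 2**bits hashes on average."""
    for nonce in itertools.count():
        if leading_zero_bits(pow_hash(challenge, sender, nonce)) >= bits:
            return nonce

class Recipient:
    """Recipient client: keeps one outstanding challenge per unknown sender."""

    def __init__(self, bits: int = 20):
        self.bits = bits
        self.pending = {}  # sender id -> challenge bytes

    def challenge(self, sender: str) -> bytes:
        self.pending[sender] = os.urandom(16)
        return self.pending[sender]

    def accept(self, sender: str, nonce: int) -> bool:
        # pop() makes each challenge single-use, so a solved nonce cannot be
        # replayed for a second message.
        challenge = self.pending.pop(sender, None)
        if challenge is None:
            return False
        return leading_zero_bits(pow_hash(challenge, sender, nonce)) >= self.bits

if __name__ == "__main__":
    sender = "+15555550100"  # constructed sender id
    recipient = Recipient(bits=20)
    c = recipient.challenge(sender)
    nonce = solve(c, sender, recipient.bits)  # the expensive step, paid by the sender
    print("nonce", nonce, "accepted", recipient.accept(sender, nonce))
```
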
| tptacek wrote:
| If the server is mediating that proof-of-work system, then the
| server is building a list of contacts, and not doing that is
| the #2 goal for the whole Signal project.
|
| If the client is doing it, you need to come up with a system
| that is resilient to people using a bunch of different devices,
| getting new phones, etc.
|
| This is a theme about building Signal: they're doing everything
| on hard mode, because they start from the premise that they
| don't get to know everyone's contacts. Virtually every other
| mainstream messaging system, including the ground-up E2E
| encrypted ones, keeps a complete plaintext contact database
| serverside.
| myself248 wrote:
| These all seem like useful changes, but I've never received spam
| over Signal. I'm glad that solves a problem for someone.
|
| What I have received were creepy messages from long-lost
| acquaintances who had been suddenly reminded, by virtue of my
| having installed the Signal app, that I existed and that I was
| attending a security-focused event at the time.
|
| And last I heard, Signal was adamantly opposed to removing these
| notifications. That's a big problem, IMHO.
| MaxGanzII wrote:
| Signal was superb for a long time, and then received a hefty
| chunk of funding, and, although I may be wrong, has declined
| since then, and in fact jumped the shark about a year ago.
|
| They attempted ever more forcefully to make users set a PIN to
| protect server-side state; it started with a dialog at the bottom
| of the screen, obscuring about 20% of the user list, which could
| not be dismissed, and then after a few weeks progressed to a
| full page dialog, which could not be dismissed - rendering the
| app unusable.
|
| All you saw upon starting was the full page dialog demanding you
| set a PIN to continue using Signal.
|
| I did not want any server-side state, and so did not set a PIN,
| and stopped using Signal. After a few weeks, the full-page dialog
| went away, and I found I could use Signal again.
|
| Signal actually blocked usage of the app to force users to adopt
| unwanted new functionality. It's hard to imagine any app doing
| well with such mis-management.
|
| I opened a thread discussing the problem on their support/public
| discussion forum, which was deleted. I also at first opened a bug
| report on Git, before I understood it was all intentional, this
| was also deleted.
|
| Since this experience, I've regarded Signal as on the way out,
| but it's still the best there is right now.
| leevlad wrote:
| Correct me if I'm wrong, but I believe your comment is
| misguided.
|
| The PIN is a security option that prevents a SIM-swapping
| attacker from registering a new device under your phone number
| unless they know the PIN. You can opt out of it (and it might
| be opt-in to begin with). You can also easily opt out of PIN
| reminders. Both of these options are in Settings -> Account.
|
| As for server state - my understanding is that Signal attempts
| to be zero-knowledge overall, but they definitely store some
| state on the server. I believe it's encrypted using your
| private key that's not backed up to the server. Setting the PIN
| does not change that.
|
| Server state comment aside, it seems your main complaint is
| about a pop-up PIN entry UI that can be opted out of? I get
| that it might seem annoying, but it feels like a fairly weak
| criticism of a messaging platform, certainly not one that
| should warrant an impression that Signal is "on the way out"?
| bilal4hmed wrote:
| My complaint with them is the whole thing with mobilecoin.
| They hid that integration for a year, by not pushing server
| updates and when the news hit, they promised to do an AMA
| explaining it all. It's been months since that has happened
| and the AMA never happened.
|
| Moxie's involvement is very muddy and never clarified, it was
| a pump n dump at best.
| https://amycastor.com/2021/04/07/signal-adopts-mobilecoin-a-...
|
| That incident, they lost a lot of respect for me.
| slownews45 wrote:
| No kidding - what garbage that was. That said, I think they
| were able to pump mobilecoin (as a nonprofit!) to something
| like 6x before the dumps came.
|
| After that I was gone.
| MaxGanzII wrote:
| I think we may be talking about different PINs.
|
| I am not talking about the PIN you would have to enter when
| starting Signal, to get into Signal.
|
| I Googled a bit and found an approachable blog post from the
| time this all happened, here;
|
| https://blog.cryptographyengineering.com/2020/07/10/a-few-th...
|
| This has refreshed my memory of events.
|
| In short, Signal wanted to store what had been purely client-
| side information (contact lists, for example) on their
| server, but - in principle at least - in a form Signal could
| not access.
|
| The PIN in question is used to provide access to that
| information.
|
| > Server state comment aside, it seems your main complaint is
| about a pop-up PIN entry UI that can be opted out of?
|
| The dialog to force the user to set the server-side PIN
| disabled the app. You either had to do it, or stop using
| Signal. There was no opt-out.
|
| I had a look at the app now. I found the settings you
| mentioned. It's not clear to me from what I see there if this
| is an app-locking PIN, a SIM protection PIN, or a server-side
| state PIN, or all three rolled into one.
|
| In any event, at the time it happened, the presented dialog
| was full-screen and could not be dismissed; even if there had
| been options to disable this (and there were not prior to the
| full-screen dialog - I looked, in an effort to dismiss the
| permanent partial-screen dialog) you could not get to them,
| because it was a full-screen dialog which you could not
| dismiss; you could not get to the app, and so could not get
| to settings.
|
| The only option was to stop using Signal or provide a PIN so
| your client-side state could be stored server-side.
| leevlad wrote:
| Fair. And I think I know what you're referring to.
|
| Yes, they do upload your contact list, but I believe
| there's a prompt at setup time that allows you to opt out?
| It might even be an OS-level prompt to the tune of "Signal
| would like to access your Contacts". Not 100% sure on that
| one as I haven't set up a brand new Signal installation in
| years.
|
| It's done to help their user acquisition. It uploads your
| contacts to match against other contact lists and let you
| know who's on Signal. I recall seeing a blog post
| explaining how they are doing it in a fully encrypted way,
| possibly using Secure Enclave (? though I think the 2021
| version of that would probably involve ZK
| proofs/homomorphic encryption of some kind, and I hope they
| put some time into that).
|
| I don't recall ever having to set a PIN specifically for
| that. And besides, a 4-6 digit PIN would be a terribly
| insecure way to "encrypt" anything server-side :) But yes,
| that would be a shame if it were the case.
| MaxGanzII wrote:
| > It's done to help their user acquisition. It uploads
| your contacts to match against other contact lists and
| let you know who's on Signal.
|
| I may be wrong, but I think this functionality existed
| prior to the server-side state effort. I recall when
| people in my contact list joined Signal, I was notified.
|
| However, these days I do not keep contacts in the phone
| contact list. It's too big and juicy a target.
|
| > And besides, a 4-6 digit PIN would be a terribly
| insecure way to "encrypt" anything server-side :)
|
| Very much so. That does seem odd.
___________________________________________________________________
(page generated 2021-11-01 23:01 UTC)