My concern is that anyone can spin up a set of keys. Session had a massive DDoS attack on their open groups earlier in the year and that was because there was no limit to how many Session IDs can be spun up. We also saw Nostr get hit with the ReplyGuy spam recently as well, due to similar issues.
People love to criticize Signal for its phone number requirement but that requirement helps keep the spam and attacks on the network at a minimum. To me, the issue isn't the metadata, it's whether or not that metadata is properly encrypted and obfuscated. Signal does both thanks to features like sealed sender (which makes it virtually impossible to determine where a message came from, making it way harder to conduct any sort of MITM snooping).
I'm purple pilled but I think we have to recognize that Nostr isn't the solution to every problem, just as Bitcoin isn't the solution to every problem. Both are phenomenally powerful and important to our future, but they're not the only things we'll need to secure our digital freedom going forward, and there's no reason we need to stretch their capacity when other tech already offers the functionality we're looking for. I mean, Session itself offers all of the functionality we're talking about here, the only downside is the lack of zaps (but really, who needs zaps for private messaging?).
That being said, I DO agree that Signal having a centralized server infrastructure isn't ideal. It'd be cool if they'd open it up to volunteers hosting nodes similar to Session and SimpleX. Volunteers can already run Signal proxies so why not let them host nodes and gradually move things over to a decentralized framework? There's no reason Signal Foundation couldn't rent out cloud space during times that the network is overwhelmed, especially since being decentralized would cut down on a huge chunk of their operating costs.
Finally, I also do agree that it'd be nice if Nostr would at least set up E2EE for DMs, considering the fact that Nostr has a bit of a permanence effect on notes shared via the relays.
Replies (3)
Signal uses the same mainstream encryption protocol as Meta's WhatsApp. No thank you.
Telegram, with its home brew MTProto encryption, was heavily criticized by the mainstream geniuses. But the governments had no issue with Signal? Very strange... sounds like it wasn't a threat to them at all but Telegram was! Telegram's encryption was clearly superior, hence why it pissed them off. Too bad it was centralised for the normal messages. The E2E secret chats are probably still reliable.
But I won't trust a centralized service ever again or something like Signal that uses phone numbers, leaks metadata and uses Google and Meta technology.
SimpleX or bust
More like WhatsApp used Signal's protocol. The Signal Protocol was in existence before WhatsApp started using it. It uses that protocol because of the fact that it's the gold standard of end-to-end encryption protocols.
Telegram's protocol was criticized because it was vulnerable in various ways that Signal's protocol was not. Encryption experts across the world pretty much universally agreed on that. The reason why governments don't go after Signal, but they went after Telegram, is because Telegram didn't encrypt all that much. In fact, it only encrypted things if you specifically told it to. There'd be no reason for governments to even try to go after Signal if everything's encrypted and nothing can actually be taken from it. In fact, governments have tried to get data from Signal, but were unable to take anything because of how everything is encrypted except for basic data like when a person first started using the platform.
It's ironic that you're talking about all of this while supporting SimpleX, which is backed by a for-profit corporation and is relatively new to the field, thus meaning that they have not been proven quite like Signal has been. By all means, SimpleX is a very neat tool that I am very much looking forward to seeing the future of, but if you want security, you really can't get better than Signal. This isn't just my opinion either. This is the opinion of virtually every security expert, cypherpunk, etc. Edward Snowden himself recommended it, and if someone with such a high threat model is confident in using it, then average Joe on Nostr can use it.
Also, as an addendum, Signal does not leak metadata, that is blatantly false. The only metadata that anybody can get is stuff like the frequency of a message being sent, and you really can't cut down on that kind of metadata, even with SimpleX.
In fact, Signal has a feature called Sealed Sender that makes it so that, when you receive a message, anybody spying on the network can't see who that message came from. If you and all your contacts are using Sealed Sender, then there's really no way for them to truly figure out who you or your contacts are unless you doxx your contacts through other means, such as using, well, Telegram.