
[feature request] support GNU Ring, not Signal

Open ghost opened this issue 5 years ago • 11 comments

~~GNU Ring~~ Jami is the de facto non-controversial secure IM tool for tree-hugging hippy freedom lovers and has support on phones and desktops. The Android app is on f-droid.org. This is a conflict-free open community tool that should be supported.

Signal is apparently supported because of its popularity and/or Snowden's endorsement. But it's a poor choice for many reasons:

  • Signal forces Android users into the private walled-garden of Google Playstore just to obtain the APK blob, which is unavailable outside of that jail; consequently:
      • excludes people who bought an Android w/out a PlayStore (tm) license
      • excludes people who refuse to give their phone number to Google (to create the required acct)
      • abuses user privacy through Google tracking (Google keeps track of apps you download and your IMEI number)
      • denies source code (most likely... I've not done a thorough search though)
  • Signal's Debian release is unofficial. This is likely because it would not pass the quality scrutiny of Debian repository inclusion. It also means users have to do manual steps for the installation.
  • Signal's Debian installation is broken (404 error on the package URL). And the "debian" install instructions are actually for Ubuntu.
  • Signal's support page is CloudFlared, which:
      • subjects people to a private walled-garden that blocks Tor users (a net neutrality abuse)
      • and abuses the privacy of those who can use the page by sharing all traffic with CloudFlare Inc., whilst deceiving those users at the same time by showing them an SSL padlock (the tunnel actually terminates at CloudFlare's server not that of the webhost).

That's a lot of evil right there. I suggest:

  • giving a low priority to fixing any non-security-critical Signal bug reports (glad to see this seems to already be happening)
  • ditching Signal support when a security-critical Signal bug is discovered
  • giving a high priority to implementing a GNU Ring feature

(update) The above is obsolete. See https://github.com/privacytoolsIO/privacytools.io/issues/779 for current OWS Signal privacy abuses

ghost avatar Aug 07 '18 08:08 ghost

Is this still accurate? I thought Signal was available as a plain APK download now... https://signal.org/android/apk/

deviantollam avatar Aug 24 '18 02:08 deviantollam

(can't speak to your other criticisms regarding Signal's support page being blocked by Tor, however)

deviantollam avatar Aug 24 '18 02:08 deviantollam

Looks like users are being advised to use the Playstore, but not required. I think I saw the "Danger Zone" section before, but ignored it because nothing appeared below the "danger zone" label (due to noscript). Now I can see that the APK is available outside of Google's jail, so the first bullet along with its sub-bullets is not strictly correct. It's still considerable though because they've deliberately made the APK hard to find and designed the website so most users will think they must use the PlayStore. Note that the fingerprint did not match the APK when I checked it.

ghost avatar Aug 30 '18 13:08 ghost

CloudFlare problems expanded in https://github.com/privacytoolsIO/privacytools.io/issues/374#issuecomment-460077544

ghost avatar Feb 03 '19 18:02 ghost

Signal is centralized in Amazon AWS, a privacy abuser. Even if Signal is secure enough that users need not trust Amazon, Amazon is still benefiting financially from Signal. At a minimum Amazon gets the IP addresses of Signal users and can then cross-reference that IP address with other tables. Haven users can possibly be de-anonymized if they use the Signal mechanism by comparing timings of onion traffic with AWS traffic (investigation needed).

ghost avatar Mar 09 '19 22:03 ghost

I'm also disappointed that the options are SMS or Signal. I'd very much like to see support for the Matrix protocol. In this case you can configure your own server if you like, need no phone number, and get notification on any device. https://en.wikipedia.org/wiki/Matrix_(protocol)

sahmes avatar Mar 14 '19 23:03 sahmes

We will be adding Matrix support, as well as a pure Onion-to-Onion sync between multiple Haven apps.

n8fr8 avatar Mar 15 '19 18:03 n8fr8

(Guardian Project has a secure matrix client project underway called Keanu: https://gitlab.com/keanuapp)

n8fr8 avatar Mar 15 '19 18:03 n8fr8

Jami seems to use Google Firebase and also has a Firebase tracker in the app: https://reports.exodus-privacy.eu.org/en/reports/63024/ There have also been a lot of reports of messages being lost and bad audio/video quality (not sure if these are true anymore; I have not used Jami in a while).

ThatLurker avatar Mar 22 '19 07:03 ThatLurker

They are at F-Droid so maybe they have a separate variant without those.

  • https://f-droid.org/en/packages/cx.ring/

Mikaela avatar Mar 22 '19 09:03 Mikaela

> They are at F-Droid so maybe they have a separate variant without those.

I just tested the F-Droid version using exodus-standalone. The output:

=== Information
- APK path: cx.ring_144.apk
- APK sum: b7e8c2654ae7d788e62f699d053426c4f22cb84410bbce240fcc3934b31964bb
- App version: 20190103
- App version code: 144
- App UID: 28E35987AE316D25D5761E00267FF6F86525C708
- App name: Jami
- App package: cx.ring
- App permissions: 21
    - android.permission.INTERNET
    - android.permission.RECORD_AUDIO
    - android.permission.MODIFY_AUDIO_SETTINGS
    - android.permission.PROCESS_OUTGOING_CALLS
    - android.permission.CALL_PHONE
    - android.permission.RECEIVE_BOOT_COMPLETED
    - android.permission.ACCESS_WIFI_STATE
    - android.permission.ACCESS_NETWORK_STATE
    - android.permission.READ_CONTACTS
    - android.permission.READ_PROFILE
    - android.permission.BLUETOOTH
    - android.permission.VIBRATE
    - android.permission.READ_CALL_LOG
    - android.permission.WRITE_CALL_LOG
    - android.permission.WRITE_EXTERNAL_STORAGE
    - android.permission.READ_EXTERNAL_STORAGE
    - android.permission.WAKE_LOCK
    - android.permission.CAMERA
    - android.permission.CHANGE_WIFI_STATE
    - android.permission.READ_PHONE_STATE
    - android.permission.FOREGROUND_SERVICE
- App libraries:
- Certificates: 1
    - Issuer: countryName=UK, stateOrProvinceName=ORG, localityName=ORG, organizationName=fdroid.org, organizationalUnitName=FDroid, commonName=FDroid
      Subject: countryName=UK, stateOrProvinceName=ORG, localityName=ORG, organizationName=fdroid.org, organizationalUnitName=FDroid, commonName=FDroid
      Fingerprint: 3f47e291c57b7d55cb0d4e28ea792ce96a207c76
      Serial: 1402691044
=== Found trackers: 0

So there should perhaps be a warning advising users to favor the F-Droid version.

ghost avatar Mar 22 '19 21:03 ghost
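
An added example (not part of the thread, and not code from exodus-standalone or Haven): Python code that parses a report in the text layout pasted in the last comment and checks it against a policy of zero trackers and a pinned signing-certificate fingerprint. The function names and the policy are assumptions; the sample report is abridged from that comment, and in practice the pinned fingerprint should come from a source you trust rather than from the report being checked.

```python
import re

# Abridged from the report in the comment above (three permissions kept).
REPORT = """\
=== Information
- APK path: cx.ring_144.apk
- APK sum: b7e8c2654ae7d788e62f699d053426c4f22cb84410bbce240fcc3934b31964bb
- App package: cx.ring
- App permissions: 3
    - android.permission.INTERNET
    - android.permission.RECORD_AUDIO
    - android.permission.CAMERA
- App libraries:
- Certificates: 1
    - Issuer: commonName=FDroid
      Subject: commonName=FDroid
      Fingerprint: 3f47e291c57b7d55cb0d4e28ea792ce96a207c76
=== Found trackers: 0
"""

def parse_report(text):
    """Pull permissions, certificate fingerprints and tracker count from a report."""
    out = {"fields": {}, "permissions": [], "fingerprints": [], "trackers": None}
    section = None
    for raw in text.splitlines():
        found = re.match(r"=== Found trackers: (\d+)", raw)
        if found:
            out["trackers"] = int(found.group(1))
            continue
        line = re.sub(r"^\s*(- )?", "", raw).strip()
        key, _, value = line.partition(":")
        if raw.startswith("- "):  # top-level field: remember it as the current section
            section, out["fields"][key] = key, value.strip()
        elif section == "App permissions" and line:
            out["permissions"].append(line)
        elif section == "Certificates" and key == "Fingerprint":
            out["fingerprints"].append(value.strip().lower())
    return out

def check_build(report, pinned_fingerprint):
    """Return the reasons a build fails the (assumed) policy; empty list means pass."""
    problems = []
    if report["trackers"] is None:
        problems.append("no tracker result in report")
    elif report["trackers"] > 0:
        problems.append(f"{report['trackers']} tracker(s) found")
    if pinned_fingerprint.lower() not in report["fingerprints"]:
        problems.append("signing certificate does not match the pinned fingerprint")
    return problems
```

A report with no `=== Found trackers` line is treated as a failure rather than as zero trackers, so a truncated scan cannot pass the check.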