š£THREAD: Itās surprising to me that so many people were surprised to learn that Signal runs partly on AWS (something we can do because we use encryption to make sure no one but youānot AWS, not Signal, not anyoneācan access your comms).
Itās also concerning. 1/
The tor network has had 100% uptime. 100%
@ArneBab @davep @yawnbox Note that in the specific use case of Signal: given their threat model, "direct peer-to-peer connections by default" are not desirable. You'll need to bounce the audio&video traffic by default to make it more costly to infere who is talking with whom.
So the fact that working NAT and IPv6 help rely less on TURN servers won't help decentralize that much.
@dryak Maybe a start could be to switch to direct peer-to-peer connection if Signal sees that both sides are in the same subnet (i.e. on the same wifi).
In that case they connect to the signal server for connection with a voice-data profile *at the same time* which already gives away that they are talking, so staying in the subnet with a direct peer-to-peer connection would reduce the total privacy loss.
@dryak but firstoff, to stop discussing with too little information: the reason they use a forwarding server is that a single device canāt send video to 40 people via direct connections.
Hereās their description: https://signal.org/blog/how-to-build-encrypted-group-calls/
That also shows the level of complexity involved already.
Signal released end-to-end encrypted group calls a year ago, and since then weāve scaled from support for 5 participants all the way to 40. There is no off the shelf software that would allow us to support calls of that size while ensuring that all communication is end-to-end encrypted, so we bui...
Things may have moved on since then, "attest: Functionality for remote attestation of SGX enclaves and server-side HSMs."
@davep @ArneBab @dryak yeah, the same #proprietary shitboxes thar get hacked so often.that #Intelcyeeted that from #Consumer #CPU|s and now there's no "legal" way to play #4K #BluRayDisc|s on modern systems.
Moxie trusts too much into the silicon of parties who's goals are irreconcileable at odds with his demands.
But I guess that's normal with @signalapp folksā¦
https://infosec.space/@kkarhan/114935952643402592
https://infosec.space/@kkarhan/115492122419368937
https://infosec.space/@kkarhan/115492154062048948
My [reservations](https://infosec.space/@kkarhan/114234551915193036) and [criticism](https://infosec.space/@kkarhan/114862595629371002) re: #Signal are not just valid, but the reality is *even worse than I thought*: - The fact that @[email protected] requires not only their shitty #Android #App, and a #PhoneNumber but literally won't allow people to use their shitty #Desktop-App unless they have an Android device with a camera pointed at it makes it utterly unuseable for certain users *who don't have a fucking #camera in their Android*ā¦ Seriously, do they expect folks to deal with that shit? - It's already worse in terms of #UX than #telegram and #discord and that too makes #XMPP+#OMEMO clients like @[email protected] / #monoclesChat & @[email protected] / #gajim easier and faster to onboard #TechIlliterates onto. - Whichever asshole decided that a *replacement for #SMS* should mandate #PII like a #PhoneNumber & not be natively cross-platform should be banned from doing any #tech in their life. Trying to circumvent this shit and helping folks with it makes me so fucking angry that I'm now explicitly refusing to support it! FIX THAT SHIT, @[email protected], and if it means you need to kick some devs in their crouch then consider this a necessary *"investment"*ā¦ #sarcasm #TechSupport #TalesFromTechSupport #Enshittification #SignalSucks #TelegramSucks #Messengers
Meredith Whittaker
yawnbox
David Penfold 
ArneBab
DrYak
Kevin Karhan 