this post was submitted on 22 Jul 2023
29 points (87.2% liked)

Privacy

31876 readers
599 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
29
Molly v.s. Signal (mander.xyz)
submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/[email protected]
 

I am not comfortable that signal depends proprietary google library. However, I find that Molly lags significantly behind signal (around 1 to 2 weeks, so maybe not as significant as I thought), but I am just concerned that if there is a security fix in signal, molly will not be able to react as fast.

I am also quite frustrated with the general lack of communication from the signal team (for example the lack of communication regarding username). I doubt they will have the good will to help molly when there is a critical security fix.

It is frustrating that signal no longer seems like the gold standard for privacy any more; unfortunately, all my friends are on there (ironic, isn't it...).

top 46 comments
sorted by: hot top controversial new old
[–] [email protected] 18 points 1 year ago (1 children)

I love Signal, and I have persuaded people to use it a lot. That said, it is definitely not the gold standard for privacy. It's a good-enough compromise between actual unbreakable encryption and trivial for anyone to use. It's always been valuable for that reason, and still is.

Don't worry about Molly - it uses a variation of the same code that Signal does, so they don't need "help" to get critical fixes that Signal receives. Use it if you like it!

The actual gold standard for privacy would be logging in through TOR and sending GPG-encrypted messages that way. And there's an app which does this, too - it's called Briar. (No phone number needed, either!) It's not as seamless to set up as Signal is, though.

[–] [email protected] 5 points 1 year ago (2 children)

And there’s an app which does this, too - it’s called Briar.

Cool I had not heard of this, thanks!

[–] [email protected] 7 points 1 year ago (1 children)

@hoodlem

You can also do private groups, forums, and blogs on #Briar.

@SteleTrovilo

[–] [email protected] 1 points 1 year ago
[–] [email protected] 5 points 1 year ago (1 children)

Do you know about SimpleX?

@Nimbus @SteleTrovilo

[–] [email protected] 2 points 1 year ago (1 children)

@[email protected] not.coffee I did not, super interesting.

[–] [email protected] 5 points 1 year ago (1 children)

I gave up Briar for SimpleX, as really good as Briar is, because of only having one ID. On SimpleX, if you enable incognito, it will create a new random ID for each new contact that you message, so no 2 persons will see the same ID for you, they each see you as a different name.

Also SimpleX is on iOS and Android, Briar is only for Android, and SimpleX does calling with contacts.

[–] [email protected] 2 points 1 year ago (1 children)

How do you backup SimpleX? Considering you changed your phone or factory reseted, can a normal person continue to contact their previous list? They don't have a problem with Signal since it uses the phone number. Can I convince my family / friends on SimpleX, as I barely managed it on Signal? Because SimpleX looks much nicer and I'd love to use it.

[–] [email protected] 3 points 1 year ago (1 children)

In SimpleX app settings, if you have already set a database passphrase, you can do a data backup or export to a file, when SimpleX is installed again, you import database.

[–] [email protected] 2 points 1 year ago (1 children)

I see, thanks for the reply. I guess this is still not so viable for tech-illiterate people, unless the devs find an optional and more streamlined process for this. I barely made people use Signal, they couldn't managed Matrix for example.

[–] [email protected] 3 points 1 year ago (1 children)

Let them stick with Molly/Signal, that will give them a lot of privacy, and nothing for them to figure out how to use.

Leave SimpleX for people more skilled to handle how to do configurations. SimpleX does have superior privacy over Signal, but mabe they can't do SimpleX. Take it in stages with what they can handle, don't jump to the end.

I'm not willing to Matrix and I don't recommend anyone use it if they wat privacy and anonymity. I'm content only using Molly and SimpleX with everybody I know and no other apps or messaging services.

[–] [email protected] 2 points 1 year ago (1 children)

I agree. Though I think 1v1 on Matrix is fine if encrypted prior, but I mostly use Matrix as tech news/forum. Federated services are not good for privacy anyway, they are not meant to be.

Currently I tell people to install Signal if they want to message me, I guess it would be a couple people for SimpleX. Most of my Signal list came when WhatsApp ToS made it to the news, some of them uninstalled Signal after a while but I'm okay with it. Well, I'm happy with Molly-FOSS for now. I would love to use SimpleX but it's something.

[–] [email protected] 2 points 1 year ago (1 children)

I wish Mastodon had encrypted DM's. I've been focusing on using Mostodon as my main place for media.

I can't find a Matrix client in F-Droid to use because when I turn off all of the anti-features, it seems Matrix is not an option to install something.

Have you not tried SimpleX yet? If not, I would suggest when the new release for 5.2 is in F-Droid you should install it. I could give you an invite link to message there but I don't want others on here using the link.

[–] [email protected] 0 points 1 year ago (1 children)

That's a wanted feature I guess but I doubt if they will implement it.

Did you check FluffyChat? Not sure about all the anti-features though.

Well, I installed it some time ago but haven't really used it. Thanks for the offer but no need to expose your privacy here, even with incognito mode. I must try it with someone I know first anyway.

[–] [email protected] 0 points 1 year ago (1 children)

I'm registered with FluffyChat, it seems fine.

[–] [email protected] 1 points 1 year ago (1 children)

Just wondered by the way, what feature about Element you do not like?

[–] [email protected] 1 points 1 year ago (1 children)

I think my dislike comes from the hype about Matrix being federated so people think it's safe, the fact that a company owns the matrix protocol, seeing the various apos that have non-free dependencies, when I looked before it seemed alk personal Matrix history is permanent, it seemed to be a combination of not the freedom people think it is and no clear sense of what the purpose of matrix is for, but don't now that I had an account previously to validate all of that.

If you want, we could talk on matrix but we both post our ID's here publicly to make sure it matches who we message on there?

[–] [email protected] 0 points 1 year ago (1 children)

I guess that's a common misconception with the federated services. Yes you can own your data if you join the federation with your own server, but once you write something on a community, it's federated and on other servers from that moment. This is the best way to keep forums intact as long as possible, so years later someone can check those and find whatever they searched for. Reddit was great as a forum however after the recent incidents people deleted their posts and unless someone recorded that page on web archive before you won't find anything when someone redirects you there. What people should know here, federated services are meant to be anonymous, not private.

Again, no need to expose anything here, and well, I'm not much of a talker anyway. :)

It's fine to talk here, as long as it isn't something personal.

[–] [email protected] 1 points 1 year ago (1 children)
[–] [email protected] 0 points 1 year ago (1 children)

There is also a desktop app now? That's great. Thanks for the info. I'm looking forward to it.

[–] [email protected] 2 points 1 year ago

I'm planning to watch it and ask a question.

[–] [email protected] 15 points 1 year ago* (last edited 1 year ago)

Should note that their GitHub says:

We update Molly every two weeks to include the latest features and bug fixes from Signal. The exceptions are security issues, which are patched as soon as fixes become available.

I’m not sure on their track record, but if their claims are true, this could be a fine, secure client.

[–] [email protected] 12 points 1 year ago (2 children)

There's a FOSS fork of Signal which removes Google dependencies from the software.

Signal-FOSS

A fork of Signal for Android with proprietary Google binary blobs removed. Uses OpenStreetMap for maps and a websocket server connection, instead of Google Maps and Firebase Cloud Messaging.

https://github.com/tw-hx/Signal-Android

[–] [email protected] 3 points 1 year ago

Is there any advantage of using this instead of molly?

[–] [email protected] 2 points 1 year ago (1 children)

Hasn't been updated in a year and is over 3000 commits behind Signal. I wouldn't use

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)
[–] [email protected] 11 points 1 year ago (1 children)

Molly, like Signal, uses Google’s proprietary code to support some features.

Right at the top of the Molly page.

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago)

AFAIK, they have a FOSS variant

To support a 100% free and auditable app, Molly comes in two flavors: one with proprietary blobs like Signal and one without. They are called Molly and Molly-FOSS, respectively. You can install the flavor of your choice at any time, and it will replace any previously installed version. The data and settings will be preserved so that you do not have to re-register.

Also the line right after your quote:

Versions

Molly, like Signal, uses Google’s proprietary code to support some features.

Molly-FOSS is the community effort to make it 100% free and open-source.

[–] [email protected] 10 points 1 year ago (1 children)

For some reason I also was able to get most of my friends and family on Signal and just a year later I set up Matrix and now nobody wants no move anymore.

[–] [email protected] 6 points 1 year ago (2 children)

my god, what is your secret to getting people on Signal?

[–] [email protected] 11 points 1 year ago (1 children)

It used to be - this is an improved texting client. Then they removed SMS, and I think people are drifting away which sucks.

[–] [email protected] 3 points 1 year ago

As a "absolutely few apps as possible" person, I would be long gone if there was a working alternative.

I found Element with SMS bridges came close, but was never as reliable as I need.

[–] [email protected] 6 points 1 year ago

I guess I was just persistent and very lucky that WhatsApp did some changes so some of my family members were upset and then a group of friends were looking for something to include people who are not on facebook so I proposed it, etc.

[–] [email protected] 6 points 1 year ago (2 children)

@baseless_discourse The gold standard has always been XMPP. It's the IETF Internet Standard for messaging, no walled gardens, ability to self-host, no phone numbers required and modern clients use the same end-to-end encryption protocol as Signal does.

[–] [email protected] 5 points 1 year ago (1 children)

Is there a community for XMPP? I would like to know what clients people use on iOS. So far I found them all to be pretty insufficient.

[–] [email protected] 2 points 1 year ago

@matricaria There is a community around XMPP. Of course you will find most of them in public XMPP channels, but many are also active in the Fediverse/Mastodon. I don't have any Apple devices, but a few of my friends use Monal ( @Monal ) which seems to be the most reliable client on iOS currently.

[–] [email protected] 1 points 1 year ago

It's not the same encryption, it's based on the same double ratchet design that's it

[–] [email protected] 6 points 1 year ago

XMPP or Matrix. I'm on Matrix only because I have my family there and I was there before I knew of XMPP and at this point I can't turn that boat.

Signal was/is (idk if they still are) into crypto, they don't let you run your own server or client, and they have a proprietary shim in place to combat spam (or so they say, it can't be audited because it's proprietary).

I was all in on Signal until the above.

[–] [email protected] 4 points 1 year ago (1 children)

“prosperity”

Do you mean proprietary?

[–] [email protected] 2 points 1 year ago

Sorry, i think it is fixed.

[–] [email protected] 3 points 1 year ago

What's your threat model?

Signal as a gold standard for encrypted messaging is based on many factors. Ease of use, UI/UX, protocol, platform support and so on.

Even though I'm a hard core FOSS person I'm also a realist. Sticking to a common platform is worth a lot. Bridging stuff with Matrix is cool but will not take off among most people.

Signal using Google blobs is a problem but let's face it, the UI will be presented on a Google branded Android phone or a iOS device anyhow. Sure you can use GrapheneOS and Molly or you can switch to another app altogether but heck you'll have no other to talk to then.

[–] [email protected] 2 points 1 year ago

I use molly and it seems to be fine. You do make a fair point about a delay like that but i am not personally that concerned. If it were a month or more i would be apprehensive, but not a couple weeks.

[–] [email protected] 2 points 1 year ago

I've been using it for close to a year because I can't link Signal to my desktop using QR code, Molly allows to provide the link directly and thus I use it. Everything works great.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

For me Molly works but one can't use Signal betas (obviously) and backups are currupted for me for months.

[–] [email protected] 1 points 1 year ago

I see similar complains in their issues. That unfortunately sounds like a deal breaker...

load more comments
view more: next ›