23 August 2018

On trusting Signal

An article has been doing the rounds suggesting that Signal is closed for selfish reasons and that it can’t be trusted. The article carefully omits any mention of the reasons why Signal is the way it is, so here are those reasons.

Signal is a closed system because of its focus on (a) user experience and (b) security for ordinary users.

First, user experience. If you want people to use your secure messaging app rather than whatever comes with their phone, it has to use push messaging in order to receive messages without the app running and without draining the user’s phone battery.

Telegram is one of the most efficient open messaging apps as far as battery drain goes, and even so you’ll find plenty of threads of people complaining about it. When you’re Facebook or Skype, you can afford to chew battery because people feel they have no choice but to use your system; that’s not the case for Signal. If Signal abandoned push messaging and started turning up in users’ battery stats, people would start uninstalling it. I used XMPP secure messaging for a while, but I gave up partly because of the battery drain. As it is, Signal uses less battery than Apple’s iOS Messages on my phone, which is impressive.

So, for Signal to be used by as many people as possible, it needs to be light on battery, which means it must use push messaging. That, in turn, means it needs to use Google’s push notification infrastructure, or Apple’s, as appropriate. In the case of Google, that means you need Google Play Services and to be on the Google Play Store. In the case of Apple, that means your app needs to be in the official app store and signed by Apple.

Note that Signal doesn’t trust Google push notifications, and your messages aren’t sent over Google’s or Apple’s cloud. The vendor cloud services are just used to wake up the Signal app on your phone and tell it that there’s a message, so it can go fetch the message from Signal’s servers, and then go back to sleep and stop using your battery.
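The wake-up-only flow described above, as a small simulation. This is an added example, not Signal's code: the class names, the `{"type": "wake"}` payload, the token and the ciphertext are all constructed for illustration.

```python
# Added illustration: every class and method name here is hypothetical.
from collections import defaultdict

class VendorPush:
    """Stands in for Google's or Apple's push service; logs all it relays."""
    def __init__(self):
        self.seen = []      # every payload the vendor gets to observe
        self.devices = {}   # push token -> wake-up callback on the phone

    def register(self, token, on_wake):
        self.devices[token] = on_wake

    def send(self, token, payload):
        self.seen.append(payload)
        self.devices[token](payload)

class MessagingServer:
    """Queues encrypted messages until the recipient's app fetches them."""
    def __init__(self, push):
        self.push = push
        self.queues = defaultdict(list)   # recipient -> pending ciphertexts
        self.tokens = {}                  # recipient -> push token

    def deliver(self, recipient, ciphertext):
        self.queues[recipient].append(ciphertext)
        # The push carries no sender, body or ciphertext: only "wake up".
        self.push.send(self.tokens[recipient], {"type": "wake"})

    def fetch(self, recipient):
        return self.queues.pop(recipient, [])

class Client:
    def __init__(self, name, server, push, token):
        self.name, self.server, self.inbox = name, server, []
        server.tokens[name] = token
        push.register(token, self.on_wake)

    def on_wake(self, payload):
        # Woken by the vendor: fetch over the app's own connection, then idle.
        self.inbox.extend(self.server.fetch(self.name))

def demo():
    push = VendorPush()
    server = MessagingServer(push)
    bob = Client("bob", server, push, token="constructed-token")
    server.deliver("bob", b"constructed-ciphertext")   # sample value
    return push.seen, bob.inbox
```

Everything the vendor relay recorded is the bare wake-up, while the ciphertext only ever moves between the messaging server and the client.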

So, that’s why Signal requires Google Play Services and isn’t distributed on third-party app stores. It’s so that the app doesn’t drain battery.

The second reason why Signal is the way it is, is security.

As I mentioned, I tried using XMPP with secure messaging extensions. I stopped partly because of battery drain, but also because the user experience was awful. Because XMPP is a completely open and federated system, you have no guarantees about how security is going to work with the other person’s chat app – or even how security will work between your own chat apps on different devices. I would constantly get error messages, and text messages that failed to decrypt.

The thing is, if you want to keep people secure you need to be able to patch security holes, roll out new versions with new encryption capabilities, and ensure that everybody is forced to upgrade. And yes, Signal does this – several times I’ve been notified of a forced upgrade to a new version if I want to connect.

Simply handing the problem off to end users isn’t good enough. When faced with a claim like “You need to upgrade your client to support block chain poly-chacha 420” they aren’t qualified to determine whether that’s valid. It would be all too easy to entice users to switch to modified clients which leaked their messages, either deliberately or accidentally (because secure software is hard). The goal of Signal is a secure messaging app that’s good enough and easy enough for ordinary non-technical users.

So, to keep Signal users secure, you need to be able to force software upgrades and lock out malware. That means you need to be able to control who can connect at network level. And that means you can’t federate with everyone and their dog.
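One way a server can enforce a forced upgrade at connection time, as an added example that is not Signal's code. The platform names, minimum versions and the `admit` function are hypothetical, and the client-reported version string is taken at face value here.

```python
import re

# Hypothetical policy: oldest release per platform the server still accepts.
MIN_VERSION = {"android": (4, 10, 0), "ios": (2, 28, 1)}  # constructed values

_VERSION_RE = re.compile(r"(\d{1,4})\.(\d{1,4})\.(\d{1,4})")


def parse_version(text):
    """Return (major, minor, patch), or None unless text is strictly x.y.z."""
    m = _VERSION_RE.fullmatch(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def admit(platform, reported_version):
    """Decide whether a connecting client may proceed.

    Returns (allowed, reason). Anything unknown or unparseable is refused,
    so a missing or malformed version cannot slip past the gate.
    """
    minimum = MIN_VERSION.get(platform)
    if minimum is None:
        return False, "unknown platform"
    version = parse_version(reported_version)
    if version is None:
        return False, "unparseable version"
    # Tuple comparison is numeric per component: (4, 9, 0) < (4, 10, 0),
    # whereas the string "4.9.0" sorts after "4.10.0".
    if version < minimum:
        return False, "upgrade required"
    return True, "ok"
```

Raising an entry in `MIN_VERSION` is the whole "forced upgrade": older clients get "upgrade required" on their next connection instead of being left to decide for themselves.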

So, that’s why Signal doesn’t federate. It’s to keep your mom secure. My mother doesn’t use it – she prefers WhatsApp – but most of my friends do. That’s something no other secure messaging app has managed to achieve.

Now, I get that federation is good. That’s why I post on both Mastodon and Friendica, federating to GNU Status and Diaspora, as well as providing an Atom feed for my web site. I want to see federated systems totally replace closed proprietary social networks.

But – and it’s a big but – secure federated systems are really hard to build. Making them usable enough for ordinary people to pick in preference to the proprietary alternatives is even harder. Then you need to make them multi-platform, and have all the key functionality of the unfederated alternatives – including typing notifications, return receipts, file transfers, the ability to have more than one client open at once, and so on.

I’m all for switching to an open federated system, once there is one which meets ordinary people’s expectations while keeping them secure. The F-Droid fork of Signal does not do so. Tox does not do so yet either. Matrix is pretty good too – I’ve used Riot a bit – but it also isn’t ready to take over from Apple Messages, Signal, and WhatsApp.

If you dislike Signal’s closed nature, the productive thing to do is to work on improving the open federated alternatives until they are better than Signal. FUD is not productive; people won’t downgrade to something hard to use or battery-sucking but notionally more secure. Rather, if you get them to distrust Signal, they’ll just go back to Facebook Messenger, reasoning that if nobody can be trusted then why even try.

© mathew 2017