←back to thread

Signal adds a payments feature with a privacy-focused cryptocurrency

(www.wired.com)
544 points josh2600 | 5 comments | 06 Apr 21 16:23 UTC | HN request time: 0.001s | source
Show context
airza ◴[06 Apr 21 17:16 UTC] No.26714603[source]
The technology is cool, but I don't really know if I want KYC regulatory risk in my encrypted messaging client. I just want italics.
replies(4): >>26714642 #>>26715653 #>>26717558 #>>26718373 #
1. lrvick ◴[06 Apr 21 18:41 UTC] No.26715653[source]
Then why use Signal at all? You had to have KYC to get a phone number in most countries which you had to give to Signal which could expose your location etc via tower pings to anyone you communicate with unless you port it to a VoIP number (how many know how to do that?)

You also had to provide a phone number to get a Google or Apple account to install Signal because anonymous signed install methods are not supported, which moxie says is intentional to collect analytics.

Signal may have end to end encryption but being anonymous is a clear non goal.

replies(1): >>26720339 #
2. fuzxi ◴[07 Apr 21 03:37 UTC] No.26720339[source]
>You also had to provide a phone number to get a Google or Apple account to install Signal because anonymous signed install methods are not supported, which moxie says is intentional to collect analytics.

Signal distributes a standalone APK for android, which does function without google play services.

https://signal.org/android/apk/

replies(2): >>26721174 #>>26721630 #
3. SwimSwimHungry ◴[07 Apr 21 06:33 UTC] No.26721174[source]
Yes it functions, like on my de-Googled Pixel 3a running GrapheneOS. But it's not particularly reliable in my experience, especially if you don't have the gapps services.
4. lrvick ◴[07 Apr 21 07:54 UTC] No.26721630[source]
Functions != secure.

You must turn on Untrusted Sources which disables meaningful signature verification.

Now you must hope you don't get MITMed every time you update.

It is a joke they seriously expect people to sideload.

They need to provide a deterministic and easily auditable F-Deoid repo or let the F-Droid team compile/sign it for them.

Neither will happen though because moxie has been very open about the fact he wants the analytics that comes with google/apple tracked installs, user privacy be damned.

replies(1): >>26722843 #
5. KAMSPioneer ◴[07 Apr 21 10:31 UTC] No.26722843{3}[source]
Not entirely true. On recent versions of Android, you are asked to give "install untrusted apps" permission on a per-source basis (e.g. I downloaded an apk from Chrome, now I have to allow Chrome to be a source of installable apks).

Also, it doesn't disable signature verification at all -- it just changes to what is essentially a TOFU model. You can verify this by installing, say, NewPipe from vanilla Fdroid, then adding the NewPipe repo and installing a build from there. It will fail unless you completely remove the original app (from all the profiles on the device!) and install the new one afterwards. This is due to different signatures between repos.

In any case, I agree with your wider point about Signal's rather concerning distribution strategy. I would like to see inclusion in Fdroid, or at least a custom third-party repository. Unlikely though.