Signal

This is a text automatically translated from Italian. If you appreciate our work and if you like reading it in your language, consider a donation to allow us to continue doing it and improving it.

Signal, caratteristiche principali

for Android
for iOS
for Windows, Linux and macOS
Open source
End-to-end encryption
free
messaging app with excellent graphics and good user experience. The transition from WhatsApp was decidedly not traumatic
you can send and receive money with the MobileCoin cryptocurrency
ignore some requests, certainly a minority, of the community such as not using Google Maps, not requesting a telephone number and allowing notifications without Google Play Services
security audits

We continue the review of reviews of messaging applications. After telling you about Matrix and the applications connected to it and after having amazed you with the beautiful Delta Chat the time has come to say a few words about Signal, the alternative, with End-to-end encryption, better known in Whatsapp.

If you remember well we have already made an article on differences between WhatsApp, Signal and Telegram where we tried to explain for example that you don't necessarily need to choose between Telegram And Signal because these two applications are complementary and not entirely interchangeable.

Signal, the alternative Open source to WhatsApp

In fact, in our opinion, it is wrong to pit Signal against Telegram and we will never arrive at a "winner" because the two applications have different objectives and are truly very different from each other. However, a different matter if we compare Signal with WhatsApp. In fact, Signal was born precisely from the meeting between Moxie Marlinspike And Brian Acton, one of the founders of WhatsApp ¹ and it is in every way an excellent alternative to the latter.

On Signal you can find more or less all the features used by most people such as single chats, groups, video calls, stickers and animated GIFs. As well as WhatsApp Signal also uses the End-to-end encryption. Not only that, not everyone knows that in reality they also use the same encryption protocol, namely the Signal Protocol (adopted in 2014).

However, this does not mean that the two applications are identical, for example while Signal does not maintain, and we are sure this is the case, any metadata on its servers ^{2 3 4}, Whatsapp instead he seems to do whatever he wants with it ⁵. If you want to learn more about WhatsApp controversies, we'll turn to you this page on Wikipedia it is certainly very interesting.

Furthermore Signal it's an application Open source and the server-side code is too (although he's had some trouble with this in the past because he hasn't updated the code for almost a year ⁶).

Beyond this however and the impossibility of knowing whether WhatsApp is really as safe as it is sold, its collection of metadata is enough to tell you to stay away from it. We leave you with some articles, including one written by us, to understand why metadata is as important as the content of the message itself.

• Why Metadata Matters, EFF
• 'We Kill People Based on Metadata', The New York Review
• The importance of metadata, The Alternatives

How to sign up for Signal

Signal is not an application designed to guarantee anonymity but to guarantee the privacy of those who use it. So to register you need to give your phone number which will be associated with your account. Once you sign up for Signal, as happens for Telegram, your contacts will know that you have installed Signal and will be notified.

However, there was an important change starting from Signal 7.0 ⁷: to add a contact you can now give a nickname and not necessarily your phone number. A fundamental innovation in our opinion which also led us to create a Le Alternative group on Signal.

The functionalities

As mentioned, Signal offers more or less all the features you can expect from a messaging application nowadays (even if WhatsApp recently put the turbo on new features ^{8 9}). Perhaps the only real option missing, but which will perhaps be introduced sooner or later ¹⁰, is the ability to share your location in real time. While you can send your current location and that's it.

The other features within the chat are the ability to send photographs and videos, animated stickers, vocal notes, files and animated GIFs. Speaking of animated GIFs, we would like to tell you that although the GIFs all come from Giphy (which has received more than one advances from Meta ¹¹ and now belongs to Shutterstock ¹²) your privacy is not at risk because Signal will from shield for you ¹³ essentially making the requests for you.

Disappearing messages are also available, i.e. messages that disappear after a certain number of seconds/minutes/hours/days, messages can be programmed and it is also possible to change the color and backgrounds of individual chats.

Video calls and stories

You can make both individual and group (up to 40 people) end-to-end encrypted calls and video calls. During video calls you can also share your screen (on Signal Desktop).

Not long ago there was also a section dedicated to stories where you can share updates with photos and short videos with all your contacts exactly like WhatsApp.

Backups and more

Unlike WhatsApp, backups cannot be made on external solutions such as Google Drive but encrypted backups will only be made locally. The moment you activate them you will be given a numeric password (very long) not to be lost and to be used to restore the backup. We recommend that you save it in a safe place via Cryptomator, Bitwarden or end-to-end notepads like Standard Notes or even physically print it. Backups are automatic and you can decide what time of day they should be done.

As we said before all conversations, including metadata, are encrypted end-to-end and are never saved on the server. What does this mean exactly? That WhatsApp knows what time you texted someone, if you sent them a GIF (and probably also Which) and how much you talk to a person while Signal absolutely doesn't. As said before, although this may not seem like much, it is absolutely not the case and we refer you to the previous readings: Why Metadata Matters, 'We Kill People Based on Metadata' And The importance of metadata.

How Signal makes money

Signal is free and accepting donations.

Criticism of Signal

Like any self-respecting famous application, Signal is also a good target for criticism whatever he does. We leave the final judgment to you, as we often do.

In addition to the classic general criticisms about the fact that Signal is not federated as it is for example Matrix (and therefore you always end up depending on someone), there were also criticisms during the implementation of the MobileCoin cryptocurrency ¹⁴ and on the fact that it is necessary to have a telephone number in order to register and be able to use it. Among other things, criticism has also been raised regarding the fact that some time ago for months the source code on GitHub has not been updated ¹⁵.

Other criticisms are raised by the community and concern the excessive lightness with which Google services are used for notifications and the Google Maps API for sharing one's position. This is why sending your location risks not working if you don't have Google services installed.

The use of Amazon Web Services and more

Another criticism that we often read about Signal is the use of AWS (Amazon Web Services) to host its infrastructure and distribute messages. Here in our opinion it is not so much a security problem (remember the encryption and the almost total absence of metadata), however if Signal does not have a "plan B" ready, relying exclusively on Amazon does not make it resilient in the event of a closing the taps by Amazon for any reason. Let's remember for example when AWS closed the taps to Parler ¹⁶, we have been in this world long enough to know that an excuse to make a possible block on Signal somehow digestible for most people can always be found.

The developer of DivestOS However points out that not only AWS is used but there are various services that are used to make Signal work currently: in addition to Amazon there is Akamai, Google, Cloudflare And Microsoft Azure. The previous discussion, however, does not change: they can afford to do it as everything is encrypted.

Intel SGX

As we will also report below and in relation to the previous paragraph, Signal adopts SVR technology based on Intel SGX and since Signal does not manage its own servers, but as mentioned uses AWS, technically Amazon could exploit the flaws in SGX by accessing some data (not the saved chats but for example contacts).

The Fork FOSS of Signal

If you really aren't comfortable with some parts of Google inserted into the Signal code then you could give it a try Molly, a completely version FOSS of Signal where there is no location sharing and there is no code that gives priority to notifications via Play Services.

Apart from this Molly scrapped all MobileCoin implementation and made other interesting security implementations that found at this address.

Find a nice discussion, in English, on the differences between Signal, Molly and Molly-FOSS to this address: Signal vs Molly vs Molly-FOSS (archive).

Found Molly on F-Droid.

How to set up Signal

There generally isn't much to do on Signal, it's already an excellent application for daily use by a person with a threat model that isn't overly demanding. However on PrivacyGuides you will find a configuration guide to improve security such as the constant use of ephemeral messages or disabling the preview in links. All things which, however, are not really dangerous unless your threat model is particularly high and can have a negative influence on daily experience.

Your questions about Signal

For this article we experimented with something new: we anticipated the arrival of this article on Mastodon and on Twitter and asked you if you had any questions in particular. So here are the answers to what you asked us.

Are messages encrypted end-to-end?

Yes, as written, Signal's encryption is not questioned and the metadata is reduced to the bare bones.

How does the key exchange take place?

When you send a message to a contact, a shared secret key is created that is used to encrypt and decrypt the message. The Signal protocol's ephemeral key system allows you to generate a new shared key after each message ¹⁷. Here you will find the complete technical explanation.

Is it possible to have an account without a phone number?

Unfortunately, this is not possible today.

Is there interoperability with other systems, such as IFTTT? Are there open APIs?

It does not appear to be compatible with IFTTT nor that there are APIs that can be used for any automation.

Are there any bridges between Signal and Telegram?

We know of no bridges between Signal and Telegram. It can be used Element One or the bridge offered for free by Tchncs to read all the messages about the Matrix. However, keep in mind that this operation will undo Signal encryption.

Learn more about the Intel SGX module that is used

It is difficult to summarize a similar topic in an article and on a deliberately non-technical site like ours, there are several links to learn more about, such as the official white paper or the Signal blog.

Among other things, there are doubts, including ethical and not just technical ones, about the fact that Signal is so dependent on this. Like the fact that SGX is the exact opposite of libero e Open source since it is a proprietary technology. This post on Reddit (Teddit) from a few years ago is interesting for example.

Download and use Signal

As we have seen, Signal is truly an excellent application with few defects. However, we always prefer the federation when it comes to messaging (and social media) applications to avoid lock-in within yet another company. For this reason we generally recommend the use of Matrix, XMPP or Delta Chat but this does not mean that Signal is insecure, the reason is precisely another.

1. History on Wikipedia[↩]
2. Battle of the Secure Messaging Apps: How Signal Beats WhatsApp[↩]
3. Grand jury subpoena for Signal user data, Eastern District of Virginia[↩]
4. Government requests[↩]
5. How Facebook Undermines Privacy Protections for Its 2 Billion WhatsApp Users And FBI Document Says the Feds Can Get Your WhatsApp Data — in Real Time[↩]
6. Signal updates open-source server code after it failed for nearly a year[↩]
7. Keep your phone number private with Signal usernames[↩]
8. WhatsApp launches Channels today, here's what they are and how they work[↩]
9. Now you can edit your WhatsApp messages[↩]
10. Live location sharing[↩]
11. Attempted acquisition by Meta Platforms[↩]
12. Following UK antitrust order, Meta sells Giphy to Shutterstock for $53M after buying it for $400M[↩]
13. Expanding Signal GIF search[↩]
14. MobileCoin closes on $66 million in equity in Series B round[↩]
15. Signal finally updates public server code after months of silence[↩]
16. Why Amazon's Move to Drop Parler Is a Big Deal for the Future of the Internet[↩]
17. Hacker Lexicon: What Is the Signal Encryption Protocol?[↩]

Join communities