Why I don't use Signal

February 10, 2021 by Noah

Signal is an end-to-end encrypted messenger app for smartphones that has been recommended by the likes of Edward Snowden and has seen an especially large influx of new users in recent months who are suddenly more concerned about Facebook or other tech companies reading or censoring their chat messages.

It's a fairly good app for what it does and it would probably fit the needs of your "average user" very well, but it doesn't work well for my needs and I still use Telegram in its place.

Now, I would like to use Signal instead of Telegram, because Signal's technology is more sound and the chats are truly end-to-end encrypted (where Signal Co. would be incapable of reading my chats even if they wanted to). Telegram in comparison uses some home-made cryptography (and you should never roll your own crypto) and their chats are not end-to-end encrypted by default, but Telegram does have some good quality-of-life usability features that makes it more appealing to me than Signal for now.

Signal as compared to Telegram

Both Signal and Telegram are "smartphone first" messengers and they base your user account around your cell phone number. Signing up for either messenger is as simple as receiving an SMS text message with a verification code, and you're good to go.

Signal is 100% end-to-end encrypted which means the company running the servers can't access your chat messages, but it also means that your encryption keys for your chats need to be handled specially. With Signal:

  • There is a "primary app" (Signal on your Android or iOS device) which is where you registered your account, and then you can link one or more "secondary apps" such as Signal Desktop to chat with your contacts from your PC.
  • Signal Desktop (secondary apps) pairs with your primary app and uses it as a "proxy" to get on Signal's network. That is: if I power down my Android phone, then Signal Desktop stops working because only my Android has the encryption keys for my chat messages.
  • If you lose your phone, or buy a new phone, or reinstall your Android OS or such: re-registering your Signal account means all your old chats are lost and you roll new encryption keys and all your chat contacts are informed that your keys have changed (which may be useful info to them in case your Signal account were taken over by an attacker). Only ONE primary Signal app can be registered at a time for your cell phone number.

Telegram on the other hand trades the strong E2E encryption for a more traditional client/server model:

  • Any device can create a Telegram account for your cell number. I created mine using the Telegram Desktop app, and later logged into it on Android and on my Pinephone. No matter which device was logging in, all my old chats were accessible on the cloud.
  • Telegram does have optional E2E encryption called "Secret Chats" but these do not sync between devices. It seems most of my "Secret Chats" have bound themselves to my Android device and I can't see these on Desktop or on Pinephone.

Problems with Signal

The first problem is that Signal IDs are the same as my cell phone number. If I wanted to chat with a rando from the Internet over Signal, I have to give them my cell number which is personal information that they shouldn't have.

Telegram uses cell numbers too, but you can also create a username to share with rando's so they can chat with you without knowing your phone number.

Signal reportedly is working on a username system, too, but it's not there just yet.

The other problem is the "master app on Android/companion app on Desktop" model that Signal has.

Android and Pinephone

I'm looking at the Pinephone to be my new daily driver over my older Android phone. The Pinephone runs mainline GNU/Linux software and doesn't yet have an official Signal app available for it.

The Axolotl app on Linux looks like the best contender in that space: it can serve as a "primary" Signal app and register your account. But, doing so would de-register Signal on Android and I can't have Signal in both places at the same time. At least with Telegram I can be signed in on both Android and Pinephone together.

Ideally I would use neither Signal nor Telegram

Signal may be more secure/better than Telegram but really neither one of them is ideal. Signal is 100% open source, but in practice, it uses centralized servers controlled by Signal's company and they don't want third-party Signal client apps to use their servers. You can stand up your own Signal server, but that completely isolates you from the greater Signal network -- it's not a federated protocol.

Telegram's client software is open source too, but uses the centralized servers controlled by Telegram and the server is not open source, and so it has similar problems to Signal there.

The best solution would be to use an open standard like Matrix or the older XMPP: something where the servers are open source, the client apps are open source, and anybody can run their own server and the network is federated and there is no need for a central company. XMPP is not end-to-end encrypted, though, and while Matrix supports that it's not "on by default" there either.

And either way: I'd have to convince my contacts to switch to Matrix which involves them finding a server they want to sign up on, which is somehow a much larger obstacle than getting them to switch to Signal or Telegram or other "easy" centralized messenger.



There are 2 comments on this page. Add yours.

Avatar image
Anonymous posted on February 18, 2021 @ 01:32 UTC

If only Jami worked reliably.

Avatar image
Anonymous posted on March 7, 2022 @ 08:11 UTC

XMPP is not end-to-end encrypted

XMPP is end-to-end encrypted!

Add a Comment

Used for your Gravatar and optional thread subscription. Privacy policy.
You may format your message using GitHub Flavored Markdown syntax.