I remember a time when visiting a website that opens a javascript dialog box asking for your name so the message “hi <name entered>” could be displayed was baulked at.

Why does signal want a phone number to register? Is there a better alternative?

  • rottingleaf@lemmy.world · 0 · 2 days ago
    1. Yes, and in that time you would visit a website with your own IP address likely, likely over HTTP without SSL/TLS, likely with your vulnerable browser fingerprint. Point?

    2. Privacy, not anonymity. Two completely different things.

    3. Because the way Signal is built hosting it requires a lot of resources (storage especially), so they want spam prevention and fewer accounts per person.

    • solrize@lemmy.world · 0 · 2 days ago
      1. I haven’t seen a non-TLS website in years.

      2. Your asserting “two completely different things” doesn’t make it true. Privacy and anonymity are not synonyms but they are overlapping areas. Also ISTM you are redefining terms to suit your purposes. Anonymity to me means the message recipient can’t tell who you are. If a THIRD PARTY (the server operator) can ALSO tell who you are, that’s a privacy failure, not just an anonymity one.

      3. Why does it take so much storage per user? Does it have video uploads or anything like that? A user account should basically just be a row in a database.

      From https://en.wikipedia.org/wiki/Signal_(software) :

      In August 2022, Signal notified 1900 users that their data had been affected by the Twilio breach including user phone numbers and SMS verification codes.[105] At least one journalist had his account re-registered to a device he did not control as a result of the attack.[106] …

      This mandatory connection to a telephone number (a feature Signal shares with WhatsApp, KakaoTalk, and others) has been criticized as a “major issue” for privacy-conscious users who are not comfortable with giving out their private number.[142] A workaround is to use a secondary phone number.[142] The ability to choose a public, changeable username instead of sharing one’s phone number was a widely-requested feature.[142][144][145] This feature was added to the beta version of Signal in February 2024.[146]

      Using phone numbers as identifiers may also create security risks that arise from the possibility of an attacker taking over a phone number.[142] A similar vulnerability was used to attack at least one user in August 2022, though the attack was performed via the provider of Signal’s SMS services, not any user’s provider.[105] The threat of this attack can be mitigated by enabling Signal’s Registration Lock feature, a form of two-factor authentication that requires the user to enter a PIN to register the phone number on a new device.[147]
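A toy model of the Registration Lock mechanism described in the Wikipedia excerpt above, added here as an illustration (this is not Signal's code; the server class, the PBKDF2 PIN hashing and the sample phone number are assumptions): a valid SMS verification code alone re-registers an unlocked number, but not one that has a PIN set.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Account:
    phone: str
    device_id: str
    pin_salt: Optional[bytes] = None
    pin_hash: Optional[bytes] = None  # set once Registration Lock is enabled

def _hash_pin(pin: str, salt: bytes) -> bytes:
    # PBKDF2 is a stand-in for the server's real PIN handling (assumption).
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class RegistrationServer:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.pending_codes: Dict[str, str] = {}  # phone -> outstanding SMS code

    def send_sms_code(self, phone: str) -> str:
        # Returned here for the demo; normally delivered by an SMS provider.
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.pending_codes[phone] = code
        return code

    def enable_registration_lock(self, phone: str, pin: str) -> None:
        acct = self.accounts[phone]
        acct.pin_salt = secrets.token_bytes(16)
        acct.pin_hash = _hash_pin(pin, acct.pin_salt)

    def register(self, phone: str, sms_code: str, device_id: str,
                 pin: Optional[str] = None) -> bool:
        expected = self.pending_codes.get(phone)
        if expected is None or not secrets.compare_digest(expected, sms_code):
            return False
        old = self.accounts.get(phone)
        if old is not None and old.pin_hash is not None:
            # Locked number: a valid SMS code alone is not enough to re-register.
            if pin is None or not secrets.compare_digest(
                    old.pin_hash, _hash_pin(pin, old.pin_salt)):
                return False
        self.pending_codes.pop(phone)  # codes are single-use
        salt, digest = (old.pin_salt, old.pin_hash) if old else (None, None)
        self.accounts[phone] = Account(phone, device_id, salt, digest)
        return True
```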

      • rottingleaf@lemmy.world · 0 · 2 days ago
        1. When people would complain about JS on webpages, they were not.
        2. Completely different things overlap all the time.
        3. Because your status updates and messages are encrypted and stored (until retrieved, of course) once for every recipient, and that includes your other devices and their other devices.
        • solrize@lemmy.world · 0 · 2 days ago

          Because your status updates and messages are encrypted and stored (until retrieved, of course) once for every recipient, and that includes your other devices and their other devices.

          I’d like to see a numerical estimate of how much data this is. But, it sounds to me like more reason to want to self-host.

          I don’t see any point to rehashing the other stuff. Non-TLS websites mostly went away once DNS spoofing at wifi hotspots became widespread.

          • rottingleaf@lemmy.world · 0 · 1 day ago

            But, it sounds to me like more reason to want to self-host.

            So do that. You can do that with Signal.

            I don’t see any point to rehashing the other stuff. Non-TLS websites mostly went away once DNS spoofing at wifi hotspots became widespread.

            Maybe I wasn’t clear, someone said that back in the day registration on a website was a new and bad thing, connecting it with privacy and comparing to Signal asking for phone number. I answered with the idea that not much commonly thought from that time about privacy has aged well. You wouldn’t register on websites, but you would communicate with them over plaintext. I hope that makes it clearer.

            • solrize@lemmy.world · 1 · 12 hours ago

              So do that. You can do that with Signal.

              Do you know of anyone doing it? Other people have said there are difficulties.

              You wouldn’t register on websites, but you would communicate with them over plaintext. I hope that makes it clearer.

              It is ok, in that era (dialup or wired internet) unencrypted http was basically as secure as unencrypted landline phone calls. People still have unencrypted phone calls all the time. Typically sites would show public content (like product pages on an e-commerce site) by http, then switch to https for checkout to protect stuff like credit card numbers. Encrypting everything became important when wifi became widespread. Wifi hotspots would hijack DNS and spoof entire web sites to steal credentials. Also, LetsEncrypt made it possible to bypass the CA scam industry, making https-everywhere more popular. Public awareness also increased due to Snowden’s disclosures.

              The RSA encryption patent also expired in 2000. Before that, US website operators were potentially exposed to hassle if they didn’t use a commercial server with an RSA license ($$$). But, it didn’t apply outside the US and FOSS SSL servers existed for those wanting them.