Stéphane Bortzmeyer

I am a man of the last century; I try to adapt, but I don't really feel like it.

    • There are many similar instant messaging systems, and each person can only handle so many of them. And they don’t talk to each other. So if you’re in touch with two people who use Signal and another three use Wire and you want to chat with all five of them, how do you do it? Email has the advantage of universal interoperability.

      Email is interoperable because there is a well-documented standard behind it. And it is federated.
      XMPP is well-documented and federated too.

      The collapse of domain fronting means that some network operators can, and do, block Signal, Telegram, and other centralized messaging services like them. People stuck behind those networks simply can’t use these tools at all.

      Domain fronting is required because Signal is centralized. In a federated network, one has to block all possible communication channels between two arbitrary people. It is much harder to block a federated network unless you are willing to maintain a whitelist.

      Some people can only be contacted by email and have no public Signal number. For example, the EFF’s contact page lists email addresses (with PGP fingerprints) and office phone numbers, but no Signal numbers. If I’ve switched off end-to-end email security in favor of Signal, how am I supposed to communicate with the EFF securely?

      That’s bad practice from EFF. Not a first. But it cannot be attributed to Signal.

      Signal requires registration to a phone number. Not everyone has a phone number, knows the phone number of the person they want to contact, or is willing to share their phone number with other people.

      XMPP uses arbitrary identifiers. Phone numbers are possibly sensitive and allow some attackers to track people's geolocation. Phone numbers are bad. Arbitrary identifiers are good. This has been discussed at the last CCC conference as well.

      Some versions of the Signal app have similar problems to those outlined in EFail.

      No, they don’t have similar problems, except if the “similar problems” are “having a vulnerability”. This is bad phrasing. Signal has many problems but none that are as bad as emails.

      My advice, as always, is: use XMPP with OMEMO. There are Windows, GNU/Linux, Mac, Android and iOS clients. You can have a free account at https://jabber.lqdn.fr or a paying one at conversations.im. Conversations for Android has excellent ideas regarding seamless secure communication. More on that here: https://www.ssi.gouv.fr/publication/chiffrement-de-messagerie-quasi-instantanee-a-quel-protocole-se-vouer