I didn’t know my city was cool enough to put signal flyers.
Cool but I wouldnt exactly trust a random qr code
QR codes essentially just encode text, as long as you’re using a sensible QR code reader and check any URLs before opening them there’s minimal risk to scanning a QR code.
I still wouldn’t trust it because of homograph attacks.
Respectfully I think this is a minimal attack vector in this case due to the limited character set of urls. But thanks for the callout, I didn’t know there was a name for this sort of attack.
Modern browsers happily show you the actual characters, while sending their encoded entities to the server. So, from a user perspective there is no ASCII limitation. Case in point: söhne.at (just some random website, I have no idea what they are or if they are legitimate)
They’d still resolve via DNS to an address in ASCII though, right? Wouldn’t that only be an issue if ICANN didn’t have a monopoly on DNS registration? i.e what we already depend on for a semblance of convenience without totally compromising opsec
It utilizes punycode under the hood. The actual DNS entries still use ASCII.
Punycode enables you to encode any Unicode character as ASCII. Almost all browsers support this.
Or xss/sqli/etc attacks on vulnerable sites that don’t sanitize url query parameters
Or maybe a fraudulent signal app.
I mean, generally speaking, just don’t click on random links. This is a random link. Qr codes are valuable but we’re conditioning society to just be cool with clicking on random shit without putting much thought into it.
Oh is that like bankofarnerica.com or whatever, hoping the r and n look enough like an m for at least some people to click?
edit: under absolutely no circumstances click on the above link. Your bank will be robbed and your foreskin soldered shut. To very don’t.
That’s fair
Well not really, it’s a good way to do a IDN homograph attack
I may have in the past put lyrics from “Never Gonna You Up” or links to the music video on YouTube in QR codes I printed on blank business cards and left them in public places around town.
You should a tracking link that has been shortened
You could still enter the URL manually if you are concerned.
That’s wanderful!
Surely it’s legit
EDIT: It actually is
What is it? Just signal’s webapge? I’m a coward.
Yup. I cropped the QR code and checked it with an online reader, and it’s literally signal.org
I wander what it means
It probably it is a person putting up flyers
I guess I mean someone in my city not the government.
Okay, but who’s is doing guerrilla advertising for a centralized service that requires a SIM card & an Android/iOS primary device or no account for thee. …At least in the past I convinced grandma this is the new SMS app you can use as I knew she would treat it as such, but now I wish I hadn’t since even that useful feature was lost. I want to drop Android entirely, but I need access to my contacts locked in the Signal system–which centralized system lock-in is one of the things we privacy-concerned folks want to avoid.
Signal isn’t perfect but it’s still one of the best options.
It’s the bare minimum for passable due to E2EE, not being owned by a corporation, & mostly open source–not “best”. We have better.
what?
XMPP is an extensible protocol that has over a decade of battle testing from the casual chat to massive industrial communications applications (Zoom, Jitsi, almost certainly any online game you’ve played). It has E2EE in modern clients. It’s decentralized by nature & relatively easy to self-host. Both servers & clients use very few resources like bandwidth, storage, processing, memory (consider conditions of the time of invention). It doesn’t take minutes to join & sync chatrooms (MUCs). Gateways allow folks to talk across non-XMPP platforms. Governance is distributed in the open & not tied to a single entity. There are even projects like Snikket that can be rolled out for a family that is close to turn-key for set up. Along with something like Movim can create a self-hosted social network built atop an XMPP server for posts to share stories & media for a longer-term storage.
If E2EE encryption isn’t seen as a must relying on TLS + self-hosting: lighter, simpler IRC (good feature set with v3) which has been around since the ’80s can be a good choice. Zulip which is a forum/chat platform that has the most usable UX for trying to actually hybridize both (it’s not amazing UX, but better than the rest); this can work for a great for certain communities that desire this behavior.
Distributed (not to be confused with decentralized) encrypted chat there is Briar with a mesh network not even requiring internet, but has limited platform support & last I used years ago had massive battery drain issues.
If you must, there is Matrix which decentralized & offers E2EE but is relatively expensive to run from the clients, to servers, to the design generally being that it replicates the room messages & attachments & state across all servers for all users. While that duplicated data is great for resilience, can be expensive to store & is what takes minutes to join any room. I think it was a design decision ‘miss’ to try copy Slack/Discord/Telegram-but-FOSS as doing too much & none of it that well–where I think chat is better to be a bit simpler + expected to be ephemeral & a different service like a forum for important, permanent discussions & FAQs. Mastodon suffers similar issues with replication that makes some have to shutdown their self-host due to cost–which has led to Matrix in practice centralizing around Matrix[dot]org (who has a history of Israeli intelligence funding) & the servers they provide to others funneling all the metadata thru their org since they offer free accounts, are big enough to scale, & have most of the users. Folks act like Matrix is great just for being newer, but the aforementioned already cover its uses while being more mature.
Good luck getting people to use XMPP. It is complex and doesn’t even properly support photos and other media.
?
Images & video work fine on Cheogram, Dino, Gajim, & can be piped from Profanity
And your response brings up another reason why no one is going to adopt XMPP. There isn’t a central app or server for someone to use.
Wao, you really let’em have it. Love it.
There’s also Session, Simplex, Riot, Delta Chat, etc.
There are plenty of options. Yes, Signal is one of the lesser evils, but certainly not the holly grail as some would make it look.
It isn’t the holly grail but it is simple to use
Absolutely. It’s probably the most likely to be accepted by people that are in the mainstream apps life, for sure.
Lol xml
Balisage Paper: Fat Markup: Trimming the Fat Markup Myth one calorie at a time
Old paper, but so are these specs which haven’t really changed. I know there are more formats than XML vs. JSON but they are two of the most common, and relevant to the battle of XMPP/XML vs. Matrix/JSON.
It’s not just the verbosity, it’s also the complexity
one of the best
(link in alt text)
And then for no good reason a “FOSS” app’s binary grows by a couple MB…
This argument implies there’s an easy way for you to perform the reproducible builds on iOS, but it’s quite involved and requires a jailbroken iPhone. Overall this is more a limitation of apple and not signal.
Even if you were able to perform a reproducible build of Signal on a jailbroken iPhone, there’s no way to confirm that the stock iOS Signal app will match, or has a backdoor that got added in a supply chain attack that only is delivered to non jailbroken phones. You could use a jailbroken iOS device, but then it could be lagging behind updates and be even more vulnerable from zero days.
The real pressure here should be on Apple to provide a way to verify a build of an open source app matches what is being installed via the app store, but for some reason this is being framed as a Signal issue, which is disingenuous.
You also are quoting a communist. I can’t take you seriously
deleted by creator
In this case it does. He is prejudice against the US and anything but Russia maybe China. He has repeated cited cold war rhetoric such as East vs West.
What should people use? Many of the apps have gottas or are complex to use. Signal has the benefit of being easy. It can even be Foss if you use Molly