from the well-signal-just-pissed-in-my-cornflakes dept.
In a blog post today (12 October 2022), the Signal team announced that they will be removing SMS/MMS send/receive functionality from the Signal Android app.
For many years, the Signal app on Android has supported sending and receiving plaintext SMS and MMS messages in addition to Signal messages. SMS and MMS are standardized communication protocols that allow mobile devices to send and transmit messages, and most people picking up their phone to text or share memes don't really think about them. [...] we continued supporting the sending and receiving of plaintext SMS messages via the Signal interface on Android. We did this because we knew that Signal would be easier for people to use if it could serve as a homebase for most of the messages they were sending or receiving, without having to convince the people they wanted to talk to to switch to Signal first. But this came with a tradeoff: it meant that some messages sent and received via the Signal interface on Android were not protected by Signal's strong privacy guarantees. We have now reached the point where SMS support no longer makes sense. For those of you interested, we walk through our reasoning in more detail below.
In order to enable a more streamlined Signal experience, we are starting to phase out SMS support from the Android app. You will have several months to transition away from SMS in Signal, to export your SMS messages to another app, and to let the people you talk to know that they might want to switch to Signal, or find another channel if not. [...] This change will only affect you if you use Signal as your default SMS app on Android. Meaning that you use Signal on Android to receive and send both Signal and SMS messages from within the Signal interface.
[...] The most important reason for us to remove SMS support from Android is that plaintext SMS messages are inherently insecure. They leak sensitive metadata and place your data in the hands of telecommunications companies. With privacy and security at the heart of what we do, letting a deeply insecure messaging protocol have a place in the Signal interface is inconsistent with our values and with what people expect when they open Signal. [...] We are focused on building secure, intuitive, reliable, and pleasant ways to connect with each other without surveillance, tracking, or targeting. Dropping support for SMS messaging also frees up our capacity to build new features (yes, like usernames) that will ensure Signal is fresh and relevant into the future. After much discussion, we determined that we can no longer continue to invest in accommodating SMS in the Android app while also dedicating the resources we need to make Signal the best messenger out there.
Do many (any?) Soylentils use Signal? What's your use case?
This change will break my primary use case (as the app for SMS and secure messaging on my phone) and will confuse the hell out of the dozens of non-technical folks I've converted to Signal over the years.
(Score: 5, Insightful) by sweettea on Friday October 14 2022, @04:02PM (2 children)
For me, Signal's entire use case is that I can use it for all synchronous communications. SMS with most people, and when they switch to Signal, that automagically adds security to our conversation. But my big selling point for other people has been that it works just fine as an SMS client so they don't need to change their ways (beyond using Signal). Now, it'll just be joining the list of walled gardens I check every week or so, like Discord and Matrix and Zulip, and I'll probably use Facebook Messenger for communication instead (with end-to-end encrypted chats when I would have used Signal before).
The saddest.
(Score: 5, Informative) by bmimatt on Friday October 14 2022, @05:26PM
Zuck is the man in the middle of your end-to-end in FB messenger. At least with Signal no one is snooping/mining/selling your data.
(Score: 3, Insightful) by Sjolfr on Friday October 14 2022, @09:50PM
Your use case is not really about security because you are willing to ditch it for convenience. I think it's a good example of what may happen to the user base of signal though; lots of people will stop using it.
Yet, the move to drop regular SMS is a smart one by the signal team, at least IMHO. Their focus is security ... nail that message home. I check signal just as often as regular SMS because I don't expect one app to do it all. Which is very sad when you think about it.
In reality ALL messaging should be encrypted; SMS, MMS, email, IRC, etc. It's not a technical problem to accomplish this, it's a problem with companies wanting to mine the data for virtually free. I hope that signal ports its app for use by Librem5 and other free, non-corp owned, phone manufacturers.
(Score: 1, Insightful) by NateMich on Friday October 14 2022, @04:59PM (1 child)
Just another proprietary messaging app.
(Score: 2, Informative) by drgibbon on Saturday October 15 2022, @08:54AM
It's been a while, but when Moxie was still around at Signal I remember him saying that he'd love to not use Google Play Services and all that, but there was no working alternative.
Certified Soylent Fresh!
(Score: 5, Insightful) by Ox0000 on Friday October 14 2022, @05:02PM (7 children)
Legit question: this has been something that worked: SMS via Signal has worked and been a solved problem. The SMS standard is also not changing and so it's not like keeping up with changes is something that would be expensive to them, since it doesn't require any updates. Why are they removing code that works, code that requires no updates?
I don't want to put words in anyone's mouth but the only thing I can think of is that SMS and its delivery mechanism itself is somehow inherently and unfixably vulnerable to "something" that could - by virtue of Signal handling SMS - spread into your Signal-comms... This is purely conjecture but would be the only legit reason I could think of for removing working code.
(Score: 2) by bmimatt on Friday October 14 2022, @05:30PM (2 children)
To make more people switch to Signal.
Also, this is annoying, I'm not behind a proxy or firewall:
(Score: 2) by janrinok on Friday October 14 2022, @06:37PM (1 child)
It is puzzling - there was a 4 minute interval between your last 2 posts so it shouldn't have triggered that warning. Unless you pressed the back button (which would give you a reskey which had already been used) I cannot explain it.
(Score: 3, Informative) by deimtee on Saturday October 15 2022, @01:14AM
I've had that message before. It may say one minute but I'm pretty sure it's more like five.
No problem is insoluble, but at Ksp = 2.943×10⁻²⁵ Mercury Sulphide comes close.
(Score: 2) by NotSanguine on Friday October 14 2022, @08:04PM
An excellent point, but one that isn't really an (or the) issue. At all. At least not according to Signal (read TFA, I promise I won't report you to the police!).
Additional discussion can be found here [signalusers.org]. Less focused discussion can be found here [ycombinator.com].
IMHO, removing SMS support/fallback will be the death knell for Signal. And more's the pity.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by RamiK on Friday October 14 2022, @10:18PM (2 children)
I think they don't want to support RCS but feel the need to do so if they're to maintain their SMS support.
Besides, as that "capacity to build new features (yes, like usernames)" comment suggested, it seems they're considering breaking away from phone numbers as primary identifiers. So, the handling of SMS will become extraneous to how Signal will work going forward.
compiling...
(Score: 4, Insightful) by NotSanguine on Friday October 14 2022, @10:30PM (1 child)
Google only allows specific OEMs [xda-developers.com] (I think Samsung is the only one ATM) to use the RCS API on Android.
Which is, of course, a page out of Microsoft's 'Embrace, Extend, Extinguish' playbook.
They want to own the most prevalent messaging platform in the US/Canada (and possibly Australia too), that being SMS.
It's quite sad.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 3, Interesting) by RamiK on Saturday October 15 2022, @08:25AM
It's a complex licensing issue: The problem is that RCS is implemented differently by each ISP and that they're not willing to open source and/or freely license the libraries since that would allow apps to circumvent their QoS and billing shenanigans. e.g. if apps can tag text and image messages as videos at the protocol layer, text messages will get rated with a fraction of the billing SMS and MMS costs.
I'm not seeing much extend here.
Google's only interest in messaging is data mining for advertisements. Doing an RCS app lets them insert themselves between the ISPs who actually own the infrastructure and the users so they'll gain access to the same data the ISPs sell to advertisers but for free. However, they'll never "own" any of it.
Regardless, whether you use SMS or RCS over Signal or some other open source messaging app, you as a user only stand to lose.
compiling...
(Score: 1, Insightful) by Anonymous Coward on Friday October 14 2022, @06:05PM (5 children)
They won't need my phone number to install and use anymore, right?
Who runs Signal? Does it operate in a "free" country? Is it really "secure"? on the internet?
(Score: 2) by Rosco P. Coltrane on Friday October 14 2022, @06:27PM
It's one of the least insecure internet messaging options out there.
(Score: 2) by NotSanguine on Friday October 14 2022, @08:21PM (2 children)
Since all Signal messages are endpoint encrypted/decrypted (you know, end-to-end encryption), it's irrelevant unless you can physically access/compromise an endpoint. In which case, it doesn't matter what software you use.
Signal doesn't have the keys to decrypt messages. So even if their servers are compromised (and IIUC, messages only sit on their servers until they're delivered) they're just encrypted blobs which would take more than the lifetime of the universe to brute force.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2, Informative) by NotSanguine on Friday October 14 2022, @08:31PM (1 child)
I'd add that if you're a directed target of a state actor and/or well funded and motivated adversary, Signal isn't enough.
However, most of us aren't in that group and as such, benefit from the e2e encryption Signal provides.
If you're a Saudi/Russian/Chinese/Iranian/etc. anti-government activist, don't use Signal for anything really sensitive.
For everyone else, it's fabulous.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 5, Insightful) by gawdonblue on Friday October 14 2022, @10:58PM
Or Israeli, French, British, USian, Australian, NZer, etc.
Actually, Australian law insists that end-to-end encryption has backdoors for Federal intercept, so guessing Signal isn't available in Oz, or that the backdoor is there for every country to use.
(Score: 2) by cykros on Saturday October 15 2022, @01:47AM
The real issue with Signal is that they host the code on centralized repositories that can push updates at will and as such effectively operate as a rootkit. If I'm not mistaken, the code has been audited in the past, and appears solid, with no evidence to the contrary, but that Google COULD push an update for it (and you have no choice but to either install it from Google Play or manually update it through some convoluted process) that breaks the security means mostly that you're safe up to and to the point where Google, likely through some 3 letter agency's interjection, has decided that you're not anymore.
That Moxie Marlinspike has forever refused to host it elsewhere such as f-droid has been a sore point for many. Honestly, this news that they'll be dropping SMS as well will likely mean I'll be dropping it altogether and looking for an alternative -- if I just wanted a proprietary messaging platform, I already have Telegram. I don't see any reason for this -- it's always been clear when sending a message in Signal whether it was secure or insecure, and SMS hasn't changed, so what could possibly be the real motivation here escapes me.
(Score: 4, Touché) by Rosco P. Coltrane on Friday October 14 2022, @06:10PM (6 children)
And that's not SMS. SMS is plaintext, Signal is encrypted. I don't want to mix the two. I've never SMSed through Signal, very much to keep the two completely separate on purpose.
We here on SN understand the distinction between SMS and Signal messages, but non-technical users may not. So I think it's a good thing that SMS is dropped, so there is no possible confusion between the two.
(Score: 3, Informative) by Rosco P. Coltrane on Friday October 14 2022, @06:16PM (1 child)
Also, my use cases are:
- Keeping in touch with friends and family asynchronously. It's convenient to leave text, audio and video messages and the other party (or parties) picking them up later when it's convenient or when their cellphone or computer comes online
- Illegal things. Yes, like everybody, sometimes I hire people to do things that aren't legal, or I pay them to do legit things but they don't want to tell the taxman. I trust Signal more than I'd trust anything else to conduct business with those people. And of course, when the deed is done, everybody erases the conversation and *poof* the evidence is gone for good, since it only existed in the parties' machines after it had traversed the server that delivered the messages.
(Score: 1, Insightful) by Anonymous Coward on Friday October 14 2022, @08:13PM
Like any other third party, you have to trust them on that, and they can be ordered to keep logs for an indeterminate time
(Score: 5, Insightful) by NotSanguine on Friday October 14 2022, @08:12PM (1 child)
I'm guessing you have an iPhone.
iPhones require iMessage to be the default messenger.
That's not the case for Android. Setting Signal to be the default messenger gave folks the best of both worlds: if someone uses Signal, messages are encrypted. If they don't, SMS is seamlessly used instead.
Which is also the default behavior for iMessage (iMessage to/from iMessage encrypted -- except with Apple able to decrypt if you use iCloud backups, and iMessage to/from everything else SMS/unencrypted).
Having SMS support in Signal (with Signal as default messaging app on Android) is what enabled me over the past ten years or so to convert a whole bunch of folks to Signal. With that functionality going away, most of those folks will abandon Signal.
Which will make for less encrypted messages, which will make stuff that needs to be encrypted stand out that much more.
It's (IMHO) a terrible decision. But Signal will do as Signal wants. Even if it kills them.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 3, Interesting) by cykros on Saturday October 15 2022, @01:49AM
There's a bright side: forks to Signal DO exist, but they've never caught on, because they don't interoperate with it. Perhaps this amazing blunder can finally mean that one of them can gain traction, and you won't have to choose between a platform people use and avoiding needing to use what is effectively a rootkit (Play Store) to get it.
(Score: 2) by NotSanguine on Friday October 14 2022, @08:16PM (1 child)
I'd also note that Signal stores *all* messages that it handles in an encrypted database on your device.
Straight up SMS apps do not.
That doesn't make sending SMS more secure, nor does it stop carriers/law "enforcement" from accessing SMS messages on the carrier's network or other users' phones, but it does make storage on your device more secure.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 3, Insightful) by Rosco P. Coltrane on Friday October 14 2022, @11:50PM
Yeah but that's my point: I don't care if SMS is stored in plaintext on my device. In fact, I want them readable: if my cellphone is ever seized and analyzed, it builds a picture of a random Joe Blow's cellphone usage, as I reserve SMS for mundane, unimportant daily stuff. Storing SMS in an encrypted Signal database is like a big red flag.
(Score: 4, Insightful) by bradley13 on Friday October 14 2022, @06:22PM
I use Signal extensively, and cannot fathom their reasoning here. Sure, mark SMS messages more prominently, but removing the functionality?
I still get SMS messages, and that's not going to change. So now I *will* have an additional communications app. On top of too many others. Annoying.
Everyone is somebody else's weirdo.
(Score: 4, Insightful) by Anonymous Coward on Friday October 14 2022, @07:23PM (1 child)
That drove the growth of Signal in the first place.
Seamless messaging that's encrypted when communicating with others that have such a capability, while falling back to unencrypted communications is great.
Especially for non-technical users.
Needing a separate app will cause a great deal of confusion for those (dozens?) of folks I've converted to Signal (with Signal as the default messaging app) over the years.
They'll just stop getting SMS messages at all. Which are likely the bulk of their messages anyway.
This will reduce adoption of Signal and drive away many Signal users, ironically reducing the amount of encrypted messaging that people are doing.
And more's the pity. :(
(Score: 2) by NotSanguine on Friday October 14 2022, @07:48PM
Not sure why that posted AC. That was me.
Oops.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by liar on Friday October 14 2022, @08:35PM (8 children)
So, instead of Signal? Recommendations?
Noli nothis permittere te terere.
(Score: 5, Insightful) by NotSanguine on Friday October 14 2022, @08:39PM
Yup. I abandoned FB/Meta almost a decade ago and won't use anything they touch.
I'd suggest an open source SMS client for SMS messages and whatever your social group uses for communication.
Alternatively, set up (or use an existing one) a Matrix server and use Element (or any of a bunch of others) as a client.
This is such a pain in the ass. Yuck.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2, Informative) by drgibbon on Saturday October 15 2022, @02:09PM (5 children)
Why would Signal dropping SMS support mean you need to stop using it? It works very well for encrypted/private messaging.
For SMS you could try Silence [silence.im], which is an old Signal fork (I believe from back when Signal was called TextSecure and did encrypted SMS). Silence hasn't been updated in years, but it still works fine, and gives encrypted SMS for anyone else that uses Silence (not many). I'm not aware of any other options, although there might be some.
Certified Soylent Fresh!
(Score: 2) by NotSanguine on Saturday October 15 2022, @09:57PM (3 children)
Because most folks don't use Signal.
As such, only the people who are actually interested in security will use it. Everyone else will disable it as their default messenger and/or uninstall it.
For the folks who are actually interested in security, they can (and will be willing to do so) install a Matrix client and connect to a Matrix server (preferably the one running on my hardware on my premise) for encrypted communications.
The nice part about SMS support in Signal was in allowing folks to use it as their primary messenger app, and using encryption when possible, and SMS when not.
That's why.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 1) by drgibbon on Friday October 28 2022, @02:26PM (2 children)
My experience is that people I want to talk to will usually install Signal (and it's a lot more popular than it used to be), but apart from that I don't think all that many are into SMS. As far as I can see, most use some form of messenger, and I find it hard to believe that a lot of people will go to the trouble of installing Signal as an SMS client.
Certified Soylent Fresh!
(Score: 2) by NotSanguine on Friday October 28 2022, @09:23PM (1 child)
You may well be correct. In fact, I hope you are, given Signal's move to deprecate SMS support.
That said, most of the folks I've moved to Signal over the years (Android users only, since iMessage is mandated as the default messaging app) aren't technical, nor are they invested in WhatsApp/Telegram/etc.
And they don't think about security very much either. They just use what they have (generally whatever SMS app is provided by the stock OEM build on their phones). Specifically for those folks, that will be the end of Signal (or any encrypted messenger) and they will be confused about why they're not getting SMS messages (which make up the bulk of their message traffic).
The end result will be a less secure messaging environment (to Google's benefit, and likely a conscious choice on their part, as they're the ones who won't allow third parties to use the RCS APIs) rather than a more secure environment.
Signal (as a centralized service) isn't and will never be sufficient for those (like dissidents and activists) who require strong security/encryption. As such, moving away from SMS support (plus opportunistic encryption) will only hurt and not help.
As I mentioned elsewhere, removing SMS support will likely be the death knell for Signal. I don't like it, but if that's what Signal wants to do, that's their decision. And more's the pity.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 1) by drgibbon on Saturday October 29 2022, @10:29AM
I can't speak for your circle of friends/family, but I'm confident that this will not be the end of Signal for anyone that I talk to on there. Signal allows for photos/video, audio, groups, stickers, voice and video calls (including group calling). I don't know of many who can't tell the difference, and those that can't will just see SMS coming into a different app, not really a big deal as far as I can see.
I don't follow the connection that you're drawing between the weaknesses of centralization (specifically for those who need very strong security/privacy) and SMS support. Apart from not believing that Signal dropping SMS support will cause large numbers of users to leave in the first place, wouldn't dissidents/activists who really require strong encryption basically enforce it on their communications? They have to communicate over some channel, so OK, the action is there—people will either get on the network or they won't. This idea that droves of people who don't care about privacy are installing Signal because it has SMS support is hard to believe (why bother installing anything new at all if you don't care, and then why Signal out of all the other options?). It also doesn't seem very relevant for dissident/activist networks in hostile settings. Actually in these cases, wouldn't it be quite bad to have unsecured channels (SMS) being mixed in with secured ones (Signal)? That's potentially very confusing and probably dangerous in the kinds of environments that you're raising here.
Seems unlikely to me, but we'll see I suppose!
Certified Soylent Fresh!
(Score: 0) by Anonymous Coward on Sunday October 16 2022, @08:44AM
I have used Silence for years. Works really well. SMS for those who don't use Silence, and offers encrypted SMS for those who do. Why do I need Signal?
(Score: 3, Interesting) by Magic Oddball on Sunday October 16 2022, @05:20AM
My family recently started using Telegram (in place of SMS, Google Hangouts/Chat, and in my parents' cases Facebook Messenger) and it's a pretty decent option, particularly as it has decent native clients on all major desktop OSes.
(Score: 4, Informative) by The Vocal Minority on Saturday October 15 2022, @03:15AM
Just adding my voice to the chorus...
Signal isn't perfect, but not letting the perfect be the enemy of the good I have been using it, and doing so more and more over the past few years. The reason I have been using it more and more is that other people, even non-technical people, have been starting to use it as well. The main reason they have been using it is because it is easy to use, and I think a big part of this is the seamless integration with SMS/MMS.
This wouldn't be the first stupid committed by the Signal devs (see F-droid debacle) it would be unfortunate if it killed any possibility of the app becoming more popular.
(Score: 4, Informative) by bradley13 on Saturday October 15 2022, @10:46AM (1 child)
Contact form for Signal: https://support.signal.org/hc/de/requests/new [signal.org]
Everyone is somebody else's weirdo.
(Score: 2) by liar on Wednesday October 19 2022, @05:04PM
Thanks! Message sent.
Noli nothis permittere te terere.