[Testing] UK Community group chat via SIGNAL

Early stages here, but as communities are free to choose the platform in which they communicate, I’m going with one of the most secure available to us - SIGNAL. Over the top for most people, but out of respect of the many edge cases I’ve seen discussed via Mozfest, it feels the most appropriately considerate. Available for use on iOS, Android, Mac OS, Windows, Debian/Ubuntu.

Industry recognised for its integrity, E2E encrypted (see next post for more on this), independently audited, and even with the ability to utilise GROUPS and Video Calls.

I don’t have a smart-phone, use Arch Linux for my desktop distro, and am not particularly keen on using the desktop version of Signal which makes use of Electron. This severely restricted my ability to interact with the rest of you. I was recently pointed towards the SIGNAL-CLI project. Problem solved!

Mozilla UK Community Signal Group
Group Id: xM3+yGf8XM9ECTBgC9hAhA==
Name: uk-community

It’s been pointed out to me that Signal Groups uses opportunistic mixed-mode encryption. As the mobile app can be used to replace SMS/MMS, messages like this will NOT be E2EE if a group member decides to use it via SMS (additionally over email in this project). We have no control over that.

To me this is a valid hybrid use inside a group format for our intended purposes of the UK Community. In most cases we need to consider usability > security. If your threat model requires greater security, be wary of this limitation in the functionality of groups.

I hope this transparently communicates the real-world halfway point. More on this HERE.

So as rightly pointed out over on Mastodon, that group ID does not implement via the apps, meaning this can only be achieved by me MANUALLY adding people through the CLI. Will carefully work through this in coming days. Deffo a work in progress…

For now, if you wish to be a part of this test phase, please DM me.

Day 2 of test: Signal servers went down

Some observations…

Negative: disclosure of mobile number required
Negative: if SIM were stolen or cloned comms could be carried out until observed and actioned
Negative: groups require manual invitation
Negative: groups are private (not helpful for public engagement & perception of OPEN)

Further tests taking place on Matrix and Wire.

3 month update.

Zero activity so far in Signal. I’ve shared my details with dozens of contacts and nobody has so far contacted me using Signal. Nobody from here in Discourse has reached out for my details either.

It does feel a breach of a layer of privacy having to volunteer your mobile number. Though, Signal has a superb reputation despite this model.

Tests will continue through until the end of the year. This will include the period of Mozfest onboarding and wrap-up.