A lot of recent (and upcoming) blog posts I’ve written, and Fediverse discussions I’ve participated in, have been about the security of communication products. My criticism of these pro…
My whole thing is applied cryptography! When I’m discussing what the bar is to qualify as a real competitor to a private messaging app renowned for its security, I’m ONLY TALKING ABOUT CRYPTOGRAPHIC SECURITY.
This isn’t a more broad discussion. This isn’t about product or UX decisions, or the Network Effect.
Those are valid discussions to have, but NOT in reply to this specific post, which was very narrowly scoped to outlining the specific minimum technical requirements other products need to have to even deserve a seat at the table.
I understand, but its all about framing. “What does it Mean to be A Signal Competitor”, well that is chat apps as that is the space signal occupies. That might not be what space it occupies to you, but that is the space it occupies. “What does it take to compete with Signal’s Security” frames the argument to one component, and I would probably have a very different response to that framing. Because of the framing, your argument comes across as “don’t talk about use case, its not worth my time.” I understand this is because your focus is the cryptographic security, but threat modeling and Human factors has to be a consideration of an overall security posture. Congratulations, you have the best cryptography, but if its not usable, the cryptography doesn’t matter, if the users are the weakness, the cryptography doesn’t matter, if nobody is willing to use it because its missing a key user feature, the cryptography doesn’t matter.
I know enough about cryptography to know to leave it to the experts. I know about hardware power side channels, I know several exploits have been implementation based and not cryptography based, and I know vulnerability does not always mean an exploit
If it doesn’t have all these properties, it’s not a Signal competitor. It’s disqualified and everyone should shut the fuck up about it when I’m talking about Signal.
That’s the entire point of this post. That’s the entire framing of this post.
If that’s not personally useful, move on to other things.
I understand your point of view, but whether you like it or not, your title will be viewed as the framing. “What Does It Mean To Be A Signal Competitor?” At a surface reading, it seems to me what that means to you is very different from what that means to others.
I assume you probably wrote it along the lines of “What does it mean for an E2E encrypted protocol to compete with Signal on a technical level”
Others read it as “what does it mean to compete with the signal app” and there is no additional depth to security.
I think what they mean is that someone unfamiliar with your line of work might even read the entire post and come away with it with the view of “Okay, and?” since the title told them this was going to be about “What Does It Mean To Be A Signal Competitor?”
The problem there is that what Signal is is different to different people, someone might for example use it like any other chat application, in which case even something like Telegram (ew) or Discord could be an alternative to them.
Again, if someone is familiar with your blog, they’ll know what you mean, but the blog post can be viewed by someone in isolation, in which case it won’t be so clear, especially since it’s also in relation to moving off of Telegram, which is not an E2EE platform at all by default
As I wrote here: https://furry.engineer/@soatok/112883040405408545
My whole thing is applied cryptography! When I’m discussing what the bar is to qualify as a real competitor to a private messaging app renowned for its security, I’m ONLY TALKING ABOUT CRYPTOGRAPHIC SECURITY.
This isn’t a more broad discussion. This isn’t about product or UX decisions, or the Network Effect.
Those are valid discussions to have, but NOT in reply to this specific post, which was very narrowly scoped to outlining the specific minimum technical requirements other products need to have to even deserve a seat at the table.
I understand, but its all about framing. “What does it Mean to be A Signal Competitor”, well that is chat apps as that is the space signal occupies. That might not be what space it occupies to you, but that is the space it occupies. “What does it take to compete with Signal’s Security” frames the argument to one component, and I would probably have a very different response to that framing. Because of the framing, your argument comes across as “don’t talk about use case, its not worth my time.” I understand this is because your focus is the cryptographic security, but threat modeling and Human factors has to be a consideration of an overall security posture. Congratulations, you have the best cryptography, but if its not usable, the cryptography doesn’t matter, if the users are the weakness, the cryptography doesn’t matter, if nobody is willing to use it because its missing a key user feature, the cryptography doesn’t matter.
I know enough about cryptography to know to leave it to the experts. I know about hardware power side channels, I know several exploits have been implementation based and not cryptography based, and I know vulnerability does not always mean an exploit
The framing is as follows:
Matrix, OMEMO, whatever.
If it doesn’t have all these properties, it’s not a Signal competitor. It’s disqualified and everyone should shut the fuck up about it when I’m talking about Signal.
That’s the entire point of this post. That’s the entire framing of this post.
If that’s not personally useful, move on to other things.
I understand your point of view, but whether you like it or not, your title will be viewed as the framing. “What Does It Mean To Be A Signal Competitor?” At a surface reading, it seems to me what that means to you is very different from what that means to others.
I assume you probably wrote it along the lines of “What does it mean for an E2E encrypted protocol to compete with Signal on a technical level”
Others read it as “what does it mean to compete with the signal app” and there is no additional depth to security.
Anyone incapable of reading past the title is not worth listening to
I think what they mean is that someone unfamiliar with your line of work might even read the entire post and come away with it with the view of “Okay, and?” since the title told them this was going to be about “What Does It Mean To Be A Signal Competitor?”
The problem there is that what Signal is is different to different people, someone might for example use it like any other chat application, in which case even something like Telegram (ew) or Discord could be an alternative to them.
Again, if someone is familiar with your blog, they’ll know what you mean, but the blog post can be viewed by someone in isolation, in which case it won’t be so clear, especially since it’s also in relation to moving off of Telegram, which is not an E2EE platform at all by default
If they actually read the whole thing, including the addendum, there should no longer be any confusion.
As a rule, I never change titles after pressing Publish.