

The first step would probably be to try and revoke their tax exempt non profit status. But I’m confident the Signal Foundation would at that point just move to another jurisdiction. Maybe Canada, Switzerland or something like that.
Mastodon: @Andromxda@infosec.exchange
wiki-user: Andromxda
That’s what I thought when I first saw this
I agree
Absolutely
There was a period where they didn’t push changes to the repo, but all the code was released afterwards and it’s been getting regular updates ever since. But it also doesn’t matter at all, since the Signal client is designed in a way that avoids putting trust in the server. Signal servers could literally be run by the NSA and it wouldn’t matter, as everything is fully end-to-end encrypted, including metadata. The Signal protocol was also updated to use post-quantum cryptography in 2023.
below a large bold warning that discourages people from actually using it
Yeah, because an APK downloaded from the web isn’t automatically verified. You need to perform the verification of the package manually, which most users probably won’t do. So it’s safer to download a build from the Play Store, which does this automatically in the background.
Signal’s default, well-supported installations use Google services
Signal only uses FCM for notifications, with a fallback mechanism (WebSockets) being available in all builds of the app, as well as Google Maps for location sharing (which most people probably don’t use anyway).
so unless you’re an extremely atypical user, those services are present on most of your contacts’ devices
Google Play services being present on people’s devices has nothing to do with Signal including the library. They are present on almost every Android device, because Google pressures OEMs to include them and grant them system level privileges.
Let’s also remember that E2EE doesn’t protect the endpoints
Yeah, but that’s the case with EVERY messenger app, so I really don’t know what your point is here?
As far as I know Moxie, Signal’s lead dev, considers only the use of the officially built and distributed client authorized to use their servers.
Moxie resigned a few years ago. The article you linked to is 9 years old, Signal leadership has changed a bunch of times since. Signal can’t detect that you’re running an alternative client, because that check would require them to include some new code in the official client. Even if they did this, they couldn’t just ban anyone whose client doesn’t pass the check, since it could just be an older version of the official client. They could force everyone to use the official app, but they really have no reason to invest time and effort into enforcing this. Molly is only available for Android, and it isn’t even on the Play Store or the official F-Droid repo, so the user base naturally won’t be as big.
Have you been using this one?
I tried it out once, but I currently don’t use it, because I just run mollysocket on my own server.
On my app I don’t get rich notifications only “you may have a new message”.
That should only be the case while your Molly database is locked, because the actual messages can’t be decrypted, so no message preview can be shown in the notification.
Oh that’s the only one I know of. I thought that this is what you’re referring to.
We are still in a trust me bro situation
No we’re not. You don’t have to trust Signal, everything is open source, you can actually verify it.
it’s not really different from Whatsapp or Telegram
That’s not true. WhatsApp is fully proprietary and Telegram doesn’t use E2EE by default. And even if you enable it, they use a weak encryption protocol.
It’s also available on their website btw: https://signal.org/android/apk/
Well, you can still insert client side decryption into the app.
That’s why all clients are fully open-source. You can also use a fork like Molly.
your conversations are still tied to Google
That’s simply false. Signal Notifications never include the content of the message or any metadata, no matter if they’re sent over FCM, APN, WebSockets or UnifiedPush (via mollysocket). That wouldn’t even be possible, since the Signal server sending out the notification doesn’t even have the key to decrypt the message. Only the users involved in the conversation have the keys, that’s how end-to-end encryption works. Signal simply sends an empty message via FCM (or any other push system), and the Signal app on your device then receives and decrypts the encrypted message and shows you a preview of the message content as a notification on your operating system.
And every build of the Signal client for WhatsApp also supports WebSockets as a fallback push notification system, in case Play services aren’t installed or can’t be reached. The only reason why FCM is used by default is that it saves some battery, because it only maintains one background network connection for all apps, instead of each app handling notifications themselves.
I personally have them hosted on fly.io for free via the legacy hobby plan
Here’s the link for anyone who’s interested: https://github.com/pcrockett/mollysocket-fly
so the company can be bought
The company (Signal Messenger LLC) is fully owned by Signal Foundation, a 501(c)3 non profit organization.
Try to use federated services
I generally like this idea, and I also use federated services for things like social media, that’s why we’re having a discussion here on Lemmy. But it introduces some issues with private messaging, like lack of reliability, which sucks if you want to use Matrix as your primary messenger, as well as metadata leaks. Federation is not always the answer, and in my opinion definitely not when it comes to private and secure messaging.
they are more robust against hostile take overs
Probably around 80-90% of Matrix users are on the matrix.org homeserver, so it’s absolutely not as decentralized and resilient as you think it is.
I currently use Telegram for my friends and family
Telegram is probably the worst thing you could use, it doesn’t encrypt messages by default and they are stored on Telegram’s servers, so they can read them at any time.
I’m also on Element/Matrix. Before I try to get my contacts to join me on there, should I be aware of any privacy issues
Yes, Matrix leaks a bunch of metadata and doesn’t have post-quantum encryption.
The best option is to use Signal. It uses end-to-end encryption by default for everything: Normal chats, group chats, voice and video calls and even stories. Messages are only stored on their servers (in encrypted format, so they can’t access them) until you receive them, after which they are promptly deleted and only stored on your device. And Signal has much better metadata protection than Matrix. The UX is also much better and less confusing, making onboarding new users much easier.
Would Mexico and Panama be the 53rd and 54th then?