
I wish it were more obvious that Signal expires its apps every 90 days.

My mom couldn't receive Signal calls on the backup phone I gave her. I had disabled auto-updates since apps break UI sometimes and she gets confused by things moving around.

When I visited, I opened the Signal app and was told I had to update.



I have been bitten by this in the past. At least now they give warnings in-app that the app will expire soon. But if you don't use the app regularly, you wouldn't even know. Also, I'm not aware of any other apps that die in this way, so it's not like people are in the habit of periodically checking the app to make sure they're still on a version that can receive incoming messages.


This has more sinister implications in some places. For example, the Apple App Store in Russia can get banned at any time. So if I understand this correctly, if that happens, Signal will stop working for all iPhone owners in Russia in 6 months. And guess where you really need something like Signal?


It's patently unforgivable that a message would not be delivered because the client is out of date.

The Signal team is incredibly clueless and arrogant toward its userbase. It seems to simply not have occurred to them that many people rarely/never have wifi, may not be on AC power when they are on wifi which means the phone may not check for / apply updates, etc.

In the US, cellular is often expensive and slow.

In underdeveloped countries where software like Signal could be really important, all this is even more true.

We get shit crammed down our throats to protect the most obscure edge cases for the smallest percentage of the most vulnerable users - such as not being able to sync messages between devices - but then they pull shit like this which has a huge impact for people in rural areas and underdeveloped countries?


Delivering a message to a client which is known to be less secure than the sender expected it to be is unforgivable.

Refusing to deliver is inconvenient.


> Delivering a message to a client which is known to be less secure than the sender expected it to be is unforgivable.

That is inconsistent with the threat model of a messaging system!

Inherently, a messaging system will deliver a plaintext copy of the message to the recipient(s). Wouldn't be much of a messaging system otherwise.

Once you sent something and it was delivered in plaintext to the recipient, the information disclosure risk is completely out of your control (and out of control of the application in use). The recipient is free to leak it however they wish.

If you don't trust the recipient to keep it private, don't send it.


> That is inconsistent with the threat model of a messaging system!

I disagree, the worst thing that a messaging system that aims to be "private" can do is to actually not be private. Sending to a known-insecure client is a violation of, like, the one thing Signal claims to do.

> If you don't trust the recipient to keep it private, don't send it.

My threat model is some combination of "third party actors who I don't trust" and "second parties who I trust but who are non-experts"[1]. I would like Signal to protect me from the first (by not delivering things to known-insecure clients that can be middlemanned or otherwise discovered) and the second, by having privacy-respecting and mistake-preventing defaults. Things like disappearing messages and such. Keeping my trusted-but-nonexpert peers from making mistakes that can harm either of us in the future is a key part of my threat model.

For example, disappearing messages prevent me from being harmed by my friend, who I trust to discuss things with, not having a lockscreen password and getting warranted by the police. An outdated or third party client that lets you keep them forever, even if well intentioned, can break that aspect of the threat model. And yes, a peer who is actually nefarious can still do that, but that's not my threat model. I think my friends aren't privacy-experts, I don't think they're feds.

[1]: This is, for example, the reason that I think PGP is not a good tool. Even if I do everything right, a well meaning peer who is using the PGP application can unintentionally leak my plaintext when they don't mean to, because of the tool's sharp edges.


But you don't know, at the time of sending, which version of the client will show up to retrieve it. Otherwise both clients would need to be connected at the same time before you were allowed to send.


Just curious, since I'm not really active in this space, but wouldn't the threat model of most concern be that an external actor breaks (maybe an outdated version of) the app or protocol? This would leak data without you or the recipient being any the wiser. It seems like that's the threat the app-expiry policy is intended to address.


You could update the protocol version if and when a protocol weakness is discovered and then stop talking the previous protocol version after a transition period.

No need to continuously expire apps in the absence of a protocol breach.


What if there's a vulnerability in the app itself?

I have no idea if that's what they're concerned about - they may just be being arseholes in this case - but from the outside it seems like a legit reason to build in the capability for app expiration.


If the app has to be updated on a 90 day schedule, then it's likely that most of those updates aren't making anything more secure. So it's not "known" that someone running last quarter's version is less secure than the sender expects.


I think this is the tradeoff that Signal makes versus the messenger most similar to it, WhatsApp. Though of course everyone in a group chat must pick one or the other, so it's not much of a free choice. (My friend group in the bay area is entirely on Signal, for example, though I also have a WhatsApp account.)


> In the US, cellular is often expensive and slow.

Mint will sell you a plan for 5GB of data for $15/mo. It's not that expensive to have a basic cellular plan. And that's assuming you're not poor enough to have your cellular plan almost entirely subsidized. And also assuming you're pretty much never anywhere with wifi.

In the vast majority of markets in the US it'll take a minute or less to download, it'll probably take more time unpacking on your device and installing.


5GB for $15USD/mo is expensive relative to other areas of the world. In Aus, for example, my phone plan is $30AUD/mo for 55GB.


Sure, but the thing I was responding to was "in the US".

There's cheaper per-gig plans in the US. Visible has unlimited plans for $30/mo which is cheaper per-gig if you use a lot but more if you're using less than 5GB anyways. And if 200MB/yr currently seems like an expensive amount of data to you, you're probably already using less than 5GB a month.


We are talking about 85 MB four times a year to keep the application up to date and running smoothly. Don't be ridiculous.



