notabot

I'm using Hacker's Keyboard, it's got all the keys where I expect them. None of the others feel right, but the fact it hasn't been updated in years does worry me. If anyone knows of a keyboard with a similar layout (separate number row, ctrl, esc, alt and cursor keys in place and the usual symbols as long press on the numbers) I'd love to try it out.

Interestingly, whilst Wikipedia does say that, the language in RFC 1591 (Domain Name System Structure and Delegation) only says:

There are a set of what are called "top-level domain names" (TLDs). These are the generic TLDs (EDU, COM, NET, ORG, GOV, MIL, and INT), and the two letter country codes from ISO-3166.

Likewise, in ICANN's PRINCIPLES FOR THE DELEGATION AND ADMINISTRATION OF COUNTRY CODE TOP LEVEL DOMAINS, they say:

‘Country code top level domain' or ‘ccTLD' means a domain in the top level of the global domain name system assigned according to the two-letter codes in the ISO 3166-1 standard

In neither case do they actually limit two letter TLDs to being country codes, they only state that all country codes in ISO 3166-1 are ccTLDs. In the RFC, the author does suggest it is unlikely that any other TLDs will be assigned, but this has obviously been superseded with the advent of gTLDs. Thus I still consider it likely that the .io TLD will simply transition to being a commercial one, rather than a country one.

Having said all that, it's entirely possible I've missed some more recent rule that tightens this up and only allows two letter domains from ISO 3166-1. If I have I'd be glad of a pointer to it.

You're probably correct, but it'll still have to be competitive with other TLDs, so it probably wont go too high.

It'll get eliminated as a country code, yes, but that leaves it available as a generic TLD. Seen as it will be available and is obviously lucrative, someone will register it and, presumably allow domains to be registered under it. Off the top of my head, I think it costs $10,000 and you have to show you have the infrastructure to support the TLD you register, so an existing registrar is the most likely. That figure is probably out of date, it's been many years since I checked it, but the infrastructure requirement is the more costly part anyway.

I very much doubt that the .io TLD will vanish, too many big companies use it. Seen as non-country TLDs are allowed, I suspect that as soon as the country code goes away an existing registrar will buy it and .io domains will carry on.

Not morons, just not educated enough about them to understand exactly what the implications of that action are.

I agree that them having users' phone numbers isn't ideal. There are other identifiers they could use that would work just as well. However, both the client and server are open source, so you can build, at least the client, yourself. If you can content yourself that it does not leak your ID when sending messages, then you don't need to trust the server as it does not have the information to build a graph of your contacts. Sealed sender seems to have been announced in 2018, so it's had time to be tested.

Don't get me wrong, the fact they require a phone number at all is a huge concern, and the reason I don't really use it much, but the concern you initially stated was addressed years ago and you can build the client yourself to validate that.

You're correct that if you use the system the way it used to work they can trivially build that connection, but (and I know this is a big assumption) if it does now work the way they say it does, they do not have the information to do that any more as the client doesn't actually authenticate to the server to send a message. Yes, with some network tracing they could probably still work out that you're the same client that did login to read messages, and that's a certainly a concern. I would prefer to see a messaging app that uses cryptographic keys as the only identifiers, and uses different keys for different contact pairs, but given their general architecture it seems they've tried to deal with the issue.

Assuming that you want to use a publicly accessible messaging app, do you have any ideas about how it should be architected? The biggest issue I see is that the client runs on your phone, and unless you've compiled it yourself, you can't know what it's actually doing.

Strictly you're having to trust the build of the client rather than the people running the server. If the client doesn't send/leak the information to the server, the people running the server can't do anything with it. It's definitely still a concern, and, if I'm going to use a hosted messaging app, I'd much rather see the client built and published by a different group, and ideally compile it myself. Apart from that I'm not sure there's any way to satisfy your concerns without building and running the server and client yourself.

'Sealed sender' seems to avoid this by not actually requiring the client to authenticate to the server at all, and relying on the recipient to validate that it's signed by the sender they expect from the encrypted data in the envelope. As I mentioned in another reply, I’m just going on what they’ve published on the system, so either I could be completely wrong, or they could be being misleading, but it does look like they’ve tried to address this issue.

Whilst I absolutely agree it's correct to be skeptical about it, the 'sealed sender' process means they don't actually know which account sent the message, just which account it should be delivered to. Your client doesn't even authenticate to send the message.

Now, I'm just going on what they've published on the system, so either I could be completely wrong, or they could be being misleading, but it does look like they've tried to address the very issue you've been pointing out. Obviously it'd be better if they didn't have your phone number at all, but this does seem to decouple it in a way that means they can't build a connection graph.

With 'sealed sender' your phone number, or any other identifying information, is not included in the metadata on the envelope, only the recipient's id is visible, and it's up to the recipient's client to validate the sender information that is inside the encrypted envelope. It looks like a step in the right direction, though I don't use signal enough to have looked into auditing it myself.