Open Source duel: Kontalk vs Signal

## Signal
:heavy_plus_sign: 10-15x more users than Kontalk
:heavy_plus_sign: more features (group chat, voice messages, …)
:heavy_minus_sign: Server not open source
:heavy_minus_sign: Moxie makes some unreasonable decisions regarding Google independence or quitting Signal forks

## Kontalk
:heavy_plus_sign: fully open source
:heavy_plus_sign: more suggestions get implemented
:heavy_minus_sign: few users

Please complete this list if you can think of more arguments! :slight_smile:

2 Likes

Signal

:heavy_minus_sign: Requires Google Cloud Messaging, and thus does not work on smartphones without Google Play (like mine)

Edit: I now notice you named it, but I want to leave this here anyway to show that it means Kontalk runs on more phones

:heavy_plus_sign: Uses axolotl, which supports Perfect Forward Secrecy

Kontalk

:heavy_plus_sign: No non-Free dependencies, can run on Replicant or non-Google CyanogenMod, etc.
:heavy_minus_sign: Uses GPG, which doesn’t support Perfect Forward Secrecy (may switch to OMEMO?)
:heavy_plus_sign: Available on F-Droid

2 Likes

From what I remember from the last time I checked, the Signal server is open source. They just do not allow external servers that are not under their control to talk to the main server. So even though you can implement your own server, you can’t have it under the Signal network. Moxie’s made a post about this; iirc it enables them to quickly implement fixes and move on without waiting for other servers to catch up, which would compromise security.
What is closed source is the audio calls implementation, which Kontalk does not support anyway.
Also Signal uses a widely accepted security protocol. I hope Kontalk can switch to OMEMO soon to take advantage of this.

About OMEMO… see here: https://github.com/kontalk/androidclient/issues/132 It’s milestone 4.1.0

You could use the XPosed module “This App Will Run Without Google Play Services”. It disables the error message shown when you start the app. But then you won’t receive push notifications. Or microG, which emulates the Google Play Services.

1 Like

So this means that the Signal network is another walled garden. Isn’t that the highest security threat? Attack one server (cluster) and the whole network is down… :stuck_out_tongue:

2 Likes

It seems that at least the Google dependency doesn’t affect the privacy of Signal-users:

> Neither Google nor Apple has access to metadata about who you are communicating with.
>
> Signal support page

###### PS: I can happily announce that Austria finally has a president!! :smiley:

That’s pretty much how Kontalk uses GCM too. It’s just a signal to wake up the app.

1 Like

So it looks like Signal was recently blocked in Egypt and there have been people urging users to switch to Kontalk as an alternative.

I am not an expert, so I thought to ask here. Can the distributed and federated nature of Kontalk become an advantage in cases like this and if yes, how?

3 Likes

Well, since Kontalk now counts 1 server only, it’s easy to block it. That’s why I’ve been pressuring people to open other servers even if the number of users doesn’t justify it yet. I’ve also been working on an easy way to migrate an account to another server when e.g. the server has shut down or has been blocked.

Here is the blog entry in English language:

http://www.madamasr.com/en/2016/12/19/feature/society/signal-unstable-alternatives-to-the-encrypted-messaging-application/

2 Likes

Yes, but even if you have 10 servers, if an entity wants to block them can’t they do the same for all of them using similar methods/tactics? Or one can always create a new server and then it is a game of catchup?

I was thinking that the fact that Kontalk can talk to outside networks through XMPP makes this more difficult.

2 Likes

I think that if the ISP blocks all XMPP connections, 10 servers won’t help you. That’s why we need independent ISPs, in the best case customer-owned coops.

If the connection happens via an encrypted channel through a standard port, let’s say 443, it’ll be impossible to block. You can mitigate it by avoiding long-lived connections, but then you can always use BOSH (XMPP over HTTP).

1 Like

Mobile messengers seem to be a trending issue nowadays. Here is a relevant post with related links and many comments discussing PGP vs Signal.

My guess is that most Kontalk users are here because we want to stay away from Google’s services. Once our community here is a bit bigger it would be interesting to run a survey to learn more about these reasons and what people expect from Kontalk in the future.

1 Like

Hm. I for one want to stay away from walled gardens. I’m for open gardens that everyone can benefit from. :sunflower:

3 Likes

Signal is horrible. It’s completely Google compliant which screams anti-privacy. However, it is unfortunate that Kontalk does not support iOS. The reason I would even suggest this is only because a friend of mine uses iOS so I’m not able to use Kontalk with him, therefore I’m limited to Hangouts which I absolutely despise.

Just like Telegram, Signal uses proprietary software within their servers and I’m not sure if they require proprietary dependencies but I’m pretty confident that Telegram does. They say they want to protect privacy but they use non-free software to do so.

The fact that Snowden would recommend services like Signal or SpiderOak leads me to believe that he might not be as serious about privacy as people think. Or maybe he’s just making those recommendations because they are easier for the vast majority. I don’t know but of course I appreciate what he’s done and the secrets he’s exposed.

Well if I were able to recommend anything to someone living in Egypt, I would inform them of Tor and how to use obfuscated bridges in order to hide that activity so that their government does not block it as I’m sure they do.

“Just like Telegram, Signal uses proprietary software within their servers…”

Well, that’s not true, their server software is open source and you can find the code on GitHub (https://github.com/WhisperSystems/Signal-Server). But there’s another problem: they don’t allow federation. So you could set up your own Signal server, but it wouldn’t help much, because the exchange of messages with Open Whisper Systems’ server would be blocked by them.

This is one of the crucial problems of Signal: it’s a walled garden.

2 Likes

I think this is an important point. The definition of “secure” always depends on the specific threat model. And ours in Germany, Italy, Canada or the US still is low level, whereas users in let’s say Egypt, Syria or China have to face much more severe risks.

I for example know some Syrian refugees here in Germany and usually I recommend Kontalk to them (or Conversations and ChatSecure in case they are tech savvy). But actually I recommend it only for their communication within Europe and tell them to stay with their shitty WhatsApp when it comes to communication with friends and family in their homeland. Why? Because I don’t want their family members in Syria to stick out of the mass. I’m pretty sure that in Syria with its 17 intelligence agencies Deep Packet Inspection is epidemic and it would be quite a risk to be flagged with “communicates with foreign countries using a messenger that is focussed on privacy”. Sure, they still can’t read what you want to hide from their eyes – but in many countries it’s enough to demonstrate that there may be anything you want to hide to become a potential enemy of the state.

1 Like