I didn’t know my city was cool enough to put signal flyers.
Cool but I wouldnt exactly trust a random qr code
QR codes essentially just encode text, as long as you’re using a sensible QR code reader and check any URLs before opening them there’s minimal risk to scanning a QR code.
I still wouldn’t trust it because of homograph attacks.
Oh is that like bankofarnerica.com or whatever, hoping the r and n look enough like an m for at least some people to click?
edit: under absolutely no circumstances click on the above link. Your bank will be robbed and your foreskin soldered shut. To very don’t.
Respectfully I think this is a minimal attack vector in this case due to the limited character set of urls. But thanks for the callout, I didn’t know there was a name for this sort of attack.
Punycode enables you to encode any Unicode character as ASCII. Almost all browsers support this.
Modern browsers happily show you the actual characters, while sending their encoded entities to the server. So, from a user perspective there is no ASCII limitation. Case in point: söhne.at (just some random website, I have no idea what they are or if they are legitimate)
They’d still resolve via DNS to an address in ASCII though, right? Wouldn’t that only be an issue if ICANN didn’t have a monopoly on DNS registration? i.e what we already depend on for a semblance of convenience without totally compromising opsec
It utilizes punycode under the hood. The actual DNS entries still use ASCII.
Or xss/sqli/etc attacks on vulnerable sites that don’t sanitize url query parameters
Well not really, it’s a good way to do a IDN homograph attack
Surely it’s legit
EDIT: It actually is
What is it? Just signal’s webapge? I’m a coward.
Yup. I cropped the QR code and checked it with an online reader, and it’s literally signal.org
Okay, but who’s is doing guerrilla advertising for a centralized service that requires a SIM card & an Android/iOS primary device or no account for thee. …At least in the past I convinced grandma this is the new SMS app you can use as I knew she would treat it as such, but now I wish I hadn’t since even that useful feature was lost. I want to drop Android entirely, but I need access to my contacts locked in the Signal system–which centralized system lock-in is one of the things we privacy-concerned folks want to avoid.
Signal isn’t perfect but it’s still one of the best options.
It’s the bare minimum for passable due to E2EE, not being owned by a corporation, & mostly open source–not “best”. We have better.
what?
XMPP is an extensible protocol that has over a decade of battle testing from the casual chat to massive industrial communications applications (Zoom, Jitsi, almost certainly any online game you’ve played). It has E2EE in modern clients. It’s decentralized by nature & relatively easy to self-host. Both servers & clients use very few resources like bandwidth, storage, processing, memory (consider conditions of the time of invention). It doesn’t take minutes to join & sync chatrooms (MUCs). Gateways allow folks to talk across non-XMPP platforms. Governance is distributed in the open & not tied to a single entity. There are even projects like Snikket that can be rolled out for a family that is close to turn-key for set up. Along with something like Movim can create a self-hosted social network built atop an XMPP server for posts to share stories & media for a longer-term storage.
If E2EE encryption isn’t seen as a must relying on TLS + self-hosting: lighter, simpler IRC (good feature set with v3) which has been around since the ’80s can be a good choice. Zulip which is a forum/chat platform that has the most usable UX for trying to actually hybridize both (it’s not amazing UX, but better than the rest); this can work for a great for certain communities that desire this behavior.
Distributed (not to be confused with decentralized) encrypted chat there is Briar with a mesh network not even requiring internet, but has limited platform support & last I used years ago had massive battery drain issues.
If you must, there is Matrix which decentralized & offers E2EE but is relatively expensive to run from the clients, to servers, to the design generally being that it replicates the room messages & attachments & state across all servers for all users. While that duplicated data is great for resilience, can be expensive to store & is what takes minutes to join any room. I think it was a design decision ‘miss’ to try copy Slack/Discord/Telegram-but-FOSS as doing too much & none of it that well–where I think chat is better to be a bit simpler + expected to be ephemeral & a different service like a forum for important, permanent discussions & FAQs. Mastodon suffers similar issues with replication that makes some have to shutdown their self-host due to cost–which has led to Matrix in practice centralizing around Matrix[dot]org (who has a history of Israeli intelligence funding) & the servers they provide to others funneling all the metadata thru their org since they offer free accounts, are big enough to scale, & have most of the users. Folks act like Matrix is great just for being newer, but the aforementioned already cover its uses while being more mature.
Good luck getting people to use XMPP. It is complex and doesn’t even properly support photos and other media.
?
Images & video work fine on Cheogram, Dino, Gajim, & can be piped from Profanity
And your response brings up another reason why no one is going to adopt XMPP. There isn’t a central app or server for someone to use.
