Hacker Read

Sir_Cmpwn | karma 19702 | avg karma 5.33 · 2016-12-22 20:56:02+00:00

GCM depends on Play Services, so I'm really not.

dublinben | karma 8633 | avg karma 2.93 · 2016-12-22 21:08:22

GCM is merely one minor component. The existence of the microg project proves that you can implement one without the other.

Sir_Cmpwn | karma 19702 | avg karma 5.33 · 2016-12-22 21:15:32

MicroG does not implement GCM.

floatboth | karma 5759 | avg karma 2.0 · 2016-12-22 21:25:53+00:00

MicroG does implement the GCM client! I've been getting push notifications through that thing for several months.

Sir_Cmpwn | karma 19702 | avg karma 5.33 · 2016-12-22 21:30:38+00:00

Through Google, yes, but you can't bring along your own push notification delivery service.

tptacek | karma 394296 | avg karma 6.04 · 2016-12-22 21:41:21+00:00

Your argument has become circular, because the what Signal uses push notifications for isn't security-relevant: the messages are empty and used only as a wakeup.

Sir_Cmpwn | karma 19702 | avg karma 5.33 · 2016-12-22 21:49:10

They still contain information, though. They say when you're talking on Signal. Matched with someone else's messages at about the right frequency to indicate a conversation, they give a pretty decent idea of who you're talking to.

tptacek | karma 394296 | avg karma 6.04 · 2016-12-22 23:37:52+00:00

They give the same information that TCP/IP traffic analysis does.

Sir_Cmpwn | karma 19702 | avg karma 5.33 · 2016-12-23 00:25:09

Perhaps, but we can at least start to explore solutions to that if we can work on the server too.

tptacek | karma 394296 | avg karma 6.04 · 2016-12-23 00:36:37

You're ping-ponging all over the place. Which is it? "Glaring security problems", or impediments to fully exploring the solutions space?

Sir_Cmpwn | karma 19702 | avg karma 5.33 · 2016-12-23 00:45:02

Why can't it be both? You're a real difficult person to have a rational discussion with, you know.

tptacek | karma 394296 | avg karma 6.04 · 2016-12-23 01:49:27

Because it's clearly not both.

If I say "your house is on fire!" and you rebut "no it isn't" and I respond "well, your shoelace is untied", any reasonable observer will conclude that you've conceded the house fire.

If my house was really on fire, you'd say "no, really, look at it! Flames are shooting out of the bedroom window!". If your strong argument was valid, you'd restate it, perhaps with additional evidence.

reply

kuschku | karma 11518 | avg karma 1.46 · 2016-12-22 22:09:55+00:00

No, it implements one half of it.

Signal still has to be linked with a proprietary binary, which contains lots of tracking code.

reply