It’s time-consuming, but it’s fun too. It’s my main hobby now.
The group system is mainly interesting from an engineering and illustrative PoV. Signal is actively working on getting rid of current privacy violations, while I generally find that Threema and others don’t spend this engineering effort. This is not limited to groups, that’s why I also mention unidentified delivery, and their other 40 blog posts that illustrate their efforts. That said, any libsignal-based messenger is probably an upgrade over SMS in some regard. Maybe the main exception being WhatsApp, but we still have to find out why exactly it’s terribly bad.
Re Swiss-vs-US, you make a valid point if I’m allowed to interpret your statement very broadly. Signal uses the principle of “trust on first use”. A US-hosted machine could actively intercept the first communication, which allows them to be a middle man. If they don’t intercept the full line of communication, this will be detected. This is however a MITM attack, and not per se an attack on the server. If you use Threema to communicate with someone US-based, this attack also happens. TL;DR: you don’t need a back-door to bypass e2e.
The only way to make sure, and this is a general thing for any messaging system ever, is that you need to check your “fingerprint” of the derived key, or manually check and confirm the public key of the other party. TOFU is best-effort, and sadly will always be best-effort.
I agree that reCAPTCHA is totally creepy and Googly, but I also see the need of Signal to implement such a system. My hope is that they add more options to verify that you’re a human being; currently they only have reCAPTCHA and GCM, both being Googly.
TL;DR for the full post: I think Signal is moving in the right general direction, while the other competitors feel like a fad or a grab for power, staying where they started. Please do inform me if I tell lies about Threema et al., I’d be very interested in being proven wrong.
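
The trust-on-first-use behaviour discussed in the comment above, as an added example that is not part of the original post and is not Signal's or Threema's code. The `TofuStore` class, the fingerprint format and the sample keys are assumptions made for illustration; the sketch shows that a key substituted at first contact is pinned silently, that a later key change is flagged, and that only the out-of-band fingerprint comparison catches the substitution.

```python
import hashlib
import hmac


def fingerprint(public_key: bytes) -> str:
    """Short, human-comparable digest of a public key (illustrative format)."""
    digest = hashlib.sha256(public_key).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))


class TofuStore:
    """Hypothetical pin store: trusts the first key seen for each contact."""

    def __init__(self):
        self.pins = {}  # contact -> (public_key, verified_out_of_band)

    def observe(self, contact: str, public_key: bytes) -> str:
        if contact not in self.pins:
            # First use: nothing to compare against, so the key is accepted.
            self.pins[contact] = (public_key, False)
            return "pinned-unverified"
        pinned, verified = self.pins[contact]
        if hmac.compare_digest(pinned, public_key):
            return "match-verified" if verified else "match-unverified"
        # The pin is kept; the user has to decide what to do with the new key.
        return "KEY-CHANGED"

    def verify(self, contact: str, fingerprint_from_peer: str) -> bool:
        """Compare the pinned key with a fingerprint obtained out of band."""
        pinned, _ = self.pins[contact]
        ok = hmac.compare_digest(fingerprint(pinned), fingerprint_from_peer)
        if ok:
            self.pins[contact] = (pinned, True)
        return ok


def scenario() -> list:
    bob_real = b"constructed-sample-key-bob"     # constructed sample bytes
    middle = b"constructed-sample-key-middle"    # constructed sample bytes
    alice = TofuStore()
    return [
        alice.observe("bob", middle),    # substituted key at first contact
        alice.observe("bob", middle),    # same key again: nothing to detect
        alice.observe("bob", bob_real),  # interception stops: change is flagged
        alice.verify("bob", fingerprint(bob_real)),  # out-of-band check fails
    ]


if __name__ == "__main__":
    print(scenario())
```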