Become a fan of Slashdot on Facebook

 


Forgot your password?
Close
typodupeerror
Encryption

Signal Chief Explains Why the Encrypted Messenger Relies on AWS (theverge.com) 61

Posted by msmash from the closer-look dept.
An anonymous reader shares a report: After last week's major AWS outage took Signal along with it, Elon Musk was quick to criticize the encrypted messaging app's reliance on big tech. But Signal president Meredith Whittaker argues that the company didn't have any other choice but to use AWS or another major cloud provider.

"The problem here is not that Signal 'chose' to run on AWS," Whittaker writes in a series of posts on Bluesky. "The problem is the concentration of power in the infrastructure space that means there isn't really another choice: the entire stack, practically speaking, is owned by 3-4 players."

In the thread, Whittaker says the number of people who didn't realize Signal uses AWS is "concerning," as it indicates they aren't aware of just how concentrated the cloud infrastructure industry is. "The question isn't 'why does Signal use AWS?'" Whittaker writes. "It's to look at the infrastructural requirements of any global, real-time, mass comms platform and ask how it is that we got to a place where there's no realistic alternative to AWS and the other hyperscalers."
This discussion has been archived. No new comments can be posted.

Signal Chief Explains Why the Encrypted Messenger Relies on AWS More

Signal Chief Explains Why the Encrypted Messenger Relies on AWS

Comments Filter:

  • HyperScalers (Score:3)

    by KermodeBear ( 738243 ) on Tuesday October 28, 2025 @12:00PM (#65755940) Homepage

    We are no longer just "web scale," we are now at "hyper scale." That sounds so, like, high tech and stuff.

  • Amazon, google, Microsoft, cloudflare any one of these go down and huge chunks of the internet go dark. These are just the ones Iâ(TM)ve heard of. I bet there are companies all of the above rely on that I havenâ(TM)t heard of. The internet is not as resilient as it was.

    • Re: (Score:3)

      by cowdung ( 702933 )

      I wonder if it would make sense for a company like Signal to have servers in both AWS and Azure. Thus lowering the chances of a full crash. At least have a degraded speed mode or something.

      But at some scale hosting your own servers becomes cheaper. And you use AWS as your backup.

      • Multi-cloud increases your points of failure. Even multi-region within AWS adds complexity for data synchronization, and complicates the restoration of service after a single-region failure.

      • Multicloud would be a good option but what's the point? Your whole system can go down but you can point the finger at AWS and nobody even questions it. We saw that with CrowdStrike too.

        It's sort of similar to having your personal information released in a breach these days. Nobody cares anymore because everyone already has your information. Once it's expected, it no longer matters.

  • Learn from kiwifarms (Score:3)

    by ArmoredDragon ( 3450605 ) on Tuesday October 28, 2025 @12:10PM (#65755960)

    Kiwifarms seems to have figured out how to solve this problem pretty well. No cloud providers will host them due entirely to public pressure, so they've created a distributed hosting system with it's own ddos mitigation. And it seems to hold up well as they get ddos'd quite a bit, and any time one server goes down, there's another somewhere else on some other smaller provider to take it's place. This is exactly why I find that site so interesting. I don't care for the content, but they've proven that even in this day, you don't have to rely on any big infrastructure provider.

    However, it isn't a turnkey solution, unlike say AWS, who owns practically the whole stack. A lot of work and maintenance has to be done. I bet somebody could come up with a software framework of sorts that makes managing multiple providers on your own easier, and more scalable than what kiwifarms has done. Kiwifarms didn't even try to do it until they had to. And right now, nobody else has to.

    But do companies like signal have the will to?

    • Re:Learn from kiwifarms (Score:4, Informative)

      by Cley Faye ( 1123605 ) on Tuesday October 28, 2025 @12:44PM (#65756066) Homepage

      It is possible, today, to multi-home. Critical services do that (or should). It's not even *that* hard, although you have to be competent with all your providers.

      I'll oversimplify a bit, but

      • DNS can have multiple resolvers, that's not the hardest part (let's hope the root do not crash.)
      • Load balancers, through both DNS and apt container management (or whatever similar tech you have) can handle one provider failing mostly gracefully; some clients will insist on hitting the dead one, but it will smooth out. You will have to have load balancers that can work with multi-homed stuff, so prepare to tinker a bit unless your providers are nice.
      • Services "processing" that can be stateless will rely on their resources being available, and can be spanned as needed to absorb the load, including over multiple hosts.
      • Services that aren't stateless are more of a hassle because it's easier to lose something if one goes dark, but it's a risk that can be evaluated and mitigated too, with proper admins and services.
      • The "ressources" (storage, database, dedicated hardware, etc.) all have some form of redundancy mechanism available, that can range from trivial to complex to setup, but ultimately things can fall back properly if one instance disappear.

      Note that all of this assumes one of the following: either your providers play nice with each other, or you go bare metal in some places to setup redundancy, replication, etc.. Also note that this will require competent sysadmins to at the very least bridge the gap between multiple providers. A business could be built on top of these ideas, to provide services that are "transparently" served by at least two big, independent providers. But all of this costs a lot.

      About Signal they failed when AWS failed. Baring any active attempt at hindering Signal, this is a relatively rare event (although it happens more and more these days). Increasing infrastructure costs indefinitely to handle a very sporadic downtime is not really an obvious solution. Keep in mind that as long as it's not the whole AWS zone that goes under, AWS is quite good at keeping services available in case of minor events (other providers too, I suppose).

      I have no idea where Signal gets his money, but wherever that is, I assume that "increasing infrastructure cost by 40% to alleviate two hours of downtime a year" would not look too good.

      • Signal sells on their security. Being on AWS makes every message far-more-easily available to governments and Amazon's interests. Even if the apps are secure when the network is not, the apps can receive a sneaky update at any time when the files are not served by the owner.

      • What I have in mind is more akin to a kubernetes-like framework, combined with ipv6 anycast IPs (so DNS is less important, especially if your app manages it's own certificates, does certificate pinning, etc.) If such a thing existed, I think it could prove to be pretty reliable.

        We already know that it can be done with competent sysadmins, because somebody is already doing it.

        The part that software can't solve is setting up contracts with the providers, and they're all doing their own thing. On the other han

        • You can anycast with IPv4 as well, but you'll need a /24 at minimum to really do it (none of my transit providers will accept smaller, and I don't accept smaller from my customers, but I have seen smaller on the internet BGP table)

          A /24 enough to have a fully anycast framework for domain hosting including your nameservers.
          That's basically how all of our multi-PoP HA works.
          As someone mentioned, synchronization gets more difficult as the system gets more complex, but frankly it isn't bad, and there are *l

          • The problem with v4 anycast is the requirements for it (at least, for a public IP) are beyond the reach of what most people can reasonably do, even if they know what they're doing.

            If the entire internet hates you, or you just plain don't have the resources, and you're susceptible to ISPs that suddenly drop you and/or go out of business, I think having more than one v4 anycast subnet might be hard to maintain uptime with.

            I've never had to though, so I'm not sure. I tend to think that having multiple would at

            • The problem with v4 anycast is the requirements for it (at least, for a public IP) are beyond the reach of what most people can reasonably do, even if they know what they're doing.

              If the entire internet hates you, or you just plain don't have the resources, and you're susceptible to ISPs that suddenly drop you and/or go out of business, I think having more than one v4 anycast subnet might be hard to maintain uptime with.

              I've never had to though, so I'm not sure. I tend to think that having multiple would at least give you redundancy without having to rely too much on DNS, especially as in the case with kiwifarms where one of their registrars just decided to keep the domain after dropping them (and it's taking them on the order of years so far to get it back via the courts.) Though I suppose for an app, using multiple domains might make that mostly transparent

              The crazy thing is the internet was designed to route around politicians and hardware failures. It just doesn't work too well when either the internet hates you or your cloud provider goes down. Signal I think is exactly the kind of app that needs to have distributed services, regardless of what the internet thinks of it.

              Wait- is there a way to anycast an IPv6 subnet without arranging for transit from someone? Shouldn't be any difference between getting your hands on an IPv4 allocation and an IPv6 allocation and then setting up transit (again- other than price, which is a major hurdle since IPv4 addresses are worth their weight in gold)

              If the entire internet hates you...

              I think that also comes down to price, really. The smallest IPv6 subnet you can reasonably announce on the public internet is still going to be very cheap, and come in a larger network of man

    • In fairness, Signal has something on the order of 70 million active users, and in contrast this is the first time I've ever heard of Kiwifarms.

    • Re: (Score:3)

      by AmiMoJo ( 196126 )

      Kiwifarms is a tiny website though. Signal handles a lot of messages, a lot of push notifications. An even bigger issue is that Signal needs to be available as widely as possible, without being blocked.

      Tor uses Microsoft Azure to get around blocking in some regions. Even governments can't really block what look like normal HTTPS connections to Azure cloud, without breaking a lot of stuff. The same goes of AWS.

      • Tor uses Microsoft Azure to get around blocking in some regions. Even governments can't really block what look like normal HTTPS connections to Azure cloud, without breaking a lot of stuff. The same goes of AWS.

        Blackhats like to host proxies for their traffic in Azure and AWS for the same reason.

  • Our entire economic system is based on getting a monopoly and control over supply. That's the way you make money. You can imagine a world with 20 competitve Amazon's but our current economic system won't really allow that to happen.

    • Re:Monopolism (Score:5, Insightful)

      by JaredOfEuropa ( 526365 ) on Tuesday October 28, 2025 @12:33PM (#65756030) Journal
      That's kind of what that (tired and overused term) "late stage capitalism" is: monopolies, oligopolies, and lack of competition. Companies seem to naturally gravitate towards cornering markets or collusion. The sad thing is that both in the US and the EU (and elsewhere too probably), antitrust laws have become a joke in practice. Capitalism needs checks and balances, and keeping the free market working is the most important one even for the more laissez-faire minded. That means strict rules around market share. a free market cannot function without meaningful competition.

      • Re:Monopolism [solution approach] (Score:4, Interesting)

        by shanen ( 462549 ) on Tuesday October 28, 2025 @12:51PM (#65756084) Homepage Journal

        What if we taxed monopoly profits in a progressive way? If you are getting profit from a monopoly, then your tax rate goes up, with the revenue used for regulating the monopoly and for researching ways to break the monopoly. Various ways to detect monopoly situations, but the three I favor right now are (1) checking to see if customers have real choice, (2) studying complaints from wannabe competitors who can't get into the market, and (3) looking at whether the people who work in the field have alternative employment opportunities.

        But my truly subversive thought is that this would motivate companies to break their own monopolies to increase their retained earnings. Divide the company into competing entities. The evil that is Microsoft is an easy example. Imagine that Microsoft split itself into two or three daughter companies, each starting with a copy of the source code and an equal share of the corporate resources. Then let them go at it hammer and tongs. (Plus none of them needs to be too big to fail and all of them can and should be subject to higher liability for mistakes and incompetence...)

        Solution-oriented thinking? I must be begging for the Funny mod.

        • I always thought that should be the case: if a company grows beyond a certain market share, additional rules should kick in. Perhaps extra taxes, but certainly rules against them buying up more competitors in the same space. Grow even further, and they might be deemed a public utility subject to strict price and access regulations.

          Companies have been broken up in the past, with good results. A company might split itself to get around antitrust laws, which is fine if it results in actual competition.

      • Re: Monopolism (Score:4, Interesting)

        by simlox ( 6576120 ) on Tuesday October 28, 2025 @02:33PM (#65756348)
        Simple rule: Large companies must pay dividends instead of keep growing. Put a max worth of 100 billion USD. Any company with a higher evaluation must pay dividends and thus become smaller. The stock holders must instead invest in other companies.
        • Simpler rule. Make every corporation return its income to its shareholders, tax the shareholders and let them use the money they have left to invest however they want. There are a lot of small corporations that already work that way.

      • That's kind of what that (tired and overused term) "late stage capitalism" is: monopolies, oligopolies, and lack of competition.

        So "late stage capitalism" started in the 1800's? In theory we broke up those monopolies in the United States around 1900 with anti-trust laws. In practice, the modern Supreme Court has gutted those laws. That is not surprising when the entire court attended one of two law schools, both of which focus on training lawyers to serve large corporations.

        • Yes, the late 1800s-1920s was peak late stage capitalism, but the threat of communism made it change its ways and play nice for like 30-40 years, but then people were successfully indoctrinated into letting capitalism run amok by successive waves of red scares and the USSR collapsed, and now here we are again. Every time capitalism survives a brush with its late-stage phase, it means we will suffer through another one, but with more automation, surveillance and means of control.

    • Re:Monopolism (Score:4)

      by Brain-Fu ( 1274756 ) on Tuesday October 28, 2025 @01:14PM (#65756128) Homepage Journal

      Part of the government's job is to protect the health of the economy by breaking up monopolies and enforcing anti trust law. This is necessary in order to ensure that there remains opportunity for competition.

      It isn't an easy thing to do, of course, especially when those with the most political power are the very monopolies and cartel bosses being regulated, but it is a necessary element of a healthy capitalistic economy.

      Our current government isn't doing a very good job of that. And so, predictably, here we are.

  • Elon should just shut up. (Score:4, Informative)

    by Puls4r ( 724907 ) on Tuesday October 28, 2025 @12:29PM (#65756016)
    X uses AWS.
    Bluesky uses AWS.
    Signal uses AWS.
    Telegram uses AWS.
    Instagram used AWS, now Facebook.
    TikTok uses AWS and Google.

    Elon should go back to doing drugs and insulting Trump.

  • roll your own (Score:4, Insightful)

    by awwshit ( 6214476 ) on Tuesday October 28, 2025 @12:30PM (#65756022)

    How did these cloud providers get to be "hyperscale"? They didn't start hyperscale, they grew into hyperscale.

    Signal too could buy its own hardware, and put it in datacenters that they own or lease. No one is dependent on cloud providers, everyone can run their own hardware. Cloud providers have done a good job of convincing people not to run their own, there is nothing like instant gratification (at whatever cost). I'd guess Signal could save money running their own hardware.

    • Yeah, but that takes effort.

    • At that scale, anyone would save massive money if they had a basic emulation layer to make their private environment look like AWS. That's likely part of it - Amazon uses a lot of open source software but they tweak it and nothing is exactly the same. The problem is either having to go multicloud during the transition (paying double) or having to cut over, not to mention rewriting parts of your software to work with non-AWS infrastructure.

      • Arguments to never start with AWS. Signal didnt benefit from their provider's availability zones, maybe they don't care to be more robust but want to tell a different story.

  • A corporation should start life as it's own entity an be required to end as it's own entity. No mergers or buy outs by other corporations.

    • >A corporation should start life as it's own entity an be required to end as it's own entity. No mergers or buy outs by other corporations.

      Such a rule would be too easy to work around: Instead of "selling yourself" as part of a merger, sell your assets, little by little, to the company you want to be absorbed by, and passing the profits on to your stockholders as a special dividend (sadly for the stockholders, this will mean taxes on dividends). When you are down to nothing of value beyond your corpora

  • In the thread, Whittaker says the number of people who didn't realize Signal uses AWS is "concerning," as it indicates they aren't aware of just how concentrated the cloud infrastructure industry is.

    Why do you need cloud?

    It's expensive. It puts an additional layer of potential failure. It makes you dependant and locks you in. The list just goes on and on. It might makes sense for a startup that doesn't want to commit to capital investment but even then there are less expensive options.

    • It costs less, and it requires magnitudes less skill. No thinking or analysis or hard work is required. That's the reason(s).
      That's what MBA groupthink and software monoculture gets you.
      Common logic among mid to C suites is "you'd be crazy to build what you can buy for cheaper"
      CRAZY, I say! <slams table>

      Until there is a worldwide outage, and you don't look so smart anymore as billions in sales or whatever is lost.
      So until Management puts a value on self reliance, this will continue.
      Sad. Pretty much ev

      • Until there is a worldwide outage, and you don't look so smart anymore

        Except everyone just looked to Amazon for the blame. Not one company was heavily blamed for relying on AWS. But if they moved to private infrastructure every blip or outage would be their own fault with no finger to point.

  • This isn't the network we tried to build (Score:5, Insightful)

    by Arrogant-Bastard ( 141720 ) on Tuesday October 28, 2025 @01:06PM (#65756110)
    We tried to build a resilient network of interoperating but not interdependent systems. Each time we had to make a design and implementation compromise -- for example, DNS -- we argued at length about its merits: was the convenience or the performance or the abstraction worth the price in reliability or security or simplicity? Those debates are long-forgotten by now, of course, but we did have them and we tried to engineer the best possible decisions we could.

    That was then. This is now. Back then, we thought about the long-term good of the network and its prospects for helping human society. Today everyone is thinking about next quarter's profits and nobody cares about the impact on people. And thus the original architecture of the network has been subsumed by a relatively small number of operations which in turn are in the critical path for hundreds of thousands of operations. The network is now -- ironically -- far more fragile than it was when we cobbled together connections between the ARPAnet, Usenet, CSNet, and BITnet with spare parts.

    It's now entirely plausible that an adversary with a budget of under $1M US could cripple the country for days to weeks, disrupting air travel, commerce, utilities, telecommunications, etc. via simultaneous attacks on just a handful of operations. And the budget to do the same to other countries may be considerably smaller.

    We can't fix this. We're old and dying off, and those few of us who are left are dismissed as out-of-touch and obsolete. It will be up to those of you who are much younger to reverse this by pushing -- hard -- to move things back to as distributed an architecture as possible. Good luck.

    • Engineers don't make decisions. Profits do.

    • Doesn't this make it a bit of a zero sum game, since everyone can essentially take out everyone else?

    • >It's now entirely plausible that an adversary with a budget of under $1M US could cripple the country for days to weeks,

      About 5-10 years ago I read that there were 2-3 dozen electrical substations that, if a key component at each one was taken out all at once, would cause major disruptions for large parts of the United States for years.

      If you knew where these 2-3 dozen substations were, you might be able to take them all out at once for a budget of $10M (think: drone with bomb). Granted, $10M is far fr

  • Misleading premise (Score:3)

    by flink ( 18449 ) on Tuesday October 28, 2025 @02:42PM (#65756382)

    It's not like we lost something here. Before AWS and other cloud providers came along, it was simply impossible to stand up a global video conferencing network without a massive capex and ongoing maintenance costs if you weren't already a telco or backbone internet provider.

    If all Signal wanted to do was exchange text coms with occasional images, they could still rent a handful of colo racks and be in pretty good shape.

    Complaining about limited options to source a global multimedia streaming network solution is like complaining about limited options for contractors to put a satellite in orbit. Well yeah, it's a niche expensive service with huge startup costs. The fact that you can buy such a service at all is pretty amazing.

  • Why would you need AWS for exchanging just small text ? It is not true for emails. It is not true for messages either. Just use any federated text services. All of them have a very good support for encryption client to client.

  • big telcos worldwide (vodafone, orange, telefonica, destuche telekom) offer opestack clouds. ditto for other cloud actors (4th place biggest cloud onwards)

    so signal could be running in 3 or four DIFFERENT openstack clouds so, if one fails, the others pick up

    is just lazziness and herd mentality...

  • Another reason I guess I had no clue AWS was down that day, I was on Session all day long and a friend sent me a message thru Session that AWS was down that day. I was on Signal using Linux distros and Android phones, till I tried Session and found, wow, ok, so, no persistent connection to AWS, which means it stays online if AWS goes down (which at the time seemed improbable). Still, nice to have the alternative that stays connected no matter what.

  • One of the things myself and mates are testing is Delta Chat (https://delta.chat) over chatmail relays - it works surprisingly well, and the new design of chatmail relay onboarding is pretty darn easy. Using it is just fine (the UI is dated, could use a designer); I was worried about battery use but it seems to do a really good job, down at the 2% level with regular use since it's not using push tech, instead having to poll.

  • Why not use peer-to-peer encrypted messaging solutions that don't need central severs?

    https://jami.net/ [jami.net] is one such system (I have no connection to it, I just think its a good system)

  • Companies like Signal relying on "The Cloud" says a lot about a company who's main product is technology. This is a question of Opex vs Capex where Opex wins. When Signal were starting out and had just created the app, I 100% agree that AWS might have been a good platform to get the company started. As soon as you were established (as you have been for years now), the move /should/ have been to in-house this. This is your main product, why would you rely on a vendor for your entire sustainability? You'd p

Slashdot Top Deals

No extensible language will be universal. -- T. Cheatham

Close