Granted, the part

> The globally recommended app by privacy and security experts, Signal, is now being downloaded massively and tops the Danish Google Play Store

is a little ironic, but you gotta push this winning tide and then work from that.

  • poVoq@slrpnk.netM
    1 month ago

    Like one of the main things Signal is really terrible at given that it is based in the US and hosted on AWS servers 🤦

    • VisionScout@lemmy.wtf
      1 month ago

      Besides being hosted on the AWS servers, there’s no way to check if what’s running there is the same as the published code. That’s why I don’t use Signal.

      When the Signal Foundation is losing money every year, I can just wonder what will happen when the money runs out. Even the good guys need to eat.

      Or what will happen when Trump decides to seize the AWS servers running the Signal application server.

    • fxdave@lemmy.ml
      1 month ago

      It’s e2e encrypted. Although, as I noticed, the key is just a short PIN, unless you use a password, but the recipient might not use it and your messages are just as secure as your recipient.

      • Dionysus@leminal.space
        1 month ago

        The other party is always the weakest link.

        But also Signal’s PINs are a little more complicated than that, but you’re right, switch to a passphrase.

        Plus side, even if Signal themselves edited the secure enclave, the world would need a new client pushed and probably notice something was off.

        The way Signal’s encryption works is really an art in paranoia.

        • plyth@feddit.org
          1 month ago

          > the world would need a new client pushed and probably notice something was off.

          Not if the US have the support of Google.

              • Vincent@feddit.nl
                1 month ago

                Because there will always be people running Signal from a different source, and only one of them is sufficient to notice the server has been tampered with.

                (And I’m not sure if they have reproducible builds yet, but if they do, people can also verify that even the Google Play-provided APK does or doesn’t match the published source code.)
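
The check described in the comment above (does a store-provided APK match one built from the published source?), sketched as an added example that is not part of the thread and not Signal's own tooling. The function names and the sample archives are constructed for illustration; only v1 (JAR) signature files under `META-INF/` are excluded from the comparison.

```python
import hashlib
import io
import re
import zipfile

# v1 (JAR) signing files: expected to differ between a store-signed and a self-built APK.
SIGNATURE_ENTRY = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")


def entry_digests(apk_bytes):
    """Map each non-signature entry name to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if SIGNATURE_ENTRY.match(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(apk.read(info)).hexdigest()
    return digests


def compare_apks(store_apk, built_apk):
    """Report entries that are extra, missing or different in the store APK."""
    store, built = entry_digests(store_apk), entry_digests(built_apk)
    common = store.keys() & built.keys()
    return {
        "only_in_store": sorted(store.keys() - built.keys()),
        "only_in_build": sorted(built.keys() - store.keys()),
        "content_differs": sorted(n for n in common if store[n] != built[n]),
    }


def make_apk(entries):
    """Build a constructed in-memory ZIP standing in for an APK (hypothetical helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed sample data, not real Signal artifacts.
BUILT = make_apk({"classes.dex": b"dex-from-source", "res/layout.xml": b"<ui/>",
                  "META-INF/CERT.RSA": b"self-signed"})
STORE_OK = make_apk({"classes.dex": b"dex-from-source", "res/layout.xml": b"<ui/>",
                     "META-INF/CERT.RSA": b"store-signed"})
STORE_BAD = make_apk({"classes.dex": b"dex-with-extra-code", "res/layout.xml": b"<ui/>",
                      "lib/extra.so": b"unexpected", "META-INF/CERT.RSA": b"store-signed"})

if __name__ == "__main__":
    print(compare_apks(STORE_OK, BUILT))
    print(compare_apks(STORE_BAD, BUILT))
```
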

                • plyth@feddit.org
                  1 month ago

                  > notice the server has been tampered with.

                  Which server?

                  > doesn’t match the published source code

                  People don’t control their phone. There is no way of knowing if the installed app is the one that is running.

                  • Vincent@feddit.nl
                    1 month ago

                    > Which server?

                    The server running Signal’s server-side code.

                    > People don’t control their phone. There is no way of knowing if the installed app is the one that is running.

                    Some do, and that’s the point: if there’s an attempt at tampering, interested security researchers can detect it.

      • poVoq@slrpnk.netM
        1 month ago

        And? That doesn’t help at all if the US government decides to force Signal to stop servicing Denmark.

        • rumschlumpel@feddit.org
          1 month ago

          It helps in that they still can’t read your messages. The EU is likely to make e2e messaging illegal before the USA cuts access.

          • poVoq@slrpnk.netM
            1 month ago

            You can’t really make e2ee messaging illegal, at least it is impossible to enforce with decentralized open-source messengers.

            It is much more likely that the US will mess with Signal, than that you will stop being able to use an e2ee messenger like XMPP, which is just as secure as Signal regarding the e2e encryption.

            • plyth@feddit.org
              1 month ago

              > at least it is impossible to enforce with decentralized open-source messengers.

              All you need is a central registry where licensed messengers register their e2ee connections. Then network providers only have to report all IP addresses with connections that are not on that list.

              Impossible with VPNs, but politicians have already announced their desire to make them illegal.

            • rumschlumpel@feddit.org
              1 month ago

              The issue is that it’s already pretty hard to convince people to use something easy like Signal, most people just don’t care enough for something “complicated” like XMPP-based messengers, especially if mainstream app stores had to stop letting EU-based users install messengers with these features.

              • poVoq@slrpnk.netM
                1 month ago

                Well, yes. But when it comes to digital independence Signal isn’t better than WhatsApp. At least recommend something like Threema if you think the much better alternatives are too hard.

                • rumschlumpel@feddit.org
                  1 month ago

                  Except Meta fully owns the WhatsApp metadata, and frankly Signal is a lot more trustworthy about its e2e implementation being actually, in practice, secure.