Right now there are a lot of new eyes on Signal, and not all of them are familiar with secure messaging and its nuances. Which means there’s misinfo flying around that might drive people away from Signal and private communications. 1/
Discussion
One piece of misinfo we need to address is the claim that there are ‘vulnerabilities’ in Signal. This isn’t accurate. Reporting on a Pentagon advisory memo appears to be at the heart of the misunderstanding: https://npr.org/2025/03/25/nx-s1-5339801/pentagon-email-signal-vulnerability. The memo used the term ‘vulnerability’ in relation to Signal—but it had nothing to do with Signal’s core tech. It was warning against phishing scams targeting Signal users. 2/
nostr:nprofile1qqsfhcskzx35zsnwj9rz2lz5z70z95tchd75zphzglwl8eg8k7v956cpz4mhxue69uhhyetvv9ujumt0wd68ytnsw43q80udzz when can users replace phone numbers with npubs? I'm willing to pay Bitcoin to Signal for having non-KYC access without a phone number.
Try nostr:npub1exv22uulqnmlluszc4yk92jhs2e5ajcs6mu3t00a6avzjcalj9csm7d828
How about the #Signal desktop app vulnerability for which one contact in a group message using Signal desktop could expose the chat conversation because of the lack of encryption? I’m not familiar with the details of the issue but my understanding is that it hasn’t been fixed.
#SignalApp
You're likely talking about the issue where the keys for the SQLite database were stored in plaintext on disk.
That's been fixed reasonably well on Mac. On Windows & Linux the database keys are in the OS's keychain (or Secret Service or whatever they call it), but any app running as that user can just get them in plaintext, just like they could when they were on disk in plaintext.
Signal has a history of collecting everyone's phone numbers even after usernames were finally implemented, blocking open source clients from being in the stock F-Droid repos, taking years to partially fix the plaintext keys thing, not actually having public code to run a server that actually works, not allowing 3rd party clients to connect to their centralized servers and so on...
Having said that, their crypto was still legit last time I looked at the code. Metadata protection is lacking, but that's going to be true of nearly every centralized service.
Threads aren't a thing on nostr... This is dumb ... Just post a long form note SMH
It wasn’t until nostr:nprofile1qqswj6g3yk86hd7zxhlmkpfvj6s8h7gl8mu3e7srde85gt7jxvszv8cpzpmhxue69uhkummnw3ezumrpdejqzyrhwden5te0dehhxarj9emkjmn9lyk0ed retweeted this that I knew nostr:nprofile1qqsfhcskzx35zsnwj9rz2lz5z70z95tchd75zphzglwl8eg8k7v956cpz4mhxue69uhhyetvv9ujumt0wd68ytnsw43q80udzz had an npub. Based.
Thread on nostr