GM Nostr.
What do you think the chances are that Signal is compromised?
Discussion
I believe when they do "quantum resistance" they are putting in the backdoor
I think it’s exceedingly unlikely signal is compromised given the way they are open source with various ways of verifying builds.
Rabble- doesn't it impossible to really answer if we don't know what code runs server-side?
Also, FYI There is the Molly fork of signal which is FOSS including push notifications, and which still connects to the signal servers.
If you find yourself forced to use a network that is under the control of, designed by and/or operated by a potential adversary, then you're going to need end to end encryption.
- Phil Zimmermann
Yeah. I think the encryption is unlikely to be compromised. But given the centralized identity servers the metadata could easily be compromised.
I've always assumed Signal encryption is compromised. That's why it gets pushed so heavily by the 3 letters.
I've always assumed it was NSA, or Navy Intelligence.
Development funded by CIA recently.
What are the alternative options?
Session
SimpleX
Nextcloud Talk (self-hosted for family)
0xChat (Nostr)
Keychat (Nostr)
Signal the Protocol is good, & these are good adaptations of it.
#SimpleX is what I recommend most typically among my circle. The basic idea of "2 relays, 1 per side, instead of one signal dot com for both sides of the chat" is a really easy no-cost privacy-win concept to communicate to technotypicals 🙂
Awesome I haven't heard of oxchat or nextcloud talk.. thanks for that.
How does 0xchat call privacy compare to the others? Guessing its routed through their servers
You can go to settings and use your own ICE servers
Not sure on the details. 0xChat has written about it.
GM, more thank zero
Dm bro
Isn't the problem that they could be compromised enough already? Here's some thing that could eventually lead to issues:
1. They have your phonenumber. Which in 99% of the world means it will lead to you when things get "seized" (stolen).
2. Their servers are centralised meaning that if things get "seized" (stolen) they may at some point find a hole, or a a brute force attack vector that will be able to do something with that data.
I am not saying it is not secure (right now) or you should not use it, but it makes it really easy to apply a lot of pressure on a single point and that is something you have to consider if you need absolute privacy.
💯💯💯 this is exactly the issue. But there are definitely degrees of “compromised”.
Signal has for years been an issue in that it is only distributed officially on the official repositories for Android and iOS. And this opens you pretty wide up to have an update pushed, as these repos are tantamount to a root kit.
Moxie Marlinspike has had this issue brought to his attention for years at this point, and his unwillingness to truly address it speaks volumes.
At the end of the day it all depends who you're trying to ensure privacy from. If it's the NSA, you really should consider using One Time Pad cryptography, which is unbreakable when implemented correctly, but is far from convenient. Anything else should be considered to be taking short cuts -- which are always going to be worth weighing the risk/benefits of.
The desktop app still has the vulnerability that was disclosed in 2018. It's not a direct vulnerability in the encryption that Signal uses but if you can get access to someone's computer with malicious software or physical access you can mirror their signal app.
The hand waving from Meredith Whitaker saying it's not a problem was odd.
Hmmm. I hadn't realised that exploit was so old. Definitely odd.
99.9%. Ever seen gov attack Signal? That’s your clue
Uh, yes. Many times.
https://ooni.org/post/2021-how-signal-private-messenger-blocked-around-the-world/
https://www.reddit.com/r/signal/comments/onvcw0/list_of_countries_who_banned_signal/
https://www.theverge.com/2024/8/9/24217008/signal-blocked-venezuela-russia
The US gov. has access to signal. Through the US gov all friendly states have access to data in signal.
That is why the CEO of signal is not put under arrest and anti US gov try to block signal
Not blocked but compromised in the sense that three letter agencies have access to some degree of data.
Didn’t Tucker Carlson claim that his signal messages were intercepted by the NSA when he was trying to arrange an interview with Putin ?
Even assuming Tucker is not just full of shit (big assumption), all you really know is they somehow got wind of that interview. NSA have a lot of ways to wiretap people, so he's just speculating it's through Signal.
Yeah. That sounded a little rich. They probably had lots of other and easier ways to listen in on his phone.
The actual E2EE conversations are secure: The encryption is Open Source and well audited, and the apps have reproducible builds on all platforms were that's possible. If anybody claims Signal can read your messages that's BS IMO.
That said, Signal have copped some criticism that they still need a phone number for sign up. IIRC they said want Signal to be a drop in replacement for WhatsApp and to have easy onboarding via SMS. But the paranoid take would be that it's also a easy metadata id for everyone on the app, so you can see who is talking to who, even if you don't know what they're saying.
Personally I'm fine with the tradeoff for being easy to use and normie friendly though. Like, if you are personally targeted by a alphabet agency it's probably not safe for you to use a phone at all regardless of what app you're using.
If you're really concerned about this you can switch to SimpleX, but personally I feel like that's overkill in most people's threat model. Just don't go to Telegram instead, they cast a lot of FUD on Signal's security even though they're worse in every way.
GM. Wouldn't be surprised but I hope not.
I don't necessarily think so. But everything depends on your threat model. For most people it is safe enough, besides being difficult to even get people to use Signal, it would be damn near impossible to get normies on SimpleX or Threema.
That has absolutely been my experience. I'm getting them on my self-hosted Snikket, though, somehow. It's like a glitch in their programming.
If your threat model includes people breaking down your door and interrogating (torturing) you, the messaging app or security don’t really matter since you’ll give them anyway. Shamir secret sharing is used by companies that needs security, along with guards, double entrance security doors, offline / airgapped devices, etc…
Idk that feels like bs. If you're super paranoid then you probably don't trust anything you aren't hosting yourself. Extraordinary claims require extraordinary evidence IMO.
Yeah. I tend to agree. But pragmatically. I also think most internet connected systems are compromised to one degree or another.
Signal does feel too good to be true.
🤷
Even if it’s compromised by state actors it’s still strictly better than SMS and other unencrypted options. Staying out of the public/corporate dragnet is still a huge step up in privacy from where most of the world is at right now.
💯 all steps in the right direction. We’ll make another big step forward soon.
any service that uses personal cell phone numbers is a target
what are alternatives then? #asknostr
SimpleX Chat
Open source, non need for a mobile number