• trailee@sh.itjust.works · ↑2 · 30 minutes ago

    Software engineering is so often dominated by a move fast and break things mentality, driven by a rush to deploy and scale and profit, with the ability to fix problems with later updates. It’s a very immature process compared to every other engineering domain, because fix-it-later is much more difficult, expensive, and dangerous when it’s a bridge, building, airplane, or anything else tangible (although Boeing did a great job of destroying engineering process and accountability after the MBAs took control away from the engineers).

    The work detailed in this Signal blog post is clearly slow and methodical, with continual checks for correctness and curiosity for optimal solutions driving careful experimentation. Building on existing proven PQ standards and keeping their refinements open for public academic feedback is wonderfully responsible. Building formal correctness proofs into CI and blocking trunk merges is spectacular.

    They’re doing everything right, even years after Moxie Marlinspike’s departure. Bravo! Working this way is very expensive and requires absolute support from upper management. I’m definitely a fanboy for Meredith Whittaker and the direction she’s running the organization. Hell yeah!

  • sadfitzy@ttrpg.network · ↑3 ↓11 · 5 hours ago

    Keep in mind, pedophiles don’t use Signal.

    They use Matrix, which is a real thorn in the side of the authorities trying to catch them.

    Hopefully this gives you some insight into which platform is more private.

    • Novaling@lemmy.zip · ↑3 · 39 minutes ago

      Considering Signal has been subpoenaed several times and it has been proven in court that the only thing they can give the feds is:

      1. Do you have an account with Signal? (Registered Phone #)
      2. When did you make the account?
      3. When did you last connect to the service?

      I don’t think it’d be in their best interest to lie to the feds 6 times. You can quite literally read the subpoena for yourself, such as the most recent one in August 2024, which is only 2 pages long.

      • Korkki@lemmy.ml · ↑2 ↓9 · edited · 6 hours ago

        Central servers, basically. Funded by ex-Meta people and endorsements from western governments (general “if it’s popular then it’s compromised” suspicion). Also it requires your phone number and gathers things like contact info from the phone, even if one assumes the messages are secure. Basically it could be seen as relinquishing a list of potential associates…

        I don’t think Signal is insecure, in a sense. It’s just secure for nobodies or anybody who wants to use it in non-western countries against governments hostile to the west or designated as regime change targets. I however don’t think it’s much more secure than WhatsApp for a high-profile pro-Palestine activist, for example. It’s a privacy tool for some and a honeypot for others, depending on how they relate to the US security state and western governments. What’s better for an intelligence agency than to have control of the globally used private communication tool?

        • Passerby6497@lemmy.world · ↑17 · edited · 5 hours ago

          TL;DR: you have nothing other than baseless suspicion of an open source protocol that’s been reviewed by tons of security people and is widely considered secure by people who actually know what they’re talking about.

          Also, WhatsApp literally runs on the Signal protocol, but it’s Meta, so comparing them is stupid; considering Meta is involved, your privacy is assumed to be bad/nonexistent.

          • Korkki@lemmy.ml · ↑2 ↓4 · 5 hours ago

            Of course I don’t have any concrete proof. If there was concrete proof we shouldn’t be having this conversation. My main issue is that it’s centralized and that’s a huge black box. People obsess over this “but the protocol is open source” like headless chickens when that’s not the issue. Open source is like step one when it comes to private and secure messaging. It just comes down to whether you trust the devs and those doing the hosting. When it’s central, all of that trust rests on that one group and their hosting service not fucking you over, whether or not they can read the encrypted messages themselves. I’m not concerned about Signal keeping people’s dick pics private here; for that even WhatsApp is as good as any.

            I see I made the mistake of coming to an obvious fangirl meeting to have a serious discussion about security merits.

            • trailee@sh.itjust.works · ↑2 · edited · 1 hour ago

              “Of course I don’t have any concrete proof.”

              “serious discussion about security merits.”

              Those two don’t go together, bud.

              “It just comes down to if you trust the devs and those doing the hosting.”

              Ok so let’s talk about “ex-Meta” Brian Acton walking away from nearly a billion dollars due to his moral stance on private communication. Or Meredith Whittaker’s determination to pioneer a tech business model other than surveillance capitalism.

              You’re absolutely right that it comes down to trusting the devs, which is why WhatsApp is a nonstarter even though it uses Signal’s E2EE. Europe’s chat control proposal doesn’t need to break E2EE; it just needs to demand that the messaging client app scans all content locally before encrypting and has a way to tattle. Meta could also be scanning everything you type into WhatsApp and feeding it into a local AI advertising-interests summarizer or whatever else, and still claim E2EE. The open source client is far more important than an open source server when there’s proper E2EE.

        • einkorn@feddit.org · ↑8 · 5 hours ago

          And how is the central server supposed to know anything when every message it transmits is verifiably e2e encrypted?

          • Korkki@lemmy.ml · ↑3 ↓5 · 5 hours ago

            Even if we assume that a man-in-the-middle attack is impossible with Signal, intelligence agencies care more about metadata anyway. Remember that getting meaning from terabytes of daily messages hasn’t really been a viable way to mass-spy on anybody until very recently, since you needed humans to read them individually to get any wider sense of chat logs. If they know who talked to whom and when, they can build social graphs and get a list of suspects when everybody is tied to an identifiable phone number. Yeah, they won’t directly get an incriminating chat of somebody ordering drugs, but they can go nab the dealer and their associates with that info. Or they can have a group of key activists followed if they know that messages between these people spike just before a protest happens.

    • black_flag@lemmy.dbzer0.com · ↑3 ↓1 · 5 hours ago

      It’s actually way simpler than that. It was funded by the CIA for a long time because it was used to support insurgencies that the CIA was into. They pulled that a while back because Americans were getting into it, hence all the calls for donations in the past several years.

      Too bad I forgot where I heard this. May not be true, idk, who knows these days. But it makes sense.

      • Korkki@lemmy.ml · ↑1 · 5 hours ago

        Yeah, there was some Radio Free Asia money connection with Open Whisper Systems, which is now Signal.