Michał "rysiek" Woźniak · 🇺🇦
@rysiek@mstdn.social  ·  activity timestamp 6 hours ago

PSA: @signalapp remains the most secure, privacy-preserving general purpose IM app safely and easily usable by non-techies.

👉 Don't let some randos on social media convince you otherwise.

If your very specific information security requirements meant you'd need to be using some other tool, you would have already known that, and would not be taking advice from social media posts. 👀

Vegetables are healthier than red meat.
Vaccines work and are safe.
Signal is secure.

#InfoSec #Signal

craignicol
@craignicol@glasgow.social replied  ·  activity timestamp 9 minutes ago

@rysiek @djm62 @signalapp the randos argument seems to be "if you add randos to a signal chat, they'll be able to read your messages, so it's not secure" 🤦

When I get beef from the butcher it's not vegetarian 🤷

Michał "rysiek" Woźniak · 🇺🇦
@rysiek@mstdn.social replied  ·  activity timestamp 3 minutes ago

@craignicol @djm62 yup.

Demi Marie Obenour
@alwayscurious@infosec.exchange replied  ·  activity timestamp 2 hours ago

@rysiek @signalapp The only caveat with Signal I know of, when it comes to security, is that it is only as secure as your mobile device.

Keep it up to date. Use strong passphrases. Use GrapheneOS if you can afford a device that has it. Otherwise, use Lockdown Mode on iOS.

Michał "rysiek" Woźniak · 🇺🇦
@rysiek@mstdn.social replied  ·  activity timestamp 1 hour ago

@alwayscurious @signalapp that's going to be true for any IM app.

Demi Marie Obenour
@alwayscurious@infosec.exchange replied  ·  activity timestamp 25 minutes ago

@rysiek @signalapp That is true, but it isn’t obvious to many.

The other thing that can be tricky with Signal is message backups.

rocking_horse
@rocking_horse@mastodon.social replied  ·  activity timestamp 2 hours ago

@rysiek @signalapp Why does it ask about a phone number?

Michał "rysiek" Woźniak · 🇺🇦
@rysiek@mstdn.social replied  ·  activity timestamp 30 minutes ago

@rocking_horse @signalapp probably to make account recovery simpler. I would like it to not require it either, and some work has been done to make mobile numbers less important in Signal, so maybe that will happen one day.

rocking_horse
@rocking_horse@mastodon.social replied  ·  activity timestamp 18 minutes ago

@rysiek @signalapp In this simple way, privacy is abandoned. I think this is not a coincidence but a deliberate action.

Michał "rysiek" Woźniak · 🇺🇦
@rysiek@mstdn.social replied  ·  activity timestamp 15 minutes ago

@rocking_horse by taking something like this and blowing it up to "privacy is abandoned" despite all the effort @signalapp demonstrably puts into protecting privacy – with a stellar track record – you are misrepresenting the issue, misinforming people, and potentially putting a lot of folks who are entirely safe and secure on Signal in danger.

I think this is not a coincidence but a deliberate action.

It's the equivalent of the "mercury in vaccines" conspiracy theory in the context of InfoSec.

Pacs
@pacs@muenchen.social replied  ·  activity timestamp 3 hours ago

@rysiek @signalapp

How would you compare Signal to Threema?

Michał "rysiek" Woźniak · 🇺🇦
@rysiek@mstdn.social replied  ·  activity timestamp 26 minutes ago

@pacs I have not seen major red flags about Threema.

It had some major security issues four years ago:
https://breakingthe3ma.app/

It seems they took researchers seriously and fixed those issues in a timely manner. That said, these *were* serious issues, and if similar issues happened to be found in Signal I would get worried about Signal – but not enough to ditch it.

The fix was to deploy a new protocol, which was a reasonable decision, but which the researchers in question have *not* looked at.

Pacs
@pacs@muenchen.social replied  ·  activity timestamp 10 minutes ago

@rysiek

Thanks!

Lo Illetterato Lettore
@illetteratolettore@mastodon.uno replied  ·  activity timestamp 3 hours ago

@rysiek @signalapp The best and safest option is Keet by Holepunch. No servers involved.

nemo™ 🇺🇦
@nemo@mas.to replied  ·  activity timestamp 4 hours ago

@rysiek @signalapp

💯 ✅ 💡 👍

pettter
@pettter@social.accum.se replied  ·  activity timestamp 5 hours ago

@rysiek Agree on the former, but I think there are certainly folks whose infosec needs preclude @signalapp that don't know it, so it's good to spell out.

Michał "rysiek" Woźniak · 🇺🇦
@rysiek@mstdn.social replied  ·  activity timestamp 1 hour ago

@pettter @signalapp sure. And they should ask people who might help.
