@rysiek @djm62 @signalapp the randos argument seems to be "if you add randos to a signal chat, they'll be able to read your messages, so it's not secure" 🤦
When I get beef from the butcher it's not vegetarian 🤷
The only reasonable criticism one could level at Signal is that their reliance on AWS means their operations can be interdicted by the US government.
Not as in: "The US can read your messages"
But as in: "The US could deny them service, and it would cause an outage and the need to rebuild that part of the infrastructure on other continents"
But that is not a concern for laymen who likely also rely on a bunch of other services that are at least as interdictable.
@androcat indeed, and it is a valid criticism. I would also like @signalapp to be federated, for example.
But that doesn't mean that – as some people imply or outright claim – Signal is "insecure" or "broken" or "dangerous". Anyone who's making such claims without hard proof is harming people.
I know you know this, I just feel this needs to be spelled out.
Indeed, that would be a ridiculous accusation.
Operational security is important, for sure, but not as important as informational security in this case.
Telegram is the dangerous one, because it is decrypted towards the back end, and the back end is owned by literal far right crackpots.
@androcat plus, Telegram broadcasts user IDs unencrypted on the wire, even with messages encrypted to the keys the servers hold:
https://rys.io/en/179.html
Telegram is indistinguishable from an FSB honeypot
@rysiek @signalapp The only caveat with Signal I know of, when it comes to security, is that it is only as secure as your mobile device.
Keep it up to date. Use strong passphrases. Use GrapheneOS if you can afford a device that has it. Otherwise, use Lockdown Mode on iOS.
@alwayscurious @signalapp that's going to be true for any IM app.
@rysiek @signalapp That is true, but it isn’t obvious to many.
The other thing that can be tricky with Signal is message backups.
@rysiek @signalapp Why does it ask about a phone number?
@rocking_horse @signalapp probably to make account recovery simpler. I would like it to not require it either, and some work has been done to make mobile numbers less important in Signal, so maybe that will happen one day.
@rysiek @signalapp In this simple way, privacy is abandoned. I think this is not a coincidence but a deliberate action.
@rocking_horse by taking something like this and blowing it up to "privacy is abandoned" despite all the effort @signalapp demonstrably puts into protecting privacy – with stellar track record – you are misrepresenting the issue, misinforming people, and potentially putting a lot of folks who are entirely safe and secure on Signal in danger.
I think this is not a coincidence but a deliberate action.
It's the equivalent of "mercury in vaccines" conspiracy theory in the context of InfoSec.
@rysiek @signalapp And all that stuff you generated from the simple fact that Signal forces you to share your private phone number?
@rocking_horse you seem to be the one taking a small issue – the fact that Signal requires a phone number upon registration – and blowing it up to the level of "privacy is abandoned".
I merely commented on that.
By the way, I gave a talk about (among others) how the phone number thing in Signal is an issue and I'd like it to not be an issue:
https://media.ccc.de/v/mch2022-196-signal-you-were-the-chosen-one-
But there is a world of difference between mentioning an issue, and blowing it out of proportion. One is helpful, the other is harmful.
@rysiek@mstdn.social @signalapp@mastodon.world @rocking_horse@mastodon.social Afaik it was about fighting spam abuse and to make moving away from SMS easier (you could just start texting others in your contact list instead of having to first get their ID etc)
@MarkAssPandi @rysiek @signalapp This simple thinking may have happened in the past, but enough years have passed to realize that it is usually about obtaining private numbers.
@rocking_horse you are publicly making a claim about @signalapp's intent here.
I would like you to substantiate that claim somehow. "I have a hunch" is not enough.
I would also like you to spell out *why* you think they would want to obtain phone numbers. You are making it sound somehow bad or malicious, even though non-malicious explanations for this have been provided.
So what, exactly, are you implying that Signal is doing with those phone numbers that is so evil?
@rysiek @signalapp @MarkAssPandi I'm talking about the simple fact that #SignalApp asks for private phone numbers. I think that people are smart enough to understand that this is not for their privacy.
How would you compare Signal to Threema?
@pacs I have not seen major red flags about Threema.
It had some major security issues four years ago:
https://breakingthe3ma.app/
It seems they took researchers seriously and fixed those issues in a timely manner. That said, these *were* serious issues, and if similar issues happened to be found in Signal I would get worried about Signal – but not enough to ditch it.
The fix was to deploy a new protocol, which was a reasonable decision, but which the researchers in question have *not* looked at.
@rysiek @signalapp The best and safest option is Keet by Holepunch. No servers involved.
@rysiek Agree on the former, but I think there are certainly folks whose infosec needs preclude @signalapp that don't know it, so it's good to spell out.
@pettter @signalapp sure. And they should ask people who might help.