• NaibofTabr@infosec.pub
    ·
    edit-2
    7 months ago

    The CEO also claims that users' Signal messages have popped up in court cases or in the media, and implies that this has happened because the app's encryption isn't completely secure. However, Durov cites "important people I've spoken to" and doesn't mention any specific instance of this happening.

    [...]

    The Register could not find public reports of Signal messages leaking due to faulty encryption.

    Claims made without evidence can be dismissed without evidence.

    Durov's entire criticism seems to be based on implications and have no actual evidence of any technical problems with Signal. He's basically just throwing shade at a competing business, which amounts to whining.

    • EngineerGaming@feddit.nl
      ·
      7 months ago

      Funny how first association is "eend-to-end encryption is broken" and not, you know, that whoever used the message got hold of one of the "ends".

  • ☆ Yσɠƚԋσʂ ☆@lemmy.ml
    ·
    7 months ago

    I'm always amazed how people come out of the woodwork to defend Signal any time any criticism of it comes up. It's become a sacred cow that cannot be questioned. Whatever you may think of Telegram, should bear zero weight on your views of Signal.

    The reality is that people developing Signal have close ties to US security agencies. It's a centralized app hosted in US and subject to US laws. It's been forcing people to use their phone numbers to register, and this creates a graph of real world contacts people have. This also is terrible from security perspective. It doesn't have reproducible builds on iOS, which means you have no guarantee regarding what you're actually running. These are just a handful of things that are publicly known.

    And then we know stuff like this happens. NSA suggested using specific numbers for encryption that it knew how to factor quickly. The algorithm itself was secure, but the specific configuration of how the algorithm was implemented allowed for the exploit https://thehackernews.com/2015/10/nsa-crack-encryption.html

    These kinds of backdoors are very difficult to audit for because if you don't know what to look for then you won't have any reason to suspect a particular configuration to be malicious. Given the relationship between people working on Signal and US government, this is a real possibility here as well.

    The same kind of scrutiny people apply to Telegram and other messaging apps should absolutely be applied to Signal as well.

    • devraza@lemmy.ml
      ·
      7 months ago

      I’d just like to add that you can use a temporary phone number service to sign up to Signal as you only need a phone number to register, not to actually use Signal.

  • Citizen@lemmy.ml
    ·
    7 months ago

    If one is to compare apple to apples, imho the decision to choose between Signal, Whatsapp and Telegram and other "messengers" is obvious and clear.

    Signal is fully open source! You can run it on-premises, if you know your business!

    Why are we not talking about it?

    I hope my comment will not be discarded/removed as not being in sync with the narative... 😉

    • mox@lemmy.sdf.org
      ·
      7 months ago

      Signal is fully open source! You can run it on-premises, if you know your business!

      Why are we not talking about it?

      Unless something has drastically changed recently, the official Signal service won't interoperate with anyone else's instance. That makes its source code practically useless for general-purpose messaging, which might explain why few are talking about it.

      • Citizen@lemmy.ml
        ·
        edit-2
        7 months ago

        My point is that you have all the open source software components needed to run secure communications, on your own premises, for your own users/community in case you are not trusting Signal's infrastructure.

        If you know any other similar alternative with strong encryption open source protocols please let me know! I love learning new things everyday!

        Cheers!

        • mox@lemmy.sdf.org
          ·
          7 months ago

          on your own premises, for your own users/community in case you are not trusting Signal’s infrastructure.

          Yes, that's an example of data sovereignty. It's good for self-contained groups, but is not general-purpose messaging, since it doesn't allow communication with anyone outside your group.

          If you know any other similar alternative with strong encryption open source protocols please let me know! I love learning new things everyday!

          Matrix can do this. It also has support for communicating across different server instances worldwide (both public and private), and actively supports interoperability with other messaging networks, both in the short term through bridges and in the long term through the IETF's More Instant Messaging Interoperability (MIMI) working group.

          XMPP can do on-premise encrypted messaging, too. Technically, it can also support global encrypted messaging with fairly modern features, with the help of carefully selected extensions and server software and clients, although this quickly becomes impractical for general-purpose messaging, mainly because of availability and usability: Managed free servers with the right components are in short supply and often don't last for long, and the general public doesn't have the tech skills to do it themselves. (Availability was not a problem when Google and Facebook supported it, but that support ended years ago.) It's still useful for relatively small groups, though, if you have a skilled admin to maintain the servers and help the users.

    • The_Dark_Knight@lemmy.sdf.org
      ·
      7 months ago

      Matrix is hsit atm mate stop recommending it maybe one day it will become good but that day is not today also they are said to be scattering metadata and bashes XMPP for no real reason . Briar and SimpleX is the gold standard for now only if they had more users .

      • mox@lemmy.sdf.org
        ·
        edit-2
        7 months ago

        Matrix is shit atm mate

        No, it is not.

        bashes XMPP for no real reason .

        No, it does not.

        Briar and SimpleX is the gold standard for now

        No, they are not. They might fit a certain niche (or could be once they mature) but neither is a good general-purpose messenger, because their goals and designs inherently limit usability.

        No messaging platform fits every use case, but Matrix is great for general-purpose private messaging that anyone, anywhere can easily use, without Google services, without a phone number, and without being vulnerable to shutdown if a single country's laws turn unfavorable. It has other advantages as well. It's not flawless, but is constantly improving, and is already very useful to many people.

        If you have a specific criticism that you can actually support with facts, you could bring it up for discussion. Slinging vague attacks that look a lot like something one might see in a poorly-informed reddit post doesn't help anyone.

        • The_Dark_Knight@lemmy.sdf.org
          ·
          7 months ago

          Its like you have never used it . The clients and servers are laggy federation is shit etc . but you seem to have your mind set no hope in arguing .

          • mox@lemmy.sdf.org
            ·
            7 months ago

            The clients and servers are laggy

            Which ones, exactly? The largest public server was laggy about two or three years ago, but hasn't been recently in my experience, and in any case, you can pick a different server or run your own. I have never seen a laggy client.

            federation is shit etc .

            Again, that doesn't match my experience, and what you've written is too vague to have any useful meaning.

            no hope in arguing .

            Apparently not. Good day.

            • devraza@lemmy.ml
              ·
              7 months ago

              I’ve previously had issues with Matrix being incredibly slow and unreliable with federation (I’m self-hosting). However, that’s pretty much in the past now and I seem to have somehow resolved that issue.

              • mox@lemmy.sdf.org
                ·
                7 months ago

                Which server software are you running? Any recent experience with Conduit or Dendrite?

                • devraza@lemmy.ml
                  ·
                  7 months ago

                  I’ve been using Conduit within a docker container for a while now, and it’s worked pretty well aside from the mautrix-signal bridge (this was fixed in version v7.0.0, I think). Other than conduit, I tried out dendrite, but the latency in sending messages was unbearablex

                  • mox@lemmy.sdf.org
                    ·
                    edit-2
                    7 months ago

                    I wonder if Conduwuit would be worth a try. I don't know anything about the maintainer or what led to the fork, but I see it already has active contributors.

  • The_Dark_Knight@lemmy.sdf.org
    ·
    7 months ago

    Idk how secure telegram is but cmon signal is shady AF . They won't let fdroid have it cause they want to sign their own keys or some shit but there is a speculation its because they can roll out custom apk to targets which governments want which is just not possible if it is hosted by someone like fdroid . Even telegram allows that and they even allow third party apps which signal won't .

    SimpleX and briar is the best option if your actually worried about privacy .

    This comment is copy pasted from another thread where I had the same opinion