Granted, the part
The globally recommended app by privacy and security experts, Signal, is now being downloaded massively and tops the Danish Google Play Store
is a little ironic, but you gotta push this winning tide and then work from that.
Granted, the part
The globally recommended app by privacy and security experts, Signal, is now being downloaded massively and tops the Danish Google Play Store
is a little ironic, but you gotta push this winning tide and then work from that.
It’s e2e encrypted. Although, as I noticed, the key is just a short pin, unless you use password, but the recipient might not use it and your messages are just as secure as your recipient.
The PIN isn’t actually the encryption key, it’s just a display lock for the local client. But if whoever wants to read your messages has physical access to your phone and already bypassed the normal android lockscreen, you’re fucked anyway.
Facebook Messenger also claims to be end-to-end encrypted… There’s literally no way of knowing if they can decrypt your messages.
The only way to know is to host it yourself and preferably use post-quantum secure encryption.
The other party is always the weakest link.
But also signal’s pins are a little more complicated than that, but you’re right, switch to a passphrase.
Plus side, even if signal themselves edited the secure enclave, the world would need a new client pushed and probably notice something was off.
The way signal’s encryption works is really an art in paranoia.
Not if the US have the support of Google.
Totally not how the APK teardown community works, but ok.
How does APK teardown help if Google can replace the app unnoticed?
Because there will always people running Signal from a different source, and only one of them is sufficient to notice the server has been tampered with.
(And I’m not sure if they have reproducible builds yet, but if they do, people can also verify that even the Google Play-provided APK does or doesn’t match the published source code.)
Which server?
People don’t control their phone. There is no way of knowing if the installed app is the one that is running.
The server running Signal’s server-side code.
Some do, and that’s the point: if there’s an attempt at tampering, interested security researchers can detect it.
What could a client detect? Signal is a US company and will comply with the government. The server can’t be trusted.
They can detect if a different app was installed from the store on their phone. That’s not useful for anybody to know if their own app is unaltered. Only people of interest will receive a manipulated client. So there is no security in knowing that some people received the original app.
Besides, Google runs the OS. They can change the app at runtime.
And? That doesn’t help at all if the US government decides to force Signal to stop servicing Denmark.
It helps in that they still can’t read your messages. The EU is likely to make e2e messaging illegal before the USA cuts access.
You can’t really make e2ee messaging illegal, at least it is impossible to enforce with decentralized open-source messengers.
It is much more likely that the US will mess with Signal, than that you will stop being able to use an e2ee messenger like XMPP, which is just as secure as Signal regarding the e2e encryption.
The issue is that it’s already pretty hard to convince people to use something easy like Signal, most people just don’t care enough for something “complicated” like XMPP-based messengers, especially if mainstream app stores had to stop letting EU-based users install messengers with these features.
Well, yes. But when it comes to digital independence Signal isn’t better than WhatsApp. At least recommend something like Threema if you think the much better alternatives are too hard.
Except Meta fully owns the WhatsApp metadata, and frankly Signal is a lot more trustworthy about its e2e implementation being actually, in practice, secure.
All you need is a central registry where licensed messengers register their e2ee connections. Then network providers only have to report all ip addresses with connections that are not on that list.
Impossible with VPNs, but politicians have already announced their desire to make them illegal.
What? You are not making much sense. What is a “e2ee connection”?
An encrypted connection between two endpoints.That’s required for “decentralized open-source messengers”.
Currently it’s impossible to prevent because of all the encrypted video calls of the Meta messengers and similar connections between endpoints.
If those video streams are marked then it is known which endpoints use software that evades surveillance.
I am not sure you understand what you are talking about. There is no easy way to distingish between different connections and pretty much all internet traffic is encrypted these days.
My argument is that a central registry, where all controlled software registers their connections, is all that is needed to identify the connections that are outside the control of the surveillance state.
Oh that’s another consideration indeed.