
Ask HN: Is Signal still a good app to use for encrypted messaging? - rwol
How secure is it?
======
rmrfstar
Its use of SGX for secure value recovery is highly problematic [1].

@matthew_d_green Twitter feed has a regular stream of high-quality Signal
commentary.

[1] [https://arstechnica.com/information-technology/2020/06/new-exploits-plunder-crypto-keys-and-more-from-intels-ultrasecure-sgx/](https://arstechnica.com/information-technology/2020/06/new-exploits-plunder-crypto-keys-and-more-from-intels-ultrasecure-sgx/)

[2]
[https://twitter.com/signalapp/status/1262844332278603777](https://twitter.com/signalapp/status/1262844332278603777)

------
h2odragon
Probably at least as secure and very likely more so than pretty much any other
option. cite as "random redneck off the internet" and due yer own
dilligencing, of course.

I must say it's preferable for plain old SMS messaging, if nothing else, for
the options it offers and the stable sane behavior.

------
shervinafshar
Depends on what you need. EFF previously used to have a scorecard[1] for all
the messaging applications, but they reconsidered the model of their
recommendation and put together a good set of articles on the topic which ask
questions to consider and provide privacy and tech context. Here's one:
[https://www.eff.org/deeplinks/2018/03/thinking-about-what-you-need-secure-messenger](https://www.eff.org/deeplinks/2018/03/thinking-about-what-you-need-secure-messenger)

The rest are linked from here[2].

[1]: [https://www.eff.org/pages/secure-messaging-scorecard](https://www.eff.org/pages/secure-messaging-scorecard)

[2]: [https://www.eff.org/de/deeplinks/2018/03/secure-messaging-more-secure-mess](https://www.eff.org/de/deeplinks/2018/03/secure-messaging-more-secure-mess)

~~~
harry8
[1] Out of date for archival purposes only.

~~~
shervinafshar
Quoting my own message:

> EFF previously used to have a scorecard[1] for all the messaging
> applications, but they reconsidered the model of their recommendation

------
viraptor
It all depends on the context / your threat model. Do you want to prevent a
service provider from reading your messages? It's good. Do you want to be the
next Snowden? Probably not. Do you trust people you talk to? Etc.

~~~
whymarrh
Maybe this is a bit nitpicky, but Snowden himself does offer Signal to people
[1] and is listed on the Signal homepage as "using Signal every day" [2].

[1]: https://twitter.com/Snowden/status/986277159252750336?s=20

[2]: https://signal.org

~~~
vipa123
Not nitpicky. It was quite relevant to the thread.

------
upofadown
Pretty much anything will fail if the end device is compromised. It's probably
good up to that point. Otherwise you will have to look into some sort of air
gapping to a physically secure device dedicated to messaging (e.g. Yubikey).

As always, it depends on the threat model...

------
rogerkirkness
If you have to ask, you'll just have to trust it.

------
cpach
Yes. Signal is the gold standard of messaging apps.

------
aaron695
Rather than conspiracy theories of, depends if you are a spy or not.

Anyone want to explain where Signal fails for top level spying and Nation
States are coming after you?

And what the safer alternative is?

~~~
adamhearn
The biggest issue with Signal is the forced reveal of your phone number. There
are several good alternatives. Wickr and Session come to mind.

~~~
noman-land
If your adversary is a nation state, hiding your phone number is not an
option. They already know it and might compromise a device. Perhaps another
service is better or the use of a burner phone is preferred.

~~~
joemazerino
How can a nation-state adversary compromise a device only knowing the phone
number?

~~~
ncmncm
1. Track locations of phones in contact.

2. Rubber hose.

3. Obtain copies of your messages still retained in your contacts' phones.

------
zh
What about [https://status.im/](https://status.im/) instead - OSS, e2e
encrypted by default.

------
probinso
You have to understand and read their security model in order to assess
whether it is an appropriate technology for your context. Every time you use a
security advertised platform read the threat/security model.

------
besus
Wickr is another alternative with really tight security throughout its app to
stack.

------
parliament32
Signal is still considered the gold standard for secure messaging on mobile.

------
wideawake
Depends on threat model. For most people. Yes.

------
giantg2
Best way to avoid interference or maintain security is to adopt old school
tactics. Look at the war games the military played to prepare for Iraq and how
the low tech red team comms worked.

~~~
Spooky23
Exactly. If you think you need Signal, you probably really need to STFU.

~~~
giantg2
Or you can communicate outside of electronic channels.

My point is if you are concerned that the government is monitoring your
communications (presumably related to the protests), then electronic methods
are not reliable. Even if the encryption is solid, they could start jamming
the frequencies used.

~~~
Spooky23
Good point. But this stuff is always cat and mouse. The mafia bigshots figured
out that they couldn't talk on the phone in the 60s and 70s once the FBI
started aggressively pursuing wiretaps. So they shifted.

In the 2000s, drug dealers figured out that Nextel direct connect weren't
traceable... so Nextel kiosks sprung up in the hood and you'd see them all
over. After that, prepaid burners were the next thing, followed by BlackBerry,
etc.

If you're organizing protests in such a way that are going to attract
surveillance, "Use X" is dumb advice. It depends on the situation and what
consequences you can sustain. An activist may _want_ to be arrested. A Federal
employee may sacrifice their career just for being present. Context matters,
but the smart path is to leave your phone at home.

