
I don't trust Signal - Bl4ckb0ne
https://drewdevault.com/2018/08/08/Signal.html
======
tptacek
Drew DeVault doesn't trust Signal because its Android incarnation uses the
Google Play Store --- the app market virtually all of its real users use ---
and not F-Droid. DeVault would also like it if Signal would interoperate with
other chat programs.

Instead, DeVault would prefer that you use Matrix, a system for which end-to-
end encryption is (according to its own website) "in late beta", offered on a
select subset of clients, and "not enabled by default"†.

This argument is clownish and we should be embarrassed it's on the front page.

There are people in the world that want to sysadmin their phones. It's a life
choice they are free to make and I don't hold it against them. But the vast,
overwhelming majority of users do not want to make the app market on their
phone work more like Debian and less like the Play Store. Signal, to put it
bluntly, does not care about the desires of the phone sysadmins. Even if they
caved to the sysadmins, the application would, for virtually all its users, be
no more secure. This bothers DeVault a lot, enough that he's constructed an
entire psychoanalysis of Moxie Marlinspike to explain to himself how it could
possibly happen that someone else on the Internet doesn't agree with him.

Also, just as a note to DeVault: the point of end-to-end encryption is that
you don't have to trust Signal's server. All it does is arrange for the
delivery of messages, which are secured client-to-client. Compare Signal's
server to Wire's, which --- last I checked --- _retains a record of every pair
of users who have communicated in the past_.

† _When this was pointed out downthread, DeVault responded: "[o]ther
alternatives (which I have not reviewed in depth) include Tox, Telegram, Wire,
and Ring". Telegram is a particularly funny reference to make, because not
only is E2E not the default there, but --- last I checked --- it can't even do
E2E group chat. Telegram's owners are adamant that TLS is adequate for group
secure chat._

~~~
ddevault
I feel like you didn't actually read the article or my comments in this
thread.

>Drew DeVault doesn't trust Signal because its Android incarnation uses the
Google Play Store --- the app market virtually all of its real users use ---
and not F-Droid

It should use both.

>the point of end-to-end encryption is that you don't have to trust Signal's
server. All it does is arrange for the delivery of messages, which are secured
client-to-client. Compare Signal's server to Wire's, which --- last I checked
--- retains a record of every pair of users who have communicated in the past.

My point is that Signal could just as easily keep a record of every pair of
users who has communicated. We can't be sure because we can't run our own
servers. I spoke about this in detail in the article.

>† When this was pointed out downthread, DeVault responded: "[o]ther
alternatives (which I have not reviewed in depth) include Tox, Telegram, Wire,
and Ring". Telegram is a particularly funny reference to make, because not
only is E2E not the default there, but --- last I checked --- it can't even do
E2E group chat. Telegram's owners are adamant that TLS is adequate for group
secure chat.

Thanks for omitting all of the context which clarified that I hadn't
researched them in depth and wasn't explicitly endorsing any of them, and the
comment where I clarified that E2E encryption _is_ enabled by default on
Matrix.

~~~
tptacek
I read your article, carefully, twice, once this morning (I briefly tweeted
about it but didn't feel like I could do it justice and deleted the tweet) and
again before writing this.

I've read all of your comments in this thread to date and, as you can see,
replied to some of them.

I feel like I have fairly summarized your arguments.

"It should use both", you say. Signal disagrees. That makes Signal evil,
according to your argument. "That's not how the world works" is my rebuttal.

Signal _could_ easily keep a record of every pair of users. So can every other
mainstream chat application --- and several of them _do_. Signal doesn't. My
reply on the subthread about this issue explains what Signal does differently
here, and it's not "publish the source code of the server".

People can simply read your comment on the thread --- I made clear where the
quote came from --- to see exactly what you said about Wire and Telegram and
Tox and Ring. I'm satisfied that I've represented your argument well.

~~~
ddevault
>"It should use both", you say. Signal disagrees. That makes Signal evil,
according to your argument.

You're oversimplifying this. For the full rebuttal, refer to the article.

>Signal doesn't.

You cannot know this. We don't need to have this conversation in two places,
I'll just link it for others who want to follow along:

[https://news.ycombinator.com/item?id=17726574](https://news.ycombinator.com/item?id=17726574)

>I'm satisfied that I've represented your argument well.

I don't think so.

>People can simply read your comment on the thread

Fair enough:
[https://news.ycombinator.com/item?id=17724300](https://news.ycombinator.com/item?id=17724300)

Full disclosure: I added the text in the parenthesis and the second paragraph
of this comment about an hour after it was initially posted.

~~~
tptacek
I don't think you understand that I can, in fact, just observe that Signal
disagrees with you, without making a point-by-point rebuttal of your argument.
Similarly, you don't indicate anywhere that you understand that Moxie can do
the same without acting in bad faith, which is something you accuse him of
doing.

You don't get to demand from strangers a debate on terms of your choosing.

------
g_sch
Some version of this post seems to circulate every few months or so. This one
is more direct in its accusations of Moxie acting in bad faith. I think this
is disingenuous. Moxie has been very clear[0] about the tradeoffs that Signal
has made and the reasons for them. It's fine to be dissatisfied with those
choices. It's another thing entirely to accuse Moxie of dissimulating.

Personally, I'd like to see Signal replace WhatsApp. That's why I support the
path Signal took, and why I also have a distaste for the author's snarky
dismissals of features like GIF search.

[0] [https://signal.org/blog/the-ecosystem-is-moving/](https://signal.org/blog/the-ecosystem-is-moving/)

~~~
hutzlibu
But in the linked post he does not explain why he does not maintain an F-Droid
repository for people who do not trust Google, nor why the original Signal
client does not connect to Signal forks, even if they use everything the same.
Security reasons? Ordinary smartphones are full of rootkits anyway, so
someone using a forked Signal version is probably better off anyway, as he
knows a bit more about what he is doing.

So the base argument holds in my opinion: Moxie's main focus is Moxie in
control, and not making Signal the best and most secure possible.

So I also use Signal, but as soon as Matrix gets stable, I am gone.

~~~
move-on-by
> Moxie forbids you from distributing branded builds of the Signal app ...

Having multiple branded builds to choose from would be a terrible thing and
would easily allow fake apps to gain traction.

> ... and if you rebrand he forbids you from using the official Open Whisper
> servers.

This seems pretty fair to me. Not only could you abuse their resources, it
would greatly hinder their ability to make changes and respond to protocol-level
security threats. They aren't in the API business, controlling their
ecosystem allows them to make forward progress without concern for 3rd parties
that they have no control over. And still there is the issue of 3rd parties
abusing their server resources.

~~~
lez
The F-Droid argument is the strongest and most evident among all. I don't
trust Google, I don't trust Play.

The main point is, Moxie could take the wind out of the sails of literally all
arguments in this page by publishing Signal on F-Droid but he just won't.

This alone is enough for me to lose trust in Signal.

~~~
leshow
It seems pretty odd to me to distrust someone because they aren't using the
platform that you'd like them to use. Aren't there other issues with f-droid?
You have to root your device to run it, allow third party code. Those are all
security concerns too.

It was posted elsewhere but here's Moxie's take:
[https://github.com/signalapp/Signal-Android/issues/127#issuecomment-13335689](https://github.com/signalapp/Signal-Android/issues/127#issuecomment-13335689)

~~~
Hello71
> You have to root your device to run it

wtf. I have been using F-Droid for many years, and this has not been the case.
As far as I know, this has _never_ been the case, as Android has _always_ had
functions for third party app stores. In fact, even today, F-Droid recommends
_not_ using root for installs, since then you don't get the screen showing
permissions.

> allow third party code

that's called running apps.

tl;dr nice FUD.

~~~
angry_octet
'allow third party code' means code which is not signed. Once you tick that
any unsigned code can run, not only the app you downloaded. Makes exploitation
significantly easier. It would be better if Android forced you to explicitly
select which code could run, but too hard for most users.

~~~
ficklepickle
Then you "untick" it until the next time you need to install something.

This is what I do on LineageOS. I don't regularly install new apps.

Side rant: This marketer-driven "install an app for everything" is a threat to
the open internet and privacy. Usually the only reason is to extract more
personal info.

Already, young people barely use a web browser. That appears to be the future.
Now get off my lawn or I'll start talking about the war.

~~~
angry_octet
You might do it, but thousands wouldn't.

Android could undoubtedly be stronger in this regard, and in permission
control, firewall, ad blocking etc, but it's not going to happen.

Apps wouldn't be so bad if they were actually sandboxed properly, but yeah,
they suck.

I was interested in Copperhead OS as an alternative, but it seems to have
fallen into a greed induced mess.

~~~
cannonedhamster
You just shot your own argument against his point in the foot. Thousands of
people don't even make up a percentage point of the users of Android. Most
people on Android use Google Play because it's sufficient against the threats
that they need it to be sufficient against. Most people are okay with the
risk/reward ratios that come with using commercial software because they then
don't have to think about it. Signal provides a nearly turnkey level of
protection above and beyond standard messaging in an easy enough format for
most people to use.

~~~
angry_octet
IDK what you're going on about. What is your argument?

I am arguing Play store is fine, and side loading is bad policy.

I argued that for every person who will take the time to micromanage
permissions, thousands wouldn't.

So what are you talking about?

------
skywhopper
This is a really poor post. Lots of in-the-weeds long-running-feud grudge
holding snark, but no real examination of the issues at hand. And his
assertions don't make sense in any case. You can't trust the Google Play store
because a malicious actor might have swapped out the trusted roots on you. But
then why should we trust F-Droid's signing infrastructure?

Then he gripes that the posted APK has to be manually checksummed to use it.
If you are truly paranoid, trusting a checksum you get from the same page you
get a binary is as secure as ignoring the checksum altogether. But why would
you trust a hidden signature process you can't see any more? How do you know
your F-Droid binary was secure?

But worst of all is this pointless assertion: "Truly secure systems don’t
require trust."

There are no truly secure systems. Malicious actors could replace your Matrix
app with a lookalike clone. Your phone could have a hidden keylogger built
into the OS. Or the hardware. The person's phone on the other end of your
communication could have been compromised. You could be being monitored by all
sorts of undetectable means.

Perfect security is an unattainable goal, but good security requires
acknowledging and enabling trust to play a role in the protocols and systems
we develop.

~~~
innerspirit
The post is literally responding line by line to a post from 5 years ago. Very
poorly thought out article.

------
hprotagonist
_But we have to trust that Moxie is running the server software he says he is.
We have to trust that he isn’t writing down a list of people we’ve talked to,
when, and how often. We have to trust not only that Moxie is trustworthy, but
given that Open Whisper Systems is based in San Francisco we have to trust
that he hasn’t received a national security letter, too (by the way, Signal
doesn’t have a warrant canary). Moxie can tell us he doesn’t store these
things, but he could. Truly secure systems don’t require trust._

We have at least one data point that says that Signal stores exactly two
integers about you, or did when the subpoena was issued:
[https://www.aclu.org/open-whisper-systems-subpoena-documents](https://www.aclu.org/open-whisper-systems-subpoena-documents)

things can always change, but that’s evidence submitted in court under the
penalty of perjury, which is a fairly strong claim.

~~~
guiraldelli
I am happy to see I am not the only person in the world that feels like this
about Signal.

The interesting fact is that I "Ctrl+F" this page for Wire and I have seen
nothing, even though this comment is about something that made me switch over
to Wire from Signal: to date, that's the unique instant messaging that has
FOSS'ed both the server and the clients. (OK, the article also talks about
Matrix.)

I admire Wire for a number of reasons, but certainly FOSS'ing all their code
is one of the main reasons. (The other is... Haskell! And also Rust.)

And just to point out, not only Wire bug-fixed the library implementation of
the Signal protocol, as they use the Signal protocol. And their web interface
is very good!

Oh, yes... And they are not based in USA.

__EDIT:__ I am not affiliated with Wire, but just a happy customer. :)

~~~
Vinnl
> that's the unique instant messaging that has FOSS'ed both the server and the
> clients.

Signal's server code is open source as well:
[https://github.com/signalapp/Signal-Server](https://github.com/signalapp/Signal-Server)

And apparently the client can verify that the server is running that code:
[https://signal.org/blog/private-contact-discovery/#trust-but-verify](https://signal.org/blog/private-contact-discovery/#trust-but-verify)

~~~
Gaelan
Note: my understanding of SGX is that this still requires trust of Intel.
Still, far better than nothing

~~~
saurik
It also requires there to not be a hardware sidechannel exploit on the device
running SGX... such as the variants of Spectre that have been trickling out
every few weeks now all year... so yeah: Moxie's trust of SGX is pretty
damning.

~~~
Vinnl
As I understood it, the "trust" comes down to: "it has some limits, but it's
strictly better than nothing". I wouldn't call that damning.

------
r3bl
> P.S. If you’re looking for good alternatives to Signal, I can recommend
> Matrix.

Yes, if you're looking for alternatives to Signal, you should totally use a
solution that hasn't rolled out end-to-end encryption by default[0]. /s

...and that only two clients have implemented so far, out of 50ish that they
list on their website.

[0] [https://matrix.org/docs/guides/faq.html#what-is-the-status-of-e2e%3F](https://matrix.org/docs/guides/faq.html#what-is-the-status-of-e2e%3F)

~~~
Sir_Cmpwn
Author here, this is a fair criticism. Other alternatives (which I have not
reviewed in depth) include Tox, Telegram, Wire, and Ring (not an endorsement
of any of these). I'm an old curmudgeon who just uses IRC+OTR and GPG, though,
so I have to depend on others for recommendations.

Also, Matrix enables end-to-end encryption by default on clients that support
it.

~~~
verbify
According to friends in the cryptography space and from a cursory reading of
wikipedia, Telegram is a shitshow compared to Signal.

It's one thing not to trust Signal. It's another to recommend alternatives
that are far worse.

~~~
carapace
(Totally unrelated, sorry, but about a month ago you and I had a brief
exchange about the placebo effect.[1] I got distracted and missed your last
reply and never responded. Sorry about that. It's too late to reply on the
original thread, and I don't want to hijack this one, but while looking for an
old comment I saw your reply and felt compelled to mention it to you. It was a
good exchange IMO and I didn't mean to "ghost" on it.)

[1]
[https://news.ycombinator.com/item?id=17457085](https://news.ycombinator.com/item?id=17457085)

~~~
verbify
I appreciate the apology, but I don't feel ghosting on an online conversation
should require an apology.

People have other lives, most often online discussions go way past their due
date (I actually like the fact that HN doesn't give you a notification when
somebody replies to your comment).

It was a good discussion though, the placebo effect is fascinating.

~~~
carapace
Yeah, I almost let it go but then I figured, what's the harm? It was a good
discussion. Well met.

------
Vinnl
> Off the bat, let me explain that I expect a tool which claims to be secure
> to actually be secure. I don’t view “but that makes it harder for the
> average person” as an acceptable excuse. If Edward Snowden and Bruce
> Schneier are going to spout the virtues of the app, I expect it to actually
> be secure when it matters - when vulnerable people using it to encrypt
> sensitive communications are targeted by smart and powerful adversaries.

I'm not so sure about this. I don't think Snowden and Schneier are praising it
because it is the most secure application available that works for every
threat model; I think they're doing it because it's the best attempt to up the
security of the masses. In other words: there's a limit to its threat model.
Signal makes it harder to do mass-scale surveillance, and allows e.g.
whistleblowers to contact journalists without standing out because they're
using an encrypted messaging app.

Yes, it's important to highlight those trade-offs, and one can always do
better, but as far as I can see Moxie has always justified the trade-off with
arguments that were not based on being self-serving. You might not agree with
his conclusions, but I think it's unfair to accuse him of being self-serving.
(Unless you mean "thinking about the consequences for the success of Signal"
by "self-serving". It's not really clear how it serves Moxie otherwise, and
the author doesn't go into detail about that.)

In the end, I think it comes down to the author expecting different goals from
Signal than the project itself has - as implied by his disdain for GIF search.
Obviously Signal isn't only implementing features just to get more secure - it
also wants to be widely adopted. It's just that the author apparently doesn't
consider that as important.

~~~
eighthave
I think Signal does a very good job at providing easy security for the masses.
But for journalists and sources it can be dangerous since it is based on real
phone numbers, and those phone numbers are sent to the server to be matched
up. It is especially dangerous if the journalists and sources believe Signal
is protecting them in that use case.

------
3pt14159
Signal is not for state-proof encrypted communication. Not large states like
the USA or Russia. If you think it is, you've been misinformed. For state
actor proof communications you need to evaluate every action you take and
think:

"What are the assumptions that I'm making here?"

One assumption is that you're not currently on anyone's radar. Are you willing
to bet the entire enterprise on this assumption? How certain are you? Are you
99.999% certain?

Another assumption is that the operating system you are running the app in is
not compromised _on either end of the communication_. 99.99%?

Another assumption is that the screen isn't viewable by other devices. Another
assumption is that the frequency of your key taps aren't picked up by a mic
and then turned into intelligible letters.

Another assumption is that the encryption algorithms you're utilizing haven't
been subtly chosen to be intelligible to a single actor or that they'll stay
secure once we have quantum computers.

Etc. Etc. Etc.

Signal is good because it raises the bar. Stock traders buying black
information probably won't get your communications. They won't be scooped up
in an email server leak. They won't be visible to your wife when she enters your
phone's unlock code because they auto delete, and they don't get pushed to
your iPad, like FB messenger[0].

But if you want to go up against James Bond, and you're already on his radar,
you need to give up the illusion that anything computer related is fully
trustable. Just pre-arrange some code words or OTPs and meet in person in an
area without electronics or go even more old school and use dead drops with
hand written communication.

[0] I personally know 3 people that were caught cheating this way.

~~~
lmm
> Signal is not for state-proof encrypted communication. Not large states like
> the USA or Russia. If you think it is, you've been misinformed.

Ok, but in that case what does Signal offer that any random messenger with
transport encryption doesn't? If your threat model doesn't include state
actors then you can probably trust a) the HTTPS certificate infrastructure b)
an international corporation like Facebook, so you can probably assume that
no-one would tap your FB messenger messages in transit. "Not pushed to your
iPad" sounds more like a bug than a feature - I want to be able to read my
messages anywhere that I'm logged in as me (at least while I have my yubikey
or what have you plugged into that device). Automatic deletion... eh, I would
rather make a deliberate decision about when to delete things, personally.

~~~
3pt14159
1. The HTTPS infrastructure is downgradeable and relies on DNS and a
multitude of certificates. And not all the ciphers are safe. Yes it can be
done securely-ish, but unless you're layering another level of encryption over
HTTPS it isn't fully secure. Layering is what the CIA does, according to the
Snowden leaks.

2. As for the rest of it: Cool man, that sounds like you want a normal chat
app that is more usable and less secure. I use Messenger too for things that
don't matter.

~~~
lmm
> The HTTPS infrastructure is downgradeable and relies on DNS and a multitude
> of certificates. And not all the ciphers are safe. Yes it can be done
> securely-ish

There's no reliance on DNS. We know what the right way to do HTTPS is, and an
app that doesn't have to maintain compatibility with ancient browsers can use
a strictly secure profile (no old ciphers, no downgrades etc.). HTTPS is older
and more complex than the Signal protocol, but it's also extremely widely
deployed and gets a huge amount of attention from security researchers. I
think actual attacks on the protocol are less likely with HTTPS than with
Signal.

> unless you're layering another level of encryption over HTTPS it isn't fully
> secure.

Nonsense. Two layers of valid encryption are no more secure than one, and two
layers of flawed encryption will almost certainly still be flawed.

> 2. As for the rest of it: Cool man, that sounds like you want a normal chat
> app that is more usable and less secure. I use Messenger too for things that
> don't matter.

It's not that my chats don't matter. It's that I don't think autodeletion or
one-device-only represent a meaningful security improvement.

~~~
3pt14159
> There's no reliance on DNS.

In practice there is for most situations. Are you going to get a static IP and
go through the work of finding one of the rare cert authorities to get an
HTTPS cert for it authorized?

> Nonsense. Two layers of valid encryption are no more secure than one, and
> two layers of flawed encryption will almost certainly still be flawed.

I hate arguing about this because I feel like there is a difference between
how mathematicians think and how engineers think. I agree that one of the
layers should be HTTPS if the context allows for it, because it has a lot of
eyes on it, as you mention; but I fail to see how layering encryption is bad
from a privacy standpoint.

Mathematically, this statement:

> Two layers of valid encryption are no more secure than one.

Is only true if there are no mistakes and if it would take more operations in
the universe to break the first layer of encryption.

But why should we, a priori, assume that there are no mistakes? We have
hundreds of examples of thought-to-be-secure ciphers / one way hashes ending
up in the trash heap. Look at things like Cloudbleed. In reality things break.
In reality cert authorities get moled or hacked. If you've been using layered
encryption you're safer. Also, HTTPS basically mandates that you use TLS,
which for some contexts doesn't work because we'd prefer a one-way (i.e.,
connectionless) channel to communicate to stop inbound traffic at the physical
layer.

> It's that I don't think autodeletion or one-device-only represent a
> meaningful security improvement.

It's helped plenty of people that have had their phone seized at the border or
their other device seized by the police. Sometimes you don't know that information
is sensitive until later, and sometimes you choosing to delete it at that
point is illegal or impossible.

~~~
lmm
> In practice there is for most situations. Are you going to get a static IP
> and go through the work of finding one of the rare cert authorities to get
> an HTTPS cert for it authorized?

You don't need DNS to check whether the server purporting to be messenger.com
has a valid certificate for messenger.com. An attacker who controls the
network can of course cut you off entirely, but an attacker who controls DNS
can't intercept your messages because that doesn't get them any closer to
having a certificate.

> I agree that one of the layers should be HTTPS if the context allows for it,
> because it has a lot of eyes on it, as you mention; but I fail to see how
> layering encryption is bad from a privacy standpoint.

Do you feel safer behind two locked doors than one? I guess it can't hurt, but
the effort would surely be better spent on virtually any other aspect of the
system. E.g. if you double the key length in a single layer of encryption
you've made it 2^128 (or whatever your key length was) times harder to crack,
whereas if you stack two layers then you've only made it twice as hard.

Beyond that my argument would be: many security breaches happen because
someone got confused about where the security boundary was. If you use one
layer of encryption then everyone knows that the encrypted data is untrusted
and the decrypted data is trusted. If you have two layers it's very easy to
get lazy and introduce a small hole into one layer assuming the other will
cover it, then you do the same for the other layer, and then an attacker
figures out how to connect those two holes in a way you hadn't thought of and
suddenly you're doomed.

------
pron
> Truly secure systems don’t require trust.

This is a chat app so, by definition, security requires trusting at least one
other person. Also, I think experience shows that secrets can often be least
trusted to those who have some interest in/use for them, with the secret owner
often being the least trustworthy of all. So I'd say that if you trust
yourself you're already probably trusting one of the weakest links in whatever
chain of trust you would have.

But seriously, pretty much every secure system requires trust, and the more it
relies on technology, the more trust is required. You need to trust there are
no backdoors or holes in a long chain of hardware and software that no one
person can possibly verify, and if they hypothetically could, they could only
hypothetically do so with the help of verification software that they could
not themselves verify, at least not without dedicating a lifetime to that
goal. Trustless security does not exist, and attempting to achieve it by
adding more technological layers and more complexity reduces rather than
enhances security. We should make it easy for us to choose whom to trust, not
work on a futile attempt to take trust out of the system.

~~~
zzzcpan
> Trustless security does not exist, and attempting to achieve it by adding
> more technological layers and more complexity reduces rather than enhances
> security.

How so? If you can minimize trust to the point where you have to trust someone
to only properly design federated or peer-to-peer open protocol and trust that
others will participate and oversee the process it's one thing, as there is no
control or power to go around. Open and secure enough implementations from
other parties can emerge with more parties verifying them and a possibility to
switch in case someone does something sneaky. But if you also have to trust
the same organization with implementation, infrastructure, distribution, there
is not much security to talk about. There is no way to even verify claims that
the thing they open sourced is the same thing they compile and distribute. And
so much centralized power makes the organization a lucrative target for state
actors with no realistic possibility to defend.

The more centralized trust you have the less secure system can be. It's like
an upper bound on security.

~~~
pron
I understand your argument, but it cannot be shown to be more valid than the
complete opposite: the less centralized a system is, the more complex it is in
terms of protocols, and you need to trust many more people to design it
correctly than you would need to trust to operate a centralized system. In
fact, it could be argued that beyond some complexity level, an unbreakable
design is virtually impossible, even in principle.

Your argument about an appealing target could also be used to show the exact
opposite: decentralized systems are much harder to upgrade, and so they become
attractive targets which you need to break much less frequently (especially
considering that the internet backbone itself is pretty centralized), and so
it makes even very expensive cracking more affordable. The argument about
open-source applies pretty much equally to the centralized and decentralized
case.

~~~
zzzcpan
> the less centralized a system is, the more complex it is in terms of
> protocols, and you need to trust many more people to design it correctly

I disagree with that. The more centralized a system is, the fewer trust
boundaries it has and the more vulnerable and insecure it is, because penetrating
one trust boundary gives access to everything. Security always requires
additional complexity. And decentralization forces you to take that complexity
seriously for once, something you neglect, not simplify, in centralized
insecure designs. Forcing you to deal with just trust explicitly and
systematically leads to much more secure designs.

Other than that decentralized systems are exactly the same as centralized,
just with more players and choices and incentives not to break anyone's trust.
The only problem is all that embrace, extend crap large corporations always
attempt to pull off and recentralize everything.

~~~
pron
> because penetrating one trust boundary gives access to everything

The same could be true for a decentralized system if the flaw is in the
centralized backbone or the shared protocols/algorithms.

------
distantsounds
"The APK direct download doesn’t even accomplish the stated goal of “harm
reduction”. The user has to manually verify the checksum, and figure out how
to do it on a phone, no less. A checksum isn’t a signature, by the way - if
your government- or workplace- or abusive-spouse-installed certificate
authority gets in the way they can replace the APK and its checksum with
whatever they want."

This is true for just about every single piece of software that one downloads.
But nice job deflecting it onto Signal to solve for you. Installing an APK by
hand is not difficult either, you transfer it to your phone and open it. I
don't see how Signal is doing any better or worse of a job from similar apps.
Also, Signal's checksum verification is SHA-256 which I'd say is "good
enough." It's also being served from an HTTPS webpage. Is there something
missing here?

~~~
shittyadmin
Additionally with Android APKs, the APK has to be signed and additional
updates will be verified to match the same vendor.

~~~
Bartweiss
Which as far as I can tell is what Marlinspike meant by harm reduction.

It's not preventing anyone from hijacking your encrypted session and serving
you a bad app, I'm not sure how it _could_. ("How do you secure your
connection given that your security has already been silently compromised?"
isn't a question I really understand.) But it helps ensure that people are at
least _requesting_ the genuine app, and if they get it then they'll get
signature verification for future versions.

------
LaGrange
"If Edward Snowden and Bruce Schneier are going to spout the virtues of the
app, I expect it to actually be secure when it matters - when vulnerable
people using it to encrypt sensitive communications are targeted by smart and
powerful adversaries."

Because if the adversary is, say, an abusive ex that happens to work for the
telco, for example, then it doesn't matter. Unless you're actively hunted by a
G7 country your problems are inconsequential.

~~~
threatofrain
How do you defend abused spouses in discourse by comparing their needs to
people hunted by the most powerful political forces? Surely these two cases
ought not be on the same table for comparison.

~~~
LaGrange
The original author outright dismissed the entire class of threats, which,
while they may seem "lesser," are also far more common. And it's not just
abusive exes; not even every state actor has access to an NSA. Neither Signal
nor any other existing application based on the same protocol (which exist and
are _more_ popular than Signal itself — WhatsApp is one, for example) is
sufficient, but on the other hand, it requires far less knowledge to operate.

Signal comes from recognition that very few people can practically operate
high-effort tools, and if the effort to operate a fancy tool distracts them
too much from the things they actually aim to do (it's rare that someone's
goal in life is "using Matrix"), they'll fall back on something that
_doesn't_ distract them.

For example, even when facing a state actor — if training your cadres to
securely operate an encryption tool takes away too much from the core activism
of your organization, the tool is no longer helpful. Same applies if the
actual overhead of using it ("both have to be online" requirements, for
example, or for somewhat lower threat profiles, "no emoji") makes it
impractical.

For most people the threat is going to be someone they know, or high-volume-
low-effort attempts. Whether it's an ex or a boss or even most states, it's
unlikely they're facing NSA. They often have a lot of other things to do, and
neither their ability nor their desire to enforce technical solutions on others is
high. That's the range Signal-backed apps generally target.

~~~
Bartweiss
> _not even every state actor has access to an NSA_

This is a massively undervalued point. As far as I can tell, most of the
people relying on Signal/WhatsApp/Firechat/etc for life-or-death issues are
neither hiding from exes nor fleeing the US government. The bulk of use seems
to be journalists and protestors in places like Turkey or Bangladesh who have
reason to fear state monitoring of communications, but are unlikely to face
deep or targeted attacks like having been served a compromised APK from day
one.

That Turkey example is seriously relevant. In 2013, the Turkish government
created a fraudulent certificate allowing it to intercept traffic to all
Google domains, potentially viewing things like gchat and gmail
communications. This offered a whole bunch of lessons:

- That the CA web-of-trust model is seriously broken, as we've seen
repeatedly.

- That even if companies secure their data and respect your privacy, non-E2E
data transfer can still be unsafe.

- That any software or data obtained under a hostile network without a prior
signed session is unsafe. Play Store Signal installs in that time could
theoretically have been compromised, but "app store versus dedicated download
site" and "checksum vs. signature" were irrelevant; all four paths could have
been compromised via the same attack vector.

- That "secure download environment, insecure usage environment" is a major,
meaningful category of use. That describes a journalist installing Signal in
the US and flying to Turkey; an activist installing it prior to a regime
change; or a protestor copying it from a trusted friend's installation.

So you're exactly right: Signal isn't a complete solution for an adversary
with unlimited resources and direct access to every layer of a network, but
it's still massively important even for dealing with most state actors.

------
okatsu
I don't know anything about Moxie derailing threads or anything like that but
if we just listened to critics all the time then we just wouldn't have
anything. Signal is better than a lot of what is out there and being used as
scale and that counts for something. More secure is always better than not
secure at all.

~~~
pmlnr
Read the end of the article as well. We have solutions like Matrix, and like
XMPP with OMEMO.

~~~
okatsu
Signal did what those things failed to do which is to actually gain some
popularity outside of HN. I hope Matrix takes off! In the meantime if people
are convincing their families and friends to get on Signal then that's a net
positive to me.

~~~
jsgo
@ynniv - because if you can coax a friend who isn't on anything but Facebook
to use Signal over, say, Messenger, then it is a net win. Is it perfect? No.
Is it a better situation than the current? Yes.

~~~
ashooner
Exactly. Signal's most important feature is that it isn't Facebook.

------
toast0
AFAIK, Signal has an open source client, and an open source server. If you
want federation, you can go ahead and build it, and find users, and you can
start from a reasonably well working base. Moxie isn't going to build it,
because he doesn't think federation works; to convince him, you'll need to
show him it works, not just tell him. Is there an example of a federated chat
service which has end to end encryption that just works?

Peer to peer chat is interesting, but it means that IPs of communicating users
are more widely exposed -- now anybody in the network path between two users
can see they're communicating with each other, not just that they're both
communicating with Signal. I may not want to share my IP with some (or most)
people I communicate with. Additionally, there's a lot of hard work around
actually getting a peer to peer connection on today's internet, for a large
fraction of connections, you're going to have to proxy packets for them
anyway.

~~~
dTal
> Is there an example of a federated chat service which has end to end
> encryption that just works?

Yes. SilenceIM is a fork of Signal that maintains only the SMS implementation
of the Axolotl ratchet. It works perfectly.

For that matter, every other chat network does too, if you use Pidgin and the
pidgin-otr plugin.

End to end encryption is a property of the clients, not the network,
practically by definition.

~~~
toast0
SilenceIM and pidgin-otr add e2e over existing networks. That means I can
attempt to send messages to people who won't be able to receive them. That is
the opposite of 'just works'.

With Signal, or other services, where e2e support is a mandatory part of the
client and is the only way to send messages, if someone is available on the
platform, I know that I'll have a e2e message stream. (subject to MITM of key
exchange, of course)

------
pmlnr
The article actually proposes an alternative: Matrix, and Matrix is, in fact,
a good piece of software, with federation options.

I tend to agree with most parts of the article, especially the lack of
federation options.

My real pain point with Signal is that there is no real desktop application
for it - no, a connected web interface is not a desktop application. For
example, XMPP with OMEMO can be used simultaneously from Android Conversations
AND Pidgin - same account, same messages (yes, it needs XMPP Carbons on the
server), e2e.

~~~
Vinnl
What do you mean by a "connected" web interface? And what would being a
desktop application bring it?

Signal Desktop is somewhat buggy, not that full-featured, and doesn't
integrate that well with the rest of my OS, but otherwise it's working fine,
and I can use it simultaneously with my phone. (But I can also use it with my
phone turned off, which I love.)

~~~
pdkl95
> but otherwise it's working fine

It doesn't work _at all_ for me, because it requires a mobile phone number,
which I don't have (a phone + _any_ monthly subscription fee doesn't fit in a
tiny fixed income budget).

~~~
Vinnl
I don't think that has anything to do with the desktop app specifically?

~~~
pmlnr
It does. Desktop app is desktop, end of story - no GSM connection and/or phone
number should be required.

~~~
Vinnl
It sounds like you'd also be against requiring phone numbers if they didn't
have a desktop app...

~~~
pmlnr
A phone app requiring a phone number is reasonable; it doesn't matter if I
like it or not.

On a desktop app, it's not reasonable to ask for a phone number. Ask for
something else; email, for example.

------
gruez
> Google Play

use yalp store

> Packages on F-Droid are reviewed by a human being and are cryptographically
> signed

> The app has to update itself, using a similarly insecure mechanism. F-Droid
> handles updates and actually signs their packages

so are all android APKs. granted it's trust on first use: it accepts any
signature for the first install, and only enforces the signature if you try to
install an update.

> A checksum isn’t a signature, by the way - if your government- or workplace-
> or abusive-spouse-installed certificate authority gets in the way they can
> replace the APK and its checksum with whatever they want

this is probably the only legitimate concern, to use f-droid so you have a
permanent anchor of trust (f-droid, rather than whatever CAs you have
installed) for the first install. this isn't even that big of an issue when
you can install using yalp store. google might be a rootkit or whatever, but
at least you can be reasonably sure that the apks are the originals.
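As an added illustration of the "checksum isn't a signature" point and of the trust-on-first-use signature rule described in the comments above (example code written for this page, not Signal's or Android's own implementation): the APK bytes, the key pairs and the `Device` type are constructed stand-ins, and Ed25519 replaces the X.509 certificates real APK signing uses.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Checksum is what a download page publishes next to the APK: a hex SHA-256.
func Checksum(apk []byte) string {
	sum := sha256.Sum256(apk)
	return hex.EncodeToString(sum[:])
}

// VerifyChecksum is the manual check: hash the file, compare with the page.
func VerifyChecksum(apk []byte, published string) bool {
	return Checksum(apk) == published
}

// Release is what a publisher ships: APK, signer's public key, and an
// Ed25519 signature over the APK (a stand-in for real APK signing).
type Release struct {
	APK       []byte
	Signer    ed25519.PublicKey
	Signature []byte
}

// Sign produces a Release for apk under priv.
func Sign(priv ed25519.PrivateKey, apk []byte) Release {
	return Release{
		APK:       apk,
		Signer:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, apk),
	}
}

var ErrBadSignature = errors.New("signature does not verify over the APK")
var ErrSignerChanged = errors.New("update signed by a different key than the installed app")

// Device models the trust-on-first-use rule: the first install pins the
// signing key, and every later install of the package must match it.
type Device struct {
	pinned ed25519.PublicKey
}

// Install verifies the signature and enforces the pinned signer.
func (d *Device) Install(r Release) error {
	if !ed25519.Verify(r.Signer, r.APK, r.Signature) {
		return ErrBadSignature
	}
	if d.pinned == nil {
		d.pinned = r.Signer // first install: trust whoever signed it
		return nil
	}
	if !bytes.Equal(d.pinned, r.Signer) {
		return ErrSignerChanged
	}
	return nil
}

// mustKey generates a fresh Ed25519 private key (constructed for the example).
func mustKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// RunScenario plays out the cases the thread discusses and returns each result.
func RunScenario() (checksumPasses bool, freshInstall, update, forged error) {
	genuine := Sign(mustKey(), []byte("constructed: genuine APK bytes"))
	// An attacker controlling the download channel (e.g. via an installed CA)
	// swaps the APK, publishes a matching checksum and signs with their own key.
	tampered := Sign(mustKey(), []byte("constructed: backdoored APK bytes"))
	attackerPage := Checksum(tampered.APK)

	checksumPasses = VerifyChecksum(tampered.APK, attackerPage) // passes: proves nothing
	fresh := &Device{}
	freshInstall = fresh.Install(tampered) // nil: TOFU pins the attacker's key
	existing := &Device{}
	if err := existing.Install(genuine); err != nil {
		panic(err)
	}
	update = existing.Install(tampered) // ErrSignerChanged: pinned key differs
	forged = existing.Install(Release{APK: tampered.APK, Signer: genuine.Signer, Signature: genuine.Signature}) // ErrBadSignature
	return
}

func main() {
	ok, fresh, upd, forg := RunScenario()
	fmt.Println("checksum passes:", ok, "| fresh TOFU install:", fresh, "| update:", upd, "| forged:", forg)
}
```

The only case the device rejects is a key change after a genuine first install, which is exactly why the first download channel matters and why a checksum on the same page adds nothing against a channel-controlling adversary.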

~~~
stratosmacker
This doesn't even touch on the fact that Signal depends on Play Services. It
has a websocket option, but the setting is actually not in the GUI

~~~
Vinnl
Hmm, how do you configure it? IIRC it just automatically used it because I
don't have Play Services.

~~~
craftyguy
AFAIK it's not user configurable, and the only way to enable it is to have a
device without play services installed.

------
r3vrse
> There’s an alternative to the Play Store for Android. F-Droid is an open
> source app “store” (repository would be a better term here) which only
> includes open source apps (which Signal thankfully is). By no means does
> Signal have to only be distributed through F-Droid - it’s certainly a
> compelling alternative. This has been proposed, _and Moxie has definitively
> shut the discussion down._

Adjunct to the rest of this discussion: just read through that GH issue and
came away with markedly different conclusions than the author of the blog
post.

It reads like someone who is trying hard to justify and prioritize dev
time/resourcing in the face of what is a demanding and vitriolic minority. No
evidence of disingenuous intent or desire to push a particular agenda. I see
nothing that would have prevented the old OSS adage: "if you want to see it,
do it".

Drew, I don't know you, or the background for the argument you're making, but
it seems like you have something stuck in your craw here. Maybe take a little
time and try to view the situation with fresh eyes? You're obviously
passionate about this subject -- and the unique perspective is appreciated --
but it devalues the rest of the info presented, and I don't buy the precept
you're proposing.

------
bilbo0s
People should just know by now, if you need to communicate something in
private, you should just _never_ use any electronic device that uses public
networks. All of these "secure" tools that are being used must be understood
in that context. They are "secure" against honest people.

What I mean by that is that it's a lot like your home or apartment. Sure, you
should lock your door and turn on your alarm system when you leave. At the
same time, if you know there are three letter agencies surveilling you, it's
probably wise to go ahead and assume they broke into your home and placed bugs
in it despite your security precautions.

Because they have.

~~~
tabletopneedle
People still need to communicate with their peers in insecure networks. Now
you need to compare the nitty gritty details and choose the most secure one
for your needs. If you need content protection to keep dick picks out of NSA
office circulation, Signal is probably the best. For metadata-free chat,
Ricochet and Briar are currently the top duo.

------
londons_explore
This article is entirely about the Play store and F-droid.

As a user, when an app claims to be 'secure', I expect the app itself to have
made reasonable security tradeoffs. I don't however expect them to change my
OS, my package manager, or anything else. The security of those other
components isn't their concern.

------
qznc
> Truly secure systems don’t require trust.

Security is something which only makes sense in relation to an attacker model.
Only after you specified that, then we can discuss if something is secure or
not.

Signal is not secure if the NSA is after you. Signal is secure if your Chinese
competitor is after your business data. Signal is secure if you are a
journalist in Turkey.

~~~
tabletopneedle
Remember that OTR, Cryptocat and PGP were secure enough when Snowden was
agreeing about handing data to Greenwald and Poitras. So while Signal isn't
secure if you're NSA's target, it might be secure enough to protect you from
passive threat scanning.

------
angry_octet
The author is a delusional crank. He is very deliberately ignoring the very
cogent arguments for the Signal architecture in favour of some specious
moaning about how play store is subverted by the NSA.

If you want a federated / onion-routed message transport, start coding. You
can use the signal ratchet mechanism if you want, you just can't call the
resulting shibboleth Signal. Distribute only by obscure methods, easily
subverted by users installing malware versions with higher search rankings.
Then stand back and watch as hardly anyone used your app.

------
leshow
> This is a strong accusation, I know. The thing which convinced me of its
> truth is Signal’s centralized design and hostile attitude towards forks.

The thing that convinced you that Moxie _feels_ a certain way is that Signal
has a 'centralized design'.

Please, if you're going to accuse someone of acting in bad faith with no
evidence the least you can do is be honest about it. You have nothing but your
feelings for proof of anything.

------
INTPenis
I agree that Tox is better but at the same time I know people who truly need
to stay hidden and they use Signal on a burner phone with a cash sim-card.
That way it doesn't matter which medium the messages are transmitted over
because it still can't be traced back to them.

And as far as I know the encryption is solid.

Unlike some other alternatives like Wickr Signal actually open sources their
app and their communication protocol.

~~~
tabletopneedle
Until Tox defaults its communication through Tor, it doesn't offer any
notable differences. Sure, there is no central server, but intelligence
agencies can see who you talk to without compromising a server just by looking
at the destination IP address of packets. Tox suffers from same MITM problems
if the ToxID is changed e.g. on Twitter page of your contact, the same way the
author of the article claims the "checksum" of Signal's APK can be changed by
NSA, your employer or angry spouse.

------
mnm1
If the consequences of sending messages are torture and death, I wouldn't
trust any form of electronic communication. That's what face to face meetings
are for and have always been for. I did not think signal is insecure, but
either party could be compromised in other ways like a key logger or other
local software that intercepts messages on the device they are composed on. I
certainly wouldn't trust any mobile os based app although desktop ones might
not necessarily be better even if they both run on a Linux os that's fully
open source. Most people are not up against such threats, so in most cases it
doesn't matter. For the people that are, they are brave in using such
software. I would never place my life in the hands of such software. I simply
wouldn't trust any such software with my life. By comparison, the software in
my car or on a plane is a different matter but it's also engineered to
different standards and has proven itself in a verifiable manner--I haven't
died after much driving and many flights.

~~~
angry_octet
I would trust Signal on iOS, depending on who I was messaging. I'd turn on
timed messages though, and the signal number wouldn't be my main phone number.
Far less likely to be key logged on iOS. If you don't browse websites on the
device that helps.

You have to consider that face to face meetings are often observed by third
parties, you can be tracked easily, extremely incriminating generally. The
other person can talk, and provide evidence of your location. In comparison,
sending a signal message is comparatively covert.

~~~
mnm1
The other person can show your signal messages to the wrong people just as
well as they can talk about the conversation. At least with a conversation,
you have plausible deniability although that may not count for much. You do
also have to be careful of being recorded. Still, the point is, I would not
trust a software platform. Ios or Android doesn't make a difference. They are
both easily exploitable and have tons of security bugs no doubt, many that the
biggest state actors are likely hoarding as 0 days for just such an occasion.
There is no perfect solution.

~~~
angry_octet
I don't think many experts would call iOS "easily exploitable", especially if
you don't install random apps and browse the web. 0-days aren't easily
available for places like Iran, Syria, Egypt, etc, or even larger countries
like Brazil, and wouldn't be burnt on any ordinary suspect. They still usually
rely on the user clicking a link. A locked down iPhone (no BT, WPA2-EAP, VPN,
Signal, hard passphrase) is a hard target.

If your contact is the type who will record the fading Signal messages with
another phone you're already fucked.

------
bArray
To be completely honest, Android should be considered as "insecure" for the
same reasons. It's binary blobs that are hacked around by distributors with
limited support after a year or so (when phones stop being manufactured and
widely sold).

Can we just get a proper Linux OS running on mobile devices already that's
properly open source and easily re-flash-able? It's clear that ARM is here to
stay and if Linux is to stay relevant, it needs to move towards support for
one of the most popular computing devices on the planet. Desktops made their
way into each home and mobile has made its way into each pocket.

That way, running something like Signal would be more trust-able coming from a
package manager, especially with something like Debian's reproducible builds.

------
kup0
I don't prefer messaging apps that require phone numbers, they always feel
less trustworthy to me because that one aspect of privacy isn't there

------
phyzome
« those are all really convenient excuses for an argument which allows him to
design systems which serve his own interests. »

I wish the author would actually lay out what they think Moxie's interests
_are_.

------
moogly
As a Signal user, I just wish I could make my own personal fork of the desktop
app and still talk to everyone without having to use the beta servers and fear
of having access cut off, because the visual design and UX of the desktop app
is absolutely atrocious. And the latest update that was pushed a few days ago
was a massive step back; the bloated UI now looks like some iOS app from 2007.
It's just embarrassing. And don't even get me started on the lack of a search
function -- something the mobile client has.

~~~
Vinnl
Hmm, if you can improve the UI by yourself, could you not submit a pull
request to do that? That would probably still allow you to use the improved UI
without fear of having access cut off.

(I wasn't aware of a redesign - just updated, and I don't really like it
either, but ah well.)

~~~
moogly
In theory yes, but I don't think the team would appreciate any old random
schmuck to change their product's look-and-feel :)

------
jMyles
I have recently switched to Riot (built atop Matrix, which the author endorses
at the end) for some family communications and yeah, I think I do prefer it to
Signal.

------
darklajid
I personally don't distrust Signal.

I just refuse to use it. This comes up on HN a lot and every time I have to
admit that I am kinda unfair here: Signal is heralded as the nice and secure
solution - but seems incomplete to me. I don't doubt all the more clever
persons that tell me that Signal is the best choice for encryption right now.
But as long as it doesn't support federation (I miss XMPP) and as long as it
does require a phone number (None of anyone's business, not required for my
contacts, a baaaad way to handle identification) it is utterly broken for me.

I'll continue to use Telegram for family, friends and casual business stuff.
The applications are awesome across platforms, I can initiate conversations
with people without using a phone number. Worse encryption? Probably. Likely.
Just as centralized? Yes - hate it there as well.

But I hoped that Signal would be the solution. I'm unfair. Signal gets judged
for NOT being open (federation, phone number). Telegram is just a random
service that I use instead then - works better anyway.

~~~
catdog
> But as long as it doesn't support federation (I miss XMPP) and as long as it
> does require a phone number (None of anyone's business, not required for my
> contacts, a baaaad way to handle identification) it is utterly broken for
> me.

Why not simply use XMPP then?
[https://conversations.im/omemo/](https://conversations.im/omemo/)

------
cwmma
Federation is not some sort of magic dust that would fix signal, you'd be just
exchanging one problem (centralization) with another (spam).

Plus in all likelihood even if they did federate, it would just be like email
with gmail that the Open Whisper Systems is the dominant player so most
conversations have at least one party running on Moxie's hardware.

~~~
craftyguy
> one problem (centralization) with another (spam)

I'd take the risk of possibly receiving more spam over the risk of depending
on yet another walled garden.

------
throwawaymath
The blog post states the following:

> _[Moxie] makes arguments which don’t hold up, derails threads, leans on
> logical fallacies, and loops back around to long-debunked positions when he
> runs out of ideas._

Can anyone provide examples of threads where Moxie is acting like this? The
blog post didn't give any.

------
noncoml
You don't need to have absolute trust in Signal, you just need to trust it
more than WhatsApp.

------
bumholio
The line about F-Droid doing no automated scanning is particularly troubling.
Since he can't possibly imply that a Signal compromise would be detected this
way, Moxie is making a political argument against the way people are using
F-Droid to install _other applications_. He refuses - on principle, no less -
the right for users to control their hardware and have full control over the
software they install, and thinks the walled garden approach should be forced
on every Signal user.

Sorry, there is no excuse for Signal not to be available on F-Droid. I
understand the automatic updates argument if it was valid at the time, but
Signal has no right to impose what other applications I run and how I get
them.

~~~
Arnt
Does F-Droid support reproducible builds now? Or does it offer any other kind
of assurance that the software downloaded actually comes from the purported
origin?

~~~
bumholio
Yes, they only publish the signed binaries produced from public sources
according to a recipe anyone should be able to follow.

[https://f-droid.org/en/docs/Reproducible_Builds/](https://f-droid.org/en/docs/Reproducible_Builds/)

~~~
Arnt
That's what Moxie does too, and F-Droid won't trust that. So what's different?
Why are F-Droid's builds trustworthy?

------
amai
If you prefer obscure alternatives try:

[https://vsee.com/messenger/](https://vsee.com/messenger/)

[https://zangi.com/](https://zangi.com/)

------
sodosopa
Where's the "This Post is Bullshit" button?

------
api
I trust it more than unencrypted SMS or Facebook Messenger.

I trust it less than p2p chat over an encrypted network I control with layered
defense in depth.

Security is not a boolean.

~~~
lmm
Security is not a boolean, but when your whole selling point is security you'd
better be good at it.

I trust Signal the same amount as Facebook Messenger or any other centralised
messaging system that uses transport encryption (e.g. Skype, IRC+SSL,
WhatsApp...). But what's the USP that means I should use Signal rather than
any alternative?

~~~
Vinnl
Their USP is "security made simple", in other words: use Signal because it's
as easy as the mainstream alternatives, but far more secure (but not perfect).

~~~
lmm
That only works if they're actually more secure than the mainstream
alternatives. I don't think they are; Signal has transport encryption but the
system probably isn't secure against Open Whisper Systems themselves or
someone who controls the central server, which is the same security situation
you'd be in with any of the alternatives I mentioned.

~~~
jlund
Everything in Signal is end-to-end encrypted.

------
ezoe
Seriously, why do they use the smartphone in the first place? The smartphone
ecosystem, be it Android or iPhone, is not secure. It can not be trusted.

Even if we avoid Apple and Google's software distribution platform, Your
smartphone still has binary blob kernel module, baseband processor and the OS
runs on top of that.

People who claims secure and trust on top of smartphone are all liar, idiot or
both.

Don't use the smartphone.

~~~
kvark
Unless it's Librem-5
([https://puri.sm/shop/librem-5/](https://puri.sm/shop/librem-5/)), although
we've yet to see what comes out of it

~~~
nickpsecurity
Still not secure. I describe the risks here:

[https://news.ycombinator.com/item?id=10906999](https://news.ycombinator.com/item?id=10906999)

~~~
craftyguy
Maybe not perfectly secure, but it's a big step up from the current devices.
Being able to physically separate devices (e.g. baseband/modem) and toggle
them off would allow you to obtain a much more secure environment.

------
jmarinez
+1 I agree wholeheartedly with the concerns and complaints in this post. Even
if you were to have the most trustworthy person leading a system like this,
who is to say that this person's mind won't change. Or worse, a different
successor could redefine the goals - this is created under a company after
all. What's the solution? Trust in design.

------
wpdev_63
If signal was somehow federated (without a central server) and open
source (which it is) then there's not much not to trust.

When they figure out a way to make signal serverless, then the only thing you
would have to worry about is the OS of the phone and its underlying
architecture...

I have no doubt we will reach that point but I wish we get there sooner rather
than later.

------
JustSomeNobody
What's wrong with using Google Play Services?

Correct me if I'm wrong, but I assume it has to do with message notifications.
So, by using GCM, Signal would be leaking some metadata about when and who,
etc. I assume. But wouldn't someone be able to get that same information from
your ISP (with a little more work)?

You're losing the benefits of longer battery life for basically nothing.

Security isn't absolute. I don't know why this blogger has the attitude that
there is such a thing.

~~~
jhasse
It allows Google to easily circumvent any end-to-end encryption since it's a
rootkit.

~~~
JustSomeNobody
How? What mechanism?

Does it access the plain text from the keyboard before the app encrypts it?

~~~
jhasse
It could do that.

~~~
Tomte
Google certainly doesn't need the Play services to do that. If you assume
Google to be malicious in that way, no app on your Android phone can be
secure.

~~~
jhasse
Sure, but the Play services make it A LOT easier for them.

------
sbmthakur
Slightly off topic: How do you convince your friends & family to switch to
Signal from WhatsApp?

------
anderber
For those looking for an open-source, private and secure messenger take a look
at Adamant: [https://adamant.im/](https://adamant.im/)

------
nailer
Is the .apk reproducible from the source?

~~~
lorenzhs
It is. [https://signal.org/blog/reproducible-android/](https://signal.org/blog/reproducible-android/)

------
alexnewman
Although signal has cash they need a lot more support. It’s a good time to
remind people they are hiring

------
trumped
Signal is at least as good as all the other cloud messaging apps... (privacy
wise)

~~~
lucb1e
Sure but I think that is a given. The fact that it's "at least as [secure]" as
something that stores chats in plaintext on their servers (Telegram) is not
exactly news...

~~~
trumped
> The fact that it's "at least as [secure]" as something that stores chats in
> plaintext on their servers (Telegram) is not exactly news...

probably news to most people... because most people appear to be trusting
it....

------
ryanlol
Secure messaging on android seems like an oxymoron.

~~~
IshKebab
Why?

~~~
gruez
probably because google play services that's installed on nearly every android
phone.

~~~
IshKebab
How does that make Android insecure?

------
tabletopneedle
"Google Play Services lets Google do silent background updates on apps on your
phone and give them any permission they want. Having Google Play Services on
your phone means your phone is not secure."

Yes, Google can install a backdoored version of Signal. This is bad. But if
you can't take that risk, you can install e.g. LineageOS without Google Apps,
download the source code, reproducibly compile the apk, and install it on your
android. If you have a better idea, maybe it can be implemented.

"A checksum isn’t a signature, by the way - if your government- or workplace-
or abusive-spouse-installed certificate authority gets in the way they can
replace the APK and its checksum with whatever they want."

If they can add a certificate on your smartphone/PC, why can't they replace
Signal with malicious one? Why can't they replace F-Droid? There is no 100%
method to solve this issue, unless perhaps if you can meet with F-Droid
developers, obtain the authentic public key from them to verify the F-Droid
client's signature. Calling SHA256 cryptographic hash a checksum shows slight
dishonesty on your side. The differences in connotations between the words are
significant.

F-Droid doesn't magically solve this problem. The root of trust comes from
another SHA256 hash --
61:DB:51:32:39:47:61:C4:D4:3F:8A:9B:AE:72:B0:2E:B0:8D:F3:B5:ED:F2:92:1C:7B:14:7E:2F:29:30:83:03
-- that authenticates the certificate of f-droid.org.

Or it comes from the hash
F3:33:D2:E7:FA:A3:68:7F:B2:99:3E:6D:F6:9D:EE:1D:DA:77:36:11:DD:CA:B3:3A:B6:79:87:AA:40:56:94:22
that authenticates MIT's PGP key server, which has the signature
verification key for F-Droid clients:
[https://pgp.mit.edu/pks/lookup?search=f-droid&op=index](https://pgp.mit.edu/pks/lookup?search=f-droid&op=index)
All your suggestion does is add a layer or two where we hope the NSA
doesn't compromise them, in case you'd want to use that chain to install and
validate Signal. And even if you personally verify the authenticity of the
public key, you haven't solved the issue of private key exfiltration via
hacking. You need expensive HW like HSMs to even start combatting
exfiltration. And Google can afford those.

"...centralized servers and trademarks."

Of course you can't call a fork with the same or similar name as the original.
You don't want malicious entities to create projects with names like "Signal
Official Client" etc. Having a distinct name helps both the fork and the
original one.

Centralized servers fix a crucial issue, shitty designs that linger forever.
It also fixes the issue of having to deal with backwards compatibility
indefinitely. Moxie can actually see what versions are still deployed, and
push updates to most users. The idea here being, you don't have to support
older protocols (e.g. the group chat had a big issue that was or is currently
being worked on), implement backwards compatibility that risks downgrade
attacks etc.

Let me give you an example. Riot decided to go with stupid, stupid base64
public key fingerprints. What happens here is that the only way to jump to the
smart choice of base10 is if all clients switch at the same time. If one client
shows the fingerprint in a different base, it's not compatible. Sure, you can
add a feature that lets the clients negotiate which fingerprint to use, but then
you need to get that deployed to every client. This happens really slowly, and
it must usually follow the waterfall model, with first deciding about these
things in future revisions of the Matrix protocol. And if you want to know how
that will turn out, take a good look at the OpenPGP research group: since the
SHAppening, they haven't even been able to agree on a new hash function for
fingerprints. And once decided, that hash function will wait for years before
the next revision of the protocol is ready. Then you wait for it to be
implemented in upcoming reference libraries and forks of those. And then you
wait for them to be deployed in clients. Moxie changed all users' fingerprints
from Base16 to Base10 -- my guess -- within a week by pushing the update. The
advantage of agility is obvious.

"But we have to trust that Moxie is running the server software he says he
is."

For content encryption, we absolutely don't have to trust him. For metadata,
yes, we must trust the server runs the version that only collects registration
date and some other minor detail, I forget. If you want to remove metadata,
use Ricochet or Briar. Because Signal isn't lying about being anonymous by
design, the only thing I think we can agree on is that it should be stated
clearly on their front page: "End-to-end encrypted, but not anonymous, we know
your phone number and IP-address, and can see who you talk to, when and how
much".

"We can stop Signal from knowing when we’re talking to each other by using
peer-to-peer chats."

Yes, but that doesn't prevent global passive adversaries from seeing who we
connect to directly. In some authoritarian country, the government could see
Alice and Bob talk to each other. With a centralized design, they only see a
connection to the service providing domain fronting, or a connection to the Signal
server at most. If you really wanted to solve this, you would run Ricochet or
Briar.

Federation is a horrible idea. I trust they are not interested in my metadata
personally. I won't trust the metadata of all my chats to a friend of mine who
runs a personal instance of Signal Server. He watches porn on that same
computer. He downloads Russian game cracks to that computer. He has friends
who are my enemies and vice versa. He has repressed personal grudges, reasons
to fuck me over, or he doesn't have 50M in foundation money (and he'd prefer
$5k over our weekend hang-outs that admittedly are getting boring) or a strong
cypherpunk ideology to prevent corruption. He's a Chinese refugee who has
relatives he loves in political prisons, waiting to hand out their organs to
rich members of the political party, and he's being extorted for my metadata
on his computer. His computer isn't patching itself automatically, so there was
an RCE vulnerability that got him compromised by our common adversary. He
clicked on the wrong link, once. The number of threats is endless.

A federated system doesn't distribute risks across hundreds of operators, it
increases the attack surface tremendously, while dropping the number of
targets the metadata of which is compromised at the moment. But I don't care
about others, I care about the fact my friend doesn't have as good security as
Google and Signal devs. Government agencies are really, really, really, really
good at hacking and the trend is towards mass hacking. Having shitty servers
makes that free because you can use exploits that should already be useless
due to system updates.

"Federation would also open the possibility for bridging the gap with several
other open source secure chat platforms to all talk on the same federated
network -"

Yeah let's talk about that. Currently many Matrix channels lack end-to-end
encryption because there is a backdoor: an IRC-bridge bot that leaks all
conversations to non-end-to-end encrypted environment. Like you said:
"Tradeoffs are necessary - but self-serving tradeoffs are not.", the
possibility of having bots is extremely dangerous. The fact Matrix isn't end-
to-end encrypted by default is horrible. The E2EE is in beta, and the
fingerprint verification in clients suck. For the past three years I've been
complaining about this, every time there is a developer assuring this will be
fixed. This bug should never have existed in the first place. Now the users
have become accustomed to having the possibility of bridges to insecure
systems.

"but those are all really convenient excuses for an argument which allows him
to design systems which serve his own interests."

You should not make such generalized defamatory claims if you want to be taken
seriously. I took this seriously at start but your arguments really lost their
traction. It was another badly thought-out post that didn't show understanding
of design choices and that hurt more than it helped: People might now switch to
less secure Matrix protocol. Or they might even go with unaudited Tox,
designed by non-experts.

~~~
bumholio
I stopped reading after:

 _All your suggestion does is, it adds a layer or two where we hope the NSA
doesn't compromise them in case you'd want to use that chain to install and
validate Signal._

You can't possibly think that compromising the full infrastructure of MIT or
F-Droid, a noisy criminal act with serious repercussions against the
perpetrators, is in any way comparable to a MITM against a suspect.

That's like saying "Ok, North Korea has some small nukes, but if they really
want to get serious about a nuclear attack, they can always penetrate the
White House and steal the nuclear football from under Trump's ass".

------
apeace
TL;DR he doesn’t trust Signal because he doesn’t trust the Android operating
system, and something about federation.

> No doubt these are non-trivial problems to solve. But I have personally been
> involved in open source projects which have collectively solved similarly
> difficult problems a thousand times over with a combined budget on the order
> of tens of thousands of dollars.

Shut up and code then. I’ll personally review your fully decentralized and
secure chat app which nobody uses because it’s not available on any app store.
Let me know when it’s done.

~~~
jMyles
The author expressly endorses Matrix.

~~~
apeace
And which operating system does the author expect people to use Matrix on? The
one he personally wrote and reviews every commit to? Does he expect everyone
to only chat on "trusted" open-source desktop operating systems and not their
phones?

The F-Droid argument is a really empty one. Packages are cryptographically
signed? Are you verifying those signatures? In an article about "trust", can
you explain how exactly you trust F-Droid packages and not Google Play ones?

What about iOS?

The whole article is extremely vapid and lacks any compelling argument. Signal
has introduced state-of-the-art encryption to millions of people in an
accessible way.

The author goes on to poke fun at the animated GIF feature of Signal as if it
is a waste of time compared to working on an F-Droid distribution, but
neglects to address five of the seven points written by Moxie (which he links
to) about why they chose not to do that.

~~~
jhasse
> In an article about "trust", can you explain how exactly you trust F-Droid
> packages and not Google Play ones?

It's easier for Google to manipulate a package on Google Play than on F-Droid.

> Signal has introduced state-of-the-art encryption to millions of people in
> an accessible way.

WhatsApp has done that to even more people, so what's the point of Signal?

~~~
lorenzhs
> It's easier for Google to manipulate a package on Google Play than on
> F-Droid.

That's not how Android app signing works. It's a "trust on first use" model,
so once you install an app, any update must be signed by the same key or the
system will refuse to install it. That key is held by Signal, not Google, so
Google cannot sign updates to apps.

> WhatsApp has done that to even more people, so what's the point of Signal?

You know who implemented the end-to-end encryption in WhatsApp? The people
behind Signal. But compared to Signal, WhatsApp provides a lot more metadata
to the server, and it's owned by Facebook, a company not commonly associated
with guarding your privacy. Both have their pros and cons, and both have
legitimate reasons to exist.
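Two of the points made above, tabletopneedle's that a published SHA-256 is not a signature and lorenzhs's that Android pins the signer of the first install and refuses updates from any other key, as one added Go example. This is not code from the page, from Android's package manager or from Signal; the `Device` type, the package name and the APK byte strings are constructed for the demonstration, and Ed25519 stands in for whatever scheme a real app store uses.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device models, hypothetically and not as Android's real package manager,
// the trust-on-first-use rule: the signing key of the first install is pinned
// per package, and every later update must be signed by that same key.
type Device struct {
	pinned map[string]ed25519.PublicKey
}

func NewDevice() *Device {
	return &Device{pinned: map[string]ed25519.PublicKey{}}
}

// Install verifies the signature carried with the APK under the key carried
// with it, and for an update compares that key with the pinned one. On a
// fresh device the first install is accepted from any key: TOFU protects
// updates, not the initial download.
func (d *Device) Install(pkg string, apk []byte, signer ed25519.PublicKey, sig []byte) error {
	if !ed25519.Verify(signer, apk, sig) {
		return errors.New("signature does not verify over these bytes")
	}
	if prev, ok := d.pinned[pkg]; ok && !bytes.Equal(prev, signer) {
		return errors.New("update signed by a different key than the installed app")
	}
	d.pinned[pkg] = signer
	return nil
}

// HashCheck is the "compare the download's SHA-256 with the digest on the
// web page" procedure. It proves only that the file matches the digest that
// arrived alongside it.
func HashCheck(apk []byte, publishedHex string) bool {
	sum := sha256.Sum256(apk)
	return hex.EncodeToString(sum[:]) == publishedHex
}

// Outcome records what each check decides against an in-path attacker who
// can rewrite both the APK download and the page carrying its digest, but
// holds only their own signing key, never the developer's.
type Outcome struct {
	HashCheckPassesTampered bool // digest check fooled by an attacker-supplied digest
	GenuineSigOverTampered  bool // developer's signature re-used over modified bytes
	TamperedUpdateAccepted  bool // attacker-signed update over an existing install
	GenuineUpdateAccepted   bool // developer-signed update over an existing install
	TamperedFirstInstallOK  bool // attacker-signed first install on a fresh device
}

func RunInstallScenario() (Outcome, error) {
	var out Outcome
	devPub, devPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	attPub, attPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	const pkg = "org.example.messenger" // constructed package name
	v1 := []byte("constructed APK bytes, version 1")
	v2 := []byte("constructed APK bytes, version 2")
	tampered := []byte("constructed APK bytes, version 2, plus backdoor")

	// The attacker serves the tampered file and a digest computed over it.
	attDigest := sha256.Sum256(tampered)
	out.HashCheckPassesTampered = HashCheck(tampered, hex.EncodeToString(attDigest[:]))

	// The developer's signature over v2 does not transfer to other bytes.
	out.GenuineSigOverTampered = ed25519.Verify(devPub, tampered, ed25519.Sign(devPriv, v2))

	d := NewDevice()
	if err := d.Install(pkg, v1, devPub, ed25519.Sign(devPriv, v1)); err != nil {
		return out, err
	}
	out.TamperedUpdateAccepted = d.Install(pkg, tampered, attPub, ed25519.Sign(attPriv, tampered)) == nil
	out.GenuineUpdateAccepted = d.Install(pkg, v2, devPub, ed25519.Sign(devPriv, v2)) == nil

	fresh := NewDevice()
	out.TamperedFirstInstallOK = fresh.Install(pkg, tampered, attPub, ed25519.Sign(attPriv, tampered)) == nil
	return out, nil
}

func main() {
	out, err := RunInstallScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The digest check passes for the backdoored file because the attacker who can rewrite the download can rewrite the digest next to it; the pinned-signer check rejects the same file because the attacker cannot produce the developer's signature. The last field is the caveat: the pin is only as good as the first install, which is exactly the step the download-and-checksum procedure is supposed to protect.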

~~~
jhasse
> That's not how Android app signing works.

Google has root, so it can change how app signing works at any time.

> Both have their pros and cons, and both have legitimate reasons to exist.

It just looks to me like whenever someone mentions a pro point of Signal, it's
something where WhatsApp shines even more (e.g. "brings end-to-end encryption
to the masses", "it's available on the App stores", "better iOS support than
something like Tox", ...).

~~~
lorenzhs
> Google has root, so it can change how app signing works at any time.

This argument boils down to "what if the government compels Google to infect
your phone with spyware", and it's already been established elsewhere in this
thread that using a smartphone for sensitive communication might not be the
best idea if the NSA is after you.

Regarding advantages of Signal over WhatsApp, I just gave you one in the
message you replied to. WhatsApp provides a lot of metadata to their servers
(this is necessary for some of their features, like group invite links). And
while end-to-end encryption protects the contents of your messages, Facebook
can still observe when and how much you chat with whom.

Some further advantages off the top of my hat: Signal has reproducible builds
(on Android), the Desktop client works when your phone is off. They're also
working on private contact discovery (I don't know how far this has
progressed): [https://signal.org/blog/private-contact-discovery/](https://signal.org/blog/private-contact-discovery/)

------
topkeks
[https://twitter.com/matthew_d_green/status/10275665785592709...](https://twitter.com/matthew_d_green/status/1027566578559270912)

------
madeuptempacct
Is there a preference of Telegram over Signal or vice versa?

~~~
r3bl
Telegram doesn't have end-to-end encryption by default (only in secret chats).

That's all you need to understand to know that it's an inferior product in
comparison to Signal.

~~~
ethagnawl
Telegram's encryption algorithm is also homebrewed.

[https://gizmodo.com/why-you-should-stop-using-telegram-right...](https://gizmodo.com/why-you-should-stop-using-telegram-right-now-1782557415)

------
auslander
Google, APK ... if you're concerned about security, you would use Apple iOS
only.

~~~
jhasse
Apple has root access to every device just like Google has to Android phones
running Google Play Services.

~~~
auslander
Security wise, Apple iOS is superior in any possible aspect to Android.
Forensics people never complain how hard it is to do Android, never :)

~~~
jhasse
> Security wise, Apple iOS is superior in any possible aspect to Android.

One aspect where Android is superior is that more of it is open-source.

~~~
auslander
"Google Play Services is a _proprietary_ background service and API package
for Android devices from Google" [0] - I don't know a phone running pure AOSP
without any proprietary code.

[0] en.wikipedia.org/wiki/Google_Play_Services

~~~
jhasse
> more of it

not all of it

------
chinathrow
[] deleted

~~~
thinkling
[https://en.wikipedia.org/wiki/Moxie_Marlinspike](https://en.wikipedia.org/wiki/Moxie_Marlinspike)

------
oyebenny
Does Signal work in foreign countries? Like South America & Middle East for
example.

------
syngrog66
Signal immediately asks for your phone number. Dead giveaway that they are not
about privacy. So I assumed it's a honey trap.

------
vectorEQ
most of these services aren't allowed to grow (i.e. not heavily invested in by
the people with actual money) if they don't have some form of data mining or
things like 'oops we facilitated key generation and kept all the keys' etc.

If you want to securely communicate, either be smart about it outside of the
app you chose. (encrypted or encoded with your own keys / tools where an app
is just a medium of transfer) or create your own secure channels (not too
difficult these days with good vetted open source implementations of crypto on
multiple platforms...)

I would say anyone who fully trusts any of these apps, and is worried about
their privacy, is contradicting their worries with their behaviour.

just google 'signal vulnerabilities' or that for any other of these apps...
even if they have some good form of architecture it's riddled with bugs...
people can access your data. live with it, avoid it, or make the actual data
incomprehensible for any 'eve' yourself instead of trusting another to do it
for you.

------
alexnewman
Want to lose all faith in signal, try filing a bug fix as a pull request

- It probably will be ignored forever or shouted down
- wanna notify the mailing list? Guess what, you have to join rise up! Aka if
  you wanna file a patch to signal I hope you are ok with joining an
  "anarchist" mailing list
- Then when you are approved to make noises on the mailing list, it still gets
  ignored, no explanation

1 year later I removed the obvious bugs in the base64 implementation of signal

------
daxorid
OWS's staunch refusal to permit anything other than phone numbers as
identifiers should tell you everything you need to know about Signal.

It is an _authenticated, nonrepudiable_ communications platform using
identifiers that are very difficult (possible, yes, but most people will get
it wrong) to comprehensively anonymize.

The ability to present nonrepudiable communications to a judge is precisely
the wet dream of law enforcement officers, ambitious prosecutors, and despotic
regimes everywhere. All they need to do is flip the people you're
communicating with, and you're done.
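The property the comment above turns on is whether a recipient who has been "flipped" can prove to a third party who wrote a message. The added Go example below is not code from the page or from Signal and does not assert which design any real messenger uses; it contrasts the two authenticator designs that decide the question: a signature under the sender's private key, and a MAC under a key both parties hold. Alice, Bob, the judge and the message texts are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Message is one transcript entry: sender, text and whatever authenticator
// the chosen design attaches to it.
type Message struct {
	From string
	Text string
	Auth []byte // signature or MAC tag
}

// Signature design: only the holder of the private key can produce Auth, so
// the recipient can hand the entry and the sender's public key to anyone.
func SignMessage(from string, priv ed25519.PrivateKey, text string) Message {
	return Message{From: from, Text: text, Auth: ed25519.Sign(priv, []byte(from+"\x00"+text))}
}

func VerifySigned(pub ed25519.PublicKey, m Message) bool {
	return ed25519.Verify(pub, []byte(m.From+"\x00"+m.Text), m.Auth)
}

// MAC design: Auth is an HMAC under a key both parties hold, so either of
// them could have produced any given entry.
func MacMessage(from string, shared []byte, text string) Message {
	mac := hmac.New(sha256.New, shared)
	mac.Write([]byte(from + "\x00" + text))
	return Message{From: from, Text: text, Auth: mac.Sum(nil)}
}

func VerifyMac(shared []byte, m Message) bool {
	mac := hmac.New(sha256.New, shared)
	mac.Write([]byte(m.From + "\x00" + m.Text))
	return hmac.Equal(mac.Sum(nil), m.Auth)
}

// Verdict is what a third party concludes when Bob hands over his transcript
// plus the verification material, for two entries attributed to Alice: one
// she really sent and one Bob fabricated afterwards.
type Verdict struct {
	SignedGenuineVerifies bool
	SignedForgeryVerifies bool
	MacGenuineVerifies    bool
	MacForgeryVerifies    bool
}

func RunDeniabilityScenario() (Verdict, error) {
	var v Verdict
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return v, err
	}
	_, bobPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return v, err
	}
	shared := make([]byte, 32) // constructed session key held by both Alice and Bob
	if _, err := rand.Read(shared); err != nil {
		return v, err
	}

	genuine := "meet at 9"   // Alice actually sent this
	fabricated := "I did it" // Alice never sent this

	// Signature design: Bob has no key that verifies as Alice's.
	v.SignedGenuineVerifies = VerifySigned(alicePub, SignMessage("alice", alicePriv, genuine))
	v.SignedForgeryVerifies = VerifySigned(alicePub, SignMessage("alice", bobPriv, fabricated))

	// MAC design: Bob holds the same key Alice used, so his fabrication
	// carries a tag indistinguishable from hers.
	v.MacGenuineVerifies = VerifyMac(shared, MacMessage("alice", shared, genuine))
	v.MacForgeryVerifies = VerifyMac(shared, MacMessage("alice", shared, fabricated))
	return v, nil
}

func main() {
	v, err := RunDeniabilityScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", v)
}
```

Under the signature design the judge can tell the real entry from Bob's forgery, so the transcript is evidence against Alice; under the MAC design both entries verify and the transcript proves nothing about authorship beyond "one of the two key holders". Which property a messenger has is a protocol design choice, independent of whether the server is centralized, federated or peer-to-peer.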

------
4684499
Seriously, if Signal becomes decentralized and doesn't require a phone number
to use, I'd switch to it without hesitation. Call me a lunatic or whatever; all
the court-related news and security analyses only make me feel Signal is just
another honey trap or will become one eventually, because none of these
positive reviews solves the trust issues that existed long ago. There are better
models out there, they just don't want to apply them, I can't stop asking why.
You'd think they'd re-consider the options after so many users expressed their
concerns, or at least provide multiple choices, but no, it's been years, nothing
has changed.

I'd keep using Riot until then, even if it's less secure and less user friendly,
but it's good enough for me.

