Hacker News new | past | comments | ask | show | jobs | submit login

That was addressed by the third section, under "targeted attacks":

https://paragonie.com/blog/2016/10/guide-automatic-security-...




And yet Signal doesn't have the capability to do what the article describes in that section.


That sounds like a really good technical discussion to have with the OWS team.

https://github.com/WhisperSystems/Signal-Android/issues


[flagged]


> So you admit that Signal is insecure by design.

No, I would not say it like that.

Security isn't TRUE/FALSE. Signal is more secure than other products like Telegram. There are a lot of things it could add to increase its security. But it's pretty damn good and that it doesn't do things that would make it better doesn't change the fact that it's damn good.

> All it seems like you're trying to do is distract from these glaring issues.

I take issue with listing "automatic software updates without user consent" as a list item in criticisms about Signal because "automatic software updates without user interaction" are a damn good idea for the threat models that take most computer crime into account. Even the paranoid (I don't use this term lightly) models can be mitigated by a well implemented secure update infrastructure.

What would you rather have?

  - Activists being pwned by 1day vulnerabilities
  - The patch being applied automatically as soon as it's available
This is a criticism of words you said, not some attempt to distract from "these glaring issues".

WordPress, which powers 26% of websites on the Internet, doesn't even cryptographically sign its updates. If you pwn their update server, you've got a backdoor into millions of websites. The Mirai botnet? Child's play in comparison.

That's a glaring issue.

> If OWS was legitimately interested in security and anonymity, they wouldn't be including proprietary components and shutting down other open source projects that take matters into their own hands.

So says your ideology.

If OWS wasn't legitimately interested in security and anonymity, why would they publish their protocols as open specifications that anyone can use to develop their own protocols and apps?

Go on, take their papers and build an app that doesn't do all the things you disagree with.

Fork their project (It's GPL; you can fork it!), remove all Signal trademarks and branding, and release your own GPL app that doesn't rely on proprietary components. Make your app/protocol federated. If you do these things, there's literally nothing OWS can do to "shut down" your project.

Don't bother worrying about integrating with Signal users or using Signal servers. Do a better job and convince people to use your fork instead.

What's stopping you?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: