Security isn't TRUE/FALSE. Signal is more secure than other products like Telegram. There are a lot of things it could add to increase its security. But it's pretty damn good and that it doesn't do things that would make it better doesn't change the fact that it's damn good.
> All it seems like you're trying to do is distract from these glaring issues.
I take issue with listing "automatic software updates without user consent" as a list item in criticisms about Signal because "automatic software updates without user interaction" are a damn good idea for the threat models that take most computer crime into account. Even the paranoid (I don't use this term lightly) models can be mitigated by a well-implemented secure update infrastructure.
What would you rather have?
- Activists being pwned by 1day vulnerabilities
- The patch being applied automatically as soon as it's available
This is a criticism of words you said, not some attempt to distract from "these glaring issues".
WordPress, which powers 26% of websites on the Internet, doesn't even cryptographically sign its updates. If you pwn their update server, you've got a backdoor into millions of websites. The Mirai botnet? Child's play in comparison.
That's a glaring issue.
> If OWS was legitimately interested in security and anonymity, they wouldn't be including proprietary components and shutting down other open source projects that take matters into their own hands.
So says your ideology.
If OWS wasn't legitimately interested in security and anonymity, why would they publish their protocols as open specifications that anyone can use to develop their own protocols and apps?
Go on, take their papers and build an app that doesn't do all the things you disagree with.
Fork their project (it's GPL; you can fork it!), remove all Signal trademarks and branding, and release your own GPL app that doesn't rely on proprietary components. Make your app/protocol federated. If you do these things, there's literally nothing OWS can do to "shut down" your project.
Don't bother worrying about integrating with Signal users or using Signal servers. Do a better job and convince people to use your fork instead.
https://paragonie.com/blog/2016/10/guide-automatic-security-...