
What's more frustrating is the security absolutist mindset that seems too common in these sorts of discussions, where meaningful improvements in security are derided as useless because they don't solve every single problem in every scenario. Or worse, because they don't satisfy a particular ideological view of how computing should work, whether or not that truly impacts security.

Is running Signal on an iPhone going to stop the Mossad from Mossading your chats if they want to? Probably not, but then neither will exclusively communicating using some fully open source cellphone with full root access that doesn't actually exist. The benefit of Signal on an iPhone is that people will actually use that and it will help against a lot of things that aren't the Mossad pulling out all the stops coming after you personally.

Honestly a lot of security discourse feels like calling airbags and seat belts useless because they won't help if you drive head on into a bullet train. Let's have a discussion about limitations and paths to improvement, absolutely. But ignoring "better" because it's not "perfect" is rarely a good strategy.




> But ignoring "better" because it's not "perfect" is rarely a good strategy.

But "better" it is not. When the attacker controls the CA and your OS there is nothing "better".

These days the Web Browser and the apps happily sending telemetry over the internet are the main entry point for an attacker. And yet we see statements like "if you use E2EE you are secure".


> But "better" it is not.

It is better against many attackers. Just not the ones you choose to consider.

There is no such thing as "if you do this you are secure", it depends on your threat model.



