[p0ppe]

Why didn't Google just develop this in house? It almost feels like they're admitting to having no credibility on privacy without an external partner.

[bad_user]

That's nonsense. In-house proprietary encryption is not peer reviewed and untrustworthy by definition and if you're going to work in the open, especially for a new proprietary chat app, it makes better sense to build on an open platform that's already proven and is handled by people that really know their stuff. More secure and probably cheaper as well.

[nxzero]

Being open source or closed source doesn't make code more secure. What make code more secure is making it more secure. Have you audited the code?

[hobarrera]

Open vs closed sources makes a difference in how much I TRUST its security level, not security itself.

[qutebird]

It is possible for anyone to audit open source software though, unlike proprietary software.

[zmanian]

The Signal protocol is for all intents asymptote the state of the art in the design of a secure messaging protocol. There doesn't seem to be any meaningful improvements to the design without changing the requirements.

New requirements might be

- Post Quantum forward secrecy

- Groups messaging with transcript verification

- Security weakness in x25519 or AES-CBC-HMAC or SHA256 primitives.

If you don't have any new requirements, crypto protocol developer time is a scarce resource. Why reinvent the state of the art?

[street]

The only reason I (somewhat) trust the encryption in Whatsapp is that it came from OpenWhisperSystems. For Allo, I imagine I'd feel the same.

Some of the value is in signalling to your users.

[dharma1]

Why bother if there is a ready solution, that's already got the trust of other market leaders?

[ocdtrekkie]

I'd distinctly trust it more because Google didn't create it.