Hacker News
by zedred 3354 days ago
I was hopeful at first. A large VC-funded company with a big full-time team should run circles around a small open source effort, but their security is still way behind Signal. I was also quickly put off by their "less than honest" marketing.

Could you share details on "security is still way behind Signal"?

Edit: found previous discussion, https://news.ycombinator.com/item?id=13132157

I haven't directly explored the source for either in a little while, so I should take a new look. I might be a little out of date, but the things that I have seen secondhand recently confirmed my earlier conclusions.

Like I recently saw an announcement from Wire that calls are now secure, but they had been advertising them as secure all along! I had even spent time looking through the code but didn't know that calls weren't authenticated. Now are they really secure? I don't know, they said that before too, and the source is so hard to follow. Then I saw a post that showed they weren't even doing cert pinning, which is so basic.

I wanted to like it, but the more I looked the more I felt like "security" was just sprinkled on as an afterthought.

Did you see that they implemented CBR for audio calls and submitted patches to both Signal and WebRTC?

https://medium.com/@wireapp/call-security-constant-bit-rate-...

In 2017... CBR has been a thing in secure calling apps for ~5 years now.
Can you recommend some iOS/Android apps which support CBR?
Silent Phone is both Android and iOS compatible, and we have used CBR codecs since we launched (in 2012).
Care to name one?
Silent Phone (disclosure: I am an employee)