Hacker News new | ask | show | jobs
by cassianoleal 1980 days ago
Assuming you have:

- read the source code and are satisfied that it's secure

- compiled that version of the code

- installed it on your mobile or desktop

You're still only as secure as the client on the other side of the conversation.

If that one is compromised (has not gone throught the steps above) it could very well be sending all messages in clear text to a malicious party.

Edit: formatting
2 comments
jolmg 1980 days ago
Ok, sure. But what do you propose? It's still a much better situation than what we have with Whatsapp. Is there something that the Signal Foundation could do to alleviate that concern you have? There's no technical solution in any technology for preventing the other side being compromised, as far as I can see.
link
cassianoleal 1980 days ago
At present I'm choosing to trust Signal.

That doesn't mean I blindly trust them, only that despite seeing potential for abuse I judge that they have more incentive to be telling the truth than not.

Also check the comment by user faitswulff where they mention how they have been subpoenaed "and could only supply account creation time and last connection time".

link
HengYeDev 1979 days ago
Matrix since you can self-host and have control while still being able to communicate to other people on it through federation
link
jolmg 1979 days ago
>>> You're still only as secure as the client on the other side of the conversation. If that one is compromised ... it could very well be sending all messages in clear text to a malicious party.

>> There's no technical solution in any technology for preventing the other side being compromised, as far as I can see.

I don't know Matrix, but I can guarantee that it doesn't solve the problem of a compromised client obtaining the messages willingly sent to it.

link
Enginerrrd 1980 days ago
Yeah and since you have the possibility of dealing with state actors with deep pockets, you have to wonder if Android or iOS doesn't have the ability to copy your private keys and send those off somewhere for storage. Because of signal's popularity, it feels pretty possible to me.

If the NSA did have it backdoored somehow through the OS, it's a good bet they'd force LE agencies to use parallel construction to keep that information top secret.

That is why we really need open source hardware and OS's. A good (or even functional) open linux phone can't come fast enough.

link
bigiain 1979 days ago
If your adversary is state actors with deep pockets or the NSA, you've lost already. No amount of opsec cosplay is going to save you.

Your solution?

* Magical amulets?

* Fake your own death, move into a submarine?

* YOU’RE STILL GONNA BE MOSSAD’ED UPON

https://www.usenix.org/system/files/1401_08-12_mickens.pdf

link
acct776 1979 days ago
AOSP (Vanilla, GrapheneOS, CalyxOS) doesn't have this capability.

The Google Play Services app/package? Heh...

link