It's been like this for a while, and the project owner's attitude is pretty negative overall. I do use signal daily, but I believe it's likely compromised ala lavabit.
I thought they were never compromised? They shut down rather than comply with the order
>The service suspended its operations on August 8, 2013 after the U.S. Federal Government ordered it to turn over its Secure Sockets Layer (SSL) private keys, in order to allow the government to spy on Edward Snowden's email
Lavabit was never compromised, I'm saying that Signal may have been compromised by the feds, instead of choosing to shut down. Feds may have learned their lesson and not provided an option this time.
The chance that a small nonprofit with so much traffic is not leaking/providing data to the feds is astronomically slim imho, there are so many actors who would love to there hands on it. Maybe it thwarts some inteligance services but not those with unlimited resources.
I would point you towards Stuxnet and take a look at how sofisticated a state level attack can be and the fact that today Iran still can not keep us (America/Israel) out of it's centrifuges. Everything you type online is being stored by multiple actors, to think they can't access a small company with limited resources is wishful thinking. If no one in Signal's 180 employees is working for the feds I would be embarrassed to be an American.
List of phone numbers? Pairs of communication partners? Timing and size of messages? Metadata about transferred media? There is still a lot, sufficient for targeting a drone strike as the usual wisdom goes.
Signal doesn’t store lists of phone governments have lists of phone numbers. Comunication partners are hidden from the server using Sealed Sender for many conversations.
The rest of this could possibly be obtained, it it wouldn’t require a patch to the server as message sizes and timestamps likely appear on disk somewhere. Though the data is encrypted, you could tell “x received a message from some party (sealed sender prevents knowing who) at y time of roughly z size”.
Signal still uses and verifies phone numbers, so at some point they will pass through their infrastructure. They could still save them, knowing the source code they use gives at least at hint that they don't.
Sealed sender also is based on the pinky-swear that the infrastructure distributing the sender auth certificates doesn't correlate identities and connections with the messaging infrastructure. And that the server receiving the enveloped messages doesn't log. So all based on trust based on believing the right source code is running somewhere.
When access to that source code is restricted suddenly, of course people are worried.
Signal claims to specially protect some of that data, such claims need verification. Storing or not storing that data needs verification, without the trust that they do what they say they are no better than their competition. Trust is earned e.g. by openness about the source code. And that a server backdoor isn't strictly necessary is also beside the point because the server is the easiest and most obvious way to get at all that data.
Also, there is competition like Briar which has less of those pesky metadata problems (but some other problems instead)
I don't recall Signal ever having made implausible claims about traffic analytic attacks. I also don't buy into the idea that platforms are as trustworthy as their source release policies are orthodox.
Being able to hide from a government that wants to drone you while still being in the cellphone network requires much much much more OPSEC than just using Signal. For an average user Signal is about protecting the content of your messages, not your network, and it's good at that.
"No one" is a bit harsh; I even helped a poster in r/Signal set up a CircleCI build for the repo in order to show that it's not oppressively hard, just tedious (as with all things CI/CD)
The Signal android build now uses some PKCS11 machinery that requires patching out to build without using a smartcard, but otherwise it works as expected.
I dove into this darkness while trying to fix the borked MMS handling on Visible (a Verizon MVNO), and is the reason I'm generally with you: if someone can't build the project, then it's not effectively open source, IMHO, because I lose my "right to repair"
By this standard, there is practically nothing that qualifies as open source. Compile something yourself? Well can you really trust your compiler unless you compiled it? How do you compile your compiler without a compiler? Obviously this is possible but no one does it; therefore no software is truly open source.
I disagree that these are on the same level - compiling something yourself, or having something compiled by ie the Arch Linux maintainers requires a number of people to comply.
The app store is a single point of failure with huge reach.
But despite best efforts by the community to verify builds, Google and Apple can be forced to upload a malicious app to a particular user, meaning they aren't using the same app at all.
> But despite best efforts by the community to verify builds, Google and Apple can be forced to upload a malicious app to a particular user, meaning they aren't using the same app at all.
Hi there! Signal-Android developer here. App signing verification is done at the OS-level, and Google does not have our signing key, so they wouldn't be able to give an existing user a different APK and have it successfully install.
>The service suspended its operations on August 8, 2013 after the U.S. Federal Government ordered it to turn over its Secure Sockets Layer (SSL) private keys, in order to allow the government to spy on Edward Snowden's email