by fr2null 1900 days ago
I don't think it does, at least not for the security reasons you name.

If you are self-hosting a server, you may not have the latest and greatest features, but all the code you are running is open-source, so no sneaky backdoors (well, no more sneaky backdoors than the ones in the open source code).

If you are not self-hosting, then it really doesn't matter if the server source code is open or not. There is not a single guarantee that they are actually running that code on their server.

(For client code this is a different story of course, but we're talking about server source code)


In a strict sense, you are completely right. But nonetheless people are recommending Signal because the client implementation looks good and is somewhat verifiable (absent appstore evilness and ignoring the lag between update and verification). The server implementation however is only based on trust in the people running the servers. And there, openness about the code at least gives a few hints about what is going on there, enabling me to trust at least a little more than not-at-all.
> The server implementation however is only based on trust in the people running the servers.

They literally chose a zero server trust model when designing the protocol. NSA could be running modified Signal servers and it wouldn't make a difference. Your messages would still be safe since all the magic happens on the clients. The servers just route the encrypted data, it's all just 1's and 0's to them.

> And there, openness about the code at least gives a few hints about what is going on there, enabling me to trust at least a little more than not-at-all.

Do we even know if Signal was running updated server code in production? Maybe they have been running the same code that was on GitHub this whole time.

> Your messages would still be safe

Only the message contents. Everything else, like time, identities and communication networks, is still at risk. What you are saying is very misleading since you completely neglect to mention the importance of all that non-content metadata.
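The two points above (an untrusted relay cannot read end-to-end encrypted contents, yet it still sees who talks to whom, when, and how much) can be shown side by side in a small simulation. The following is an added illustration written for this thread; it is not Signal's code and not code posted by any commenter. It assumes Alice and Bob already share a key the server never saw (Signal establishes such keys on the clients; here `SHARED_KEY` is simply a constructed constant), and it uses an HMAC-SHA256 keystream with encrypt-then-MAC as a stand-in for the real protocol's cipher. The names `alice`, `bob`, the timestamps and the message texts are constructed sample data.

```python
import hmac
import hashlib
import secrets
from collections import Counter

# Constructed stand-in for a key the two clients agreed on out of band.
# The relay server never receives it.
SHARED_KEY = bytes(range(32))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as an illustrative PRF keystream (not Signal's cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the shared key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC on the client: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; raises ValueError on a wrong key or tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class RelayServer:
    """An untrusted relay: it forwards opaque blobs and records only what it can observe."""

    def __init__(self):
        self.log = []          # metadata the server sees for every envelope
        self.mailboxes = {}    # recipient -> list of (sender, blob)

    def relay(self, sender: str, recipient: str, ts: int, blob: bytes) -> None:
        self.log.append({"from": sender, "to": recipient, "ts": ts, "size": len(blob)})
        self.mailboxes.setdefault(recipient, []).append((sender, blob))

    def communication_graph(self) -> Counter:
        """Who-talks-to-whom counts, built purely from envelope metadata."""
        return Counter((e["from"], e["to"]) for e in self.log)

    def can_read(self, blob: bytes) -> bool:
        """The server has no shared key; a guessed key fails authentication."""
        try:
            open_sealed(secrets.token_bytes(32), blob)
            return True
        except ValueError:
            return False


def run_demo() -> dict:
    """Alice and Bob exchange three messages through a relay; report both views."""
    server = RelayServer()
    # Constructed timestamps (seconds) and messages.
    server.relay("alice", "bob", 1000, seal(SHARED_KEY, b"meet at 9"))
    server.relay("bob", "alice", 1030, seal(SHARED_KEY, b"ok"))
    server.relay("alice", "bob", 1045, seal(SHARED_KEY, b"bring the documents"))

    first_sender, first_blob = server.mailboxes["bob"][0]
    bob_reads = open_sealed(SHARED_KEY, first_blob)

    # Flip one ciphertext byte in transit: the recipient's MAC check must reject it.
    tampered = bytearray(first_blob)
    tampered[20] ^= 0x01
    try:
        open_sealed(SHARED_KEY, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "bob_reads": bob_reads,
        "server_can_read": server.can_read(first_blob),
        "graph": server.communication_graph(),
        "metadata": server.log,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    result = run_demo()
    print("recipient decrypts:", result["bob_reads"])
    print("server can read contents:", result["server_can_read"])
    print("server still learns:", result["graph"], result["metadata"])
```

Running it prints the decrypted text on Bob's side, `False` for the server's attempt, and then the relay's log: sender, recipient, timestamp and ciphertext length for every message, plus the derived contact graph. That log is exactly the metadata the last comment is talking about; the content protection and the metadata exposure are both true at the same time.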