[godelski]

I'm not convinced. The bug is rare and requires a specific set of circumstances that not many people are going to perform. That is not an argument to collect metrics, or in other words, change the entire paradigm of Signal (no collection of Metadata). It does propose an argument for more audits, more eyes, and more care. But we do not expect Signal to be perfect, as no software is. Systematic failure, on the other hand, creates worry about Signal. But not individual.

[rvz]

> I'm not convinced. The bug is rare and requires a specific set of circumstances that not many people are going to perform.

I don't think you would say the exact same thing if this happened to closed-source apps like WhatsApp or Discord and open-source apps like Telegram or Element. All of these apps have funding behind them and lots of resources to urgently address security issues when reported or discovered.

The same goes for Signal and they knew about this issue and left this open and unfixed for months. They have $60M in funding, fully open-source, full time engineers working on it and the priority was a secret cryptocurrency project over a critical security issue.

No matter how 'rare' the bug was is pointless. There is no excuse for not prioritising for critical security issues and leaving them unfixed for months as these issues risk ruining their main selling point on privacy and security.

> It does propose an argument for more audits, more eyes, and more care.

Yet despite having a string of audits, it seems the priority for Signal was 'cryptocurrencies' last year and creating a new coin to be listed on an exchange for that purpose, instead of fixing this 7 month old critical issue that they knew about.

[godelski]

> I don't think you would say the exact same thing if this happened to closed-source apps like WhatsApp or Discord

You're right. Because I judge a project backed by a company worth hundreds of billions of dollars and with hundreds of developers differently than I judge a company with a few tens of millions and only a dozen developers. I'm not sure why any sane person would judge these with the same metric. 15 devs just can't do what 1500 can. I'm not sure why you think differently.

[rvz]

> Because I judge a project backed by a company worth hundreds of billions of dollars and with hundreds of developers differently than I judge a company with a few tens of millions and only a dozen developers.

Any project that can at least afford a string of external audits and proudly advertises on multiple claims of high quality security and privacy should be held to very high standards, especially if they are serious projects in security and privacy and are not toy or pet projects.

Hence this, I would expect all Signal engineers to be the best in their field and qualified in both of these standards to justify the compensation price and uphold these claims for Signal. The same goes for any serious secure messaging platform prioritising security and privacy.

The harsh reality is that serious projects and competitors with bold claims of security and privacy all get treated the same. No exceptions or passes. Otherwise it can't be considered a serious project or even recommended to users if they don't prioritise and fix critical issues urgently.

> I'm not sure why any sane person would judge these with the same metric.

So you're telling me that Telegram or Element are able to prioritise urgent and critical security issues much better than Signal could? Signal is a serious messaging app going with its bold claims of high quality security and privacy isn't it?

[godelski]

> So you're telling me that Telegram or Element are able to prioritise urgent and critical security issues much better than Signal could?

No, I'd say it is about the same actually. Telegram has a lot of hacks but HN doesn't throw a fit. Lot more serious ones too. Signal never had an issue with leaking someone's physical location to any user (read: "not a rare set of circumstances needed to reproduce"). Besides, Telegram still isn't e2e by default, doesn't have e2e groups, and has no security audits. I'm not sure why this is in the same category as Signal. As for Matrix, well it only recently enabled e2e. But the project is very small. Just because you don't know of a bug doesn't mean one doesn't exist. There's an old saying: "There's two types of software. Those with bugs and those that nobody uses." (read: "all software has bugs")

[rvz]

> Telegram has a lot of hacks but HN doesn't throw a fit.

It had the attention of HN. They seem to care about both Telegram and Signal's flaws. Just like you highlighting the 'security issues' in Telegram, there is no escape of highlighting Signal's 'security issues' and security researchers will do exactly the same. Once again, there are no exceptions.

> Besides, Telegram still isn't e2e by default, doesn't have e2e groups, and has no security audits. I'm not sure why this is in the same category as Signal.

I expect better from a 'secure alternative' that claims to be focusing on 'privacy and security' and that also proudly shows its list of security audits. Despite all of that, they introduce their own cryptocurrency coin just to get it listed on an exchange and used in Signal, Similar to Telegram's own cryptocurrency venture which failed. [0] Combine that with the security issues in this post which one of them taking half a year to fix and still using a phone number to login, it is no different to Telegram. They still haven't even fixed this serious security issue either. [1]

The worst part of all of this is their prioritisation on addressing these issues and went in favour of creating a cryptocurrency coin just like Telegram, which most likely explains the 7 months to address that security issue. At this point, their claim of upholding privacy and security is already damaged by all of the above.

[0] https://www.theverge.com/2018/5/2/17312046/telegram-initial-...

[1] https://github.com/signalapp/Signal-Android/issues/10247#iss...