The point of Signal is supposed to be that to the best of our knowledge, even if all its packets are run through FSB and NSA, and even if they captured all Signal employees at once and somehow forced them all to cooperate, your messages should still be safe until they manage to push an app update that compromises the app.
Of course this only helps as long as your device isn't backdoored but that is true for any app.
(I say this as someone who regularly defend Telegram here, because in my opinion I don't have to pick one or another.)
many argue that silicon valley firms are de facto extension of the US government [1]. a swiss army knife (haha) in their toolkit that allows complete control over the flow of information. i mean seriously, just look at how fast the Crypto AG story was forgotten. only this Dutch article [1] and a handful of others properly dives into the profound impacts that the CIA backdoored Crypto AG devices likely had on world events in the past 50 years. [2]
so yeah if SV firms were not extensions of the US govt. (hardware firms too, not just software), they would have already been broken up years ago.
the senate hearings are just a charade used to stroke the ego's of the 'visionary' SV tech bro CEOs. they also show us how tech illiterate the working class has been made. [2]
Gee, thanks for contributing to the conversation and providing a useful alternative.
The only semi-popular better option I can think of is Matrix, but getting people on Signal is already hard enough and using Matrix on a mobile device is (last I checked) far from ideal.
Security is a gradient, not an all-or-nothing. Signal is vastly better than almost every other electronic communication method.
Once its compromised there is no gradient anymore and you never know when things are compromised because three letter agencies will anyway not tell you.
Given the risk of xyz agency, there seem to be only a couple options to me:
- side-load a peer reviewed apk so you can check the sigs and make sure all crypto is being done locally (and to make sure that the implementation is solid)
- manage your own keys like you would with traditional pgp emails. Give your public to your friend. Force them to send anything sensitive using it. Maybe change to symmetric keys from asym but rotate occasionally. But you still have to trust the app you use to do this unless you want to do it manually each time.
Signal has open sourced clients with reproducible builds (on Android) and their encryption library has been reviewed by multiple 3rd parties to great acclaim.
PGP lacks forward secrecy, meaning if a key does get compromised all of your past correspondence is now also compromised.
Of course this only helps as long as your device isn't backdoored but that is true for any app.
(I say this as someone who regularly defend Telegram here, because in my opinion I don't have to pick one or another.)