Hacker News new | ask | show | jobs
by dijit 1330 days ago
To be honest I don’t see a strong reason to trust signal either except better marketing.

There are so many scandals that come to mind, like not updating the FOSS code for years.

I’m no fan of Meta, and they have incentive to hoover up data.

But I don’t have a good reason to trust signal other than that everyone on hackernews seems to love them.
2 comments
palata 1330 days ago
You mix up concepts. The client app is responsible for e2ee, you don't have to care about the server.

So you can actually audit the client code and make sure it is e2ee, which you cannot do with WhatsApp. In other words, for e2ee you must trust WhatsApp, not Signal.

I presume that for the outdated code, you think about the server code. That's different and would imply metadata, not message content.

Signal is e2ee, and you don't have to trust them for that.

link
dijit 1330 days ago
> Signal is e2ee, and you don't have to trust them for that.

Only if both sides are using clients that are self-compiled, independently-compiled (and audited), deterministic/reproducible or third-party.

The problem is that the network and the app are the same people, and worse than that; they send binaries and expect you to trust them.

I know lip service is paid to reproducibility but afaik the instructions for doing that are 404ing.

I just get a greasy feeling from the lock-in, the heavy marketing, the fact that everyone refuses to speak critically of them unless it’s about anonymous usernames.

A truly good secure client would have worked on any network, it wouldn’t rely on transporting your data over their servers, it would be a protocol that was open to third parties to implement, it would also be reproducible or independently compiled by trusted third parties (like OS maintainers, who already audit a lot of the code that gets built and signed).

link
palata 1327 days ago
> I just get a greasy feeling from the lock-in, the heavy marketing, the fact that everyone refuses to speak critically of them unless it’s about anonymous usernames.

There are two things: First, say the Android apk they distribute has a backdoor, and someone realizes that (it's distributed to millions of people, could be that someone checks). Then that's the end of Signal, right? So that's a big risk for them. That's for the "mass surveillance" scenario. Not perfect, but that's something. Second, if you fear a targeted attack, then self-compile Signal. It's not that difficult if you care about it.

link
yummypaint 1330 days ago
Look at how signal vs meta make their money. Meta's entire business model is built around directly violating people's privacy, and conspiring with other businesses to violate people's privacy.

Meta is a publicly traded company. Signal is a 501c3, it's a completely different kind of organization.

link
dijit 1330 days ago
I already said that meta has an incentive to snarf up your data.

There is credibility to the notion that signal is designed to ensure that people who are paranoid would prefer it.

The fact that it exists and is convenient prevents more secure messengers from existing as the lions share simply goes to signal, and this is what I mean by marketing. It is conventional wisdom that signal is the bees knees and looking further or scrutinising it is folly.

A lot of funding comes from the government to signal too; and since it’s an American company it must comply to the best of its ability with US law. They tell us that they can only comply in small ways, but given that there is no independent verification of the server (that it even runs the FOSS code) and the hostility in having unofficial clients on the network I am left pondering.

link