by dijit
1327 days ago
> Signal is e2ee, and you don't have to trust them for that. Only if both sides are using clients that are self-compiled, independently compiled (and audited), deterministic/reproducible, or third-party. The problem is that the network and the app are the same people, and worse than that, they send binaries and expect you to trust them. I know lip service is paid to reproducibility, but afaik the instructions for doing that are 404ing. I just get a greasy feeling from the lock-in, the heavy marketing, the fact that everyone refuses to speak critically of them unless it's about anonymous usernames. A truly good secure client would have worked on any network, it wouldn't rely on transporting your data over their servers, it would be a protocol that was open to third parties to implement, and it would also be reproducible or independently compiled by trusted third parties (like OS maintainers, who already audit a lot of the code that gets built and signed).
There are two things: First, say the Android apk they distribute has a backdoor, and someone realizes that (it's distributed to millions of people, could be that someone checks). Then that's the end of Signal, right? So that's a big risk for them. That's for the "mass surveillance" scenario. Not perfect, but that's something. Second, if you fear a targeted attack, then self-compile Signal. It's not that difficult if you care about it.
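The check that both sides of this exchange are really arguing about is whether the APK a store hands you matches the one you build yourself. As an added example (not code from the thread and not Signal's own reproducible-build tooling), the script below does that comparison entry by entry: a distributed APK can never match a local build byte for byte, because the store copy carries the publisher's signature, so the comparison has to skip the signature files and compare everything else. The `META-INF` suffixes it skips are an assumption about v1 JAR-style signing; the three APKs are constructed in-line so the script runs offline.

```python
"""Added example: content-level comparison of two APKs, the check behind any
'reproducible build' claim. Not Signal's tooling; inputs below are constructed."""
import hashlib
import io
import zipfile

# Assumption: v1 JAR-signing files that legitimately differ between a signed
# store build and an unsigned local build. (v2+ APK signatures live outside
# the zip entries entirely, so an entry-wise comparison ignores them anyway.)
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", ".MF")


def is_signature_entry(name: str) -> bool:
    return name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)


def content_digests(apk_bytes: bytes) -> dict:
    """Map each non-signature entry name to the SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(distributed: bytes, self_built: bytes) -> dict:
    """Report entries missing on either side and entries whose bytes differ.
    All three lists empty is what 'reproducible' means in practice."""
    a, b = content_digests(distributed), content_digests(self_built)
    return {
        "only_in_distributed": sorted(set(a) - set(b)),
        "only_in_self_built": sorted(set(b) - set(a)),
        "differs": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }


def reproducible(distributed: bytes, self_built: bytes) -> bool:
    return not any(compare_apks(distributed, self_built).values())


def build_apk(entries: dict) -> bytes:
    """Constructed sample input: a minimal zip standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed inputs: the same build, one copy signed by the publisher ...
STORE_APK = build_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82fake-pkcs7-blob",
})
# ... and an unsigned local build of identical content.
LOCAL_APK = build_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
})
# A build whose code differs: what a backdoored (or just different) binary looks like.
TAMPERED_APK = build_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00" + b"\x01" * 32,
})

if __name__ == "__main__":
    print("store vs local:   ", compare_apks(STORE_APK, LOCAL_APK))
    print("store vs tampered:", compare_apks(STORE_APK, TAMPERED_APK))
```

The point of reporting entry names rather than a single yes/no is that a real comparison almost always fails the first time for boring reasons (timestamps baked into a resource file, a different toolchain version), and you want to see which entry broke before concluding anything about a backdoor. Whether the published build instructions actually let you get to an empty report is exactly what the quoted comment is disputing.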