[PeterStuer]

Addendum: if your threat model includes any nation state that has significant ties to the nation state that hosts your physical or transit infrastructure, you're hosed.

[Obscurity4340]

How might this apply or what are the implications of Signal given its US jurisdiction?

[lmm]

The US authorities can make the same orders that they made with LavaBit (i.e. ordering them to produce a backdoored build and replace yours with it), and they can make them secretly. Given that Signal by design requires you to use it with auto-update enabled (and, notably, goes to some effort to take down ways of using it without auto-update), and has no real verification of those auto-updated builds, I would consider it foolish to rely on the secrecy of Signal if your threat model includes the US authorities or anyone who might be able to call in a favour with them.

[wildfire]

How odd. I have, and continue, to use Signal without auto-update enabled.

I have been prompted, twice in three years to update though.

Perhaps the requirement depends on your country?

[Obscurity4340]

Ya, does it do that thing banking apps do where it insists on the most recent version in order to even be usable?

Otherwise, thats more of an iOS option that can be easily altered

Settings < App Store < Automatic Downloads > App Updates

[autoexec]

Signal started keeping sensitive user data in the cloud a while ago. All the information they brag about previously not being able to turn over because they don't collect it in the first place, well they collect it now. Name, photo, phone number, and worst of all a list of all your contacts is stored forever.

It's not stored very securely either. I wouldn't doubt that three letter agencies have an attack that lets them access the data, but even if they didn't they can just brute force a pin to get whatever they need.

https://community.signalusers.org/t/proper-secure-value-secu...

[Natanael_L]

Signal relies on the client program to not be compromised to keep conversations secret