I would like to express concern about the future of the Signal messenger. Although Signal currently has a significantly smaller audience than WhatsApp, there are existential risks associated with the messenger covering a larger number of users. Is it rational to say that the goal of this messenger is to be used by the largest number of users, so let’s assume for a moment that Signal was able to achieve its mission and most WhatsApp users switched to Signal - I know this is right now unrealistic, but even 30% of users would be an enormous, huge number. Thus, what is the future of the messenger when it starts organizing communications for 1 billion users worldwide?
Would it be rational to assume that counterintelligence forces and special police will send their agents to the organization as undercover workers to sabotage the work and embed backdoors during companies in the context of company growth and staff expansion in this scenario? The question is rhetorical.
I would like to hear the response of the company’s president to this existential threat, and to thank for their work.
You must log in or register to comment.
You can’t prove that Google isn’t shipping backdoored versions of the app to targeted individuals
I use apk version from the site
Do you verify the checksum? Each time you update?
Hi, look, even considering that this question do not have relation to post’s subject I would suppose that if you are going to discuss this external threat (from users) I would begin from os level, not from dns level…
So I am not interested right now in this question, with respect
So you’re not running a hardened OS, whether GrapheneOS or a locked down Linux derivate like Qubes? Strange, given your question I assumed you did.
Not 3veryone wants to answer this shit. Can you gyess why?
Did I say I am not ranning? Please be at the limits of the post’s subject
Signal Foundation is a nonprofit in California, and they are the ones that operate the relays and maintain the FOSS app. Since they’re a regular 501©3 and not a religious org, you can look into how their money is spent (to see if it’s going to any suspicious recipients) and whether they’re getting suspiciously large sums of money.
On top of that, they don’t have access to the communication data itself. It’s all E2EE, and the app being FOSS means you can inspect how that data is encrypted and sent (and even build your own from source, if you’re paranoid). Even if they’re unknowingly hiring covert bad actors, it’s unlikely their activities would stay hidden for long.
So while it’s certainly a concern that it’s still centralized messaging, it’s probably one of the best options due to the easy access for most people. Other than a billionaire buyout or government laws that force backdoors into encryption, the only real existential threat they currently face is operation costs. They were fortunate to have wealthy philanthropists in the beginning, but if they have an explosion in users (unlikely), it might bring the organization to its knees.
I don’t find your particular scenario to be worrisome. And if it turns out that it’s compromised in the future, there’s other good apps out there, like SimpleX.
There’s also XMPP(on which whatsapp is based on), it’s quite good with OMEMO.
Yep, and I think there’s a third option that I can’t recall at the moment (not Matrix), but no matter what, there’s alternatives that work and could be made to fit people’s chat needs.
If you ever recall what the third option is, please post.
Hi, what about gnu linux xz utils backoor scenario? Also is there any regular auditing of signal by third party auditing company?
About simplex its not allowed in my threat model, I will rather use pure xmpp protocol with omem as an alternative.
Why not simplex?
Hi, what about gnu linux xz utils backoor scenario?
This was caught by the community thanks to it being FOSS, and it was somewhat distinct from the scenario we’re talking about here, since the repository was wholly taken over by a bad actor who tricked the original (burnt out) maintainer to hand over the repo.
Could a bad actor get their claws in and take over the repo? Possibly, but given the fact that it’s maintained by a foundation with lots of devs and not just one thankless hobbyist, that likelihood is probably small.
Also is there any regular auditing of signal by third party auditing company?
Regular? I don’t know. They have been audited, iirc, and they have received numerous legal requests to turn over data to courts, to which they’ve been able to reply “what data?” Bear in mind that they would almost certainly not do this if it meant jeopardizing their entire business. No business is going to go to jail for us, after all.
You do what you feel is appropriate for your threat model, but as far as general threats to privacy or Signal’s existence go, I’m not currently concerned about their future.
Hi, I think you not really understood threat that I published -undercover agents -developers that will apply for the job at signal and receive it, and they will do their backdoor without Signal foundation knowing,its obvious. About audites that you mentioned - could you provide some link to it?
Do you really think government/counter agents aren’t already doing this?
Any security agency that wasn’t aware of it before even we were, with projections of likely growth path, who else is looking at it, etc, etc, wouldn’t be a very effective security agency.
Keep in mind that this is what I can think of off the top of my head, and I’m not an intelligence/security boffin.
Also, capitalization, punctual, etc are a thing for a reason… If you can’t be bothered then people won’t take you seriously. Is it really that hard to press shift as needed?
Was the post edited? It looks fine now. ._.
But you were bothered, yes?
Unfortunately looks like you wasnt interested in professional and respectful discussion so I block you
Signal is not a company, so in that case since it’s Open Source they shouldn’t be able to implement real hidden backdoors
Signal is non profit company, so my term is correct, being open source doesnt meant be secure and be immutable to internal divertions - see linux xz utils backdoor + thay rent amazon servers
Signal’s source code has so much more eyes looking at it than xz-utils.
Hello, Could you point to me some specialists who reguralry check all the server code and app code concretely? And publish the result. So I can follow their eyes
Unfortunately, no. My assertion came from sheer popularity of their GitHub repositories and personal observation among my tech-savvy friend groups.
You can start checking out their code yourself, though. There are a lot of open-source software out there and it would be unfeasible for anyone to audit their code themselves. At some point, you’ll have to put some trust into others. Be it software audit companies, or the Signal developers.
Yes, usually I trust audit companies like Cure53 but if I understand correctly there werent any audits for tge ladt years… I only know that Snowden has recommended that 5 years ago I think, of cource he deserve trust but since then he didnt say anything about it if I remember. Probably he also did some audit that moment 5 years ago but not full audit because it seems impossible for one person…