We can include Signal in F-Droid

In a short time you guys gave me a lot of info I wasn’t aware of; looks like Signal is still a no-go. I’ll stick with Conversations.

Thanks everyone

1 Like

They need to sign their app to accommodate 3-letter-agencies when asked for help. When that happens, they can send you a modified app to extract your communications.

1 Like

This is pretty much exactly the argument Signal use for choosing not to use the F-Droid repo.

I must disagree here: Signal (app) is certainly not the best possible messenger out there, but it’s the best compromise between security/privacy and UX. It’s 100% FLOSS and you can build your own apk and sign it yourself if you prefer that.
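Whichever party builds and signs the APK (Signal's own release, a self-built one, or an F-Droid build), the practical defence on the user's side is the same: pin the signing certificate you decided to trust and check it on every install or update. The helper below is an added example, not from this thread and not part of Signal's or F-Droid's own tooling. It parses the text that the Android SDK build-tools utility `apksigner verify --print-certs` prints and compares the signer's SHA-256 certificate digest with a pinned value. The sample apksigner output and the pinned fingerprint are constructed placeholders, not real Signal or F-Droid key digests.

```shell
#!/bin/sh
# Extract the "Signer #1 certificate SHA-256 digest" value from apksigner output.
# Reads apksigner text on stdin; prints the lowercase hex digest (or nothing if absent).
apk_cert_sha256() {
  sed -n 's/^Signer #1 certificate SHA-256 digest: *//p' | tr 'A-F' 'a-f' | head -n 1
}

# Compare the digest found in apksigner output ($1) with the pinned digest ($2).
# Returns 0 when a digest was found and it matches, 1 otherwise (missing or different).
check_pinned_signer() {
  found=$(printf '%s\n' "$1" | apk_cert_sha256)
  pinned=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -n "$found" ] && [ "$found" = "$pinned" ]
}

# Constructed sample in the format apksigner prints; the digest is a placeholder, not a real key.
SAMPLE_OUTPUT='Signer #1 certificate DN: CN=Example Signer
Signer #1 certificate SHA-256 digest: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567'

# Placeholder pinned value (what you recorded when you first decided to trust a build).
PINNED='0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF'

# Real use would be:
#   check_pinned_signer "$(apksigner verify --print-certs app.apk)" "$PINNED" || echo "signer mismatch"
```

Android itself refuses to update an installed app with a package signed by a different key, so the check mainly matters at first install and whenever you switch the source you install from; a mismatch there means you are about to trust a different signer than before.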

Did you not read anything posted above? This discussion has been ongoing for the last 4 years.

1 Like

@Licaon_Kter I doubt you have really read my post! I’m not the only one using my own self-built, self-signed apk.

And while your own self-build might be a thing Signal does not care about, it’s not the same thing when an entity as big (yet rather small) as F-Droid builds and hosts it.

Yep, just what I thought: you overlooked the context.
I didn’t mention “F-Droid builds” anywhere.
optimumpro was worried about “3-letter-agencies” and “send you a modified app” and I responded to her/him that she/he can build own apk instead.

2 Likes

Yet the title of the thread… yet the forum where you post… context?!

I am aware that one can build their own version.

You have to go back in history, at least to the time when the devs dropped sms encryption and even earlier.

The main developer, in a matter of weeks, had turned from someone harassed by the TSA into a recipient of a major government grant ($13 mln). Then he received lucrative contracts with the “greatest” bastion of privacy, Facebook and affiliates. You don’t get that by accident. You get that by providing your own significant part of the bargain.

Apart from that: to have the encryption protocol, the app itself, the user’s phone number and the server in the same hands is not a very secure model. Encryption of SMS was at least 2 notches better: server and phone number were not in Signal’s hands. Also, your phone carrier didn’t have any idea which application you were using. That created additional problems for the agencies, and that’s why it was dropped. Why else drop SMS encryption if you keep the feature? The explanation provided by the dev was BS.

Also, check this:

https://blogs.fsfe.org/larma/2016/open-whisper-systems-responsible-disclosure/

1 Like

The messages are end-to-end-encrypted, still… what do you mean? The keys are on the device.

The medium of the transmission (SMS vs Internet) does not pertain to the security here.

The phone number is used as means to authenticate, yes… not great, but then again… messages are encrypted ON THE DEVICE, so even if they hijack your SIM they can’t read your messages.

Have any links for your accusations?

/LE: Hey, I’ll help: About backdoors in Signal and other apps | ~larma/blog

2 Likes

These are not accusations:

But this is not the first time Marlinspike has experienced what it means to get additional attention from the authorities. He tells of an instance from two months ago when he wasn’t able to print out his boarding pass and asked ticket agents to do that for him. They weren’t able to do so immediately because they needed to inform the DHS of his travel arrangements first, and so he discovered that he was on a federal watchlist. Then, when he was returning home from the Black Hat security conference in Abu Dhabi, he was submitted to questioning by an agent from the U.S. Consulate in Frankfurt during his layover at the city’s airport.

Here is some partial info regarding government grants:

https://www.opentech.fund/results/supported-projects/open-whisper-systems/

If you know anything about ‘federal watch lists’, you know that a removal from those lists is a virtual impossibility, unless, of course, you make a deal with the government or file and win a law suit (and if the latter had been done, we would have known about it).

If you say that the method of delivery of messages, i.e., whether over the internet or telecom (phone operator network) does not affect security, then why was it necessary to remove encryption for sms?

More links: Pando: Democratizing career progression

2 Likes

Because SMS is a limited medium to send stuff, eg. try to send a 10Mb video.

Also, maintaining it means extra work, look at Silence.

Not sure why you think that SMS is key to something useful.

Yes, Durov & the Telegram team got the same border treatment… all hail 5 eyes…

Because SMS is a limited medium to send stuff, eg. try to send a 10Mb video.

What does it have to do with encryption? Signal still has SMS with its limited medium. It hasn’t removed the feature, just the encryption. Why? As I have already said, agencies don’t need extra headache: they want to have everything in one place for an easy acquisition.

Durov & the Telegram are harassed too: they are, but unlike Marlinspike, they, instead of being harassed, haven’t suddenly and magically transformed themselves into recipients of multi-million government grants. That’s the crucial difference here. As they say, follow the money, and if you do, Signal looks awfully compromised, especially that it is, unlike Telegram, being lauded by people who are exactly in the same position (and have the same history) as Marlinspike.

Also, I am not sure that Signal would work on an Android device that is free from Google Account, Google apps and Google Services Framework (someone may correct me here). Because if you have them, no encryption (even from Mars) could protect you, as the incoming messages could be seen after they are decrypted and outgoing ones - before they are encrypted.

Google Services are not needed, and yes… system apps can capture the screen and do a lot of stuff.

1 Like

What about Google account and Google Apps? In other words, can Signal work on let’s say Omnirom (no Gapps installed)?

I’ve already answered, if you have them you’ll get Push notifications, if not it will switch to websockets iirc.

Already answered: less work for the devs; features bring a dev burden no matter how “simple” you think they are. Especially crypto stuff shoehorned into 160-character-long short messages.

meh 1943 - project-zero - Project Zero - Monorail

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.