Recent searches
Search options
Signal is open source, so our code is regularly scrutinized in addition to regular formal audits. We also constantly monitor security@signal.org for any new reports, and we act on them with quickness while also working to protect the people who rely on us from outside threats like phishing with warnings and safeguards.
This is why Signal remains the gold standard for private, secure communications. 5/
@signalapp Thanks for being AWESOME 
@signalapp the biggest flaw is the user, as demonstrated recently.
@signalapp I accidentally someone to a group chat
what now?
@linuzifer @signalapp Wieder rausschmeißen. 
@linuzifer run for office
Bbno$ hat mich gefragt ob ich Signal habe und ihn treffen möchte jetzt bin ich mir nicht mehr sicher ob das ne normale Honey trap war/scammer was tun?
Der ist hot Linus
Ach fgg ich hab den kleinen Ami nicht gefunden der geheult hat weil er aufgewacht ist und Trump immer noch lebt und das einzige was mir eingefallen ist um ihn zu trösten ist zu erzählen. Das Musk Raketen Engelsfürze im Himmel Himmel hinterlassen die aussehen wie Rosetten
@linuzifer @signalapp you hafta attack some other country now
@linuzifer
Einfach Nicole wieder entfernen
@signalapp
@linuzifer @signalapp
Your sentence no verb.
@linuzifer @signalapp pass uff atze, so wird man neuerdings verteidigungsminister
@signalapp Why Signal does not publish those formal audit reports?
Wiki page https://community.signalusers.org/t/overview-of-third-party-security-audits/13243 only contains research papers. There was a TextSecure audit https://www.fox-it.com/be/research-blog/working-with-the-open-technology-fund/ and some evidence that in 2018 Signal paid Doyensec LLC., but no audit reports published.
For comparison, WhatsApp publishes its security audit reports and Wire published some (but not all): https://codeberg.org/kuketzblog/www.messenger-matrix.de/issues/40
Briar, Threema, Delta Chat, Session, SimpleX Chat all published at least some audit reports.
@link2xt @signalapp fair question, I'd like to see what's up!
Most likely answer is that they simply did not care to publish the reports. E.g. Wire lists audits from 2022 to 2024 on https://wire.com/en/security page but latest reports published are from 2018. Still, it is usually not much work to publish the reports if you address all the findings timely, as all the work preparing the report itself is done by the auditors.
The same topic was recently raised on Lemmy. More information on this would be really appreciated.
@signalapp signal ftw
@signalapp But is it idiot-proof? Can you give examples on things that would be idiotic to do, which might undermine security of a top secret conversation?!
Would you say that it is compatible with the requirements of the US government to safeguard conversations for either legal or historical purposes? Or would that just be a really stupid use of the software?!
Please provide clear, verifiable examples of governmental user stupidity, thanks! 
@signalapp A feature that would be great was to put pim in place of biometrics
@signalapp I disagree because your platform is #proprietary, #SingleVendor, #SingleProvider and doesn't allow for #SelfHosting, #SelfCustody of all the Keys and you demand #PII in the form of a #PhoneNumber which can be used.to track users down!
- If #Signal was as secure as claimed, it would've been shut down like #EncroChat, #SkyECC & others...
Signal is also used mainly by criminals and terrorists. Like JD Vance, Pete Hegseth, Elon Musk, ...
@chebra @signalapp state-sponsored terrorism doesn't count!
@kkarhan @signalapp But that's the only kind we have left!
@kkarhan Signal is literally open-source, meaning its source code is public, not proprietary: https://github.com/signalapp. Signal does not hold any user's secret keys.
@pixelcode neither are there reproduceable builds nor is #Signal's #backend opensoirce'd nor is it possible to #SelfHost.
- Thus it is #proprietary #SaaS!
It seems like Signal provides Free Software *clients* (AGPLv3) at least, that you can compile yourself, so you can be sure they don't leak your keys.
As for the clients provided from the various app stores: If they aren't reproducible, then indeed I would not trust them.
It might be the case that Signal uses the technical possibility of secure communication (via self compiled clients) to lure in users, most of whom will unwittingly use a client from an app store that seems identical to the free software one, but actually leaks your keys.
This would be the perfect way to sniff on people who attempt to communicate securely, but don't have the technical expertise to compile their own client, which is probably the vast majority of users.
Yes I'm wearing a tin foil hat but hey, it's completely plausible.
@taylan @pixelcode also add tocthe fact that @signalapp collects and stores #PII like #PhoneNumbers...
@kkarhan @taylan You could have simply clicked on the link to find out that Signal have published the source code of all their apps and of their server, instead of making false claims out of thin air.
There's literally an entire manual on reproducing builds: https://github.com/signalapp/Signal-Android/blob/main/reproducible-builds%2FREADME.md
Also, nothing and no one stops you from self-hosting the Signal server.
@pixelcode @taylan that is simply not true.
@signalapp is #centralized and there's no way one can verify the code released for the servers is what they actually run.
Unlike your replies my criticisms ain't founded based off "#TrustMeBro!" but systemic issues I highlight which #Signal refuses to address or take seriously!
I did not claim Signal isn't centralised. I did not claim it's possible to verify which software runs on a foreign server.
Unlike you, I substantiated my statements by citing a source – namely a link pointing to Signal's collection of Git repos which contain the source code of their client & server software and a manual explaining how to reproduce Signal's builds, which you continue to ignore.
The one making claims without stating any sources at all are you.
@pixelcode @taylan @signalapp the #centralization, espechally without means to hide it's traffic via @torproject / #Tor makes it trivial to detect and track @signalapp / #Signal users.
- Add to that the fact that Signal has #PhoneNumbers = #PII on them and the fact they are incorporated in the #USA, thus subject to #CloudAct and it's not a matter if they snitch on users but how many thousands if not millions got subopena'd to this day.
And with no self-custody of keys it's trivial to #Room641A the users if the devs get "motivated" under threat of spending the rest of theor lives in jail.
thus subject to Cloud Act
They literally don't store anything about you, other than the phone number you used to sign up, and the timestamp of the last login. They can't fulfill any kind of subpoena, because they simply don't have the data. This was proven in court:
https://signal.org/bigbrother/cd-california-grand-jury/
I don't know what your mission is, any why you're constantly spreading misinformation about a secure communications platform, trying to discourage people from using it, without naming alternatives.
It's pretty suspicious at the very least.
@Andromxda @pixelcode How can you claim something you can't evidence?
- Pretty shure if it's not @signalapp themselves, then their centralized architecture and unwillingness to even have an #OnionService on @torproject makes it trivial to pull a #Room641A on them.
It makes you look like one of those folks shilling #VPN|s that ain't logless after all...
- I don't believe in #marketing #lies and #Signal can't (and won't) be able to evidence that they don't log shit.
At least they should be honest about things and not claim bs, cuz demanding a #PhoneNumber is just #KYC with extra steps like demanding any #SSN or other #PII. Makes them look like chinese MMORPGs that demand ID card numbers for account signups, thus #paywalling the ability to use their service anonymously...
How can you claim something you can't evidence?
I literally included a link to the evidence. Here's the link again: https://signal.org/bigbrother/cd-california-grand-jury/
Signal got a judicial subpoena from the Central District of California. They were represented by the ACLU, and they responded with the only bits of data they had: the Unix timestamp of account creation, and the timestamp of the last connection.
It seems like you are simply ignoring the evidence (on purpose).
demanding a PhoneNumber
All big messenger apps collect phone numbers, in order to prevent spam. Unlike WhatsApp or iMessage though (I mean technically you can find iMessage contacts by Email address, but no one does that), you don't have to share your phone number with contacts, in order for them to be able to message you. User names exist for this exact purpose: https://signal.org/blog/phone-number-privacy-usernames/
For every messenger there's the risk of someone finding out that you use that messenger (for example when you download the app without a proxy or when you rent a server for self-hosting). So what?
Nothing and no one stops you from voluntarily using Tor to connect to Signal (Orbot, InviZible, Advanced Privacy etc.). For those oppressed by authoritarian regimes, Signal offers easy-to-use censorship-circumvention proxy support built into the app.
https://support.signal.org/hc/en-us/articles/360056052052-Proxy-Support
Neither knowing your phone number nor the Cloud Act nor both in combination gives Signal the magical ability to “snoop” on your end-to-end encrypted chats or to circumvent Sealed Sender, if that's what you're trying to express with your PII argument. https://signal.org/blog/sealed-sender/
Long-term secret keys and session keys are generated and stored on the end-user's device and are never sent to the server. It's called end-to-end encryption for a reason. Wiretapping doesn't change that.
@pixelcode @taylan Your nonchalant "So what?" gets people publicly murdered by the state in many juristictions...
- Which is why there is no substitute to teaching proper #TechLiteracy ffs!
If things were so easy as in "JuSt UsE sIgNaL!" then @signalapp would be shut down.
- Or do you really think that in a world where multi-year long sting ops like #ANØM / #OperationIronside / #OperationTrøjanShield get greenlit that @Mer__edith would risk dying of old age in jail for non-paying users?
If you do think so then you should really get some professional help, cuz you seem rather lost...
- #Signal doesn't even bother to have an #OnionService, much less to provide means to use their service without self-doxxing with a #PhoneNumber, which at best is pseudonymous and requires money to attain and maintain...
It's #centralization is an absolute nightmare and mist be deemed as criminally neglectful!
Who was murdered by the state only because they used a specific messaging app? Please provide a source.
Who says Signal would be shut down? Again, you just make up claims.
The fact that you use Signal is not confidential, and someone finding out that you do is not “doxxing”.
Tech literacy ≠ fabricating conspiracy theories
@pixelcode I'm not gonna violate confidentiality just to win an argument on the internet.
- I have helped people with a literal DoA bounty on their head escape a literal warzone and enshure their comms are clean and secure.
Mark my words: #Signal is a sting op and the day they get caught snitchin' you can apologize to me in person.
Can it be verified in some way that the application distributed in the app stores is bit-identical to such a reproducible build? Genuine question.
Sorry for not following the link earlier; the first paragraph seems to imply that the answer is yes.
If so, that would mean there's probably no plausible way for Signal Android users to have their keys intentionally leaked by rogue changes to the app...
Then again, one has to wonder how frequently the app is being updated, and whether every single update will be verified by someone out there. Else, they could briefly slip something in and take it out again in a subsequent update...
(Yes, I'm on full tinfoil mode, just for fun. I'm not trying to be accusatory against Signal for any particular reason. Just regular scrutiny.)
@taylan @kkarhan Yes, that's a valid concern, and such Doppelgänger attacks have, in fact, been executed against other apps in the past, IIRC even against one of those wannabe-supersecure messengers for drug dealers.
For an incredibly popular and state-of-the-art app like Signal, however, I'm fairly confident that there are one or two semi-paranoid cryptography enthusiasts out there who periodically verify builds. (Including the US government, considering that we learned they use Signal too 
)
Yes, you basically download the source code of the Signal version you've installed and build the binary manually. Then, you pull the .apk installed from the app store and compare it to your build.
The procedure is described in detail in the aforementioned manual: https://github.com/signalapp/Signal-Android/blob/main/reproducible-builds%2FREADME.md
@taylan @pixelcode on @fdroidorg it is possible...
#Signal was as secure as claimed, it would've been shut down like #EncroChat, #SkyECC & others...
Just stop the BS. EncroChat was specifically built and marketed for criminals. It wasn't shut down by law enforcement, it was hacked by the French police, after which they decided to shut the service down themselves.
Signal is open source (and the issue regarding reproducible builds is known, but it doesn't impact the security of the app. It is caused by a navigation library that causes some race condition during the build process, the result of which is dependent on CPU speed. They are aware of the issue, and are working to fix it. It is tracked here: https://github.com/signalapp/Signal-Android/issues/13565). If you don't trust the official build, you can compile it yourself. There are also forks like Signal-FOSS or @mollyim available if you prefer that.
The server is also open source (of course you can't verify if they are actually running that code, but that's gonna be the case for every application with a client/server architecture. Your point regarding Signal being "proprietary SaaS" is, again, total BS.
@Andromxda @mollyim no it's not bs and fanboying @signalapp isn't going to change that.
If #Signal was secure it would be the #1 comms tool of organized crime...
- Yet I've only seen #TechIlliterates shill it.
Real professionals use #SelfHosting capable, fully #FLOSS'd solutions like #PGP/MIME & #XMPP+#OMEMO.
- Again: Demanding #PII like #PhoneNumbers and shilling a #Shitcoin-#Scam (#MobileCoin) makes Signal literally untrustworthy and if it doesn't for you then maybe your standards are just too low...
It's just me reading the room: Cuz #ComSec isn't done woth "JuSt UsE sIgNaL!" and everyone who claims so without pointing out #OpSec, #InfoSec & #ITsec is BSing hard.
- The cold hard truth is that #TechLiteracy is irreplaceable and the only solution to it is to actually teach normies how to "get gud" with stuff like PGP.
Fortunatelty, @thunderbird and @tails_live / @tails / #Tails and many other tools make that easier than ever before.
- So rather than vomiting insults against my intellect in my mentions, go to the next @cryptoparty@mastodon.earth / #Cryptoparty / @cryptoparty@chaos.social and lend a hand.
If #Signal was secure it would be the #1 comms tool of organized crime...
Criminals aren't particularly smart. If they were smart enough to figure out which communication solution is secure, and which isn't, they definitely wouldn't have paid thousands of dollars for Anom phones or paid hefty license fees for EncroChat.
GrapheneOS and Signal are completely free. Both free of charge, and free as in freedom. And they're undoubtably the most secure secure solutions currently out there. The Signal protocol is the gold standard for encrypted messaging, and there's a reason why many other messengers use it as well. WhatsApp, Facebook Messenger, even Instagram DMs, Skype, Google Allo (which is defunct now), even Google's new RCS encryption standard uses the Signal protocol under the hood.
Real professionals use
Ah yes, gatekeeping secure communications. You're such a fucking genius. "Anyone who doesn't know how to use some obscure, outdated encryption software is just a retard, and doesn't have the right to communicate securely." That's literally what you're saying. I hope you realize the utter stupidity of your statement.
Yet I've only seen TechIlliterates shill it
You are incapable of distinguishing a bug that causes reproducible builds to fail, while both the clients and the server are still FLOSS, allowing you to compile them yourself, from proprietary SaaS platforms. If anyone here is tech-Illiterate, it's you.
Cuz ComSec isn't done woth "JuSt UsE sIgNaL!"
Yeah, I'm absolutely sure you'll get more people to use secure communications by gatekeeping the topic. You seem to have figured it out.
MobileCoin was an attempt to ensure continuous funding for the Signal Foundation, decreasing the reliance on donations. It did not work out as planned, partly due to the inherent technological faults (e.g. only supporting Intel CPUs with SGX, which doesn't allow for true decentralization). The project has basically been abandoned for years. There hasn't been any development in quite a long time. Also, you don't have to use MobileCoin in any way, it's just there, but I doubt that most Signal users have even heard about it. The @mollyim client completely removes this functionality from the app.
insults against my intellect
You do realize how ridiculous that sounds, right?
Someone really got hurt in their feelings here over a simple argument about encrypted messaging 
Your view of the world is so incredibly unrealistic, it's almost absurd.
Also, are you able to type a single coherent sentence without inserting a million hashtags? It's painful to read, and it looks like a post made by a 3-year-old who just discovered what hashtags are.
@Andromxda I agree with all of your points. I think that it was said with too much attitude, but I do agree with what you're saying.
I've seen others come up with fantasies about Signal. I say that if nobody should use Signal because it's a government op,why aren't people condemning Tor, which was invented by government?
I do prefer SimpleX for privacy, but it's more reasonable to give out phone number and say to message on Signal, and then they can use a different messenger from Signal
@ravshaul I do agree that SimpleX is superior from a technical standpoint (in regards to anonymity and decentralization), but it's not as easy to use and straightforward as Signal.
Signal is the optimal middle ground between security, anonymity and most importantly for the majority of users, usability. Yet it doesn't compromise security. As I said, the Signal protocol is the gold standard for encrypted messaging, and this is accepted and acknowledged throughout the entire industry.
And for some unfortunate reason discussions about Signal seem to attract trolls and conspiracy theorists.
@Andromxda On Lemmy someone said don't use Signal because blah blah blah, SimpleX is what all people need to use. I replied saying it's a fantasy to believe SimpleX can overtake Signal. I said for example, if you and I know have the same contact. you can give them my number to tell them to message me on Signal, that doesn't work with SimpleX. A business can promote their number and mention that they're on Signal as a way to contact the company, SimpleX can't do that.
@ravshaul I fully agree with you, that's exactly what I also tell people on Lemmy when this topic comes up.
@Andromxda I think people have gotten so socially isolated, they are always alone, and all communication is through internet and not the real world, they don't have people calling them, that they lose the perspective that apps and websites is not real life. Nothing important ever happens on the internet, including messages, that can't wait until tomorrow to read them. So those people get so attached to online activity and being alone, they don't know how businesses work or meeting people outside
@ravshaul Exactly. People look at small technical details, not at whether they can actually use a certain messenger to message their friends and family.
@signalapp Is all of the code from your backend services, the configuration management, and associated infrastructure work, all open source?
@signalapp Why do you need a CLA, why not avoid that and guarantee that one organization can't relicense everything without everyone's consent?
@purpleidea
Signal licensed its code to WhatsApp in the past: https://signal.org/blog/whatsapp-complete/
CLA is needed to make this kind of licensing possible.
