Signal

Signal is open source, so our code is regularly scrutinized in addition to regular formal audits. We also constantly monitor security@signal.org for any new reports, and we act on them with quickness while also working to protect the people who rely on us from outside threats like phishing with warnings and safeguards.

This is why Signal remains the gold standard for private, secure communications. 5/

@signalapp It would be great if Signal allowed accounts without requiring a phone number. Neither Telegram nor WhatsApp offer this option, but it could be useful in many situations. For example, I keep a smartphone at home for my children without a SIM card, and finding a messaging system that works over Wi-Fi alone is not easy.

@signalapp @sn
While I strongly agree to your wish, I would recommend to check out DeltaChat.

It's developed in Germany, following the highest security standards, and does neither require a phone number nor a username to register.

Just select the automatically generated mail address and you (and your kids) are ready to go :)

@signalapp Documentation of the internals is lacking or is at least very sparse. Having the source code available is the bare minimum to request trust, but a detailed documentation also helps understanding what is intended, and what is your threat model.
Signal only provides some specs for the core protocols.

@signalapp thank you so much for your hard work! Keep strong💪

@signalapp Is all of the code from your backend services, the configuration management, and associated infrastructure work, all open source?

@signalapp Why do you need a CLA, why not avoid that and guarantee that one organization can't relicense everything without everyone's consent?

@signalapp I disagree because your platform is #proprietary, #SingleVendor, #SingleProvider and doesn't allow for #SelfHosting, #SelfCustody of all the Keys and you demand #PII in the form of a #PhoneNumber which can be used to track users down!

@kkarhan @signalapp

Signal is also used mainly by criminals and terrorists. Like JD Vance, Pete Hegseth, Elon Musk, ...

@chebra @signalapp state-sponsored terrorism doesn't count!

@kkarhan @signalapp But that's the only kind we have left!

@kkarhan @signalapp EncroChat got compromised because it had central updates. When the infrastructure was taken over, the intruder was able to push updates to the clients that compromised them.

EncroChat was designed for use by criminals, who are usually idiots about tech, and therefore had to be centrally controlled.

Some of the other "criminal chat networks" were honeypots from the beginning.

Anything with an IMEI or IMSI is trackable. Public Wifi would be better but it's a bit of a pain.

@kkarhan

If #Signal was as secure as claimed, it would've been shut down like #EncroChat, #SkyECC & others...

Just stop the BS. EncroChat was specifically built and marketed for criminals. It wasn't shut down by law enforcement, it was hacked by the French police, after which they decided to shut the service down themselves.

Signal is open source (and the issue regarding reproducible builds is known, but it doesn't impact the security of the app. It is caused by a navigation library that causes some race condition during the build process, the result of which is dependent on CPU speed. They are aware of the issue, and are working to fix it. It is tracked here: github.com/signalapp/Signal-An). If you don't trust the official build, you can compile it yourself. There are also forks like Signal-FOSS or @mollyim available if you prefer that.

The server is also open source (of course you can't verify if they are actually running that code, but that's gonna be the case for every application with a client/server architecture). Your point regarding Signal being "proprietary SaaS" is, again, total BS.

@Andromxda @mollyim no it's not bs and fanboying @signalapp isn't going to change that.

If #Signal was secure it would be the #1 comms tool of organized crime...

Real professionals use #SelfHosting capable, fully #FLOSS'd solutions like #PGP/MIME & #XMPP+#OMEMO.

It's just me reading the room: Cuz #ComSec isn't done with "JuSt UsE sIgNaL!" and everyone who claims so without pointing out #OpSec, #InfoSec & #ITsec is BSing hard.

  • The cold hard truth is that #TechLiteracy is irreplaceable and the only solution to it is to actually teach normies how to "get gud" with stuff like PGP.

Fortunately, @thunderbird and @tails_live / @tails / #Tails and many other tools make that easier than ever before.

@kkarhan

If #Signal was secure it would be the #1 comms tool of organized crime...

Criminals aren't particularly smart. If they were smart enough to figure out which communication solution is secure, and which isn't, they definitely wouldn't have paid thousands of dollars for Anom phones or paid hefty license fees for EncroChat.
GrapheneOS and Signal are completely free. Both free of charge, and free as in freedom. And they're undoubtedly the most secure solutions currently out there. The Signal protocol is the gold standard for encrypted messaging, and there's a reason why many other messengers use it as well. WhatsApp, Facebook Messenger, even Instagram DMs, Skype, Google Allo (which is defunct now), even Google's new RCS encryption standard uses the Signal protocol under the hood.

Real professionals use

Ah yes, gatekeeping secure communications. You're such a fucking genius. "Anyone who doesn't know how to use some obscure, outdated encryption software is just a retard, and doesn't have the right to communicate securely." That's literally what you're saying. I hope you realize the utter stupidity of your statement.

Yet I've only seen TechIlliterates shill it

You are incapable of distinguishing a bug that causes reproducible builds to fail, while both the clients and the server are still FLOSS, allowing you to compile them yourself, from proprietary SaaS platforms. If anyone here is tech-Illiterate, it's you.

Cuz ComSec isn't done with "JuSt UsE sIgNaL!"

Yeah, I'm absolutely sure you'll get more people to use secure communications by gatekeeping the topic. You seem to have figured it out.

MobileCoin was an attempt to ensure continuous funding for the Signal Foundation, decreasing the reliance on donations. It did not work out as planned, partly due to the inherent technological faults (e.g. only supporting Intel CPUs with SGX, which doesn't allow for true decentralization). The project has basically been abandoned for years. There hasn't been any development in quite a long time. Also, you don't have to use MobileCoin in any way, it's just there, but I doubt that most Signal users have even heard about it. The @mollyim client completely removes this functionality from the app.

insults against my intellect

You do realize how ridiculous that sounds, right?
Someone really got hurt in their feelings here over a simple argument about encrypted messaging 😂

Your view of the world is so incredibly unrealistic, it's almost absurd.

Also, are you able to type a single coherent sentence without inserting a million hashtags? It's painful to read, and it looks like a post made by a 3-year-old who just discovered what hashtags are.

@kkarhan @Andromxda @mollyim @signalapp @thunderbird @tails_live @tails @cryptoparty@mastodon.earth @cryptoparty@chaos.social Signal is the best thing out there if (1) you must use a phone with public cellular networks and (2) you do not have a technically competent person at EACH end.

If you can afford to use laptops with Tails, and have a sysadmin at each end, then stronger privacy is available including hiding your physical location (which you cannot do with a phone.)

All others, use Signal.

@kkarhan Signal is literally open-source, meaning its source code is public, not proprietary: github.com/signalapp. Signal does not hold any user's secret keys.

Signal has 122 repositories available. Follow their code on GitHub.

@pixelcode neither are there reproducible builds nor is #Signal's #backend open-sourced nor is it possible to #SelfHost.

@kkarhan @pixelcode

It seems like Signal provides Free Software *clients* (AGPLv3) at least, that you can compile yourself, so you can be sure they don't leak your keys.

As for the clients provided from the various app stores: If they aren't reproducible, then indeed I would not trust them.

It might be the case that Signal uses the technical possibility of secure communication (via self compiled clients) to lure in users, most of whom will unwittingly use a client from an app store that seems identical to the free software one, but actually leaks your keys.

This would be the perfect way to sniff on people who attempt to communicate securely, but don't have the technical expertise to compile their own client, which is probably the vast majority of users.

Yes I'm wearing a tin foil hat but hey, it's completely plausible.

@taylan @pixelcode also add to the fact that @signalapp collects and stores #PII like #PhoneNumbers...

@kkarhan @taylan You could have simply clicked on the link to find out that Signal have published the source code of all their apps and of their server, instead of making false claims out of thin air.

There's literally an entire manual on reproducing builds: github.com/signalapp/Signal-An

Also, nothing and no one stops you from self-hosting the Signal server.

@kkarhan @taylan @signalapp

I did not claim Signal isn't centralised. I did not claim it's possible to verify which software runs on a foreign server.

Unlike you, I substantiated my statements by citing a source – namely a link pointing to Signal's collection of Git repos which contain the source code of their client & server software and a manual explaining how to reproduce Signal's builds, which you continue to ignore.

The one making claims without stating any sources at all are you.

@pixelcode @taylan @signalapp the #centralization, especially without means to hide its traffic via @torproject / #Tor makes it trivial to detect and track @signalapp / #Signal users.

  • Add to that the fact that Signal has #PhoneNumbers = #PII on them and the fact they are incorporated in the #USA, thus subject to #CloudAct and it's not a matter if they snitch on users but how many thousands if not millions got subpoenaed to this day.

And with no self-custody of keys it's trivial to #Room641A the users if the devs get "motivated" under threat of spending the rest of their lives in jail.

@kkarhan @pixelcode

thus subject to Cloud Act

They literally don't store anything about you, other than the phone number you used to sign up, and the timestamp of the last login. They can't fulfill any kind of subpoena, because they simply don't have the data. This was proven in court:
signal.org/bigbrother/cd-calif

I don't know what your mission is, and why you're constantly spreading misinformation about a secure communications platform, trying to discourage people from using it, without naming alternatives.
It's pretty suspicious at the very least.

Signal Messenger: Grand jury subpoena for Signal user data, Central District of California (again!) – Signal still knows nothing about you, but inexplicably the government continues to ask.

@Andromxda @pixelcode How can you claim something you can't evidence?

It makes you look like one of those folks shilling #VPN|s that ain't logless after all...

  • I don't believe in #marketing #lies and #Signal can't (and won't) be able to evidence that they don't log shit.

At least they should be honest about things and not claim bs, cuz demanding a #PhoneNumber is just #KYC with extra steps like demanding any #SSN or other #PII. Makes them look like chinese MMORPGs that demand ID card numbers for account signups, thus #paywalling the ability to use their service anonymously...


@kkarhan

How can you claim something you can't evidence?

I literally included a link to the evidence. Here's the link again: signal.org/bigbrother/cd-calif
Signal got a judicial subpoena from the Central District of California. They were represented by the ACLU, and they responded with the only bits of data they had: the Unix timestamp of account creation, and the timestamp of the last connection.

It seems like you are simply ignoring the evidence (on purpose).

demanding a PhoneNumber

All big messenger apps collect phone numbers, in order to prevent spam. Unlike WhatsApp or iMessage though (I mean technically you can find iMessage contacts by Email address, but no one does that), you don't have to share your phone number with contacts, in order for them to be able to message you. User names exist for this exact purpose: signal.org/blog/phone-number-p


@kkarhan @taylan

For every messenger there's the risk of someone finding out that you use that messenger (for example when you download the app without a proxy or when you rent a server for self-hosting). So what?

Nothing and no one stops you from voluntarily using Tor to connect to Signal (Orbot, InviZible, Advanced Privacy etc.). For those oppressed by authoritarian regimes, Signal offers easy-to-use censorship-circumvention proxy support built into the app.

support.signal.org/hc/en-us/ar

@kkarhan @taylan

Neither knowing your phone number nor the Cloud Act nor both in combination gives Signal the magical ability to “snoop” on your end-to-end encrypted chats or to circumvent Sealed Sender, if that's what you're trying to express with your PII argument. signal.org/blog/sealed-sender/

Long-term secret keys and session keys are generated and stored on the end-user's device and are never sent to the server. It's called end-to-end encryption for a reason. Wiretapping doesn't change that.

Signal Messenger: Technology preview: Sealed sender for Signal – In addition to the end-to-end encryption that protects every Signal message, the Signal service is designed to minimize the data that is retained about Signal users. By design, it does not store a record of your contacts, social graph, conversation list, location, user avatar, user profile name, ...

@pixelcode @taylan Your nonchalant "So what?" gets people publicly murdered by the state in many jurisdictions...

  • Which is why there is no substitute to teaching proper #TechLiteracy ffs!

If things were so easy as in "JuSt UsE sIgNaL!" then @signalapp would be shut down.

If you do think so then you should really get some professional help, cuz you seem rather lost...

  • #Signal doesn't even bother to have an #OnionService, much less to provide means to use their service without self-doxxing with a #PhoneNumber, which at best is pseudonymous and requires money to attain and maintain...

Its #centralization is an absolute nightmare and must be deemed as criminally neglectful!


@pixelcode @kkarhan I have followed their #ReproducibleBuilds over the years, they never actually reproduce the whole thing from source, just the easy parts. Last I checked, all their native code is just pulled in as binaries when using their reproducer setup. Plus, they can't reproduce the proprietary Google libraries github.com/signalapp/Signal-An

#Debian and #Guix rebuild everything from source.

@pixelcode @kkarhan

Can it be verified in some way that the application distributed in the app stores is bit-identical to such a reproducible build? Genuine question.
@pixelcode @kkarhan

Sorry for not following the link earlier; the first paragraph seems to imply that the answer is yes.

If so, that would mean there's probably no plausible way for Signal Android users to have their keys intentionally leaked by rogue changes to the app...

Then again, one has to wonder how frequently the app is being updated, and whether every single update will be verified by someone out there. Else, they could briefly slip something in and take it out again in a subsequent update...

(Yes, I'm on full tinfoil mode, just for fun. I'm not trying to be accusatory against Signal for any particular reason. Just regular scrutiny.)
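The check taylan is asking about (is the store-distributed APK bit-identical to a locally reproduced build?) comes down to comparing the two archives entry by entry while setting aside the signing data, which legitimately differs because only Signal holds the signing key. The following is an added illustration of that comparison, written for this thread and not a script from Signal or from anyone posting here; the two "APKs" are constructed in memory as plain zip archives, and the assumption that the v1 signature files live under META-INF/ (the v2/v3 signing block sits outside the zip entries and so never appears in an entry listing) is mine.

```python
import hashlib
import io
import zipfile

# v1 (JAR) signature files live under this prefix and are expected to differ
# between a store build and a locally reproduced one (assumption; see lead-in).
SIGNATURE_PREFIX = "META-INF/"


def build_sample_apk(entries):
    """Constructed stand-in for an APK: a zip archive built from a name->bytes map."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def content_digests(apk_bytes, ignore_prefix=SIGNATURE_PREFIX):
    """Map each zip entry to the SHA-256 of its uncompressed bytes.

    Hashing the decompressed payload (not the raw archive) makes the comparison
    insensitive to zip-level differences such as compression level or entry
    order, which are not what a reproducibility check is about. Signature
    files under META-INF/ are skipped because they are expected to differ.
    """
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.startswith(ignore_prefix):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(store_apk, local_apk):
    """Report entries whose content differs, or that exist on one side only."""
    a = content_digests(store_apk)
    b = content_digests(local_apk)
    report = {
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
        "only_in_store": sorted(a.keys() - b.keys()),
        "only_in_local": sorted(b.keys() - a.keys()),
    }
    report["identical"] = not (
        report["changed"] or report["only_in_store"] or report["only_in_local"]
    )
    return report


# Constructed sample data: a "store" build carrying a v1 signature, a local
# rebuild of the same sources without one, and a build whose bytecode differs.
_COMMON = {
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
    "lib/arm64-v8a/libexample.so": b"\x7fELF" + b"\x01" * 16,
}
STORE_APK = build_sample_apk({**_COMMON, "META-INF/CERT.RSA": b"store-signature"})
LOCAL_APK = build_sample_apk(_COMMON)
TAMPERED_APK = build_sample_apk({**_COMMON, "classes.dex": b"dex\n035\x00" + b"\x01" * 32})


if __name__ == "__main__":
    print("store vs local:   ", compare_apks(STORE_APK, LOCAL_APK))
    print("store vs tampered:", compare_apks(STORE_APK, TAMPERED_APK))
```

Run against real files by reading the two APKs with `open(path, "rb").read()` and passing the bytes to `compare_apks`; a non-empty `changed` list is the point at which to stop and investigate, and the per-entry digests answer the follow-up worry about updates slipping something in briefly, since recording them for every released version gives you a trail to diff against later.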

@pixelcode @kkarhan #OpenSourceInitiative has gone to great lengths to try to standardize the definition of "open source", including filing trademarks. Including proprietary libs fails their definition of #OpenSource For this reason, many are now using the term #SourceAvailable for things like Signal.

@eighthave @kkarhan I wrote “open-source”, not “Open Source ®”. I don't care about the opinion of the Open Source Initiative ®.

@signalapp A feature that would be great was to put a PIN in place of biometrics

@signalapp But is it idiot-proof? Can you give examples on things that would be idiotic to do, which might undermine security of a top secret conversation?!

Would you say that it is compatible with the requirements of the US government to safeguard conversations for either legal or historical purposes? Or would that just be a really stupid use of the software?!

Please provide clear, verifiable examples of governmental user stupidity, thanks! 😏

@link2xt @signalapp fair question, I'd like to see what's up!

Most likely answer is that they simply did not care to publish the reports. E.g. Wire lists audits from 2022 to 2024 on wire.com/en/security page but latest reports published are from 2018. Still, it is usually not much work to publish the reports if you address all the findings timely, as all the work preparing the report itself is done by the auditors.

wire.com: Security & Privacy with Wire – Secure your communication with Wire's end-to-end encryption for messages, calls, and file sharing. Stay compliant and protect your data with Wire's easy privacy features.

@signalapp I accidentally someone to a group chat
what now?

@linuzifer @signalapp watch out, mate, that's how you become defense minister these days

@linuzifer @signalapp you hafta attack some other country now

@linuzifer @signalapp

Do you mean Vance.

You do know that this here is sad, wait.

@linuzifer @signalapp

Oh damn, I couldn't find the little American who was crying because he woke up and Trump is still alive, and the only thing I could think of to comfort him was to tell him that Musk's rockets leave angel farts in the sky that look like rosettes

@linuzifer @signalapp

Bbno$ asked me whether I have Signal and want to meet him; now I'm no longer sure whether that was a normal honey trap / scammer, what to do?

He's hot, Linus

@signalapp the biggest flaw is the user, as demonstrated recently.