Signal is open source, so our code is regularly scrutinized in addition to regular formal audits. We also constantly monitor security@signal.org for any new reports, and we act on them with quickness while also working to protect the people who rely on us from outside threats like phishing with warnings and safeguards.
This is why Signal remains the gold standard for private, secure communications. 5/
@signalapp Thanks for being AWESOME
@signalapp It would be great if Signal allowed accounts without requiring a phone number. Neither Telegram nor WhatsApp offer this option, but it could be useful in many situations. For example, I keep a smartphone at home for my children without a SIM card, and finding a messaging system that works over Wi-Fi alone is not easy.
@signalapp @sn
While I strongly agree to your wish, I would recommend to check out DeltaChat.
It's developed in Germany, follgwing highest security standards and does neither require a phone number nor a username to register.
Just select the automatically generated mail address und you (and your kids) are ready to go :)
@signalapp Documentation of the internals is lacking or is at least very sparse. Having the source code available is the bare minimum to request trust, but a detailed documentation also helps understanding what is intended, and what is your threat model.
Signal only provides some specs for the core protocols.
@signalapp thank you so much for your hark work! Keep strong
@signalapp ....and please, donate now! It's the only way to be indipendent
@signalapp would be cool to see an OpenBSD port.
@signalapp Is all of the code from your backend services, the configuration management, and associated infrastructure work, all open source?
@signalapp Why do you need a CLA, why not avoid that and guarantee that one organization can't relicense everything without everyone's consent?
@purpleidea
Signal licensed its code to WhatsApp in the past: https://signal.org/blog/whatsapp-complete/
CLA is needed to make this kind of licensing possible.
@signalapp I disagree because your platform is #proprietary, #SingleVendor, #SingleProvider and doesn't allow for #SelfHosting, #SelfCustody of all the Keys and you demand #PII in the form of a #PhoneNumber which can be used.to track users down!
Signal is also used mainly by criminals and terrorists. Like JD Vance, Pete Hegseth, Elon Musk, ...
@chebra @signalapp state-sponsored terrorism doesn't count!
@kkarhan @signalapp But that's the only kind we have left!
@kkarhan @signalapp EncroChat got compromised because it had central updates. When the infrastructure was taken over, the intruder was able to push updates to the clients that compromised them.
EncroChat was designed for use by criminals, who are usually idiots about tech, and therefore had to be centrally controlled.
Some of the other "criminal chat networks" were honeypots from the beginning.
Anything with an IMEI or IMSI is trackable. Public Wifi would be better but it's a bit of a pain.
#Signal was as secure as claimed, it would've been shut down like #EncroChat, #SkyECC & others...
Just stop the BS. EncroChat was specifically built and marketed for criminals. It wasn't shut down by law enforcement, it was hacked by the French police, after which they decided to shut the service down themselves.
Signal is open source (and the issue regarding reproducible builds is known, but it doesn't impact the security of the app. It is caused by a navigation library that causes some race condition during the build process, the result of which is dependent on CPU speed. They are aware of the issue, and are working to fix it. It is tracked here: https://github.com/signalapp/Signal-Android/issues/13565). If you don't trust the official build, you can compile it yourself. There are also forks like Signal-FOSS or @mollyim available if you prefer that.
The server is also open source (of course you can't verify if they are actually running that code, but that's gonna be the case for every application with a client/server architecture. Your point regarding Signal being "proprietary SaaS" is, again, total BS.
@Andromxda @mollyim no it's not bs and fanboying @signalapp isn't going to change that.
If #Signal was secure it would be the #1 comms tool of organized crime...
Real professionals use #SelfHosting capable, fully #FLOSS'd solutions like #PGP/MIME & #XMPP+#OMEMO.
It's just me reading the room: Cuz #ComSec isn't done woth "JuSt UsE sIgNaL!" and everyone who claims so without pointing out #OpSec, #InfoSec & #ITsec is BSing hard.
Fortunatelty, @thunderbird and @tails_live / @tails / #Tails and many other tools make that easier than ever before.
If #Signal was secure it would be the #1 comms tool of organized crime...
Criminals aren't particularly smart. If they were smart enough to figure out which communication solution is secure, and which isn't, they definitely wouldn't have paid thousands of dollars for Anom phones or paid hefty license fees for EncroChat.
GrapheneOS and Signal are completely free. Both free of charge, and free as in freedom. And they're undoubtably the most secure secure solutions currently out there. The Signal protocol is the gold standard for encrypted messaging, and there's a reason why many other messengers use it as well. WhatsApp, Facebook Messenger, even Instagram DMs, Skype, Google Allo (which is defunct now), even Google's new RCS encryption standard uses the Signal protocol under the hood.
Real professionals use
Ah yes, gatekeeping secure communications. You're such a fucking genius. "Anyone who doesn't know how to use some obscure, outdated encryption software is just a retard, and doesn't have the right to communicate securely." That's literally what you're saying. I hope you realize the utter stupidity of your statement.
Yet I've only seen TechIlliterates shill it
You are incapable of distinguishing a bug that causes reproducible builds to fail, while both the clients and the server are still FLOSS, allowing you to compile them yourself, from proprietary SaaS platforms. If anyone here is tech-Illiterate, it's you.
Cuz ComSec isn't done woth "JuSt UsE sIgNaL!"
Yeah, I'm absolutely sure you'll get more people to use secure communications by gatekeeping the topic. You seem to have figured it out.
MobileCoin was an attempt to ensure continuous funding for the Signal Foundation, decreasing the reliance on donations. It did not work out as planned, partly due to the inherent technological faults (e.g. only supporting Intel CPUs with SGX, which doesn't allow for true decentralization). The project has basically been abandoned for years. There hasn't been any development in quite a long time. Also, you don't have to use MobileCoin in any way, it's just there, but I doubt that most Signal users have even heard about it. The @mollyim client completely removes this functionality from the app.
insults against my intellect
You do realize how ridiculous that sounds, right?
Someone really got hurt in their feelings here over a simple argument about encrypted messaging
Your view of the world is so incredibly unrealistic, it's almost absurd.
Also, are you able to type a single coherent sentence without inserting a million hashtags? It's painful to read, and it looks like a post made by a 3-year-old who just discovered what hashtags are.
@kkarhan @Andromxda @mollyim @signalapp @thunderbird @tails_live @tails @cryptoparty@mastodon.earth @cryptoparty@chaos.social Signal is the best thing out there if (1) you must use a phone with public cellular networks and (2) you do not have a technically competent person at EACH end.
If you can afford to use laptops with Tails, and have a sysadmin at each end, then stronger privacy is available including hiding your physical location (which you cannot do with a phone.)
All others, use Signal.
@kkarhan Signal is literally open-source, meaning its source code is public, not proprietary: https://github.com/signalapp. Signal does not hold any user's secret keys.
@pixelcode neither are there reproduceable builds nor is #Signal's #backend opensoirce'd nor is it possible to #SelfHost.
@taylan @pixelcode also add tocthe fact that @signalapp collects and stores #PII like #PhoneNumbers...
@kkarhan @taylan You could have simply clicked on the link to find out that Signal have published the source code of all their apps and of their server, instead of making false claims out of thin air.
There's literally an entire manual on reproducing builds: https://github.com/signalapp/Signal-Android/blob/main/reproducible-builds%2FREADME.md
Also, nothing and no one stops you from self-hosting the Signal server.
@pixelcode @taylan that is simply not true.
@signalapp is #centralized and there's no way one can verify the code released for the servers is what they actually run.
Unlike your replies my criticisms ain't founded based off "#TrustMeBro!" but systemic issues I highlight which #Signal refuses to address or take seriously!
I did not claim Signal isn't centralised. I did not claim it's possible to verify which software runs on a foreign server.
Unlike you, I substantiated my statements by citing a source – namely a link pointing to Signal's collection of Git repos which contain the source code of their client & server software and a manual explaining how to reproduce Signal's builds, which you continue to ignore.
The one making claims without stating any sources at all are you.
@pixelcode @taylan @signalapp the #centralization, espechally without means to hide it's traffic via @torproject / #Tor makes it trivial to detect and track @signalapp / #Signal users.
And with no self-custody of keys it's trivial to #Room641A the users if the devs get "motivated" under threat of spending the rest of theor lives in jail.
thus subject to Cloud Act
They literally don't store anything about you, other than the phone number you used to sign up, and the timestamp of the last login. They can't fulfill any kind of subpoena, because they simply don't have the data. This was proven in court:
https://signal.org/bigbrother/cd-california-grand-jury/
I don't know what your mission is, any why you're constantly spreading misinformation about a secure communications platform, trying to discourage people from using it, without naming alternatives.
It's pretty suspicious at the very least.
@Andromxda @pixelcode How can you claim something you can't evidence?
It makes you look like one of those folks shilling #VPN|s that ain't logless after all...
At least they should be honest about things and not claim bs, cuz demanding a #PhoneNumber is just #KYC with extra steps like demanding any #SSN or other #PII. Makes them look like chinese MMORPGs that demand ID card numbers for account signups, thus #paywalling the ability to use their service anonymously...
How can you claim something you can't evidence?
I literally included a link to the evidence. Here's the link again: https://signal.org/bigbrother/cd-california-grand-jury/
Signal got a judicial subpoena from the Central District of California. They were represented by the ACLU, and they responded with the only bits of data they had: the Unix timestamp of account creation, and the timestamp of the last connection.
It seems like you are simply ignoring the evidence (on purpose).
demanding a PhoneNumber
All big messenger apps collect phone numbers, in order to prevent spam. Unlike WhatsApp or iMessage though (I mean technically you can find iMessage contacts by Email address, but no one does that), you don't have to share your phone number with contacts, in order for them to be able to message you. User names exist for this exact purpose: https://signal.org/blog/phone-number-privacy-usernames/
For every messenger there's the risk of someone finding out that you use that messenger (for example when you download the app without a proxy or when you rent a server for self-hosting). So what?
Nothing and no one stops you from voluntarily using Tor to connect to Signal (Orbot, InviZible, Advanced Privacy etc.). For those oppressed by authoritarian regimes, Signal offers easy-to-use censorship-circumvention proxy support built into the app.
https://support.signal.org/hc/en-us/articles/360056052052-Proxy-Support
Neither knowing your phone number nor the Cloud Act nor both in combination gives Signal the magical ability to “snoop” on your end-to-end encrypted chats or to circumvent Sealed Sender, if that's what you're trying to express with your PII argument. https://signal.org/blog/sealed-sender/
Long-term secret keys and session keys are generated and stored on the end-user's device and are never sent to the server. It's called end-to-end encryption for a reason. Wiretapping doesn't change that.
@pixelcode @taylan Your nonchalant "So what?" gets people publicly murdered by the state in many juristictions...
If things were so easy as in "JuSt UsE sIgNaL!" then @signalapp would be shut down.
If you do think so then you should really get some professional help, cuz you seem rather lost...
It's #centralization is an absolute nightmare and mist be deemed as criminally neglectful!
@pixelcode @kkarhan I have followed their #ReproducibleBuilds over the years, they never actually reproduce the whole thing from source, just the easy parts. Last I checked, all their native code is just pulled in as binaries when using their reproducer setup. Plus, they can't reproduce the proprietary Google libraries https://github.com/signalapp/Signal-Android/blob/556bcda58ae65abbba75bf899a43666ba6d9d427/app/build.gradle.kts#L533
@taylan @pixelcode on @fdroidorg it is possible...
@pixelcode @kkarhan #OpenSourceInitiative has gone to great lengths to try to standardize the definition of "open source", including filing trademarks. Including proprietary libs fails their definition of #OpenSource For this reason, many are now using the term #SourceAvailable for things like Signal.
@eighthave @kkarhan I wrote “open-source”, not “Open Source ®”. I don't care about the opinion of the Open Source Initiative ®.
@signalapp A feature that would be great was to put pim in place of biometrics
@signalapp But is it idiot-proof? Can you give examples on things that would be idiotic to do, which might undermine security of a top secret conversation?!
Would you say that it is compatible with the requirements of the US government to safeguard conversations for either legal or historical purposes? Or would that just be a really stupid use of the software?!
Please provide clear, verifiable examples of governmental user stupidity, thanks!
@signalapp signal ftw
@signalapp Why Signal does not publish those formal audit reports?
Wiki page https://community.signalusers.org/t/overview-of-third-party-security-audits/13243 only contains research papers. There was a TextSecure audit https://www.fox-it.com/be/research-blog/working-with-the-open-technology-fund/ and some evidence that in 2018 Signal paid Doyensec LLC., but no audit reports published.
For comparison, WhatsApp publishes its security audit reports and Wire published some (but not all): https://codeberg.org/kuketzblog/www.messenger-matrix.de/issues/40
Briar, Threema, Delta Chat, Session, SimpleX Chat all published at least some audit reports.
@link2xt @signalapp fair question, I'd like to see what's up!
Most likely answer is that they simply did not care to publish the reports. E.g. Wire lists audits from 2022 to 2024 on https://wire.com/en/security page but latest reports published are from 2018. Still, it is usually not much work to publish the reports if you address all the findings timely, as all the work preparing the report itself is done by the auditors.
The same topic was recently raised on Lemmy. More information on this would be really appreciated.
@signalapp I accidentally someone to a group chat
what now?
@linuzifer run for office
@linuzifer @signalapp pass uff atze, so wird man neuerdings verteidigungsminister
@linuzifer @signalapp
Your sentence no verb.
@linuzifer
Einfach Nicole wieder entfernen
@signalapp
@linuzifer @signalapp you hafta attack some other country now
Ach fgg ich hab den kleinen Ami nicht gefunden der geheult hat weil er aufgewacht ist und Trump immer noch lebt und das einzige was mir eingefallen ist um ihn zu trösten ist zu erzählen. Das Musk Raketen Engelsfürze im Himmel Himmel hinterlassen die aussehen wie Rosetten
Bbno$ hat mich gefragt ob ich Signal habe und ihn treffen möchte jetzt bin ich mir nicht mehr sicher ob das ne normale Honey trap war/scammer was tun?
Der ist hot Linus
@signalapp the biggest flaw is the user, as demonstrated recently.