43 lines
2.6 KiB
Markdown
43 lines
2.6 KiB
Markdown
---
|
||
title: "Why I won’t recommend Signal anymore (damn'it)"
|
||
date: 2016-11-06T20:59:00+06:00
|
||
draft: false
|
||
tags: ["signal app","encryption","surveillance","data privacy","xmpp"]
|
||
author: "9x0rg"
|
||
hidemeta: false
|
||
ShowReadingTime: true
|
||
ShowPostNavLinks: true
|
||
showtoc: false
|
||
cover:
|
||
image: "/images/"
|
||
alt: "<alt text>"
|
||
caption: "<text>"
|
||
---
|
||
I don't like WhatsApp - I don't mean the app by itself, it's a great app - but its owner, Facebook. And I don't like Facebook owner, Mark. Mark Zuckerberg bought WhatsApp for a [whooping USD 19 Billion](https://www.forbes.com/sites/parmyolson/2014/10/06/facebook-closes-19-billion-whatsapp-deal/) in 2014. Why would you do that?
|
||
|
||
When you invest such a *mahoosive* amount of money in an instant messenger, you probably expect a *mahoosive* return on investment, right? Unless it’s about philanthropy. Not sure Mark is that sort of guy. So be prepared to switch to another instant messenger.
|
||
|
||
* Telegram? Looks promising, need to dig in a little regarding their cryptography and the team behind the project.
|
||
* Signal? Looks very promising, cool find !
|
||
|
||
Wait.
|
||
|
||
Sander Venema seems to disagree though:
|
||
|
||
### [Why I won’t recommend Signal anymore](https://sandervenema.ch/2016/11/why-i-wont-recommend-signal-anymore/) -- Sander Venema
|
||
|
||
> To be clear: **the reason for this is not security**. To the best of my knowledge, the Signal protocol is cryptographically sound, and your communications should still be secure. The reason has much more to do with the way the project is run, the focus and certain dependencies of the official (Android) Signal app, as well as the future of the Internet, and what future we would like to build and live in.
|
||
>
|
||
>[...]
|
||
>
|
||
> ### Multiple problems with Signal
|
||
>
|
||
> * Lack of federation[^1]
|
||
> * Dependency on Google Cloud Messaging[^2]
|
||
> * Your contact list is not private[^3]
|
||
> * The RedPhone server is not open-source[^4]
|
||
|
||
[^1]: Moxie [made it clear](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) that he does not want LibreSignal, amodified version of Signal that removed the Google dependency, to use the Signal servers
|
||
[^2]: Google usually has root access to the phone, there’s the issue of integrity. Google is still cooperating with the NSA and other intelligence agencies. PRISM is also still a thing.
|
||
[^3]: Signal associates phone numbers with names, hashes them before sending them to the server, but since the space of possible hashes is so small for phone numbers, this does not provide a lot of security.
|
||
[^4]: The server component of RedPhone is not open source. What prevents the RedPhone server code from being released (whether it is legal issues or simple unwillingness) is unclear. |