---
title: "Why I won't recommend Signal anymore (damn'it)"
date: 2016-11-06T20:59:00+06:00
draft: false
tags: ["signal app","encryption","surveillance","data privacy","xmpp"]
author: "9x0rg"
hidemeta: false
ShowReadingTime: true
ShowPostNavLinks: true
showtoc: false
cover:
image: "/images/"
alt: "<alt text>"
caption: "<text>"
---
I don't like WhatsApp - I don't mean the app by itself, it's a great app - but its owner, Facebook. And I don't like Facebook's owner, Mark. Mark Zuckerberg bought WhatsApp for a [whopping USD 19 Billion](https://www.forbes.com/sites/parmyolson/2014/10/06/facebook-closes-19-billion-whatsapp-deal/) in 2014. Why would you do that?

When you invest such a *mahoosive* amount of money in an instant messenger, you probably expect a *mahoosive* return on investment, right? Unless it's about philanthropy. Not sure Mark is that sort of guy. So be prepared to switch to another instant messenger.

* Telegram? Looks promising, need to dig in a little regarding their cryptography and the team behind the project.
* Signal? Looks very promising, cool find!

Wait.

Sander Venema seems to disagree though:
### [Why I won't recommend Signal anymore](https://sandervenema.ch/2016/11/why-i-wont-recommend-signal-anymore/) -- Sander Venema
> To be clear: **the reason for this is not security**. To the best of my knowledge, the Signal protocol is cryptographically sound, and your communications should still be secure. The reason has much more to do with the way the project is run, the focus and certain dependencies of the official (Android) Signal app, as well as the future of the Internet, and what future we would like to build and live in.
>
>[...]
>
> ### Multiple problems with Signal
>
> * Lack of federation[^1]
> * Dependency on Google Cloud Messaging[^2]
> * Your contact list is not private[^3]
> * The RedPhone server is not open-source[^4]

[^1]: Moxie [made it clear](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) that he does not want LibreSignal, a modified version of Signal that removed the Google dependency, to use the Signal servers
[^2]: Google usually has root access to the phone, there's the issue of integrity. Google is still cooperating with the NSA and other intelligence agencies. PRISM is also still a thing.
[^3]: Signal associates phone numbers with names, hashes them before sending them to the server, but since the space of possible hashes is so small for phone numbers, this does not provide a lot of security.
[^4]: The server component of RedPhone is not open source. What prevents the RedPhone server code from being released (whether it is legal issues or simple unwillingness) is unclear.
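Footnote 3 is the one technical claim on this page: an unkeyed hash of a phone number hides nothing, because whoever holds the hash can simply hash every possible number and compare. The Python below is an added illustration written for this post, not Signal's code and not Venema's; the phone number, the prefix and the hashing rate are constructed values, and the hash construction (plain SHA-256 over the digits, no key) is an assumption chosen to make the point, not a description of what any Signal client actually sent.

```python
import hashlib
import itertools
from typing import Optional

# Constructed example value, not a real subscriber number.
PHONE = "2015550137"


def hash_phone(number: str) -> str:
    """Assumed naive scheme: unkeyed SHA-256 over the digits.

    This is the kind of "hash it before upload" that footnote 3 describes;
    the server (or anyone who obtains the hash) can reverse it by enumeration."""
    return hashlib.sha256(number.encode("ascii")).hexdigest()


def search_space(digits: int) -> int:
    """Number of candidate strings of the given decimal length.

    A 10-digit national number gives 10**10 candidates; that is the entire
    'secret' an unkeyed hash protects, regardless of the hash function's
    output size."""
    return 10 ** digits


def seconds_for_space(digits: int, hashes_per_second: float) -> float:
    """Time to enumerate every candidate at a given (constructed) hashing rate."""
    return search_space(digits) / hashes_per_second


def recover_by_enumeration(target_hash: str, prefix: str, suffix_digits: int) -> Optional[str]:
    """Reverse an unkeyed phone-number hash by trying every suffix under a known
    prefix (country code plus area code). Returns the matching number, or None
    if the hash does not belong to any number under that prefix.

    The prefix only shrinks the work; with no prefix at all the full 10-digit
    space is still trivially enumerable (see seconds_for_space)."""
    for suffix in itertools.product("0123456789", repeat=suffix_digits):
        candidate = prefix + "".join(suffix)
        if hash_phone(candidate) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    h = hash_phone(PHONE)
    print("uploaded hash  :", h)
    # Known prefix (constructed): 6 digits, leaving 10**4 candidates to try.
    print("recovered      :", recover_by_enumeration(h, "201555", 4))
    # Whole 10-digit space at an assumed 1e9 SHA-256/s (constructed rate):
    print("full space, s  :", seconds_for_space(10, 1e9))
```

The lesson is about entropy, not about the hash: a 256-bit digest of a 33-bit secret is still a 33-bit secret. Any contact-discovery design that lets the matching side see a deterministic, unkeyed function of a low-entropy identifier should be treated as sending the identifier in the clear.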