Greetings!
A friend of mine wants to be more secure and private in light of recent events in the USA.
They originally told me they were going to use telegram, in which I explained how Telegram is considered compromised, and Signal is far more secure to use.
But they want more detailed explanations then what I provided verbally. Please help me explain things better to them! ✨
I am going to forward this thread to them, so they can see all your responses! And if you can, please cite!
Thank you! ✨
I can’t speak about telegram, but signal is absolutely not secure to use. Its a US-based service (that must adhere to NSLs), and requires phone numbers (meaning your real identity in the US).
Matrix, XMPP, or SimpleX are all decentralized, and don’t require US hosting.
This entire article is guessing at hypothetical backdoors. Its like saying that AES is backdoored because the US government chose it as the standard defacto symmetrical encryption.
There is no proof that Signal has done anything nefarious at all.
As an outsider, I mean isn’t that the same for news coverage for chinese/russian backdoors, but everyone believes it without any proof.
Why is US company being a US honeypot a big surprise, and its government recommending it not a big red flag? but it is when China recommends wechat? Can’t we be critical and suspicious of both authoritarian countries?
Do you have access to Signal servers to verify your claims by any chance? Afaik their servers are running modified codebase, and third party apps cannot use them. So how do you claim anything that goes behind closed doors at all? Genuinel curious.
Being critical is good, and we should always hold them accountable for our security. We can look to third party audits for help with that.
https://community.signalusers.org/t/overview-of-third-party-security-audits/13243
That’s not how it works. The signal protocol is designed in a way that the server can’t have access to your message contents if the client encrypts them properly. You’re supposed to assume the server might be compromised at any time. The parts you actually need to verify for safe communication are:
So if I understand it Signal has your phone number but only logs sign up date and last activity date. So yes they can say this person has Signal and last used it on date X. Other than that no information.
Matrix doesn’t require a phone number but has no standard on logging activity so it’s up to the server admin what they log, and they could retain ip address, what users are talking in what, rooms, etc. and E2EE is not required.
I think both have different approaches. I’m just trying to understand. On one hand you have centralized system that has a standard to minimize logs or decentralized system that must be configured to use E2EE and to remove logs.