Get a Signal account for secure communications. DO IT NOW.
@kkarhan@lauren no, because @signalapp is subject to #CloudAct (= incompatible with #GDPR & #BDSG if you ever care!) and collects #PII in the firirm of #PhoneNumbers, which are at best pseudonymous but trivial to track and at most means that people inviting others without their consent comitted an illegal disclosure if PII!
- Use real #E2EE with #SelfCustody of all the keys that isn't a [www.youtube.com] #proprietary #SingleVendor & #SingleProvider solution that peddles [www.youtube.com] a #shitcoin #scam!
Give #XMPP+#OMEMO a shot: @monocles / #monocles & @gajim / #gajim.
1 [docs.monocles.eu] 2 [docs.monocles.eu] 3 [docs.monocles.eu] 4 [monocles.eu] 5 [monocles.chat]
@kkarhan @lauren @signalapp @monocles @gajim This 
is pretty much all false, & bad security/privacy advice.
@kkarhan@dalias I sincerely disagree because none of my claims got debunked and no evidence against #XMPP+#OMEMO have come up to me as of today.
- @signalapp being a #centralized, #SingleVendor & #SingleProvider solution subject to #CloudAct by virtue of being located in the #USA WILL NOT JUST BLOW UP IN PEOPLES FACES, BUT GET PEOPLE KILLED under #Trumpism!
I hope to be proven wrong, but up until now I've always been at the position of saying [www.youtube.com] #ToldYaSo!
- Whereas with @monocles you have way stricter #DataProtection (cuz there are no #DataProtevtionLaws in the #US that actually get enforced, otherwise #Musk's minions.would've been jailed of not killed for trespassing and hacking critical systems!) AND unlike #Signal, monocles [monovles.eu] doesn't demand any #PII whatsoever! https://infosec.space/@kkarhan/113999675511028742
@kkarhan @signalapp @monocles @lauren Very few systems promoted as Signal alternatives match the cryptographic privacy properties (see: ratcheting, etc.) of Signal.
The claims about "located in the USA" and "Cloud Act" are all nonsense because the only threat to Signal users from this is availability (seizure and shutdown of the server infrastructure), not undetected breakage of privacy properties.
There are presently no systems with superior privacy properties to Signal *and* level of functionality on par with what general public expects. There are a lot (like the XMPP stuff, *sigh*, and Matrix) that are worse in both regards. If you're happy with reduced functionality, Cwtch (and possibly some other similar Tor-based systems) or VeilidChat are stronger, but it's gonna be a while before you convince normies to use them, and in the mean time they're still going to be on insecure shit like WhatsApp, FB Messenger, Telegram, etc...
@dalias @kkarhan @signalapp @monocles @lauren
Some people like to make bold statements without verifying first.
The server *can* do malicious things (even targeted, so it maybe already is happening without anyone known) that result in exactly an "undetected breakage of privacy properties". Here's an issue about this, closed with the comment that privacy features are only best-effort with no guarantee: https://github.com/signalapp/Signal-Android/issues/13842
@pixelschubsi @kkarhan @signalapp @monocles @lauren That's that sealed-sender is best effort, which is roughly equivalent to saying "trying to approximate what you'd get with a Tor-based or Velid-based approach on top of open internet is best-effort". It's still way better than all the posers who say "Signal is insecure because it's centralized, try my hand-rolled crypto instead!"
Batching, delays and cover traffic are varying degrees of unimplemented in all of those.
(And of course, even when implemented long-running always-available/low-latency services are subject to deanonymization by active interference and passive observation of downtime correlated with power outages & natural disasters.)
@kkarhan@infosec.space@lispi314 @lauren @pixelschubsi yes, but we canbagree that very #centralized servers like those of @signalapp are way more susceptible to that compared to any halfassed #OniomService because it's trivialbto hust shove some #GlimmerGlass box on the fiber between a datacenter and their #upsream(sl and just "#bullrun" the selectively captured traffic...
With @torproject / #Tor it's much cheaper to actually attack and take down a #Server / #Service.
For an organization like #Signalcthat that gets their fans to #FUD about "#Metadata" it's shocking to see they didn't do an #OnionService to this day!