Signal is open source, so our code is regularly scrutinized in addition to regular formal audits. We also constantly monitor security@signal.org for any new reports, and we act on them with quickness while also working to protect the people who rely on us from outside threats like phishing with warnings and safeguards.
This is why Signal remains the gold standard for private, secure communications. 5/
@kkarhan@signalapp I disagree because your platform is #proprietary, #SingleVendor, #SingleProvider and doesn't allow for #SelfHosting, #SelfCustody of all the Keys and you demand #PII in the form of a #PhoneNumber which can be used.to track users down!
- If #Signal was as secure as claimed, it would've been shut down like #EncroChat, #SkyECC & others...
@pixelcode@social.tchncs.de@kkarhan Signal is literally open-source, meaning its source code is public, not proprietary: https://github.com/signalapp. Signal does not hold any user's secret keys.
@kkarhan@pixelcode neither are there reproduceable builds nor is #Signal's #backend opensoirce'd nor is it possible to #SelfHost.
- Thus it is #proprietary #SaaS!
@pixelcode@social.tchncs.de@kkarhan @taylan You could have simply clicked on the link to find out that Signal have published the source code of all their apps and of their server, instead of making false claims out of thin air.
There's literally an entire manual on reproducing builds: https://github.com/signalapp/Signal-Android/blob/main/reproducible-builds%2FREADME.md
Also, nothing and no one stops you from self-hosting the Signal server.
@kkarhan@pixelcode @taylan that is simply not true.
@signalapp is #centralized and there's no way one can verify the code released for the servers is what they actually run.
Unlike your replies [social.tchncs.de] my criticisms ain't founded based off "#TrustMeBro!" but systemic issues I highlight which #Signal refuses to address or take seriously!
@pixelcode@social.tchncs.deI did not claim Signal isn't centralised. I did not claim it's possible to verify which software runs on a foreign server.
Unlike you, I substantiated my statements by citing a source – namely a link pointing to Signal's collection of Git repos which contain the source code of their client & server software and a manual explaining how to reproduce Signal's builds, which you continue to ignore.
The one making claims without stating any sources at all are you.
@kkarhan@infosec.space@pixelcode @taylan @signalapp the #centralization, espechally without means to hide it's traffic via @torproject / #Tor makes it trivial to detect and track @signalapp / #Signal users.
- Add to that the fact that Signal has #PhoneNumbers = #PII on them and the fact they are incorporated in the #USA, thus subject to #CloudAct and it's not a matter if they snitch on users but how many thousands if not millions got subopena'd to this day.
And with no self-custody of keys it's trivial to #Room641A the users if the devs get "motivated" under threat of spending the rest of theor lives in jail.
@Andromxda@infosec.exchangethus subject to Cloud Act
They literally don't store anything about you, other than the phone number you used to sign up, and the timestamp of the last login. They can't fulfill any kind of subpoena, because they simply don't have the data. This was proven in court:
https://signal.org/bigbrother/cd-california-grand-jury/
I don't know what your mission is, any why you're constantly spreading misinformation about a secure communications platform, trying to discourage people from using it, without naming alternatives.
It's pretty suspicious at the very least.
@kkarhan@Andromxda @pixelcode How can you claim something you can't evidence [infosec.exchange]?
- Pretty shure if it's not @signalapp themselves, then their centralized architecture and unwillingness to even have an #OnionService on @torproject makes it trivial to pull a #Room641A on them.
It makes you look like one of those folks shilling [www.youtube.com] #VPN|s that ain't logless after all [web.archive.org]...
- I don't believe in #marketing #lies and #Signal can't (and won't) be able to evidence that they don't log shit.
At least they should be honest about things and not claim bs, cuz demanding a #PhoneNumber is just #KYC with extra steps like demanding any #SSN or other #PII. Makes them look like chinese MMORPGs that demand ID card numbers for account signups, thus #paywalling the ability to use their service anonymously...
@Andromxda@infosec.exchangeHow can you claim something you can't evidence?
I literally included a link to the evidence. Here's the link again: https://signal.org/bigbrother/cd-california-grand-jury/
Signal got a judicial subpoena from the Central District of California. They were represented by the ACLU, and they responded with the only bits of data they had: the Unix timestamp of account creation, and the timestamp of the last connection.
It seems like you are simply ignoring the evidence (on purpose).
demanding a PhoneNumber
All big messenger apps collect phone numbers, in order to prevent spam. Unlike WhatsApp or iMessage though (I mean technically you can find iMessage contacts by Email address, but no one does that), you don't have to share your phone number with contacts, in order for them to be able to message you. User names exist for this exact purpose: https://signal.org/blog/phone-number-privacy-usernames/
@pixelcode@social.tchncs.deFor every messenger there's the risk of someone finding out that you use that messenger (for example when you download the app without a proxy or when you rent a server for self-hosting). So what?
Nothing and no one stops you from voluntarily using Tor to connect to Signal (Orbot, InviZible, Advanced Privacy etc.). For those oppressed by authoritarian regimes, Signal offers easy-to-use censorship-circumvention proxy support built into the app.
https://support.signal.org/hc/en-us/articles/360056052052-Proxy-Support
@pixelcode@social.tchncs.deNeither knowing your phone number nor the Cloud Act nor both in combination gives Signal the magical ability to “snoop” on your end-to-end encrypted chats or to circumvent Sealed Sender, if that's what you're trying to express with your PII argument. https://signal.org/blog/sealed-sender/
Long-term secret keys and session keys are generated and stored on the end-user's device and are never sent to the server. It's called end-to-end encryption for a reason. Wiretapping doesn't change that.
@kkarhan@pixelcode @taylan Your nonchalant "So what?" [social.tchncs.de] gets people publicly murdered by the state in many juristictions...
- Which is why there is no substitute to teaching proper #TechLiteracy ffs!
If things were so easy as in "JuSt UsE sIgNaL!" then @signalapp would be shut down.
- Or do you really think that in a world where multi-year long sting ops like #ANØM / #OperationIronside / #OperationTrøjanShield get greenlit that @Mer__edith would risk dying of old age in jail for non-paying users?
If you do think so then you should really get some professional help, cuz you seem rather lost...
- #Signal doesn't even bother to have an #OnionService, much less to provide means to use their service without self-doxxing with a #PhoneNumber, which at best is pseudonymous and requires money to attain and maintain...
It's #centralization is an absolute nightmare and mist be deemed as criminally neglectful!
@pixelcode@social.tchncs.deWho was murdered by the state only because they used a specific messaging app? Please provide a source.
Who says Signal would be shut down? Again, you just make up claims.
The fact that you use Signal is not confidential, and someone finding out that you do is not “doxxing”.
Tech literacy ≠ fabricating conspiracy theories
@kkarhan@pixelcode I'm not gonna violate confidentiality just to win an argument on the internet.
- I have helped people with a literal DoA bounty on their head escape a literal warzone and enshure their comms are clean and secure.
Mark my words: #Signal is a sting op and the day they get caught snitchin' you can apologize to me in person.