←back to thread

It looks like Signal isn't as open source as you thought it was anymore

(www.androidpolice.com)
242 points raybb | 5 comments | 06 Apr 21 18:04 UTC | HN request time: 1.015s | source
Show context
cmckn ◴[06 Apr 21 20:39 UTC] No.26717119[source]
Eh, I don't think open source necessarily implies open development. Being able to look at and modify the source code of the software I use is the bar for "open source" for me; I don't expect every organization to do all their development out in the open. Seems like this code was made available while it was still relevant, so I don't think anyone is really at fault here.
replies(2): >>26717316 #>>26717662 #
1. corty ◴[06 Apr 21 20:59 UTC] No.26717316[source]
For security software like Signal it does. When there is a lag in publishing server source code, the running version isn't what the public can inspect, but an old one that is no longer valid.

And it produces the appearance that they have something to hide, like the need to sanitize the source and get rid of something. Maybe it is just embarrassing WIP stuff, maybe a backdoor.

replies(1): >>26717394 #
2. fr2null ◴[06 Apr 21 21:06 UTC] No.26717394[source]
I don't think it does, at least not for the security reasons you name.

If you are self-hosting a server, you may not have the latest and greatest features, but all the code you are running is open-source, so no sneaky backdoors (well, no more sneaky backdoors than the ones in the open source code).

If you are not self hosting, than it really doesn't matter if the server source code is open or not. There is not a single guarantee that they are actually running the that code on their server.

(For client code this is a different story of course, but we're talking about server source code)

replies(1): >>26717588 #
3. corty ◴[06 Apr 21 21:26 UTC] No.26717588[source]
In a strict sense, you are completely right. But nonetheless people are recommending Signal because the client implementation looks good and is somewhat verifiable (absent appstore evilness and ignoring the lag between update and verification). The server implementation however is only based on trust in the people running the servers. And there, openness about the code at least gives a few hints about what is going on there, enabling me to trust at least a little more than not-at-all.
replies(1): >>26717895 #
4. rOOb85 ◴[06 Apr 21 21:58 UTC] No.26717895{3}[source]
> The server implementation however is only based on trust in the people running the servers.

They literally chose a zero server trust model when designing the protocol. NSA could be running modified signal servers and it wouldn't make a difference. Your messages would still be safe since all the magic happens on the clients. The servers just route the encrypted data, it's all just 1's and 0's to them.

> And there, openness about the code at least gives a few hints about what is going on there, enabling me to trust at least a little more than not-at-all.

Do we even know if signal was running updated server code in production? Maybe they have been running the same code that was on github this whole time.

replies(1): >>26717990 #
5. corty ◴[06 Apr 21 22:10 UTC] No.26717990{4}[source]
> Your messages would still be safe

Only the message contents. Everything else, like time, identities, communication networks is still at risk. What you are saying is very misleading since you completely neglect to mention the importance of all that non-content metadata.