←back to thread

It looks like Signal isn't as open source as you thought it was anymore

(www.androidpolice.com)
242 points raybb | 3 comments | 06 Apr 21 18:04 UTC | HN request time: 0.536s | source
Show context
ndiscussion ◴[06 Apr 21 18:42 UTC] No.26715675[source]
It's been like this for a while, and the project owner's attitude is pretty negative overall. I do use signal daily, but I believe it's likely compromised ala lavabit.
replies(4): >>26715714 #>>26715934 #>>26716233 #>>26718058 #
morelisp ◴[06 Apr 21 18:46 UTC] No.26715714[source]
What's in the Signal server to be compromised?
replies(2): >>26715770 #>>26716093 #
corty ◴[06 Apr 21 18:49 UTC] No.26715770[source]
List of phone numbers? Pairs of communication partners? Timing and size of messages? Metadata about transferred media? There is still a lot, sufficient for targeting a drone strike as the usual wisdom goes.
replies(3): >>26715815 #>>26716325 #>>26716566 #
tptacek ◴[06 Apr 21 18:52 UTC] No.26715815[source]
Some of that information you don't even need a backdoor to collect; the rest is stored in plaintext by Signal's competitors.
replies(1): >>26716518 #
corty ◴[06 Apr 21 19:47 UTC] No.26716518[source]
Signal claims to specially protect some of that data, such claims need verification. Storing or not storing that data needs verification, without the trust that they do what they say they are no better than their competition. Trust is earned e.g. by openness about the source code. And that a server backdoor isn't strictly necessary is also beside the point because the server is the easiest and most obvious way to get at all that data.

Also, there is competition like Briar which has less of those pesky metadata problems (but some other problems instead)

replies(1): >>26718158 #
tptacek ◴[06 Apr 21 22:27 UTC] No.26718158[source]
I don't recall Signal ever having made implausible claims about traffic analytic attacks. I also don't buy into the idea that platforms are as trustworthy as their source release policies are orthodox.
replies(1): >>26718465 #
1. corty ◴[06 Apr 21 23:03 UTC] No.26718465[source]
It isn't advanced difficult traffic analysis if it is all your servers. Or all your logs landing in one logstash.
replies(2): >>26718484 #>>26721124 #
2. tptacek ◴[06 Apr 21 23:06 UTC] No.26718484[source]
What difference does this make? In your threat model the only serious countermeasure between you and state-level adversaries is a Logstash implementation?
3. morelisp ◴[07 Apr 21 06:21 UTC] No.26721124[source]
The goalposts now seem to be at "someone might subpoena Signal's logs for some metadata", having moved pretty far from the original claim of "Signal's server code hasn't been updated because it has been secretly backdoored or intentionally weakened." It's difficult to see this as good faith security analysis rather than fearmongering.