242 points raybb | 1 comments
BugsJustFindMe No.26717442
> While communication is guaranteed to be secure due to the end-to-end encryption implemented in the open-source client apps and the Signal protocol

So the client is open source and guarantees end-to-end encryption regardless of what the server does. Ok, then I honestly don't care. Why should I?

I use Signal for its safety characteristics, which as stated are apparently ensured by the client regardless of what the server does, not because of the server, and I continue to agree with Moxie that federation is a white whale that doesn't solve any regular person problems.

1. jjav No.26719831
> So the client is open source and guarantees end-to-end encryption regardless of what the server does. Ok, then I honestly don't care. Why should I?

What operations does your client do? How would you know?

If the client is open source and the build is reproducible and you can build it yourself to compare the binary with the official binary on the app store, then... yes, you can trust that the client is guaranteeing your end-to-end encryption.

If there is a snapshot of open source code which doesn't match the official binary, you have no way to know what the client you run is actually doing. That's why you should care.

This has nothing to do with trusting Signal, good people. If your threat model is such that you care about secure messaging, you can't just trust a binary that's handed to you.
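
The comparison described in the comment above, as an added example that is not part of the thread and is not Signal's own tooling. It assumes an Android APK, which is a zip archive whose signature files live under `META-INF/`; the function names are hypothetical and the sample archives are constructed in memory.

```python
import hashlib
import io
import zipfile

# Signature files always differ between a self-built APK and the store copy,
# because only the publisher holds the signing key, so they are skipped.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", ".MF")

def entry_digests(apk):
    """Map each non-signature entry name to the SHA-256 of its contents."""
    digests = {}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES):
                continue
            if name in digests:
                # Duplicate names can hide a second payload from a naive diff.
                raise ValueError("duplicate entry: " + name)
            digests[name] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_apks(local_build, official):
    """Return sorted (entry, reason) pairs; an empty list means the builds match."""
    a, b = entry_digests(local_build), entry_digests(official)
    diffs = [(n, "only in local build") for n in a.keys() - b.keys()]
    diffs += [(n, "only in official binary") for n in b.keys() - a.keys()]
    diffs += [(n, "content differs") for n in a.keys() & b.keys() if a[n] != b[n]]
    return sorted(diffs)

def make_sample_apk(entries):
    """Constructed stand-in for an APK: an in-memory zip with the given entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    built = {"classes.dex": b"dex-bytes", "AndroidManifest.xml": b"<manifest/>"}
    store = dict(built, **{"META-INF/CERT.RSA": b"publisher-signature"})
    print(compare_apks(make_sample_apk(built), make_sample_apk(store)))  # matching builds
    store["classes.dex"] = b"different-dex-bytes"
    print(compare_apks(make_sample_apk(built), make_sample_apk(store)))  # mismatch reported
```

Hashing the two files whole would never match even for a reproducible build, since the publisher's signature is embedded in the official binary; comparing entry by entry is what makes the check meaningful.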