If they encrypt metadata like they say they do (signal.org/blog/signal-is-expensive/), it should be very hard to use metadata the way you explained.
Whether they do can be looked up here (github.com/signalapp) by those who know what to look for.
As Signal uses reproducible builds (signal.org/blog/reproducible-android/), it can be verified that the builds are made from the public source code.
They make offering a secure and trustable app a lot better (by being verifiable) than other messengers.
Comment on What's the deal with Signal?
muntedcrocodile@lemm.ee 4 weeks ago
Hey signal is better than most of the mainstream bs. I use it myself and I’m confident that the messages themselves are secure. However, it had issues.
Since we cannot verify the software they run on the server is the software that is open source then we must assume it is not.
We know for a majority of cases a phone number = a real identity. Signal implements sealed sender, but since Signal is a centralised point they can correlate the sealed sender extraordinarily easily. We must therefore assume Signal knows when and who is communicating (we can verify they don't know what is being said). This therefore means Signal could theoretically have a full social graph of real identities for every single user.
This is of course after we remember Signal received funding from BBG, which is an organisation funded by the US government purely for the purpose of promoting American propaganda.
Also I believe they used to have federation but all evidence of this seems to have been wiped from the internet.
Signal can either adapt and prove themselves with more than a “trust me bro” or they can die. Just cos they are better than the alternatives does not mean we should not demand better.
zergtoshi@lemmy.world 4 weeks ago
muntedcrocodile@lemm.ee 4 weeks ago
The point is we cannot trust they run the software they claim to run. Identifying a sender despite sealed sender is trivial if you have a centralised server.
Say I am the Signal server and all the clients run the known/provably secure clients that are used. I as the Signal server am subject to wiretap and gag orders, so I can be obligated to run software that is not the published server software and not to tell anyone. As a server I by definition have everyone's IP address. A message with the Signal protocol has a sealed sender and a known identity recipient. As the Signal server I can see when you send a message, and from what IP, and to which identity, and what IP that identity has. I can then simply associate IPs and identities.
I trust the app; I cannot trust the server. A reproducible build does not prove anything about the server, it only proves the client.
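The correlation described in the comment above, written out as a small added example (not code from the thread, and not Signal's server code). It assumes a hypothetical server operator who retains two things any relay sees in the clear: which account authenticated from which IP and when, and the source IP, time and recipient of each sealed-sender delivery. All log entries are constructed sample data; the window and the data class names are assumptions for illustration. It also shows the one case the attack does not resolve cleanly: several accounts behind the same IP (NAT/VPN), which yields a candidate set rather than a single sender.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthConn:
    """A client authenticating to the server (identity is visible here)."""
    ts: int        # seconds
    ip: str
    identity: str  # phone-number-bound account


@dataclass(frozen=True)
class SealedDelivery:
    """A sealed-sender message: sender hidden, recipient and source IP not."""
    ts: int
    src_ip: str
    recipient: str


# Constructed sample data (not real Signal logs). IPs are documentation ranges.
AUTH_LOG = [
    AuthConn(100, "203.0.113.10", "+15550001"),
    AuthConn(105, "203.0.113.20", "+15550002"),
    AuthConn(110, "203.0.113.30", "+15550003"),
    AuthConn(115, "203.0.113.30", "+15550004"),  # shares an IP with +15550003 (NAT)
]

SEALED_LOG = [
    SealedDelivery(130, "203.0.113.10", "+15550002"),
    SealedDelivery(140, "203.0.113.20", "+15550001"),
    SealedDelivery(150, "203.0.113.30", "+15550001"),  # ambiguous: two accounts on that IP
    SealedDelivery(160, "203.0.113.10", "+15550002"),
    SealedDelivery(170, "198.51.100.7", "+15550002"),  # IP never authenticated: unresolved
]


def attribute_sender(delivery, auth_log, window=300):
    """Candidate senders: accounts that authenticated from the delivery's
    source IP within `window` seconds before the sealed delivery.
    Returns a set; more than one element means the IP is shared."""
    return {
        c.identity
        for c in auth_log
        if c.ip == delivery.src_ip and 0 <= delivery.ts - c.ts <= window
    }


def build_social_graph(sealed_log, auth_log, window=300):
    """Edge counts (sender, recipient) for unambiguous attributions, plus the
    deliveries that could not be pinned to exactly one account."""
    graph = Counter()
    unresolved = []
    for d in sealed_log:
        cands = attribute_sender(d, auth_log, window)
        if len(cands) == 1:
            graph[(next(iter(cands)), d.recipient)] += 1
        else:
            unresolved.append((d, cands))
    return dict(graph), unresolved


if __name__ == "__main__":
    graph, unresolved = build_social_graph(SEALED_LOG, AUTH_LOG)
    for (sender, recipient), n in graph.items():
        print(f"{sender} -> {recipient}: {n} message(s)")
    for d, cands in unresolved:
        print(f"t={d.ts} from {d.src_ip} to {d.recipient}: candidates {sorted(cands) or 'none'}")
```

Note that nothing here touches message content or the sealed-sender envelope itself; the attribution comes purely from source IP and timing, which is why a server-side change is enough and why reproducible client builds do not help against it. Shared egress IPs and deliveries from IPs that never authenticated are returned as unresolved rather than guessed.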
zergtoshi@lemmy.world 4 weeks ago
Sure. If you want full control, you need to run your own server.
Matrix crosses my mind.
But using that is a different animal than installing an app from a store.
As far as security when communicating conveniently on a mobile phone goes, Signal does a pretty good job. But you're right that it's important to realize what's possible and what's not possible.
muntedcrocodile@lemm.ee 4 weeks ago
I use signal for communicating with normies who just wanna download an app. Just cos signal is better than most doesn’t mean we shouldn’t demand better. Why can’t we have both? With self hosted federated signal servers and no phone number requirement we can have our cake and eat it.
teolan@lemmy.world 4 weeks ago
Since we cannot verify the software they run on the server is the software that is open source then we must assume it is not.
But that's like, the case for pretty much every messenger out there, outside of self-hosting, which will not be done by 99.99% of the general population.
einkorn@feddit.org 4 weeks ago
They never had.
The talk about federation originated when the EU demanded interoperability from gatekeeper software, i.e. WhatsApp. Signal said on day one they wouldn't do it from their end because it would mean lowering security.
racc@lemm.ee 4 weeks ago
There was LibreSignal once but it got shut down by Signal. It's quite old. This was like 10 years ago.
muntedcrocodile@lemm.ee 4 weeks ago
I mean long before that with one of the 3rd party apps they used to federate their own server with signal iirc.
einkorn@feddit.org 4 weeks ago
Well, that must be waaaaaaay back then. I’ve been using Signal for quite a while now, and I am not sure what you mean then.
muntedcrocodile@lemm.ee 4 weeks ago
Dr GPT found something on it. It was a federation between Silent Phone 2014-2015 (a secure messaging app developed by Silent Circle, a company co-founded by Phil Zimmermann, the creator of PGP) and TextSecure (the precursor to signal).