[404errorist]

Rip to the people who should have just stuck to signal

[Dismas]

Rip to the people who should have just stuck to signal

Who's to say Signal can't suffer a similar fate?

[404errorist]

Rip to the people who should have just stuck to signal

Who's to say Signal can't suffer a similar fate?

It could, but not in its current state unless they break the encryption. They could take over the parent company and it's servers then push a compromised update, certainly. But as it is, it is seemingly secure.

But, obviously, you should always treat everything as if it is compromised.

[ConcernedCitizen]

Rip to the people who should have just stuck to signal

Who's to say Signal can't suffer a similar fate?

It's tough to answer this question... let's first talk about transparency.

To understand the severity of the state of privacy on the internet and the safety of its users, you have to understand that it will never be possible to obtain 100% transparency or security. Even browsers like Firefox, Brave, Librewolf, Waterfox, etc. - all user-friendly and promising privacy and ad-blocking as well as fingerprinting protection - still do not disable telemetry by default before startup on the first run, and in some case that isn't possible. Such is the case of all browsers. This is an example of some of the destination addresses a network analysis reveals about some of the DNS and HTTPS requests Firefox makes even when telemetry and automatic updates are completely disabled:

• detectportal.firefox.com
  
• detectportal.prod.mozaws.net
  
• detectportal.firefox.com-v2.edgesuite.net
  
• a1089.dscd.akamai.net
  
• mozilla.org
  
• location.services.mozilla.com
  
• content-signature-2.cdn.mozilla.net
  
• locprod1-elb-eu-west-1.prod.mozaws.net
  
• d2nxq2uap88usk.cloudfront.net
  
• firefox.settings.services.mozilla.com
  
• push.services.mozilla.com
  
• ec2-52-35-220-92.us-west-2.compute.amazonaws.com
  
• ec2-34-242-33-12.eu-west-1.compute.amazonaws.com
  
• server-13-33-240-52.hel50.r.cloudfront.net
  
• shavar.services.mozilla.com
  

I know it's outside of the topic entirely but you should really be wary of what browser you use. If your threat model specifically requires you to have maximum anonymity and privacy, you should always default to Tor browser instead of packing extensions into your current Firefox profile or altering the user.js as in Arkenfox/user.js.

Now, certainly operatives and citizens looking to remain private and secure shouldn't be required to know all the ways an adversary could target them from the authoritarian regimes in Belarus, Russia, Venezuela, and China; death squads in Bangladesh; military juntas in Myanmar; and those seeking to abuse and oppress in Turkey, UAE, and elsewhere. Because that wouldn't be important. The only important thing is the "how", because they live the "why" every day. Operatives and citizens need something simple and effective and most importantly - it doesn't make them stand out because millions of others use it at any given time.

The case for Signal is just that. It's end-to-end encryption when both parties use it and it offers what journalists and operatives and citizens all strive to achieve: privacy.

"As the world stands today, the future of ... privacy does not look great. The existing landscape is dominated by traditional credit companies, who over the past decade have been steadily pushing their networks for increased access to user data ... but the data story there is similar. This is not a future we are particularly excited about. At Signal, we want to help build a different kind of tech – where software is built for you rather than for your data – so these are trends that we watch warily."

[Dismas]

Rip to the people who should have just stuck to signal

Who's to say Signal can't suffer a similar fate?

It's tough to answer this question... let's first talk about transparency.

To understand the severity of the state of privacy on the internet and the safety of its users, you have to understand that it will never be possible to obtain 100% transparency or security. Even browsers like Firefox, Brave, Librewolf, Waterfox, etc. - all user-friendly and promising privacy and ad-blocking as well as fingerprinting protection - still do not disable telemetry by default before startup on the first run, and in some case that isn't possible. Such is the case of all browsers. This is an example of some of the destination addresses a network analysis reveals about some of the DNS and HTTPS requests Firefox makes even when telemetry and automatic updates are completely disabled:

• detectportal.firefox.com
  
• detectportal.prod.mozaws.net
  
• detectportal.firefox.com-v2.edgesuite.net
  
• a1089.dscd.akamai.net
  
• mozilla.org
  
• location.services.mozilla.com
  
• content-signature-2.cdn.mozilla.net
  
• locprod1-elb-eu-west-1.prod.mozaws.net
  
• d2nxq2uap88usk.cloudfront.net
  
• firefox.settings.services.mozilla.com
  
• push.services.mozilla.com
  
• ec2-52-35-220-92.us-west-2.compute.amazonaws.com
  
• ec2-34-242-33-12.eu-west-1.compute.amazonaws.com
  
• server-13-33-240-52.hel50.r.cloudfront.net
  
• shavar.services.mozilla.com
  

I know it's outside of the topic entirely but you should really be wary of what browser you use. If your threat model specifically requires you to have maximum anonymity and privacy, you should always default to Tor browser instead of packing extensions into your current Firefox profile or altering the user.js as in Arkenfox/user.js.

Now, certainly operatives and citizens looking to remain private and secure shouldn't be required to know all the ways an adversary could target them from the authoritarian regimes in Belarus, Russia, Venezuela, and China; death squads in Bangladesh; military juntas in Myanmar; and those seeking to abuse and oppress in Turkey, UAE, and elsewhere. Because that wouldn't be important. The only important thing is the "how", because they live the "why" every day. Operatives and citizens need something simple and effective and most importantly - it doesn't make them stand out because millions of others use it at any given time.

The case for Signal is just that. It's end-to-end encryption when both parties use it and it offers what journalists and operatives and citizens all strive to achieve: privacy.

"As the world stands today, the future of ... privacy does not look great. The existing landscape is dominated by traditional credit companies, who over the past decade have been steadily pushing their networks for increased access to user data ... but the data story there is similar. This is not a future we are particularly excited about. At Signal, we want to help build a different kind of tech – where software is built for you rather than for your data – so these are trends that we watch warily."

A lot of great information, and I agree with your points. However, my issue lies with the fact that people assume when an entity says their messages are encrypted, that they actually are. It takes one push of an update to change that. After all, Anom was advertised as encrypted but the FBI held a master key to decrypt messages the entire time.

The creator of Anom was originally arrested after running "Phantom Secure" and entered a plea deal. I'm merely suggesting that the same tactic could be applied to many other encrypted communications, whether they rely on updates or otherwise. Three letter organizations only need to have leverage on the operator.

[ConcernedCitizen]

...

A lot of great information, and I agree with your points. However, my issue lies with the fact that people assume when an entity says their messages are encrypted, that they actually are. It takes one push of an update to change that. After all, Anom was advertised as encrypted but the FBI held a master key to decrypt messages the entire time.

The creator of Anom was originally arrested after running "Phantom Secure" and entered a plea deal. I'm merely suggesting that the same tactic could be applied to many other encrypted communications, whether they rely on updates or otherwise. Three letter organizations only need to have leverage on the operator.

The Signal app has been reviewed as well as the Sessions fork in separate audits, I believe. I read about the Anom app and I have to say it's not at all surprising that its users were caught, because they trusted one single app to keep their communications secure. SIGINT wouldn't be required to crack the messages of criminals that just blindly trusted a proprietary app. This is a huge failure in due diligence as well as encryption practices.

[fritz]

Behind the scenes In how they solely operate within the confines of their environment, certainly not.

Obviously! But seeing their ideology it would take a lot (as shown on their Big brother page, as soon as they receive a subpoena they post it)

100% privacy will never be attained- ever.

Obviously!

[Kon6]

The frighteningly eerie part here is any messaging app that is not open source, and that does not utilize verifiable end-to-end encryption with modern primitives for everything, could be a homogeneous honeypot.

[ConcernedCitizen]

The frighteningly eerie part here is any messaging app that is not open source, and that does not utilize verifiable end-to-end encryption with modern primitives for everything, could be a homogeneous honeypot.

Spoiler:

[mothered]

as soon as they receive a subpoena they post it

It's amazing what the power of a court order does to certain entities.