kcabnazil t1_j9xiq9q wrote

Using Signal for SMS is like trying to have your cake and eat it too. Eventually, the curtains had to drop; but, that also means either getting EVERYONE YOU KNOW to use Signal or fragmenting your messaging clusters. It sucks that they dropped support, even if I understand the spirit of the decision.


kcabnazil t1_j9xi3m9 wrote

You make good points here. Multiple, actually. Using any software or hardware means putting your trust in whoever made it. Extrapolating that into something of a strawman argument/fallacy that is still completely true, using any device you didn't personally manufacture and write all the firmware/software for is opening yourself up to insecurity. The real question is, as you allude to, "who do you trust, and how far?"

However, I'd argue the semantics of, "if anything, it means people will overly trust it."

People will overly trust anything that sells them the message they want. That includes using products from big name companies. That also means believing their IT friend Bob who says anything open source is the way to go. Little do they know, Bob also happens to be making a dollar a day on their open source but rarely scrutinized app for dog memes using your phone for cryptomining.

Apple's image of privacy for the iPhone is a mirage built on believable efforts and misleading reports. People still gulp it down eagerly. Signal's image of privacy is built on throwing themselves to the lions by being well known and showing their code; anyone and everyone with the capacity to look will look if it matters to them. It doesn't mean Signal is perfect, but it does mean they're putting everything on the line to prove they're doing the best they and every other contributor can. Both teams have track records, but only one is willing to show you what happened along the way.

That said, I find it very surprising that Signal has not gone the way of Lavabit. How have they evaded U.S. government gag orders while honoring their commitments? I assume no big company has; that's rather perposterous, honestly. Several have canaries for these situations.


kcabnazil t1_j9xf5jy wrote

I hope noone is downvoting this because they think it is inaccurate.

It is, however, missing the point.

Being open source means you can show to have security objectively, not through obscurity. It means others can not only analyze it for weaknesses, but contribute resolution to those weaknesses as well.

Whether or not that open source code is what's really used to build an application... is another matter. I wonder if that can be objectively proved for Signal. It definitely can't be for others ;)