@neurovagrant no, because #Signal is a #proprietary #SingleVendor / #SingleProvider solition that is subject to #CloudAct and thus can't be secure by design.

If you really want #InfoSec, #OpSec, #ComSec & #ITsec, then #SelfHosting everything is key.

But that'll require #TechLiteracy and may not scale well...

IMHO self-hosting a #Zulip Server works good for organizational structures.

@kkarhan @neurovagrant Turn off Contact Discovery and Signal basically eliminates the need to trust the server. It doesn’t matter what the server is running because all metadata except the recipient is encrypted. Your group names, group participants, reactions, typing notifications, profile pictures, message bodies, etc. are all opaque and indistinguishable.

Matrix and XMPP spew all your metadata across all servers participating in a room, encrypting very little besides message bodies. There are some progressing XEPs to encrypt more metadata, but we shouldn’t rely on platforms like Matrix or XMPP in their current form to hide our metadata because they don’t. Participants, probable cause from linked profiles outside the conversation, timestamps, group information, etc. are all as private as your Fedi DMs.

The only thing that comes close to Signal with something like Tor would be Briar, but I don’t know how well offline messaging works on it. I can’t speak for alternatives like SimpleX since I’m not familiar.

@Seirdy @neurovagrant just use #XMPP over #Tor then...
Also it's not done with "Just use Signal" because #ITsec, #InfoSec, #OpSec & #ComSec are all interlinked.

#Signal is for gullible #TechIlliterates that are too lazy to learn despite being #TechLiterate is part of their job.

Assholes like #GlennGreenwald for example...

Signal will inevitably crash down like #EncroChat and #ANØM before...

@Seirdy @neurovagrant use a client that doesn't shit itself out, like #MonoclesChat and #Gajim...

Also unless I can preproducibly built client and server myself I won't trust any app or software at all!

@kkarhan @neurovagrant Ok. Let’s say I use one of those clients. I create a room and my friends, using those clients, join it. Say we all use the same server, and the server gets compromised.

What data is at risk?

• The name of the room
• Members of the room
• Timestamps of encrypted messages
• Senders of encrypted messages
• Group member display names
• Group member profile pictures
• Description of the room
• Who sent DMs to whom
• Most active group members
• A given message’s sender and recipient.

The full Signal Protocol is far more than Signal’s double-ratchet encryption protocol. It prevents any of this from leaking, and assumes the server has already been compromised. All the server sees is the recipient of a message; the sender is sealed on the application protocol layer.

@Seirdy @neurovagrant You purposefully refuse to accept the core problem:

#Signal is a.#centralozed #SingleVendor / #SingleProvoder solution that is subject to #CloudAct and obviously implementing #Govware #Backdoors.

Why else are all the #tinfoilhat|ed conspiracy theorists on #Telegram and not #Signal??
https://www.youtube.com/watch?v=G1thc5DSHwA

@Seirdy @neurovagrant

And since #Signal isn't financed by it's users, it must finance itself somehow...

I.e. #PRISM membership?
https://www.youtube.com/watch?v=WVDQEoe6ZWY

@Seirdy @neurovagrant because when "push comes to shove", admins held at gunpoint will integrate #Govware #Backdoors into the #centralized #SingleVendor / #SingleProvider service...

https://twitter.com/thegrugq/status/1085614812581715968