@neurovagrant no, because #Signal is a #proprietary #SingleVendor / #SingleProvider solition that is subject to #CloudAct and thus can't be secure by design.

If you really want #InfoSec, #OpSec, #ComSec & #ITsec, then #SelfHosting everything is key.

But that'll require #TechLiteracy and may not scale well...

IMHO self-hosting a #Zulip Server works good for organizational structures.

@kkarhan @neurovagrant Turn off Contact Discovery and Signal basically eliminates the need to trust the server. It doesn’t matter what the server is running because all metadata except the recipient is encrypted. Your group names, group participants, reactions, typing notifications, profile pictures, message bodies, etc. are all opaque and indistinguishable.

Matrix and XMPP spew all your metadata across all servers participating in a room, encrypting very little besides message bodies. There are some progressing XEPs to encrypt more metadata, but we shouldn’t rely on platforms like Matrix or XMPP in their current form to hide our metadata because they don’t. Participants, probable cause from linked profiles outside the conversation, timestamps, group information, etc. are all as private as your Fedi DMs.

The only thing that comes close to Signal with something like Tor would be Briar, but I don’t know how well offline messaging works on it. I can’t speak for alternatives like SimpleX since I’m not familiar.

@Seirdy @neurovagrant just use #XMPP over #Tor then...
Also it's not done with "Just use Signal" because #ITsec, #InfoSec, #OpSec & #ComSec are all interlinked.

#Signal is for gullible #TechIlliterates that are too lazy to learn despite being #TechLiterate is part of their job.

Assholes like #GlennGreenwald for example...

Signal will inevitably crash down like #EncroChat and #ANØM before...

@Seirdy @neurovagrant use a client that doesn't shit itself out, like #MonoclesChat and #Gajim...

Also unless I can preproducibly built client and server myself I won't trust any app or software at all!

@kkarhan @neurovagrant Ok. Let’s say I use one of those clients. I create a room and my friends, using those clients, join it. Say we all use the same server, and the server gets compromised.

What data is at risk?

• The name of the room
• Members of the room
• Timestamps of encrypted messages
• Senders of encrypted messages
• Group member display names
• Group member profile pictures
• Description of the room
• Who sent DMs to whom
• Most active group members
• A given message’s sender and recipient.

The full Signal Protocol is far more than Signal’s double-ratchet encryption protocol. It prevents any of this from leaking, and assumes the server has already been compromised. All the server sees is the recipient of a message; the sender is sealed on the application protocol layer.

@Seirdy @neurovagrant You purposefully refuse to accept the core problem:

#Signal is a.#centralozed #SingleVendor / #SingleProvoder solution that is subject to #CloudAct and obviously implementing #Govware #Backdoors.

Why else are all the #tinfoilhat|ed conspiracy theorists on #Telegram and not #Signal??
https://www.youtube.com/watch?v=G1thc5DSHwA

@kkarhan @neurovagrant All right, say you’re right about Signal being a honeypot. Say you you’re one of the bad actors leveraging its backdoors, and you have access to the Signal servers. I send messages from a Signal client with a reproducible build signature. How would you find out any of the data I described?

For a compromised XMPP or Matrix server, you’d have your answers with a few database queries. How would you go about this with Signal?

@Seirdy @neurovagrant @kkarhan

Reading your conversation. Kevin, be a bit more respectful, you could learn stuff 😉
Signal cryptography is the state of the art. Everyone is reusing their work, WhatsApp, Matrix... Does that protect you from the NSA? Probably not, but nothing does. Is it a bad thing that Signal is centralized? Yes, mostly because you can block their servers to shutdown the service, and also because you depend of them, if they become "evil". (I am a bit afraid by their crypto)
1

@Seirdy @neurovagrant @kkarhan

Is decentralization a better solution? For privacy from corporation and independence, yes. If you want to protect yourself from the NSA, obviously not. If they want to, they will break your server in no time. Nothing would protect you from them.

@fla @Seirdy @neurovagrant Then you obviously seem to not know basic concepts such as #airgapping and #AsymetricCryptography.

You see, the #NSA can only hack what's connected to thei internet, and cops can only seize what they'll find on a person / inside a home/car/garage/warehouse...

https://github.com/KBtechnologies/PocketCrypto

@fla @Seirdy @neurovagrant But if you really have to face state-sponsored attackers of the #NSA kind you've already failed so hard in terms of #InfoSec, #OpSec & #ComSec that it's easier to fake the death of one than to even begin leveling up #ITsec.

So your points are entirely moot.

https://mastodon.social/@fla/110776269617206885

@neurovagrant

THE CORE PROBLEM YOU BOTH ( @fla & @Seirdy ) ARE IGNORING IS #CENTRALIZATION!

Because it's a #SingleVendor / #SingleProvider solution they'll be naturally subject to state intervention aka. being forced to integrate #Govware #Backdoors under the threat of getting their shit forcibly unplugged.

The people that work at @signalapp have names and adresses the state knows, and thus they'll be subject to threats by the state.

@neurovagrant @fla @Seirdy it is not only a legal requirement for providers like @signalapp to integrate #Govware #Backdoors AND comply with #Cyberfacism aka. "Export Controls" on #Cryptography whereas with fully - #opensource|d and #decentralized systems [i.e. @torproject ] the state can't force the maintainers to backdoor it.

I mean just look at #Tor, #Monero and all the other tools llike @kalilinux that get used by people regardless of the legality of their actions.

@neurovagrant @fla @Seirdy Relying on a #centralized #SingleVendor / #singleProvider solution like @signalapp / #Signal is even more dangerously naive as equally centralized solutions like #EncroChat or #ANØM:

Or do you naively believe governments that strictly enforce #LawfulInterception will just not care because it's #Signal?
Hell no!

There's a reason #XMPP - #OMEMO and other protocols where users own the keys are still around: Because they work and ain't Single-Vendor/Single-Provider!