Ask HN: Is Signal still a good app to use for encrypted messaging?

20 points by rwol 6 years ago · 33 comments · 1 min read


How secure is it?

rmrfstar 6 years ago

Its use of SGX for secure value recovery is highly problematic [1].

@matthew_d_green's Twitter feed has a regular stream of high-quality Signal commentary.

[1] https://arstechnica.com/information-technology/2020/06/new-e...

[2] https://twitter.com/signalapp/status/1262844332278603777

h2odragon 6 years ago

Probably at least as secure and very likely moreso than pretty much any other option. cite as "random redneck off the internet" and due yer own dilligencing, of course.

I must say it's preferable for plain old SMS messaging, if nothing else, for the options it offers and the stable sane behavior.

shervinafshar 6 years ago

Depends on what you need. EFF previously used to have a scorecard[1] for all the messaging applications, but they reconsidered the model of their recommendation and put together a good set of articles on the topic which ask questions to consider and provide privacy and tech context. Here's one: https://www.eff.org/deeplinks/2018/03/thinking-about-what-yo...

The rest are linked from here[2].

[1]: https://www.eff.org/pages/secure-messaging-scorecard

[2]: https://www.eff.org/de/deeplinks/2018/03/secure-messaging-mo...

  • harry8 6 years ago

    [1] Out of date, for archival purposes only.

    • shervinafshar 6 years ago

      Quoting my own message:

      > EFF previously used to have a scorecard[1] for all the messaging applications, but they reconsidered the model of their recommendation

viraptor 6 years ago

It all depends on the context / your threat model. Do you want to prevent a service provider from reading your messages? It's good. Do you want to be the next Snowden? Probably not. Do you trust people you talk to? Etc.

  • whymarrh 6 years ago

    Maybe this is a bit nitpicky, but Snowden himself does offer Signal to people [1] and is listed on the Signal homepage as "using Signal every day" [2].

    [1]: https://twitter.com/Snowden/status/986277159252750336?s=20

    [2]: https://signal.org

upofadown 6 years ago

Pretty much anything will fail if the end device is compromised. It's probably good up to that point. Otherwise you will have to look into some sort of air gapping to a physically secure device dedicated to messaging (e.g. Yubikey).

As always, it depends on the threat model...

rogerkirkness 6 years ago

If you have to ask, you'll just have to trust it.

cpach 6 years ago

Yes. Signal is the gold standard of messaging apps.

aaron695 6 years ago

Rather than conspiracy theories of, depends if you are a spy or not.

Anyone want to explain where Signal fails for top level spying and Nation States are coming after you?

And what the safer alternative is?

  • adamhearn 6 years ago

    The biggest issue with signal is the forced reveal of your phone number. There are several good alternatives. Wickr and session come to mind.

    • rwol (OP) 6 years ago

      Yeah I didn't particularly like that about Signal. If a malignant person were trying to keep tabs on a person (victim) using Signal, they would be able to see that the victim has switched to encrypted messaging (letting the malignant person know the victim is at least partially onto them). Thinking about the use case of a person trying to avoid a hacker/stalker here for example.

    • noman-land 6 years ago

      If your adversary is a nation state, hiding your phone number is not an option. They already know it and might compromise a device. Perhaps another service is better or the use of a burner phone is preferred.

      • joemazerino 6 years ago

        How can a nation-state adversary compromise a device only knowing the phone number?

        • ncmncm 6 years ago

          1. Track locations of phones in contact.

          2. Rubber hose.

          3. Obtain copies of your messages still retained in your contacts' phones.

    • egberts1 6 years ago

      Easily fixed by hosting your own Signal server and recompiling its phone apps, no?

  • ta17711771 6 years ago

    Your app store provider can be FISA compelled to send you (specifically) a special update.

zh 6 years ago

What about https://status.im/ instead - OSS, e2e encrypted by default.

probinso 6 years ago

You have to understand and read their security model in order to assess whether it is an appropriate technology for your context. Every time you use a security-advertised platform, read the threat/security model.

besus 6 years ago

Wickr is another alternative with really tight security throughout its app to stack.

parliament32 6 years ago

Signal is still considered the gold standard for secure messaging on mobile.

wideawake 6 years ago

Depends on threat model. For most people. Yes.

giantg2 6 years ago

Best way to avoid interference or maintain security is to adopt old school tactics. Look at the war games the military played to prepare for Iraq and how the low tech red team comms worked.

  • giantg2 6 years ago

    Why is this downvoted?

  • Spooky23 6 years ago

    Exactly. If you think you need Signal, you probably really need to STFU.

    • giantg2 6 years ago

      Or you can communicate outside of electronic channels.

      My point is if you are concerned that the government is monitoring your communications (presumably related to the protests), then electronic methods are not reliable. Even if the encryption is solid, they could start jamming the frequencies used.

      • Spooky23 6 years ago

        Good point. But this stuff is always cat and mouse. The mafia bigshots figured out that they couldn't talk on the phone in the 60s and 70s once the FBI started aggressively pursuing wiretaps. So they shifted.

        In the 2000s, drug dealers figured out that Nextel direct connect wasn't traceable... so Nextel kiosks sprang up in the hood and you'd see them all over. After that, prepaid burners were the next thing, followed by BlackBerry, etc.

        If you're organizing protests in such a way that are going to attract surveillance, "Use X" is dumb advice. It depends on the situation and what consequences you can sustain. An activist may want to be arrested. A Federal employee may sacrifice their career just for being present. Context matters, but the smart path is to leave your phone at home.

    • mekster 6 years ago

      Do you work for the Chinese government?

      • giantg2 6 years ago

        No. If I was, I would advocate that you use it so that you become dependent on the technology so that the government could strategically shut it down when they want to (rf jamming).
