Signal is great if you want some privacy chatting with friends and family.
More sensitive stuff dealing with state secrets? Probably not the best option.
I'm sure some homebrewed app is more secure lol
The main problem is control ig. On Signal, someone can ask for a code or passwords to log into your account or get your data. If you have your own solution, you can have physical security keys to verify yourself, making it impossible to give anything to anyone via the internet. You can also monitor logins and make logins on new, unauthorized devices impossible.
Encrypting stuff is not really the hard part of keeping oblivious users safe. As far as that goes, they will be fine if they have people who know what they are doing use established, well audited implementations.
How secure it is remains to be seen, but using Signal or Whatsapp or similar apps for official government business is to be avoided, anyway.
Agreed, but maybe for different reasons. Could you use Signal for government communication? Probably, but it would take intentional preparation, setup, and training of the end-users (most of whom are likely not security-minded or tech-savvy).
But practically speaking, governments should reasonably be developing an option that uses their own servers as relays, not ones controlled by a third party. Signal is run by a nonprofit (i.e. not driven by moneyed interests) and has survived court subpoenas for user data (because of how the useful data is stored encrypted at the endpoints, not the relays), but they do not have the same interests in nor are they developing a platform to keep government secrets safe.
Also, it's a central point of failure; even if it remains entirely uncracked throughout its lifetime, if the company goes under, those server relays will go, too.
I feel pretty safe as an end-user nobody, but I would be thinking twice if I was a government official.
Or any business. There’s always a back door if it’s not open source and self hosted.
Signal is open source....
Did you verify the code running on their servers is the same as the one in the repo though?
If you don’t compile and self host, it’s not safe.
mSzyfr was touted by the government as "the first secure instant messenger fully under Polish jurisdiction."
It does, however, rely on multi-factor authentication (MFA) provided by US megacorps. Microsoft is the recommended option...
Why?
users [can] retain access to messages even after logging out of the platform
This sounds great. Nothing bad could happen here. I'm sure the people developing this are competent.
An FAQ document for mSzyfr states that the messenger is built with a privacy-by-design philosophy, and explicitly notes that neither WhatsApp nor Signal fits this description.
Extremely competent, saying Signal is not private by design.
While very disingenuous, it's not technically incorrect.
Signal is secure by design, and is extremely good at that with a very well designed and vetted cryptographic protocol.
But privacy isn't one of their primary goals, nor should it if it comes at the cost of security; for example, for the longest time you needed to share your phone number with everyone you wanted to talk to, and everyone in every group chat you are a part of could see it.
Really?! Based on their website, I'd say privacy is their primary goal, and personally I'd say they've done a great job at it.
‘secure’ state-developed
Press X to doubt
headlines in a few days:
security researchers discover 'radioactive' vulnerability in Polish government messaging app
Not as stupid as the headline makes it sound. Signal is used in phishing attacks, whereas the home grown one is restricted to authorised users, making it more difficult.
Narrator: until someone else gains access
Yeah, I was careful to say "more difficult". This stops casual phishing.
Someone doesn't understand the first rule of How Not To Be Seen
Using an app that nobody else uses provides no entropy in which to get lost
That's a reskinned, siloed Matrix instance with maybe minimal changes.
German Army does the same. No shame there.
Any ideas why it's always Matrix? Not even XMPP.
With not very performant servers and not very rich choice of clients, and still work in progress. And notably more fit for group chats rather than anything private and secure.
It's just Matrix being popular?
XMPP sucks balls and wasn't encrypted from day one. They have migrated from Threema.
Maybe. Or they wanted to use a low-effort open protocol that isn't XMPP. I mean, if they had considered Open Whisper, for example, they would have had to invest in a custom client.
With matrix they slap a new sticker on the software and call it a day.
I mean, yeah. But it's not some national open source project, and that was claimed. Also, I'd like to know how intensely it was audited, because it's something different from the open-source Matrix homeserver/Element X (it's the proprietary part of it).
The Polish army used it too before this one, but it wasn't intended for sensitive info.
France did that too with the Matrix fork « Tchap ».
Changing the App doesn’t fix that morons are using it wrong and in an unsafe manner.
Maybe they should spend the money on mandatory IT security training.
I guarantee they already do that
And still the idiocracy prevails.
kegsbreath has entered the chat
I'd be pretty pissed if governments' views on Signal come exclusively from US officials clearly misusing the software.
