• Korkki@lemmy.world
    link
    fedilink
    English
    arrow-up
    13
    arrow-down
    17
    ·
    2 months ago

    I would never risk any third party messaging service in military or critical state matters. It’s just common sense, even for a layman. Everything is compromised, Telegram is, Whatsapp is, Signal is, all of them are.

      • TheTechnician27@lemmy.world
        link
        fedilink
        English
        arrow-up
        19
        arrow-down
        2
        ·
        edit-2
        2 months ago

        It’s not, unless they’re some sort of cryptography expert with a peer-reviewed white paper pending publication. The Signal protocol (GPLv3) is extremely robust and has almost no capacity for metadata generation, and both the app and server-side code are under the AGPLv3 (technically if they were compromised they could use different, unaudited server-side code, but refer back to “basically no metadata”). Signal has essentially no capacity to be compromised; they can’t even bait and switch users with a pre-compiled app whose source code isn’t the publicly available one and actually has a backdoor because their builds are reproducible and it would be caught immediately.

        Maybe they take issue with the crypto bullshit, which is valid but doesn’t compromise messaging security. Maybe they don’t like that they took away SMS, which I completely agree with, but also actually makes it marginally more secure. Either way, I seriously doubt if they had any mathematical insight into Signal being “compromised” that they would be here hanging around on Lemmy right now.

        • Kwozyman@lemmy.world
          link
          fedilink
          English
          arrow-up
          7
          ·
          2 months ago

          Be that as it may, it’s still an incredibly short sighted decision to use a centralized service that is under 3rd party control for real security sensitive applications.

          • sugar_in_your_tea@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            8
            arrow-down
            2
            ·
            2 months ago

            Yeah, that does bother me. But it’s also a lot easier to build a centralized service like that than to get people on a decentralized one.

            If you really want something private and are willing to jump through a few hoops, Simplex exists. But most people aren’t willing to jump through a few hoops, and even Signal (a pretty low bar) is a hard enough sell as it is. And that’s why I use Signal, because it’s my best chance to get people onto something better. In other words, don’t let perfect be the enemy of better.

                  • sugar_in_your_tea@sh.itjust.works
                    link
                    fedilink
                    English
                    arrow-up
                    4
                    ·
                    2 months ago

                    Sure, and I use Tuta. Those are outliers, the vast majority use gmail, or at least the vast majority in my circles do.

                    It’s the same thing as the network effect, just a little less ubiquitous, people will tend to use whatever everyone else uses. Getting something new like email (SMTP) is a huge endeavor, it’s a lot easier to just build a centralized service and get people to use that, and most people will use the same provider anyway.

                    I don’t like it, but I understand why it works and is so common.

    • rottingleaf@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      2 months ago

      I would never risk any third party messaging service in military or critical state matters.

      Ah, so mister genius would write his own, have I heard that right? Would he use XOR twice when encrypting a message, just to be double safe?

      • Korkki@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 months ago

        How secure something is an spectrum. Sure self hosted matrix is a lot safer than sending your messages through meta servers for example. It’s about what is the threat levels of what one is doing. Total tinfoiling like writing your own quantum proof multi encryption ciphers and sending that over an tamper proof usb stick with self destruct mechanism by a carrier pridgeon is not necessary or practical for average people who just want privacy, but for critical government applications and especially the military it might be. That is what we are talking about here.

        • rottingleaf@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 months ago

          Sure self hosted matrix is a lot safer than sending your messages through meta servers for example.

          A lot safer in which case? I can imagine a few very real ones where it’s not.

          Self-hosted Signal (requires patching the client, but it’s straightforward) server I would understand.

          but for critical government applications and especially the military it might be. That is what we are talking about here.

          Signal devs have a few papers describing how and by what logic they are addressing these problems.

          Again, self-hosting (because accounts can be blocked by Signal) their solution is a better idea.