Why I Trust Signal: My Go-To for Secure Messaging - YouTube
Imo, I think Signal is a good "normie-oriented secure messenger", but I think Simplex is more worthy of focus.
Agreed. The thing with Signal is that it has a longer history and a lower barrier to entry.
I'd also recommend taking a look at Threema.
I think their product direction is a bit better. Particularly as Signal still shows a message that they don't back sync messages before you paired devices "for your security" ... Threema also doesn't back sync messages in their beta multi device setup, but that seems to be less of a product stance and more of a "we just don't do it yet."
Threema is definitely missing some features like emoji reactions, stories, and a builtin cryptocurrency (which depending on your stances might be pros or cons).
Both apps have definitely gotten better over the years; I think Threema's multi device support has really drained resources on their side so there hasn't been as much outward feature work. I'm hoping it won't be terribly long until that changes.
Why would they need crypto dawg
IMO, they wouldn't
While it isn't necessarily an argument against Threema's security, I think it's important to consider that Threema is owned by a privately held company [1][2] — Signal is owned by a non-profit [3].
If you're seriously concerned about privacy and security I wouldn't look at Threema. They severely mishandled vulnerabilities by insulting the security researchers, then introduced a new protocol they built with the advice given to them for free from the SAME researchers before that, and yet it still doesn't support critical features like full forward secrecy. If all you want primarily is the best security out there Signal is and will be the best for a long time to come by the looks of it.
I think that's a characterization of what happened but not necessarily a good representation of what actually happened.
Yes, some researchers in Zurich found vulnerabilities. Yes, they downplayed them ... because you still couldn't read anything. They were also already working on a new protocol before those researchers wrote their paper and yes, I'm sure they made some tweaks based on their findings.
This is their response; I'd hardly call it "insulting" https://threema.ch/en/blog/posts/news-alleged-weaknesses-statement
You could say the same thing about Signal's response to their "desktop security scandal" earlier this year (of which Threema wasn't vulnerable and Signal repeatedly refused to acknowledge as a problem).
yet it still doesn't support critical features like full forward secrecy
They do support PFS (perfect forward secrecy) though their new multi-device solution doesn't yet support it.
https://threema.ch/en/blog/posts/ibex
This is the same protocol they were already working on when the "researchers they insulted" released their research finding issues with the old protocol.
Threema is also far more active with third-party audits than any other group: https://threema.ch/en/faq/code_audit
They severely mishandled vulnerabilities by insulting the security researchers, then introduced a new protocol they built with the advice given to them for free from the SAME researchers before that, and yet it still doesn't support critical features like full forward secrecy.
IMO this entire sentence is just wrong.
Perfect Forward Secrecy has been around since version 5.0 (as an opt in beta feature) and enabled by default since 5.1.
https://threema.ch/en/blog/posts/security-proof-ibex
Here is the original statement you're referring to:
https://threema.ch/en/blog/posts/news-alleged-weaknesses-statement
I don't see any insults and the vulnerabilities were patched.
I agree that they downplayed it a bit, but back then they were still a for profit company. Now they are non-profit and it is in their interest to handle such cases in a way that is more aligned with their customers instead of their profits.
The only one I trust is Briar.
Not a bad choice. Briar has usability limitations but in terms of democracy it is a powerful tool.
Simplex is the only one I would recommend out of those
It's well known that NSA and also maybe others have already broken encryption algorithms in many applications. idk about Signal tho.
Yeah no, the NSA isn't capable of breaking modern encryption.
I don't trust Signal. Haven't used it since it went down when people and capitol rioters fled WhatsApp and signed up. My understanding is it's a brittle centralized system just like WhatsApp.
AND back when I did use it, the app had dark patterns that included spamming all your contacts when you set up the app.
Matrix still needs work, but it is the future in this space.
Matrix still needs work, but it is the future in this space.
Matrix can send encrypted events [1.1], but, imo, the Matrix protocol is a firehose of metadata [1.3][1.2]. I'd argue that metadata leakage doesn't lend itself well to anonymity; if one seeks anonymity, then I think they should seek to reduce their metadata footprint, as, logically, any information is better than no information when trying to identify someone.
I don’t trust Signal. Haven’t used it since it went down when people and capitol rioters fled WhatsApp and signed up. My understanding is it’s a brittle centralized system just like WhatsApp.
Imo, there are more components to trust than service reliability (iiuc) — eg: trust in the underlying protocol, trust in the governing body etc.
Signal is encrypted but they still feed metadata to Alphabet boys
Make no mistake that it is part of the us security apparatus.
While for most it really doesn't matter, take note where we are heading in light of the recent adjustment to an affluent parasite's life.
Who do you think the spooks will side with during the first corpo war?
We just don't know but they will know who you keep in touch with...
How so?
Signal also uses our metadata encryption technology to protect intimate information about who is communicating with whom—we don’t know who is sending you messages, and we don’t have access to your address book or profile information. We believe that the inability to monetize encrypted data is one of the reasons that strong end-to-end encryption technology has not been widely deployed across the commercial tech industry.
Source: https://signal.org/blog/signal-is-expensive/
I haven't verified that claim investigating the source code, but I'm positive others have.
Trust leads to the dark side
Fine, go verify it
Sadly, I'm not qualified to do that. It's still my messenger of choice.
Can't. Server isn't FOSS; they could be doing anything with metadata.