Signal now available in fDroid by Guardian Project Repo. Can it be trusted?

Xtreix

GrapheneOS I had completely forgotten about their ties to MobileCoin, I've never used it but I just remember my astonishment when I saw it, not really knowing what to think of it at the time...

DeletedUser64

For an average person, use Signal instead of SMS, if you can get people to convert then everyone is a winner!

For everyone else who is on some entities radar, use something better.
Give nothing away to get an account, not even a burner sim number. (simplex)
A burner sim is a lead to be followed up..a start point to identify you.
Given enough motive, time and expense, that teeny tiny bit of metadata may be the reason you get woken up at 2am.

Stewart

No, but Signal is more than enough, and for all threats, you can use it anonymously by hiding your phone number and activating ephemeral messages.

DeletedUser64

Stewart, you can use it anonymously by hiding your phone number and activating ephemeral messages.

How is signal anonymous when you give your phone number to an organization in order to get a signal account
All you can do after that is with-hold your number from potential signal users you may converse with. Your phone number is out in the wild and you have no control over it any longer.. you have to trust signal will do the right thing.
Ephemeral messages... tosh, try and delet the inappropriate message you sent to a person who then photographed their device on a desktop next to a current front page of a newspaper with your signal message displayed..
Signal/molly/simplex are tools, which one and how you use them is how you keep anonymous/safe/alive/etc

Stewart

DeletedUser64 In any case, when you talk to someone, the most important thing is to talk to people you trust as much as possible. I'm not going to say compromising things to people I don't trust, and whether it's Signal/Molly/SimpleX, it's all the same.

newbie24689

angela I agree with GRapheneOS - it'd be horrible if these discussions became contaminated with politics and political hot-button topics!

But this is AN EXTRAORDINARY WRITE UP! Intentionally and humorously "way over the top" it is arguably not political, but actually makes wonderful fun of American politics - and it communicates a number of important, subtle and not-so-subtle points. I hope that folks (Americans) can enjoy your excellent post regardless of their position on abortion or referenced politicians. Bravo! I plead for a one-time exception here.

argante

akc3n

It was created by TheHatedOne.

As well as this: Signal's Terrible MobileCoin Betrayal.

Signal:

the server is not open-source because they use a proprietary spam scanner(?). But wait: for encrypted messages?
push notifications risk
account recovery/copy risk if someone has the ability to copy my sim, eg: registration lock by default?
signal's infrastructure is on amazon cloud
full knowledge of who contacted whom and when

thure

argante full knowledge of who contacted whom and when

I think seiled sender avoids this and the server only knows to whom the message should be delovered.

thure

argante the server is not open-source because they use a proprietary spam scanner(?). But wait: for encrypted messages?

Do you have any source about this info?

GrapheneOS

argante Signal only uses FCM to wake the app and it's not mandatory. It's used when it's in a profile with Play services. There's a Molly variant without support for it.

argante

thure

I think seiled sender avoids this and the server only knows to whom the message should be delovered.

Let's say you bought a number on crypton with monero. You activated signal on this anonymous phone number. You also have a wifi-only phone. One day you're having a coffee and connect to a public wifi. You paid for the coffee with your card. And that's is enough to determining that this number and signal belong to you. If you did it ones again, then there's complete certainty that it's you. Today, no one looks at one source of data, but many different sources are compared to look for connections.

Even if the signal server doesn't save IP logs, Amazon's service can, and a signal keeps its servers there. Such data is very valuable for three-letter agencies, and Amazon is their contractor.

argante

thure

https://www.reddit.com/r/privacy/comments/qlw1ag/signal_is_adding_a_closedsource_spam_reduction/

https://github.com/signalapp/Signal-Android/issues/11101

Viewpoint0232

argante Let's say you bought a number on crypton with monero. You activated signal on this anonymous phone number. You also have a wifi-only phone. One day you're having a coffee and connect to a public wifi. You paid for the coffee with your card. And that's is enough to determining that this number and signal belong to you.

Surely you'd be clever enough to use a VPN and pay with cash :)

argante

GrapheneOS

There's a Molly variant without support for it.

For Molly there is UnifiedPush via mollysocket .

argante

Viewpoint0232

Surely you'd be clever enough to use a VPN and pay with cash :)

VPN servers are most often in the same data centers (DataPacket, M247) and there is a high probability that the websites you visit are also in the same data center. So if you hear about a fast VPN, it probably means they are in the same data center as everyone else. Next, Cloudflare has the ability to check you and track your browser fingerprint. VPN won't protect you from this. And finally: most VPNs are simply data brokers - they collect information about you and sell it to others. So you transfer the tracking of you from the ISP to the VPN provider.

Artn

RubenTortillaDip The signal app is available by the repo of the guardian project.
After some additional thoughts:
I can see that Signal is on release 7.32.1 in their Github repository, and in the Guardian repository in F-droid it is version 7.31.1 (this is not an issue of Guardian project, it is an issue of most of the apps in F-droid repo as well).
Disregarding the change log (https://github.com/signalapp/Signal-Android/compare/v7.31.1...v7.32.0) it is worth noting that having the latest update is essential for security.
Having said that, an argument can be made for using the alternative repo if they would rebuild from the source code (which must be a reproducible build or it will fail updating). In a ideal world, the maintainer of the project should not be the only person that builds the source code, the additional value that another person is buildings from the source code (specifically for reproducible builds) is that you know by an additional trusted party (i.e. the Guardian project in this case) that the developers will not distribute something that is not built from the source code.
I am aware of the opinion that adding additional parties in the trust chain is counter-security, but in a community of users, this can be an added verification method that the app is truly built from the source.
In this specific case, I would say the benefit of having the most updated version is more important than the benefit of verifying if the release distribution is built from publicly available source code, since you can also do it yourself if want:
https://github.com/signalapp/Signal-Android/tree/main/reproducible-builds

angela

GrapheneOS i understand the reason and that it's too prevent spam, but hackers and scammers can just use a temp #. it seems like a large privacy impact without a large spam impact. ive never seen a spammer on simplex. The numbers block spam argument feels flimsy and pretextual and I dont believe that's why they ask, despite no objective proof to support the feeling.

GrapheneOS

@angela Please avoid unsubstantiated theories.

New platforms that are not well known typically don't experience major issues with spam.

« Previous Page