[deleted]
Real question: is Messages truly E2EE like Signal? Or just branded as E2EE like WhatsApp?
[deleted] If you use RCS then your messages are E2EE.
How is this worse than SMS, which is unencrypted?
[deleted] 1) You can't trust encryption if you can't read the algos.
2) Even if you could trust the encryption, it's now going through MORE HANDS. Not only does your service provider know about messages you're sending, g* also does. g* does NOT know if you send an SMS.
That means that g*, even if you assume that the encryption is good, knows that (a) you sent or received a message, (b) at what time, (c) from/to whom, (d) physical location of both parties. That's not data you should be sharing with a hostile adversary!
On a slight aside, I would invite people to watch the documentary The Good American https://www.imdb.com/title/tt4065414/
It speaks of how back in 2001 the NSA could intercept any electronic form of communication, and even if encrypted could pull on its metadata to learn a lot about the sender, receiver and even predict what was being talked about.
I don't care about open source. It's a kind of myth that's often found.
In the real world: 99% of people don't know how to read code, and of the remaining 1%, most will have no expertise in security, and even less in cryptography.
I prefer the opinion of a company specializing in audits, with experienced cryptographic experts, rather than people who often have as much knowledge as I do, i.e. very little.
I'd rather have Google and my carrier know that I'm sending a message, without having the content, than have only my carrier see it, but also be able to read it.
I trust Google's security more than the poor security of my country's carriers.
@csis01 Don't take it personally, but I took a look at your profile, and from your comments, I can see that you're biased against Google, which taints your advice against it.
Giving biased advice and opinions isn't productive or helpful, and I would like you to stop.
[deleted] I'd rather have Google and my carrier know that I'm sending a message, without having the content, than have only my carrier see it, but also be able to read it.
I trust Google's security more than the poor security of my country's carriers.
You're completely right. While Google isn't known for being privacy-friendly in any capacity, it's sure as hell known for its security and security practices. Using RCS is miles better than using SMS.
[deleted] I don't care about open source. It's a kind of myth that's often found.
No, it's not a myth. Open source is real. And just because YOU can't read something doesn't mean that NOBODY can. It is far safer to use something open source that somebody trustworthy has read, than anything closed.
csis01 Please read this thread: https://discuss.grapheneos.org/d/5643-setup-and-advice-for-investigative-jorunalist-threat-model/25
Do I look like someone who supports Google?
I don't care what company it is, what I care about is facts when giving people advice. I'm not letting bias taint my recommendations.
csis01 Deleted. (Got confused between threads).
csis01 You said anyone supporting Google. I do, in a way, support Google by recommending Google Messages or something like GBoard.
[deleted] I pretty much would run Google software since I am aware of its quality. On three conditions: 1.) no network access, 2.) no underlying Google Play Services, 3.) no other apps with network access in the same profile. Hang on, I only use one profile. That means I will never run it... :) But I am okay with that. What other people think is their business.
This is a complete myth, since the whole basis of this reasoning is to systematically answer "You can read the code, it's open source".
An answer given to everyone, that only few people can actually apply. And even if I could, do you really think I'd go out of my way to audit all the applications I use?
If an audit costs thousands, even tens of thousands of dollars, there are several reasons for that.
GrapheneOS has never supported this reasoning, by the way.
Myth is the wrong word. Open Source exists, there are benefits and drawbacks like anything else.
Nobody is expecting FOSS project code to be read by everyone who uses it. It is about community. Knowing that there are at least some people looking at code, is a huge benefit to everyone else.
Trust is never absolute. You don't have to trust a specific code auditor, because there are many. If someone tries to put in a backdoor in an open source project with decent popularity, it will likely be found sooner than later.
The more popular a project gets, the more independent people will look at the code. Whether for contributions, or finding vulnerabilities, it is a tangible benefit that closed source lacks. With closed source, you must trust a single entity. For Google, we all agree their quality is top notch. Privacy and data sharing however, is another matter.
Even with Google, although mostly proprietary and closed, they do have AOSP. The clue is in the name. This "Open Source Project" is what allows developers to make the modifications they need to bring us GrapheneOS.
If you didn't care about Open Source and want to trust Google over open source devs, then you would not be running GrapheneOS.
I'm not saying that open source doesn't exist, I'm saying that its relevance as an argument of authority is invalid.
Likewise, as some GOS developers have already demonstrated, proprietary applications aren't black holes that cannot be audited.
I appreciate the transparency of open source, and that some community projects work very well, but that's mostly down to the developers, not the users.