• UnderpantsWeevil@lemmy.world
    16 days ago

    And I’m sure in the intervening ten years they haven’t done anything about that

    https://blog.dijit.sh/i-don-t-trust-signal/

    Signal is not open source

    Why would I say something so provably untrue? “Of course signal is open source, it’s on f-droid! (it’s not, actually[1]); there are even sources on github!” … I can already hear it coming.

    How is it then, dear reader, that they developed MobileCoin integrations for over a year without anyone knowing?

    That would be because they stopped updating sources. We can be reasonably sure that private & unpublished code was in production; otherwise they left some security vulnerabilities unpatched for a long time[2]. This throws into question the entire nature of what they consider “open source” to mean; they are clearly comfortable deploying non-public software.

    It’s also a vanishingly small number of people who will use the from-FOSS versions of the client; nearly everyone will be downloading it from Google Play or Apple’s App Store. And they have a long way to go when it comes to verified builds, which seems to work when you google it and there’s a page; but in reality, if you read the page, you’d realise it is not possible.

    Which gives a false appearance in my opinion, and that is a large part of my issue honestly: there is a surface level of “everything is by the book”, but underlying it all is: nothing, really. Signal doesn’t give you any option to verify their claims.

    If I were in a situation to be signal, if there was a competing implementation that I could point my clients to (similar to how headscale is an implementation of tailscale’s control server); I’d certainly be a lot more comfortable, since then I could be in a situation where I can see all traffic to my server and jail/inspect all traffic coming from the binary distributed Signal client; thus it would allow for independent verification of the binary distributions delivered via Play or the iOS App Store.

    As it stands the whole thing is built on trust and people believe that someone else will do the hard part of reverse engineering every version.

    Which I don’t have to tell you is significantly more effort, requires much more advanced skills and might not even yield results even if there were concerning items yet to be discovered.

    “Moxie says you can run your own server though!”[3]; I’d like to see where I can change the endpoint in the signal app that’s distributed via Play or App Store; my claim is purely that I can’t verify those and that few enough people run the custom compiled versions to be meaningful. If I were to be smart and want to hide a back door I’d only need one side of every conversation. – please note though, I’m not saying they do this, I’m just saying that they could do this and the only thing that says they don’t is “trust me”.

    • Laurel Raven@lemmy.zip
      16 days ago

      That sounds pretty bad, but 1) the article is 3 and a half years old (not that big of a deal really, but an update on the current status would be useful at this point), and 2) I see plenty of commits to all five of their public-facing repos.

      I’m not saying they’re wrong…I’m not going to presume to understand it better than them… But I’m not seeing how that translates to them hiding things from public view, or if they were that they’re still doing so. If you’re aware of something I’m missing there, I’m very much interested in hearing about it.

      But yes, trust should not be implicit, it should be verified.