I don’t know if I’m opening a can of worms here, and I’m still trying to backtrack a lot of history where I was tuning everything out. I keep seeing random swipes at Signal (or the representatives (?)), and I was wondering whether they are founded or just lies.Is it another situation like Lemmy where we just “take the technology and move on”? Thanks!

  • jet@hackertalks.comEnglish
    299·
    20 hours ago

    Signal is great, you should use it.

    Current problems with signal

    1. it’s centralized
    2. your encryption key is stored in the cloud
    3. It’s not federated

    Details

    1. Means it’s vulnerable to government pressure, it’s not wrench proof

    2. means you can’t really trust it for sensitive things, like if you were running the french government communication systems it would be foolish to use signal. Signal uses the power of Intel SGX enclaves to keep your private key safe, so your trusting Intel not to sign something bad, your trusting sgx to not have exploits, etc.

    3. Means it’s a walled garden, and not open to self hosting.

    Signal is the best main stream e2e out there, but it’s not the last one we will ever see, something will replace it

    • lemmylommy@lemmy.world
      9·
      18 hours ago

      There is not „your encryption key“ because there is not only one.

      The cloud backup (protected by the pin) includes the contact list, NOT your messages. Those are encrypted on device with a key that is on device and can not be recovered by anyone from the cloud.

      • jet@hackertalks.comEnglish
        3·
        18 hours ago

        There is not „your encryption key“ because there is not only one.

        It’s close enough, its the master key from which all other keys can be derived.

        https://signal.org/blog/secure-value-recovery/

        If someone loses their phone, the stretched_key, auth_key, and c1 variables can be regenerated at any time on the client as long as the user remembers their chosen passphrase.