> *I used to use Signal but switched to Sylo as they don't require a phone number to sign up*
Thank you very much for mentioning it here (and bringing it to my attention!)
> ***The Sylo difference***
> *We are fully committed to your privacy. That is why Sylo is private by design and puts you in control of your own data.*
> *Sylo enables you to communicate directly with your peers using end-to-end encryption. We cannot see or decrypt your communications in the Sylo app. Only the contacts you choose to communicate with are able to decrypt your messages.*
> *Your Sylo data – that is, the encrypted content of communications – is distributed across a network of nodes. Since your data is encrypted, the node operator cannot decrypt it either, so it remains confidential. This system of distributed node storage also means your data is highly resistant to cyberattacks.*
> ***What information do you have to provide to use Sylo?***
> *Sylo has no requirement for you to provide an email address or phone number to create an account.*
The EU is possible going the same route as Australia and other country's that want to ban encryption or have banned encryption. And if you ask me, they are more and more crossing the line. Time to get a backup plan. We must fight against these crossings off the lines.
Πολύ καλή η πρωτοβουλία της Κομισιόν, ας ελπίσουμε να επεκταθεί και στα υπόλοιπα θεσμικά όργανα της ΕΕ, ειδικά στο Ευρωπαϊκό Κοινοβούλιο. Δεν θα θέλαμε οι κακές σελφιζ του Αλέξη του Γεωργούλη να καταλήξουν σε λάθος χέρια.
Την χρησιμοποιείς για SMS κυρίως. Είναι φοβερά καλή φάση γιατί αν και εσύ και ο άλλος που μιλάτε έχετε και οι 2 signal τότε τα μηνύματα μεταξύ σας είναι κρυπτογραφημένα. Επίσης, σε περίπτωση που είσαι συνδεδεμένος σε WiFi/mobile data τότε αντί για SMS στέλνεται instant message (αλά FB messenger φάση, αρκεί και πάλι ο άλλος να έχει signal). Επίσης έχει αυτοκαταστρεφομεναηνυματα και screenshot protection.
Edit: ναι έχει και βιντεοκλήσεις.
Everyone here uses whatsapp because goverment doesnt get access to it and you can talk all about gray business. something you cant do on skype, facebook messenger and other mainstream app private messaging.
This is classic EU way of trying to add backdoors to spy on citizens.
Signal is open source - you can inspect the code and compile the program yourself if you suspect there are any backdoors. And if there were backdoors, somebody would have noticed them and published the results (there are tens of thousands of programmers out there who really care about security).
WhatsApp is owned by Facebook and it's not open source. We have to trust Facebook and their auditors when they say that there are no backdoors in WhatsApp - no one else knows.
it's a bit alarmist, don't you think? Their ToS still adheres to Swiss law. I know Reddit has its Signal circlejerk but it's not necessarily better on all accounts that were mentioned in the article (US jurisdiction, server security).
Signal certainly don't store an unencrypted record of everyone I talk to [server-side](https://www.vice.com/en_us/article/gvzw5x/secure-messaging-app-wire-stores-everyone-youve-ever-contacted-in-plain-text).
You can read more of the PTIO reasoning [here](https://forum.privacytools.io/t/delisting-wire-from-privacytools-io/2087/).
It is, of course, entirely up to you who you choose to trust.
Telegram has its own secret encryption scheme which is a bit sketchy - we only have their word that they are actually using it and that it is working properly. Signal uses an industry standard open source encryption scheme that no one has cracked yet (as far as we know) - you can compile it yourself if you don't trust the program on the Play Store.
Functionality wise TG is probably the best IM app out there, tbh. If I don't need encryption I prefer it over others.
For your average user, nothing.
But Signal is open source, so if you have an high security job you can pay a team to Audit the code and prepare a package that is certified to not have backdoors and that it is solidy encrypted.
Downloading Signal from the PlayStore is still having faith that whoever compiled the code did not mess with it.
>Downloading Signal from the PlayStore is still having faith that whoever compiled the code did not mess with it.
Signal have had reproducible builds for years: https://signal.org/blog/reproducible-android/
The same principal that /u/Sylbinor detailed still applies in that case though. It's *most probably* clean, but you would never be certain unless you compiled your own version and knew the code inside out
In my understanding those are orthogonal: in Signal a message is encrypted on person A's device, sent through the server, and decrypted on person B's device.
But the server keeps the messages in encrypted form. And so person A's desktop client can fetch them and decrypt them.
The message is not encrypted account-to-account but device-to-device. If you share critical decryption piece between different devices it compromises security so you end up with your standard level of safety, not "end-to-end" one.
There are SO many ways the security can compromised it's just insane. That's why there is unwritten law "don't roll your own crypto".
Signal is inferior in UI/UX to most of popular apps, but privacy wise they do better than Telegram where your chats are encrypted end-to-end only when using 'secret chats'
Nonetheless Signal is open source yet their Server being monopolized is kind of suspicious.
Open source end to end encrypted shouldn't be vulnerable to a corrupt(ed) server.
That said, any app update would have to be scrutinised. preferably freeze version until audit has been done for a new version of the app.
Not just server corruption but also the hard dependency this one entity is an issue. It’s a risk to availability and reliability and i don’t know why a public institution would take that over existing alternatives.
Riot/Matrix or XMPP with OMEMO (conversations/chatsecure, there are also native desktop clients) are the only ones I know of that tick all the boxes. That is when considering federation and self-hosted servers an important thing, which I do.
Of course, Email with PGP also works, but it's another use case IMHO.
There are also more exotic ones, e.g. p2p ones (without servers) or Delta, which builds on top of Email, but I have no experience with those.
The update is already compiled through. You don’t know if the version pushed to your iPhone is actually the same version you’re reading the source code of. Sure, you can compare hash but even that can be manipulated.
This is the only way forward. Picking and choosing between various companies that promise they will keep as much as they can from the US government is not enough. Signal maybe doesn't have the message contents due to end to end encryption, but they still have metadata, which they "promise" they will delete and won't give to anyone.
> Signal maybe doesn't have the message contents due to end to end encryption, but they still have metadata
They remove a good chunk of the metadata with their sealed sender functionality: https://signal.org/blog/sealed-sender/
> which they "promise" they will delete and won't give to anyone.
Yep, this has also been proven in a US federal court of law: https://signal.org/bigbrother/
Ok, they don't know the sender, but they know the IP of the sender, and the recipient. So when the recipient sends a message to someone at that IP, secrecy is out the window. Or am I forgetting something.
Proven? How do you prove that? I mean, it's not a mathematical equation. They "promise" that they will disclose any subpoena.
Also, if they disclose the fact someone took my metadata, should that make me feel better?
>Ok, they don't know the sender, but they know the IP of the sender, and the recipient. So when the recipient sends a message to someone at that IP, secrecy is out the window. Or am I forgetting something.
You're forgetting that the above applies to every single application out there that you use.
I get around the IP issue with a VPN myself.
>Proven? How do you prove that?
By "proven" - I meant more that as a US registered non-profit, they can't lie to a grand jury without being thrown in jail if it was later shown that they were in contempt of court.
In the published court documents, the US government demanded all information that Signal had on a user and all Signal had was the user's phone number and the time and date they registered for the service and when they were last online.
The signal server code is also available online if you want to check the metadata it stores: https://github.com/signalapp/signal-server
>You're forgetting that the above applies to every single application out there that you use.
Not if the server is yours. Which is possible with Matrix because it's a federated protocol.
>The signal server code is also available online if you want to check the metadata it stores
Again, they "promise" that's the code they are running.
Look, all of this is more or less ok if you are a private user. But we are talking about state security here. You can't run your country security by believing some US company they will do all they can to secure you. That's just not enough.
If signal has their server code open, then why not take that code and run it ourselves?
>Not if the server is yours. Which is possible with Matrix because it's a federated protocol.
Actually, Matrix leaks even more metadata:
1) they do none of the sealed sender stuff
2) anyone that messages you from their server, knows exactly where your server is because they need to connect to its IP address to send you the message in the first place
3) all of this is logged on all the matrix servers your messages pass through
>Again, they "promise" that's the code they are running.
Part of the point of Signal is that the security of the cryptography does not matter on what the server is running.
And for some functions, like the [private contact discovery](https://signal.org/blog/private-contact-discovery/) stuff, the [open source] client itself performs remote attestation on the [open source] server software to verify that it is what is expected to be running.
>But we are talking about state security here. You can't run your country security by believing
Well, the Signal folks have done a pretty good job of securing everyone's instant messaging for the past few years. And the EU embracing them for their external messaging is better than not using crypto at all.
Here are also some examples of other states using Signal as well: [India](https://theprint.in/india/telegram-signal-whatsapp-what-gandhis-kejriwal-badals-use-to-keep-their-calls-private/329578/), [Australia](https://www.theguardian.com/media/2015/mar/25/the-weekly-beast-malcolm-turnbulls-got-a-new-app-hint-its-not-tinder), the [US](https://thehill.com/policy/cybersecurity/333802-sen-staff-can-use-signal-for-encrypted-chat) itself, the [US military](https://www.militarytimes.com/flashpoints/2020/01/23/deployed-82nd-airborne-unit-told-to-use-these-encrypted-messaging-apps-on-government-cellphones/) and a [British political party](https://www.theguardian.com/politics/2019/dec/17/tories-switch-to-messaging-app-signal-to-curb-whatsapp-leaks).
> some US company they will do all they can to secure you.
They're actually a non-profit organisation and all their stuff is open source on GitHub. You can also read a bit about their history and efforts to go more mainstream in this recent article [here](https://www.wired.com/story/signal-encrypted-messaging-features-mainstream/).
>If signal has their server code open, then why not take that code and run it ourselves?
You can totally do that, it does not support federation out of the box but nothing about the Signal protocol means that it can't be decentralised like that. But you'll find that most people prefer convenience over running software themselves.
Thank you for bringing this up here
> ***The French State creates its own secure instant messenger***