this post was submitted on 18 Jul 2026
111 points (99.1% liked)

Open Source

47942 readers
316 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 7 years ago
MODERATORS
 

Which is your preferred messaging app? I just want some insights about these two.

You may share other messaging apps too.

you are viewing a single comment's thread
view the rest of the comments
[–] Bazoogle@lemmy.world 2 points 22 hours ago* (last edited 22 hours ago) (1 children)

I read it. They also have no source or evidence.

Signals database, which we must assume is compromised due to its centralized and US domiciled nature, has a few important pieces of data;

You can't simply say "we must assume" as evidence. In fact, they implemented "Sealed sender" in 2018 where they are not able to see who the message is being sent to.

They are also legally required to provide all information they have on users for warrants and subpoenas. Any time they do that, they post the (slightly redacted) document they provided to the courts. See the list here: https://signal.org/bigbrother/ This confirms they did not have any metadata on those users. The only info they have is what they openly state (phone number, date of registration, and last time a message was sent).

While there may be other US government requests they are not alllwed to disclose, they were legally required to provide the same information to the courts, and we can see what they provided.

And sure, while the US government funds Signal, you know who else endorses it? Edward fucking Snowden. If anyone knows about secure messaging, it's the man that physically removes the microphone and camera from his phones before using them.

[–] dessalines@lemmy.ml 0 points 14 hours ago* (last edited 14 hours ago) (1 children)

You can't simply say "we must assume" as evidence.

Okay yeah you definitely didn't read it. Large sections in that doc just before that are on phone number identifiers, NSLs, and 5-eyes countries, the US goverment pushing signal in privacy spaces... literally the reasons why signal isn't trustworthy. Unless you can tell me what an NSL is, then I'll assume you didn't read it.

While there may be other US government requests they are not alllwed to disclose, they were legally required to provide the same information to the courts, and we can see what they provided.

Did you ignore the large section on NSLs? These come with a gag order, meaning its illegal for signal to notify their users about them being spied on.

In fact, they implemented "Sealed sender" in 2018 where they are not able to see who the message is being sent to.

This is a "just trust me" from signal, since neither of us have access to their centralized DB, but you also ignored two paragraphs down, where it showed that with message timestamps and recipient information, this would be trivial to find the real sender of a message, regardless of sealed sender. Again, actually open source software can't say "just trust me" like signal can, we actually have to show code to prove it, and let people run that code in a private manner.

And sure, while the US government funds Signal, you know who else endorses it? Edward fucking Snowden. If anyone knows about secure messaging, it's the man that physically removes the microphone and camera from his phones before using them.

Elon musk and jack dorsey also endorse signal. An endorsement means nothing, especially for centralized software based in a 5-eyes country.

[–] Bazoogle@lemmy.world 1 points 10 minutes ago

Large sections in that doc just before that are on phone number identifiers, NSLs, and 5-eyes countries, the US goverment pushing signal in privacy spaces…

Two things:

  1. Get a burner phone with cash
  2. This has nothing to do with the claim Signal collects metadata.

If Signal stored a DB of messages sent and received, they would legally have to provide that for a court warrant. The fact they did not provide that to the courts proves they do not store that data.

Did you ignore the large section on NSLs?

No, those are the government requests I mentioned in the quoted section. I just didn't say "NSL". Their example with Lavabit was fundamentally different since Lavabit was in control of the TLS keys and was able to decrypt the content, but they refused. Signal is complying without giving anything to the government because they have no way of decrypting the messages, even if they wanted to.

actually open source software can’t say “just trust me” like signal can, we actually have to show code to prove it, and let people run that code in a private manner.

Open Source: Open source is the practice of publishing digital resources publicly alongside their source code or source files, enabling use, study, modification, and redistribution.

Here is there Server source code with GNU AGPLv3 license. I'd say that fits the definition of open source.

I recognize there isn't a way to confirm they are running the code they published. Even signal has recognized the server source code trust issue:

Of course, what if that’s not the source code that’s actually running? After all, we could surreptitiously modify the service to log users’ contact discovery requests. Even if we have no motive to do that, someone who hacks the Signal service could potentially modify the code so that it logs user contact discovery requests, or (although unlikely given present law) some government agency could show up and require us to change the service so that it logs contact discovery requests. More fundamentally for us, we simply don’t want people to have to trust us.

https://signal.org/blog/private-contact-discovery/

That's why the set it up to minimize the required trust. The client side code is fundamentally built to make the trust required in Signal to be very minimal. You can build the client app from the source code and confirm everything in it.

An endorsement means nothing, especially for centralized software based in a 5-eyes country.

Edward Snowden is mentioned several times, and quoted, on the 5-Eyes wikipedia as a whistleblower. If the worlds most famous 5-Eyes whistleblower endorses Signal as a way to hide from the 5-Eyes, that's a pretty damn good endorsement. I recognize that means nothing to you, and that's fair. I'm more so pointing out the humor.

I will concede that the US government could force Signal to start collecting metadata and we would have no way of knowing. I do think they would fight it, or move to another country, given they have threatened to withdraw services from other countries already. It's not a great comparison, since the Government was trying to get access to message contents rather than metadata, and Signal would only be stopping service and not change country of operations.

Regardless, Signal is convenient. We all know the balance between security and convenience, and Signal is a good middle ground. It's a single app users can download, and it's quick to setup, and they can use the same phone number/contacts they already have. They don't have to determine a server they want to create their account on, learn what federation is, etc. Signal is a good option, and I would 100% tell people to use Signal over Whatsapp, Telegram, RCS, and especially SMS.

If we wanted to discuss the problems with something like Matrix, it would also be very flawed. You shift the trust to the home server of your choosing not to keep the metadata (It's not realistic to ask a random person to start their own server). It has a much larger attack surface, between the different clients, servers, bridges, bots, extensions, etc. Even if Matrix itself is relatively secure, it only takes a single integration with a vulnerability to compromise their data. For example, they may bridge Matrix to Slack for specific use case, but if that bridge gets compromised then you could be vulnerable.