i've just seen a comment in a post, in this very community, saying people trust signal because of missinformation (from what i could undertand).
if this is true, then i have a few questions:
-what menssaging app should i use for secure communications? i need an app that balances simplicity and security.
-how to explain it to my friends who use signal because i recomended?
-what this means for other apps in general?
Given what you've said, Signal is still what you want and is good for it.
There are two main issues people have with Signal:
First is that it requires a phone number to sign up. That makes some people who want it to be truly anonymous unhappy. It's not meant to be anonymous, though. It's meant to be private. Those aren't the same thing.
Second is that it runs on AWS. This isn't a problem in the sense that it's possible for it to still retain privacy while running on AWS. Some people don't like it because they view the dependence on the infrastructure of an American company to be a risk to availability. They also believe that it would exacerbate a security flaw if one were found.
Personally, I know these risks and still find it to be the best balance between privacy, security, and ease of use.
And what about suspicion of intrusions in some accounts of european imlrtznts poeple by the FSB recently ?
I don't know if it's a social ingeneering
But now, i think "good enough" attitude is not the good idéal, we are not in 2000' it's finish....
Another app exists :
Session
simpleX
Anonymous messenger
Briar
Twinme
But it' always better to use a verified and audited app, need to have a safe team
https://fr.euronews.com/2026/03/12/des-pirates-informatiques-lies-a-la-russie-ciblent-les-applications-de-messagerie-de-respo
Let's not pretend the hypervisor doesn't have full access to the VMs memory and execution. The only thing protecting the Signal server is Intel SGX.
I don't think Signal trusts the AWS server either, that's the point of E2EE encryption.
I'm not claiming the contents of the messages are at risk here. You're social graph and metadata though is another story.
The only data they store are account creation time and last connection time.
https://signal.org/bigbrother/district-of-columbia/
The thing if someone has memory access Signal doesn't need to store anything, transiting data is now available. For example all of your contacts when doing contact discovery. It used to be a simple hash, something for which you could build a rainbow table in a few hours, at the worst. It's lightly better now, but still.
Don't take it from me, take it from Moxie:
https://signal.org/blog/private-contact-discovery/
It also doesn't really matter if the software itself can easily be tampered with in memory by the hypervisor. Like I said, they are putting a lot of trust in Intel SGX.
And let's not even get into the digital sovereignty issues, and financing of right wing billionaires. Yes, running on AWS is an issue. It's multiple issues even.
https://signal.org/blog/private-contact-discovery/
... Providing you trust Intel SGX (and AWS for giving them access to actual SGX and not just emulating a compromised instruction set)
😃
conspiracy begins...
What conspiracy? CPU bugs aren't a conspiracy, they are just a fact. Amazon's involvement with American three letter agencies isn't a conspiracy, it's a fact.
Yea but if you worry about CPU bugs there is no such thing as trust, no matter who owns the infrastructure. Any software can have critical bugs and any system that can be accessed remotely can be compromised. Personally I'd trust the people at Signal that they have made a reasonable architecture section to balance availability and privacy
I don't take anything from someone I don't trust that also explicitly doesn't use warrant canaries because he says they don't work in contradiction to every legal authority.
It's also an issue that they run the signal server on one single AWS region.
It isn't hard or even all that expensive to run on multiple regions.
It's not me you need to tell this though.