Theoretically, you can check the code actually running on the Signal servers is the code they publish under a free and open source licence, using the hardware-based TEE attestations the servers will return
Someone more knowledgeable than me may have managed to do so, I haven’t.
See every other comment in this thread describing in great detail why you are wrong, but that you fundamentally DO NOT UNDERSTAND how any of this works whatsoever.
This is key and I don’t think Signal shies away from this. You MUST trust the code you’re running. We know there are unofficial Signal builds. You must trust them. Why? Because think of it this way. You’re running a build of Signal, you type a messages. In code that text you type then gets run through Signal’s encryption. If you’re running a non-trustworthy build, they have access to the clear text before encryption, obviously. They can encrypt it twice, once with their key and once with yours, send it to a server, decrypt theirs and send yours on to it’s destination. (for example, there’s more ways than this).
RIotingPacifist@lemmy.world 1 month ago
You’re just replacing trust in Meta with trust in Signal without understanding why Meta is vulnerable to this.
Is Signal more trustworthy, probably, is Signal safe from the attack described, absolutely not.
axx@slrpnk.net 1 month ago
Theoretically, you can check the code actually running on the Signal servers is the code they publish under a free and open source licence, using the hardware-based TEE attestations the servers will return
Someone more knowledgeable than me may have managed to do so, I haven’t.
felbane@lemmy.world 1 month ago
Tell me you don’t understand how Signal’s E2E mechanism works without telling me you don’t understand how Signal’s E2E mechanism works.
RIotingPacifist@lemmy.world 1 month ago
Tell me you don’t understand what E2E encryption is without telling me you don’t understand that the limits of E2E encryption.
just_another_person@lemmy.world 1 month ago
See every other comment in this thread describing in great detail why you are wrong, but that you fundamentally DO NOT UNDERSTAND how any of this works whatsoever.
RIotingPacifist@lemmy.world 1 month ago
You fundamentally DO NOT UNDERSTAND how security works, go play with your algorithms and stop spamming my replies.
in_my_honest_opinion@piefed.social 1 month ago
Um, security is based largely on emcryption algorithms.
anon_8675309@lemmy.world 1 month ago
This is key and I don’t think Signal shies away from this. You MUST trust the code you’re running. We know there are unofficial Signal builds. You must trust them. Why? Because think of it this way. You’re running a build of Signal, you type a messages. In code that text you type then gets run through Signal’s encryption. If you’re running a non-trustworthy build, they have access to the clear text before encryption, obviously. They can encrypt it twice, once with their key and once with yours, send it to a server, decrypt theirs and send yours on to it’s destination. (for example, there’s more ways than this).
pressanykeynow@lemmy.world 1 month ago
The code can be okay but it’s delivery method(aka Google), the OS(aka Google) or the hardware can be compromised.