Comment on Lawsuit Alleges That WhatsApp Has No End-to-End Encryption
floofloof@lemmy.ca 12 hours agoYour threat model seems to be an app whose published source code doesn’t match the published app, and whose published version uses a side channel not in the source code to leak messages in plaintext to a server. If that’s what we’re worried about then decentralization of the app’s main messaging channel makes no difference. The sneaky side channel could still be there in any app, centralised or decentralized.
That’s a theoretical worry to be mitigated through integrity checks on published open-source apps. The worry with Meta and WhatsApp is much more immediate: a known bad actor with a closed-source app, many domains they could use to leak keys or unencrypted messages, and a fawning relationship with the fascist and surveillance-hungry US Government. I’d still put significantly more trust in Signal even though it is centralised.
RIotingPacifist@lemmy.world 12 hours ago
You’re right decentralization would help because you could isolate yourself from the corporate server sending the instructions for you to leak the messages.
But ultimately you’re right integrity checks of apps are a better way to address this and fortunately it seems Signal do produce reproducible builds. github.com/signalapp/Signal-Android/…/README.md so is secure from this kind of attack (unless there is a backdoor in the published code)