this post was submitted on 29 Jan 2025
105 points (97.3% liked)


Greetings!

A friend of mine wants to be more secure and private in light of recent events in the USA.

They originally told me they were going to use Telegram, at which point I explained how Telegram is considered compromised, and Signal is far more secure to use.

But they want more detailed explanations than what I provided verbally. Please help me explain things better to them! ✨

I am going to forward this thread to them, so they can see all your responses! And if you can, please cite!

Thank you! ✨

[–] [email protected] 17 points 1 week ago* (last edited 1 week ago) (29 children)

I can't speak about Telegram, but Signal is absolutely not secure to use. It's a US-based service (that must adhere to NSLs), and requires phone numbers (meaning your real identity in the US).

Matrix, XMPP, or SimpleX are all decentralized, and don't require US hosting.

[–] [email protected] 7 points 1 week ago (9 children)

As you say yourself (cryptographic nerd here):

Signal’s E2EE protocol means that, most likely, message content between persons is secure.

So it's a shame there are no free servers. Is the server software not open source, only the Signal app itself?

[–] [email protected] 2 points 1 week ago (8 children)

The server is supposedly open source, but they did anger the open source community a few years back, by going a whole year without posting any code updates. Either way that's not reliable, because Signal isn't self-hostable, so you have no idea what code the server is running. Never rely on someone saying "just trust us."

[–] [email protected] 1 points 4 days ago

It's impossible to verify what code their server is running.

Signal has posted multiple times about their use of SGX Secure Enclaves and how you can use Remote Attestation techniques to verify a subset of the code that’s running on their server, which directly contradicts your claim. (It doesn’t contradict the claim that you cannot verify all the code their server is running, though.) Have you looked into that? What issues did you find with it?

I posted a comment here going into more detail about it, but I haven’t personally confirmed myself that it’s feasible.
