• ReversalHatchery@beehaw.org
    link
    fedilink
    English
    arrow-up
    9
    ·
    edit-2
    3 months ago

    When you use a client, you are relying on the client’s crypto implementation to be correct.

    Nothing prevents this other client from using the same as the original app. When the alt client is just a fork, it’s even easier to check if they kept it intact or not.

    This is only one part of it and there’s a lot more to it when it comes to hardening the program.

    Something at which even the original Signal fails. It has received criticism multiple times (1, 2) for not being verifiable whether it’s been tampered with by the app’s distributor, and also for having included properietary google services dependencies which dynamically load further code from the phone which is also a security issue. Worthy forks solve both of these.

    Signal focuses on their desktop and mobile clients and they hire actual security professionals and cryptographers (unlike the charlatans in this thread) to implement it correctly.

    Last I heard (a month or so ago) the desktop client had serious unfixed issues.


    I think it further erodes your point that Signal is not just hostile in terms of not wanting it, but Moxie for instance has been very, very verbal about this.

    • ramenu@lemmy.ml
      link
      fedilink
      English
      arrow-up
      1
      ·
      3 months ago

      Something at which even the original Signal fails. It has received criticism multiple times (1, 2) for not being verifiable whether it’s been tampered with by the app’s distributor, and also for having included properietary google services dependencies which dynamically load further code from the phone which is also a security issue. Worthy forks solve both of these.

      That’s unfortunate. I do hope that these forks don’t go and start making extensive changes though, because that’s where it becomes a problem.