Kevin Karhan :verified:<p><span class="h-card" translate="no"><a href="https://mstdn.io/@ckrypto" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>ckrypto</span></a></span> if@signalapp@mastodon.world wasn't complying with <a href="https://infosec.space/tags/CloudAct" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CloudAct</span></a>, <span class="h-card" translate="no"><a href="https://mastodon.world/@Mer__edith" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>Mer__edith</span></a></span> would be in jail.</p><p>Not to mention even <em>if</em> Signal keeps their <em>"<a href="https://infosec.space/tags/OpenSource" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenSource</span></a>"</em> code updated - which is <a href="https://www.youtube.com/watch?v=tJoO2uWrX1M&amp;t=887s" rel="nofollow noopener noreferrer" target="_blank">doubtful</a>, <em>NOONE</em> can actually <a href="https://infosec.space/tags/verify" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>verify</span></a> that it's the code you actually use - regardless if <a href="https://infosec.space/tags/backend" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>backend</span></a> / <a href="https://infosec.space/tags/Server" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Server</span></a> or <a href="https://infosec.space/tags/client" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>client</span></a> / <a href="https://infosec.space/tags/App" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>App</span></a>! </p><ul><li><a href="https://infosec.space/tags/Signal" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Signal</span></a> is as secure as <a href="https://infosec.space/tags/AN%C3%98M" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ANØM</span></a>, otherwise it would've been shutdown ages ago.</li></ul><p>Also if Signal was designed for <a href="https://infosec.space/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a>, it would've been <a href="https://infosec.space/tags/decentralized" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>decentralized</span></a> as <a href="https://infosec.space/tags/XMPP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>XMPP</span></a>+<a href="https://infosec.space/tags/OMEMO" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OMEMO</span></a> and not demand <a href="https://infosec.space/tags/PII" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PII</span></a> like <a href="https://infosec.space/tags/PhoneNumbers" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PhoneNumbers</span></a> which oftentimes cannot be obtained anonymously in many juristictions <em>at all</em>!</p><ul><li>Only <a href="https://infosec.space/tags/MultiVendor" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MultiVendor</span></a> &amp; <a href="https://infosec.space/tags/MultiProvider" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MultiProvider</span></a> standards can be secure, regardless if OMEMO or <a href="https://infosec.space/tags/PGP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PGP</span></a>/MIME. </li></ul><p>By comparison, <span class="h-card" translate="no"><a href="https://chaos.social/@delta" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>delta</span></a></span> doesn't require any PII, only an <a href="https://infosec.space/tags/eMail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>eMail</span></a> account, and <span class="h-card" translate="no"><a href="https://monocles.social/@monocles" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>monocles</span></a></span> isn't a <a href="https://infosec.space/tags/VCmoneyBurningParty" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>VCmoneyBurningParty</span></a> but sustainable due to <a href="https://infosec.space/tags/subscription" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>subscription</span></a> and they don't even require any personal details for <a href="https://infosec.space/tags/payment" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>payment</span></a>: <a href="https://infosec.space/tags/CashByMail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CashByMail</span></a> and <a href="https://infosec.space/tags/Monero" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Monero</span></a> are accepted.</p><ul><li>Not to mention neither <a href="https://infosec.space/tags/DeltaChat" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DeltaChat</span></a> nor <a href="https://infosec.space/tags/monoclesChat" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>monoclesChat</span></a> are <a href="https://www.youtube.com/watch?v=tJoO2uWrX1M&amp;t=424s" rel="nofollow noopener noreferrer" target="_blank">pandering</a> <a href="https://infosec.space/tags/Shitcoin" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Shitcoin</span></a> <a href="https://infosec.space/tags/Scams" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Scams</span></a> like <a href="https://infosec.space/tags/MobileCoin" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MobileCoin</span></a> that <a href="https://www.youtube.com/watch?v=0DSGq9FQKU4" rel="nofollow noopener noreferrer" target="_blank">don't work</a> even for <a href="https://infosec.space/tags/TechLiterate" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>TechLiterate</span></a> <a href="https://infosec.space/tags/CryptoBros" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CryptoBros</span></a>! </li></ul> <p>Again: It's Signal alone who have to evidence they are trustworthy, and all I get are <em>"<a href="https://infosec.space/tags/TrustMeBro" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>TrustMeBro</span></a>!"</em> replies, which means they are not to be trusted.</p><ul><li>Not to mention, it's just not sustainable to run a <a href="https://infosec.space/tags/service" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>service</span></a> without <a href="https://infosec.space/tags/revenue" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>revenue</span></a>, even if it's run entirely by unpaid volunteers and gets all it's <a href="https://infosec.space/tags/hosting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hosting</span></a> and <a href="https://infosec.space/tags/costs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>costs</span></a> donated, someone has to pay for expenses due to <a href="https://infosec.space/tags/abuse" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>abuse</span></a> of a service (which is an inevitability come mass adoption)...</li></ul><p>Whereas with <a href="https://infosec.space/tags/XMPP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>XMPP</span></a> I can completely setup my own server and client, even build my own if I don't trust anyone else and pay someone to audit the code.</p><ul><li>Signal as a <a href="https://infosec.space/tags/centralized" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>centralized</span></a>, <a href="https://infosec.space/tags/SingleVendor" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SingleVendor</span></a> &amp; <a href="https://infosec.space/tags/SingleProvider" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SingleProvider</span></a> service is inevitable vulnerable to <a href="https://infosec.space/tags/RubberhoseCryptoanalysis" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RubberhoseCryptoanalysis</span></a>, and <a href="https://infosec.space/tags/Meredith" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Meredith</span></a> <em>will break</em> if not doing so means <a href="https://web.archive.org/web/20210226175949/https://twitter.com/thegrugq/status/1085614812581715968" rel="nofollow noopener noreferrer" target="_blank">jail for life until she does</a>!</li></ul><p>Whereas with XMPP &amp; PGP/MIME <a href="https://infosec.space/tags/eMail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>eMail</span></a> I can layer <span class="h-card" translate="no"><a href="https://mastodon.social/@torproject" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>torproject</span></a></span> / <a href="https://infosec.space/tags/Tor" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Tor</span></a> over it, make it an <a href="https://infosec.space/tags/OnionService" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OnionService</span></a> and keep that thing under my bed with a <a href="https://www.youtube.com/watch?v=F59iKSrx63c&amp;list=PL2YepVFF1azEYo0c0HdYwykbp_AXchaIp" rel="nofollow noopener noreferrer" target="_blank">literal killswitch</a>...</p>