The whole point of end-to-end encryption is that you don’t have to trust their server: it cannot read your messages. Then for metadata, the question is about what metadata they are receiving at all (if they don’t receive it, then you don’t care if the server is proprietary) and what they do with it (e.g. for the private contact discovery, the idea is that you can verify that the code receiving your contact list is doing what it should (it’s open source), and you can verify that this code is the one running in the secure enclave.

You don’t need the whole server to be open source: only the important parts.

Let me ask: why does it matter to you?

What’s that closed-source server side? What does it do? Source?

As far as I am concerned, I use Matrix as a replacement for Slack/Discord/IRC, where I absolutely don’t count on e2ee. And Matrix does that really well. For e2ee direct messaging, I use alternatives like Signal or Threema.

First, that’s completely unrelated to the very concept of MITM. Second, it also shows that you have no clue about how such protocols work (in Signal, in SimpleX, or anywhere else). I really don’t understand why people who are really into secure messengers often don’t really care about how they actually work… I mean it is damn interesting!

Not my point. Their webpage says that others (Signal included) are not protected against MITM (in the case of Signal, there is a note saying “if the server is compromised”). Which is plain wrong.

But probably those who made this attack were hackers, right? So “hit by a hacker attack” does not say that hackers are malicious, it’s just a way of saying that it was an attack made with computers (and not with, say, fighter jets).

I don’t think it’s inaccurate or generalizing (hackers are not necessarily cybercriminals, and cybercriminals are not necessarily hackers, but cybercriminal who attack a computer system with a hack are indeed hackers). It’s just a shortcut for “hit by an attack by cybercriminals who happen to be hackers, and used a skillset commonly attributed to hackers to execute their attack”.

If that makes sense :)

Oh, yet another messenger that pretends that it’s the only one that can prevent MITM. Abusive marketing, or plain misunderstanding of what e2ee means? Anyway I wouldn’t trust them just for that.

Signal introduced closed-source server side code last November.

What? I’m not aware of that. Source?

“Secure messenger” and “requires a telephone number” are not compatible concepts.

Following that logic, could we say that “secure messenger” and “requires a computer” are not compatible concepts, because the computer could be compromised? I mean, in the Twilio situation above, users got informed that the conversation key had changed (suggesting that they should verify the keys again if it matters to them). Now if your phone is compromised, you’re screwed, whether or not your secure messenger requires a telephone number.

So instead of writing “Signal hacked by hackers”

Pretty sure it was “Signal attacked by hackers”, but I get your point about “Signal hacked by hackers”, though I don’t think this would be worth an entire blog post :-).

trying to put in my mouth something I did not say.

On the contrary, I am trying to reformulate what I understood, so that you can confirm (or not) that I got your point. Don’t assume that people who disagree with you are in bad faith, and you’ll generally have a better experience communicating.

Anyway, that’s not constructive, let’s stop here.

This seems completely off-topic to me. I never said I have nothing to hide. The Signal client app (i.e. the part that you can audit, compile and run, not the server) provides a lot of privacy already: e2e encryption via the excellent Signal protocol, private profile, private groups, sealed sender. So in terms of metadata, the Signal server never knows what you write, who is in which group, and to whom you are writing. Again, from the client code that you can audit yourself before you run it.

On top of that, leveraging the secure enclaves, the Signal server (tries to) guarantee(s) the private contact discovery (based on the hashes of your contact list). Which means that if you trust the SGX enclave, all that the Signal server knows is your phone number. If you don’t trust the enclave, then you can assume that the server got access to your contacts when you did the discovery (i.e. when you installed the app).

That’s very, very, very far from saying I have nothing to hide.

So you’re saying that a “black hat hacker” cannot exist, because by definition a hacker is not a malicious actor. So everyone who is using the word “blackhat” is disrespectful towards those who identify as “hackers”, as much as using the N-word or F-word is disrespectful towards the respective communities. Am I getting that right?

Yes, I have been following Signal and alternatives since… well since TextSecure was only for SMS. And I find that many times people critical about Signal don’t really know much about it except for the fact that it uses the phone number (not the email).

Again, not saying it’s perfect. Just that for my threat model (which arguably is a valid threat model for billions of people), it’s a very good solution.

Whenever someone says “Signal is not good enough”, my answer is “what’s your threat model”? For me it’s a pretty damn good compromise given that all my friends and family are on it (as opposed to e.g. using WhatsApp or Telegram 99% of the time and a perfect alternative with one contact). The day I can realistically think about making my contacts move to a better alternative, I’ll do it. In the meantime, that’s the best I’ve got. And it’s not too bad, to be fair.

Extremely confusing how? I copied the first sentence in the “title” box, then the first two sentences in the “description” box, and the article again starts with those two…

Also the attack demonstrates that they could not do much, but still they got access to some accounts, which I believe qualifies for “some people where victim of an attack”. Or does it need to end badly for the title to be allowed to say that there was an attack?

EDIT: sorry, I actually had missed the title and copied the first sentence. Fixed!

To be fair, even though they bypassed the 2FA, they did not get access to previous conversations and contact list. That’s the point of the article, right?

First, I did not make the title, I just linked an article.

Second, I get that you wish people did not use the word “hacker” the way they do, but… isn’t it how natural languages work? Words mean what people them for. I wish “crypto” did not mean “cryptocurrencies”, butibn many contexts it does. That’s life.

Talking about clickbaits, what about linking to your blog everywhere you can? It’s completely off topic (the link is about Signal, your blog is about how people misuse a word according to you), but nobody complains, because apparently you thought it was relevant, just like the author thought that calling them “hackers” was fine.