It is one BGP attack or compromised CDN admin way from compromising the masses.
This is one of the few points I agree with moxie on.
The only safe way to install software on an Android device requires you bootstrap trust via a system supplied package manager that enforces signature verification.
Lineage grabs unsigned binary blobs from a separate account with little accountability ( https://GitHub.com/themuppets ) to limit the blast radius of illegally distributing them and does not ship a package manager at all.
They expect degoogled users to do disable system signature verification to use an alternative app store like F-droid. Lineage is great if you want to turn an old device into a game system or something, but it should not be used on a device you need to be able to trust.
The only Google-free option to have a signed system-verified app supply chain on Android is use a ROM that bundles F-droid as a system trusted app manager like CalyxOS, RattlesnakeOS, or my projects, aosp-build, and #!os.
While F-Droid is far from perfect it is the only alternative path and Moxie refuses to allow apps to be distributed there because he openly admits he wants the usage metrics that come from Google/Apple distribution.
In effect, you either use Apple/Google ecosystems to run verified binaries, or compile yourself every week or two.
That's nice, but why should Moxie decide whether the Google Play Store is a trusted source for me?
If neither of these work for you, you are not wanted on the Signal network.
APKs do not bypass signature verification. Android still requires all apks to be signed, and only installs updates to apks that were signed by the same original key.
As for BGP attacks, the apk is distributed using TLS, so it needs more than that. That being said, CDN hacks are definitely an issue. But so is someone hacking their play store account or Google play itself.
You have to turn on untrusted sources to sideload an APK. It will verify a signature. The problem is the OS has no anchor to know if that signature is by the key of the party you expect, or that of a malicious adversary. Once you pin the wrong key it is like getting a bad HTTPs cert on first connection. All bets are off moving forward.
So he admits he cares about usage metrics more than privacy. which makes trusting signal a bit hard
36C3 - The ecosystem is moving | https://www.youtube.com/watch?v=Nj3YFprqAr8
Is it technically prevented or just frowned upon? The former would be strange, because fixing a bug in your own private fork would also exclude you from the network.
[1]: https://github.com/tw-hx/Signal-Android
[2]: https://forum.f-droid.org/t/we-can-include-signal-in-f-droid...
With that thinking we would all be using AOL.
Making a robust flexible protocol that can support a bunch of different client and service implementations is hard, but that is how we ended up avoiding email and web browsing being controlled by a single entity.
Matrix is solving the hard problem of providing the core functionality of tools like Slack and Whatsapp without sacrificing user freedom or asking you to trust any one entity.
This is what ethical engineering looks like, and I don't mind tolerating occasional growing pains in exchange for freedom.
+ It usually just works
+ Reasonable desktop experience (needs to re-link once a month or so, but otherwise independent and not terrible UX), good mobile experience
- Metadata handled by Amazon
- Phone number is a hard requirement, and changing your phone number means re-connecting to everyone
- Funding comes from Facebook from what I recall, and even with large amounts of their $100M invested, their expenses are 8 times larger than their income.
+ At least it's a foundation and their finances are not a black box!
~ With a build from an untrusted third party, you can make it work on Androids where Google Play Services are intentionally firewalled off.
~ No audit of the clients. The protocol, sure, but most bugs aren't introduced on a protocol level.
These are only things they could solve, i.e. that others do better. That their contact discovery solution (where you upload your phone book) is broken isn't a downside because nobody else has that figured out either.
That's rather broad, which metadata are you thinking about? Especially given the sealed sender feature. Assuming you have access to everything at Amazon, what can you deduce about Signal users?
I can think of:
- IP address (you can tell that this IP address sent some Signal message)
- size of messages
- timestamps of messages (when they were received by an Amazon server)
IP address leaks a lot of information but there are still workarounds, and it seems reasonable if you're in a no-trust model (meaning Signal's servers wouldn't be any better than Amazon's). In any case, that's way less information than other mainstream messengers.
On the other hand, one distinguishing feature regarding metadata is groups: group membership is not known by anyone outside of the group if I understand correctly, contrary to WhatsApp (and others).
Not really. Original funding came from NGO sources such as the Open Tech Fund.
Once users are in an ecosystem it takes years to convince them to change and only after they hit a high discomfort tipping point.
If Signal ran short on funding and got bought by Google or Facebook all the tracking would kick in and most users would stay.
We must stop herding people into walled gardens. It is unethical and always backfires.
