Greetings!
A friend of mine wants to be more secure and private in light of recent events in the USA.
They originally told me they were going to use telegram, in which I explained how Telegram is considered compromised, and Signal is far more secure to use.
But they want more detailed explanations then what I provided verbally. Please help me explain things better to them! ✨
I am going to forward this thread to them, so they can see all your responses! And if you can, please cite!
Thank you! ✨
The server is supposedly open source, but they did anger the open source community a few years back, by going a whole year without posting any code updates. Either way that’s not reliable, because signal isn’t self-hostable, so you have no idea what code the server is running. Never rely on someone saying “just trust us.”
Signal has posted multiple times about their use of SGX Secure Enclaves and how you can use Remote Attestation techniques to verify a subset of the code that’s running on their server, which directly contradicts your claim. (It doesn’t contradict the claim that you cannot verify all the code their server is running, though.) Have you looked into that? What issues did you find with it?
I posted a comment here going into more detail about it, but I haven’t personally confirmed myself that it’s feasible.