Tuesday, January 19, 2021 [Tweets] [Favorites]

Signal Review

Josh Centers:

Signal had a bumpy start, but it’s now a well-polished and full-featured messaging app available for the most common platforms: iOS, Mac, Android, Windows, and Linux.

[…]

Every part of Signal is open source. The clients are published under the GPLv3 license, and Signal’s server code is published under the AGPLv3 license. All of Signal’s source code is available for public inspection on GitHub. I should point out that while I’m a big fan of open source and believe it makes for better security, it’s not a panacea. Unless you compile the final binary yourself, you can’t know for sure what’s in the code. That’s not to say that Signal is doing anything nefarious, just that it’s not impossible.

[…]

One of Signal’s most prominent critics is Chinese maker and YouTuber Naomi Wu, who claims that Chinese activists using Signal were arrested by the Chinese government. She has repeatedly pointed to two security vulnerabilities in Signal: the potential of compromised phone IMEIs and possible leaks from the phone’s keyboard software. To be clear, these concerns apply only to activists or people who are government-level targets.

Previously:

4 Comments

Maybe polished, but I still have issues of it refusing to self update, requiring me to manually download and copy into place. The most prevalent recommendation was to put it in the user application folder instead of the root application folder, but that didn't work.

I then realized that I'm still needing to run 10.12 at work and that could be the reason, but I have the same problem on 10.14 at home.

Maybe polished, but I still have issues of it refusing to self update, requiring me to manually download and copy into place. The most prevalent recommendation was to put it in the user application folder instead of the root application folder, but that didn't work.

I then realized that I'm still needing to run 10.12 at work and that could be the reason, but I have the same problem on 10.14 at home.

The issue has nothing to do with device IMEI. This has everythings to do with “Input Method Engines” that are used with Chinese, Japanese and Korean input.

The Naomi Wu issue is primarily that Mainland Chinese users use leaky, janky 3rd party *IMEs* (Input Method Engines) and that they should stay with the default one that came with the OS. (But they don’t want to because “Chinese IME autocomplete sucks”).

They’re trying to get Signal to fix an issue beyond their control, they should just stay wtih default keyboards/IMEs. The real issue is that “Journalists” should be properly briefing their sources and those sources should have their devices locked down properly.

Either that or Signal will make a 3rd party keyboard that if given “full access” on iOS will likely leak info (back) to Signal. ¯\_(ツ)_/¯

The issue has nothing to do with device IMEI. This has everythings to do with “Input Method Engines” that are used with Chinese, Japanese and Korean input.

Yeah, it seems Josh saw “IMEs”, thought “she must’ve meant IMEIs, surely?” and then extrapolated “it’s about both keyboard layouts and SIMs”. Which, apparently, no, it’s really just about keyboard layouts.

They’re trying to get Signal to fix an issue beyond their control, they should just stay wtih default keyboards/IMEs.

I think Naomi is simply saying that, given how widespread those IMEs supposedly are, Signal should offer better guidance. If the UI can detect your current keyboard layout (can it?), perhaps it should warn about compromised ones.

(I have absolutely no idea how good the built-in layouts are vs. how much better third-party ones are.)

Stay up-to-date by subscribing to the Comments RSS Feed for this post.

Leave a Comment