#openpgp traditions and #signal both bind a cleartext identifier, phone number or email address, to a cryptographic key. It opens up attack vectors as the servers/orgs controlling this binding can interfere.
#deltachat avoids such cleartext identity bindings by creating random #chatmail addresses, as transport only. The cryptographic key becomes the identifier and we want it hidden from the transport layer. Only people being in end-to-end encrypted chat need to identify each other, after all.
@delta@chaos.social You should also add that Signal's development, servers, foundation, and business are all in the United States, and all subject to US Jurisdiction.
#Signal
@Linux @delta Any significance of this is negated because Signal has very little data about users.
https://signal.org/bigbrother/
The cops have to provide a phone number, and in all cases Signal can only say "yes, this number was registered". They don't know the identity of the number owner, who they talk to, what they've said, where they're located etc. unlike WhatsApp, Telegram, Facebook Messenger etc.
@Avitus@ioc.exchange @delta@chaos.social In the United States, you're responsible and potentially liable for content that transmit over your services. That is how the government in the past were able to shut down sites and services that eventually were overrun with illegal content, for example. Additionally, in the United States, you can receive a court order, ordering you not to reveal the government's involvement with your products or services. Also, how previous people who have used such products or services, still faced justice.
Now, none of this should worry you if you're not breaking the law. However, laws change, and unfortunately, so does freedom of speech. We have a government regime who is picking people off the streets and sending them to jails in other countries. That same government regime is threatening our allies, such as Canada and Greenland.
What you're saying and doing, right now, may be perfectly legal, right now. I am more concerned with the possible unknown tomorrows.
@Avitus @Linux sure signal is so far the best central messenger when it comes to handling privacy on potentially hostile infrastructure. However any seized phone can reveal phone numbers of group members. Collecting IP addresses are another attack vector. Cloudflare which serves encrypted blob files may be able to identify IP addresses of all signal group members who download an encrypted file. It's not data that the signal organization itself has access to but certainly an attack vector.
@feld@friedcheese.us @delta@chaos.social @Avitus@ioc.exchange CloudFlare is also not secure in the way people imagine it to be. Many people use CloudFlare, thinking it will mask their server. It does not.
This provider here, will show you the real server of every site behind CloudFlare https://search.censys.io/
@Linux @delta @feld We went from talking about if Signal is safe to now talking about serving subpoenas to organizations other than Signal, and gaining physical access to devices. That in itself is a testament to how safe Signal is. Whether a subpoena is served to CloudFlare, or what a given person's threat model is, is irrelevant to what Signal itself does to protect its users.
@Avitus@ioc.exchange @delta@chaos.social @feld@friedcheese.us That you know of. -- That is the point.
When in doubt, pick a provider outside US Jurisdiction.
@Linux @delta @feld "That you know of" doesn't apply when Signal reports the subpoenas they receive and their responses with the data they provide:
https://signal.org/bigbrother/
This is going in circles. No service is Fort Knox. You have to accept some level of risk whether that be the service itself going bad or some outside force prying sensitive information from the service.
Signal, as shown at the link I've now provided three times and has been totally ignored throughout this conversation, mitigates first and third-party risk by collecting as little data as possible so they don't have it to give.
@Avitus@ioc.exchange @delta@chaos.social @feld@friedcheese.us I can spit out well crafted public relation statements too, along with convincing marketing of my fight against the government as well. But I am still in the United States, and if I was the President of Signal, you should not trust me either.
The risk assessment is this: There can be no United States for me to trust anything at the present moment. Because the United States Government has gone rogue and is not even obeying court orders at the moment. This is the justice system you're putting your faith in right now. -- Good luck.