Many of the security design flaws in signal have had little to no direct impact on usability.
For example, for years we asked for a simple mechanism which could be used to view a user's key and mark it as identified, to prevent MITM -- even one buried in a menu for advanced users (who could at least act as canaries against widespread interception). Not only was the request turned down but usually responded to with vigorous personal attacks against the requesters.
Subsequently, once a fingerprint validation method was added it was gratuitously bound to be pair-wise, making it largely unusable -- e.g. post a PGP-signed signal fingerprint that any of your contacts could use to transfer trust from an existing key. Requests for a non-pairwise version, even as just some advanced thing that grandma never sees ... again, hostility.
The constant logic-bombed auto-expiring software that makes signal effectively open-source-in-name-only. etc.
I think signal is fine as an insecure messenger: Unencrypted communications protocols should have no place on the internet today. But to advance it as a security tool almost certainly puts people's lives and freedom at risk.
Common usage of signal has zero security against MITM: users aren't effectively notified that their contacts' keys have changed -- and given how often users lose/wipe phones perhaps that's really the best that can be done for normy-friendly software.
If that's how it is, that's how it is. Some resistance against passive monitoring is still a critical upgrade. But don't call it secure: if you do people will do and say things using it that they wouldn't otherwise.
> Many of the security design flaws in signal have had little to no direct impact on usability.
By far the biggest complaint I read about Signal is "It uses phone numbers, and I don't like that". While I agree that I'd prefer to be able to make up my own unique/random identifier, there's absolutely no doubt in my mind that the downside of phone numbers was far far outweighed by the benefits of usability. Most of my friends use Signal, I seriously doubt I'd have been able to help make that come true if the contact discovery features - along with their side channel privacy leaks - didn't work as well as they do. In retrospect, if I were trying to kickstart a global-scale network of secure messenger users - I'd make exactly the same choice today as Moxie did back then.
> users aren't effectively notified that the contacts keys have changed
That's just not true. It's become a running joke amongst my friends that Signal Safety Numbers changing is how we know when people broke or upgraded their phones.
I assume it's a defensible question of priorities.
In spite of the many issues to complain about signal it's still a lot better than what $random_person would likely use otherwise.
Do we do the most good for the world by under-representing signal's weaknesses and overstating its security in order to maximize the people using it over choices that are worse and cheerlead its development, or do we do the most good by trying to be frank and being critical of its limitations (at least some of which are pretty nitpicky), potentially at the expense of the discussion causing people to continue using clearly worse alternatives?
Personally I answer this conflict like this: Outside of a techy venue I don't go into any details about signal's limitations-- I tell people they should use it, but don't assume it keeps them private from governments, google, or other powerful parties.
And even there, if I send a message to you and on receipt the software finds that your key has changed, my client sends it again to the new key. Which means that even if I was savvy enough to catch the message, it's too late and potentially a critical secret has already been disclosed to a MITM by the time I see it.
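The two design points argued over in this thread, pairwise versus per-identity fingerprints and what a client does when a contact's key changes, can be made concrete with a small model. This is an added example written for this thread, not Signal's code: the hash constructions, the `Decision` names, the `TrustStore` policy flag and the sample keys are all constructed for illustration. It contrasts a client that silently re-pins and re-sends on a key change with one that holds the message until the new key's fingerprint has been confirmed out of band.

```python
"""Model of identity-key trust in an end-to-end-encrypted messenger.

Constructed illustration, not Signal's implementation: the hash
constructions, policy flag and sample keys below are assumptions.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


def fingerprint(identity_key: bytes) -> str:
    """Per-identity fingerprint: depends on one party's public key only,
    so it can be published once (e.g. signed and posted) and checked by
    every contact."""
    return hashlib.sha256(identity_key).hexdigest()[:40]


def pairwise_safety_number(key_a: bytes, key_b: bytes) -> str:
    """Pairwise safety number: depends on both parties' public keys.
    Symmetric, but only meaningful to that one pair, so it cannot be
    published once for all contacts."""
    first, second = sorted((key_a, key_b))
    return hashlib.sha256(first + second).hexdigest()[:40]


class Decision(Enum):
    PINNED_FIRST_USE = "pinned on first use (trust on first use)"
    SEND = "send"
    RESENT_TO_NEW_KEY = "key changed: re-encrypted to new key automatically"
    BLOCKED_KEY_CHANGED = "key changed: held until user re-verifies"


@dataclass
class TrustStore:
    # True: a changed key is silently accepted and the message re-sent
    # (the behaviour complained about above). False: sending is held.
    auto_resend_on_change: bool
    pinned: dict = field(default_factory=dict)  # contact -> pinned key

    def check_send(self, contact: str, server_key: bytes) -> Decision:
        """Decide what to do with an outgoing message given the identity
        key the server currently presents for the contact."""
        pinned = self.pinned.get(contact)
        if pinned is None:
            self.pinned[contact] = server_key
            return Decision.PINNED_FIRST_USE
        if pinned == server_key:
            return Decision.SEND
        if self.auto_resend_on_change:
            self.pinned[contact] = server_key
            return Decision.RESENT_TO_NEW_KEY
        return Decision.BLOCKED_KEY_CHANGED

    def user_verified_new_key(self, contact: str, new_key: bytes,
                              expected_fp: str) -> bool:
        """Accept a changed key only if its fingerprint matches one the
        user obtained through another channel (the non-pairwise check)."""
        if fingerprint(new_key) != expected_fp:
            return False
        self.pinned[contact] = new_key
        return True


# Constructed sample keys (placeholders, not real key material).
ALICE_KEY = b"constructed-identity-key-alice"
BOB_KEY = b"constructed-identity-key-bob"
BOB_NEW_KEY = b"constructed-identity-key-bob-after-reinstall"
OTHER_KEY = b"constructed-identity-key-unexpected"


def scenario(auto_resend: bool) -> list:
    """First contact, a normal send, then the server presents a different
    key for the same contact. Returns the three decisions."""
    store = TrustStore(auto_resend_on_change=auto_resend)
    return [
        store.check_send("bob", BOB_KEY),
        store.check_send("bob", BOB_KEY),
        store.check_send("bob", OTHER_KEY),
    ]


if __name__ == "__main__":
    for policy in (True, False):
        print("auto_resend_on_change =", policy)
        for d in scenario(policy):
            print("  ", d.value)
    print("alice fingerprint:", fingerprint(ALICE_KEY))
    print("alice/bob safety number:", pairwise_safety_number(ALICE_KEY, BOB_KEY))
```

The `auto_resend_on_change=True` path is the failure mode described above: the message is re-encrypted to whatever key the server now presents before the user has any chance to react. The `False` path is the conservative alternative, and `user_verified_new_key` shows why a per-identity fingerprint is convenient for it: the value a contact published once is enough to unblock sending after a reinstall, without a fresh pairwise comparison.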