Is Signal the Most Secure End-to-End Encrypted Messaging App? (1 SBD reward for most helpful/specific answer to final question in this post)

in #encryption 7 years ago


I recently ran across a somewhat disturbing article regarding some pretty glaring red flags as concerns Telegram, a well-known and widely used "secure" SMS and group message app, and its security protocol.

Cryptography and encryption at their core aren’t about faith, jurisdictions or laws. It all comes down to math. Very complicated, borderline-magic-math, but still math. And just like when you were in school, you have to show your work or you don’t get any marks...

The biggest red flag with Telegram isn’t that they don’t show their work; that we have no idea what encryption algorithm they use; whether or not it’s secure; or whether it has any backdoors. The red flag is the fact that they decided to invent their own in-house encryption algorithm.
SOURCE.
As such, I am considering a switch to Signal.

Signal claims that, unlike Telegram and other groups claiming to offer similar services, all messages and calls made from within the app are end-to-end encrypted. Other apps, like Telegram, provide an option for a "secret chat," but as the source code and encryption algorithm are not made open and transparent for scrutiny and review, no one can really verify whether or not these "secret" chats are actually secret at all.

A recent legal battle involving an FBI subpoena seems to corroborate the claims of Open Whisper Systems, the software company behind the app:
In light of all of the above, it certainly seems this app is far superior to Telegram. One question I do have, though, and maybe something someone who understands coding and encryption can answer for me, is this:
EVEN THOUGH THE ALGORITHM AND SOURCE CODE IS MADE AVAILABLE FOR AUDIT AND SCRUTINY, HOW CAN WE BE SURE THAT THE SOURCE CODE MADE AVAILABLE IS ACTUALLY THE CODE BEING RUN BY THE APP?
This may be a totally naive and stupid question. All the same, how can I be sure that this app is not simply a product of the state, presenting a source code that is not even being used by the app? I guess coders and security experts auditing the source code could somehow verify it is indeed the same code being run by the app? Any help anyone can afford me in understanding this would be greatly appreciated!

~KafkA

Graham Smith is a Voluntaryist activist, creator, and peaceful parent residing in Niigata City, Japan. Graham runs the "Voluntary Japan" online initiative with a presence here on Steem, as well as Facebook and Twitter. (Hit me up so I can stop talking about myself in the third person!)


Hey @kafkanarchy84, so you wanna verify that Signal actually implemented the Open Whisper Systems TextSecure Protocol (or Signal Protocol) as it's publicly available through GitHub in the Signal app.

Well, you can send and receive Signal messages with a command line tool, based on the protocol library (here's a link for the JAVA version), and communicate between the Signal app and your own command line tool (built by you from GitHub code).

That should work and proves that the encryption and decryption protocol used in-app is the same as the open-source documented protocol on GitHub.

Hope this is helpful for you :)

1 SBD on the way. Thanks!


nice

I'm far from programming. So I'll sit nearby and wait for a qualified answer too)

I am not a programmer and I can not answer your question. I can only wait for the answer. I believe you will get the right answer from the experts.

While I'm no programming guru, if the encryption algorithm is provided for audit, it could be used by auditors to decrypt messages sent across the platform independent of the app. If it's bogus, it wouldn't decrypt messages sent via the app, right?

I don't know the answer to your question either buddy, however if you want a private chat with no chance of being bugged you need the device below. Hack proof dude!

😂😂😂😂😂😂

ok i try this app. thanks for your information

The only way to know if the code is actually being run is if you build the software yourself. It's usually easy to just clone the repository off of GitHub and follow the build instructions for your system of choice, and that way you can be 100% sure that the code you're running is the code you can access.
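Building from source answers the question only for the copy you built yourself. To check the copy distributed by an app store against it, a reproducible build lets you compare the two archives entry by entry, ignoring only the vendor's signing files. The following is an added illustration of that comparison and is not Signal's or Open Whisper Systems' own tooling; it assumes the app archive is a zip (as Android APKs are) and that signing metadata lives under META-INF/, and it uses constructed sample archives rather than real builds.

```python
import hashlib
import io
import zipfile

# Hypothetical helper (not Signal's own tooling): compare a self-built app
# archive with the distributed one. APKs are zip files; with a reproducible
# build, everything except the vendor's signing files under META-INF/ should
# hash identically, so any other difference means the binary you run was not
# built from the source you audited.
SIGNATURE_PREFIX = "META-INF/"

def entry_hashes(archive_bytes: bytes) -> dict:
    """Map each non-signature zip entry to the SHA-256 of its content."""
    hashes = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith(SIGNATURE_PREFIX):
                continue
            hashes[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return hashes

def compare_archives(own_build: bytes, distributed: bytes) -> dict:
    """Report entries missing from, extra in, or changed in the distributed copy."""
    mine, theirs = entry_hashes(own_build), entry_hashes(distributed)
    return {
        "missing": sorted(set(mine) - set(theirs)),
        "extra": sorted(set(theirs) - set(mine)),
        "changed": sorted(n for n in mine.keys() & theirs.keys()
                          if mine[n] != theirs[n]),
    }

def make_archive(entries: dict) -> bytes:
    """Build a zip in memory from {name: bytes}; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample archives: one honestly signed copy, one with a patched dex.
SOURCE_BUILD = make_archive({"classes.dex": b"dex-from-source",
                             "res/strings.xml": b"<resources/>"})
SIGNED_COPY = make_archive({"classes.dex": b"dex-from-source",
                            "res/strings.xml": b"<resources/>",
                            "META-INF/CERT.RSA": b"vendor-signature"})
TAMPERED_COPY = make_archive({"classes.dex": b"dex-with-extra-code",
                              "res/strings.xml": b"<resources/>",
                              "META-INF/CERT.RSA": b"vendor-signature"})
```

An empty report for the signed copy means the store build matches your source build apart from signing; any entry under "changed" or "extra" is code you did not audit.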
