Signal makes it believable by providing source code and reproducible builds. It doesn’t rule out the possibility that they’ve done something clever with the random number generator, or have the app store you use give you a compromised app, or provide any protection against endpoint compromise, but it’s about as good as you can get.
Third party apps derived from theirs, which explicitly promise to log all your messages to a server somewhere, like TeleMessage, are, for obvious reasons, far less trustworthy.
Question: how can they even claim it’s e2ee if they also claim to log all the messages? Or is the claim that they log the messages in encrypted form? In which case any client(s) with the only copy of the keys could delete them, making the logs useless.
how can they even claim it’s e2ee if they also claim to log all the messages?
Who are the various "they"s in that question?
Signal claims that if you use the Signal app, it’s end-to-end encrypted. The Trump admin was using an unofficial Signal-compatible app TM SGNL which probably didn’t make those claims. And, Signal definitely never claimed that TM SGNL was end-to-end encrypted. In fact, it’s likely TeleMessage violated the copyrights and trademarks belonging to Signal with their app.
But, in the end, the messages were still technically end-to-end encrypted. It’s just that as soon as the messages arrived at one of those ends, they were sent to TeleMessage who archived them unencrypted in AWS. It’s still end-to-end encrypted, it’s just that one of those ends is incredibly leaky.
Even with e2e security there is 2 e’s that can get compromised, their use of a altered version of the app on one end is enough to cancel out the whole encryption part it, also on the other end.
But in this case it’s like they have a lock for their garage door that is different from the lock on their car so they can’t steal the car when somebody steals the key to the garage door, but then think they can leave the keys in the lock because there is a lock (encryption) on the doors.
Signal? Why wouldn’t they? Why would they want to claim E2EE, then steal people’s chats, and try really hard to make it completely invisible? Which would probably fail since it’s FOSS. Not everything is a conspiracy. Sure, they will sell user’s metadata eventually (if they aren’t doing it already) or become a paid app, maybe even add advertisments, who knows (nothing is safe from enshittification).
TeleMessage is a different thing altogether. Their “claim” is pretty much the opposite: take a known E2EE app and make it completely transparent.
Actually, I’m more surprised people continue to believe the ‘end to end’ claims of these companies.
Signal makes it believable by providing source code and reproducible builds. It doesn’t rule out the possibility that they’ve done something clever with the random number generator, or have the app store you use give you a compromised app, or provide any protection against endpoint compromise, but it’s about as good as you can get.
Third party apps derived from theirs, which explicitly promise to log all your messages to a server somewhere, like TeleMessage, are, for obvious reasons, far less trustworthy.
Question: how can they even claim it’s e2ee if they also claim to log all the messages? Or is the claim that they log the messages in encrypted form? In which case any client(s) with the only copy of the keys could delete them, making the logs useless.
Who are the various "they"s in that question?
Signal claims that if you use the Signal app, it’s end-to-end encrypted. The Trump admin was using an unofficial Signal-compatible app TM SGNL which probably didn’t make those claims. And, Signal definitely never claimed that TM SGNL was end-to-end encrypted. In fact, it’s likely TeleMessage violated the copyrights and trademarks belonging to Signal with their app.
But, in the end, the messages were still technically end-to-end encrypted. It’s just that as soon as the messages arrived at one of those ends, they were sent to TeleMessage who archived them unencrypted in AWS. It’s still end-to-end encrypted, it’s just that one of those ends is incredibly leaky.
I don’t know how they claim that would work. But it’s important to note that only telemessage makes that claim, not signal.
well they’ve also had great peer code reviews, and the reproducible builds lets you know they’re not putting a different version on the app store….
Even with e2e security there is 2 e’s that can get compromised, their use of a altered version of the app on one end is enough to cancel out the whole encryption part it, also on the other end.
But in this case it’s like they have a lock for their garage door that is different from the lock on their car so they can’t steal the car when somebody steals the key to the garage door, but then think they can leave the keys in the lock because there is a lock (encryption) on the doors.
Signal? Why wouldn’t they? Why would they want to claim E2EE, then steal people’s chats, and try really hard to make it completely invisible? Which would probably fail since it’s FOSS. Not everything is a conspiracy. Sure, they will sell user’s metadata eventually (if they aren’t doing it already) or become a paid app, maybe even add advertisments, who knows (nothing is safe from enshittification).
TeleMessage is a different thing altogether. Their “claim” is pretty much the opposite: take a known E2EE app and make it completely transparent.