According to Elon Musk, Signal has "known vulnerabilities that are not being addressed"

Pretty insane for him to make such a bold claim like this with no evidence to back it up. :pensive:

1 Like

Nope, this is just standard Elmo level insane.

24 Likes

Signal isn't a Twitter/X competitor. Is there some other competing messaging service he's bankrolling?

1 Like

Only thing I can think of is X encrypted DMs

3 Likes

Feels like standard FUD campaign rather than a real desire to improve things on the side of Signal.

On the flip side it should probably be addressed just to give the middle finger back to this guy.

7 Likes

elon being elon or huge if tru :person_shrugging:

https://twitter.com/mer__edith/status/1787958712595784166

That's how a mentally stable professional deals with something like this :slight_smile:

7 Likes

He is right actually. Currently, Signal stores recovery information including Signal PINs on highly insecure Intel SGX enclaves, which have many security vulnerabilities. It's absolute madness. So if you have a 4-digit Signal PIN, which is easily brute-forced, then a threat actor could easily exploit SGX's security vulnerabilities, get your Signal PIN, then use that to look at your contacts.

Stop trusting people, start being trustless. And don't use Signal PINs lol

Also Signal does not have an official FOSS version and depends on Google libraries and Google Play notifications, which is definitely a vulnerability

1 Like
2 Likes
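The argument in the post above rests on a security model worth seeing in code: a short numeric PIN has too little entropy to survive an offline guess, so its protection depends entirely on an enclave enforcing a guess limit; once the enclave is compromised and the stretched key leaks, the guess limit vanishes and all 10,000 candidates are checked in moments. The following is an added example written for this page, not the poster's code and not Signal's implementation. It assumes, for illustration only, that the PIN is stretched with PBKDF2-HMAC-SHA256 at 10,000 iterations and that the enclave allows 10 guesses before wiping; Signal's real KDF, parameters and limits are not asserted here.

```python
import hashlib
from typing import Iterator, Optional

# Constructed example (not Signal's code). The KDF and iteration count are
# assumptions for illustration; Signal's real parameters are not asserted.
ITERATIONS = 10_000


def derive_key(pin: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a PIN into a 32-byte key. Stretching slows each guess but
    cannot add entropy: a 4-digit PIN still has only 10_000 possibilities."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, dklen=32)


class GuessLimitedVault:
    """Models a guess-limited enclave (constructed, hypothetical): it holds
    the stretched key, checks one PIN per request, and wipes itself after
    max_tries failures. This counter is the only thing protecting the PIN."""

    def __init__(self, pin: str, salt: bytes, max_tries: int = 10) -> None:
        self.salt = salt
        self._key = derive_key(pin, salt)
        self.tries_left = max_tries

    def try_pin(self, pin: str) -> Optional[bytes]:
        if self.tries_left <= 0:
            raise PermissionError("guess limit exhausted; secret wiped")
        self.tries_left -= 1
        if derive_key(pin, self.salt) == self._key:
            return self._key
        return None


def all_pins(digits: int) -> Iterator[str]:
    """Enumerate every zero-padded numeric PIN of the given length."""
    for n in range(10 ** digits):
        yield str(n).zfill(digits)


def online_attack(vault: GuessLimitedVault, digits: int = 4) -> Optional[str]:
    """Attacker who must go through the enclave: stopped by the guess counter
    unless the PIN happens to fall inside the first max_tries candidates."""
    try:
        for pin in all_pins(digits):
            if vault.try_pin(pin) is not None:
                return pin
    except PermissionError:
        return None
    return None


def offline_attack(leaked_key: bytes, salt: bytes, digits: int = 4) -> Optional[str]:
    """Attacker who extracted the stretched key from a compromised enclave:
    no guess counter applies, so the whole 10**digits space is searched."""
    for pin in all_pins(digits):
        if derive_key(pin, salt) == leaked_key:
            return pin
    return None


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample input
    vault = GuessLimitedVault("0042", salt, max_tries=10)
    print("online attack recovered:", online_attack(vault))  # None
    leaked = derive_key("0042", salt)  # what an enclave compromise hands over
    print("offline attack recovered:", offline_attack(leaked, salt))  # 0042
```

The asymmetry is the whole point: the online attacker burns its ten guesses and gets nothing, while the offline attacker with the leaked key recovers the PIN after 43 KDF evaluations. Raising the iteration count changes the offline cost by a constant factor only; what actually helps is a longer PIN or an alphanumeric passphrase, which grows the candidate space rather than the per-guess cost.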

Elon didn't include any of this. Do we know for certain this is what he is referring to? Or is he fear-mongering because he's about to announce XYZ?

Criticizing signal is fine, but a broken clock is right twice a day.

5 Likes

GrapheneOS on Mastodon did mention that Signal and WhatsApp have a big attack surface, and specifically mentioned something about Signal. I had a look for the post, but I can't find it. I'll edit this comment when I do.

He mentions absolutely no sources, no CVEs that haven't been patched, no 0-days that Signal has ignored, etc.

Man's just blabbing about something for the sake of generating artificial interactions on Twitter.

5 Likes

Everyone please do not take anything he says as correct, ever. In fact, you would be safe to assume the opposite of what he says is generally true. He has been debunked to the ground by Common Sense Skeptic and others.

3 Likes

He obviously lacks any proof to back it up, or read some political article about Signal.

But it is true that Signal has known vulnerabilities that are not being addressed:

No sandbox on Linux

Shit Sealed Sender implementation.

Relying on a SIM to sign up is always an attack vector: How a Third-Party SMS Service Was Used to Take Over Signal Accounts

  1. Yes it changed a while ago. They are now storing exactly the kinds of informatio... | Hacker News
  2. There's a good article on the topic here: https://www.vice.com/en/article/pkyzek... | Hacker News
  3. This has been true for many years now. At the time it caused a major uproar amon... | Hacker News
2 Likes

Telegram's CEO just issued a very interesting statement at an interesting time.


:shushing_face: A story shared by Jack Dorsey, the founder of Twitter, uncovered that the current leaders of Signal, an allegedly "secure" messaging app, are activists used by the US state department for regime change abroad :ninja:

:disguised_face: The US government spent $3M to build Signal's encryption, and today the exact same encryption is implemented in WhatsApp, Facebook Messenger, Google Messages and even Skype. It looks almost as if big tech in the US is not allowed to build its own encryption protocols that would be independent of government interference :service_dog:

:man_detective: An alarming number of important people I've spoken to remarked that their "private" Signal messages had been exploited against them in US courts or media. But whenever somebody raises doubt about their encryption, Signal's typical response is "we are open source so anyone can verify that everything is all right". That, however, is a trick :clown_face:

:man_detective: Unlike Telegram, Signal doesn't allow researchers to make sure that their GitHub code is the same code that is used in the Signal app run on users' iPhones. Signal refused to add reproducible builds for iOS, closing a GitHub request from the community. And WhatsApp doesn't even publish the code of its apps, so all their talk about "privacy" is an even more obvious circus trick :zzz:

:shield: Telegram is the only massively popular messaging service that allows everyone to make sure that all of its apps indeed use the same open source code that is published on Github. For the past ten years, Telegram Secret Chats have remained the only popular method of communication that is verifiably private :muscle:


1 Like

Tell that liar to just shut up lmao. Telegram is a privacy nightmare (personal number leak and OTP hijack)

They also give data to feds https://www.xda-developers.com/telegram-released-user-data-to-german-authorities/

EDIT:

It looks almost as if big tech in the US is not allowed to build its own encryption protocols that would be independent of government interference

LMAO sure: The Most Backdoor-Looking Bug I've Ever Seen

Because it sucks, they even agree themselves.

Signal's CEO talked about it recently https://twitter.com/mer__edith/status/1787958712595784166

or of the binaries we ship, would be detected almost immediately even on platforms like iOS where reproducible builds are not currently possible (BTW, please pressure Apple to make them possible).

You have to add DRM spyware into apps submitted to the App Store, so it will never be reproducible.

2 main issues:

  1. Apps submitted to the App Store must be encrypted with FairPlay DRM (even if free / FOSS). The .ipa file is useless; you have to extract it at runtime (root).
  2. Only Xcode can compile apps, and macOS is hard to containerize, so matching the build environment is tricky.
10 Likes

That's exactly why I say it is an interesting statement.

Yeah, sure. Everything has unknown vulnerabilities. Maybe in 400 years a vulnerability in Pron will be found. It doesn't matter that there are "invisible" existing vulnerabilities that no one on earth knows of. You know what? Tesla has serious known vulnerabilities that have not been addressed.

2 Likes

Well, some interesting criticism. But some points:

  1. Because the US government makes encryption tools and later follows people doesn't mean encryption was initially designed to follow people: they are different departments. Because a department of the US government (or any country) does x, doesn't mean other departments are going to align with x or vice versa. Look, for example, at Startpage. Private, and owned by an ad group (1system). Does it make Startpage bad? No, because Startpage has different admins and different circumstances and goals.

  2. To answer that criticism, Session seems to be developing new encryption (correct me if I am wrong).

  3. Telegram isn't the only app: SimpleX is going to beat every other app. It is somewhat buggy at the moment, but it is just a matter of time.

  4. Okay so:
    Signal: open source, US, rejects criticism, experts on encryption agree that it is good

    Telegram: open source, Russia, runs bug bounty competitions

    Session: open source, Australia, NGO.

    SimpleX: VC funded, US???, Signal's encryption, can run self-hosted if paranoid

1 Like

Sorry for the orthography, but the digital keyboard isn't very fun