Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I'm not sure signal actually solves the key distribution issue, it re-issues keys for users semi-often which have a feature to verify the new keys, but most users won't. It also has a potential frontend distribution problem through the App Store (apple/google could be compelled to distribute a compromised Signal App to specific users).


Theoretically at least Android has a TOFU-like system where the developer signs the app (although Google also has a product where Google manage the keys which developers can sign up for). That doesn't help people who are specifically targeted as it's within Google's control on most devices to change that via updates to system components or to hold back critical security updates selectively via the Play Store channel but it does raise the bar a bit.


I am really suspicious of signal, just because it's promoted so much.

I think it is secure, if, you don't install it via google and you actually do verify your contacts, but the NSA might relying on the fact that most people will not.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: