Office 365 implementing AI to detect employees colluding, leaving and more

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • LibreSignal

    LibreSignal • The truly private and Google-Free messenger for Android.

  • 1) You need to audit that code, which.. everyone will have to do.

    2) https://signal.org/blog/reproducible-android/

    > the Signal Android codebase includes some native shared libraries that we employ for voice calls (WebRTC, etc). At the time this native code was added, there was no Gradle NDK support yet, so the shared libraries aren’t compiled with the project build.

    A good answer in my opinion, but it means what you run from the Play Store is not reproducible and thus can never really be confirmed to be what the sources actually include. There are also binary blobs needed for interacting with Google Play.

    3) Signal is openly hostile to third party client implementations: https://github.com/LibreSignal/LibreSignal/issues/37

  • oasis

    a small statically-linked linux system

  • Oh dear, you definitely chose the wrong person to accuse of not auditing their code.

    I'm typing this from my OpenBSD laptop, which, I assure you, I have audited extensively; but that's hardly relevant to this topic.. I just think it's funny that you would assume this of me. I'm also big on system-transparency[0] and micro systems like Oasis Linux[1] which attempt to limit things being able to hide.

    Granted, nothing is perfectly secure.

    But, again, besides the point entirely.

    Your central thesis is that nothing is safe.

    Why, then, should I not just use Telegram? Or VK, or WeChat?

    We have consensus in the HN community that those chat systems (especially Telegram) are inherently insecure. Why?

    Don't worry, I'll answer for you: Because they do not support E2EE except when specifically asked to, and because they used their own encryption.

    This is enough for the security community to decide that Telegram is a bad product(tm).

    I'm not arguing in defense of Telegram, I'm just letting you know what happens to "secure messengers" under a microscope.

    The same criticism has not been levied against Signal, despite them offering no more protection in real terms than HTTPS would. There are theoretical safety-nets but nothing you can concretely audit.

    Your argument that "it's their code they can do what they like" holds as much water as an inverted plate, given the context that they've chosen to live under.

    So, instead of attempting to talk me down with an Argument from fallacy[2]

    [0]: https://www.system-transparency.org/

    [1]: https://github.com/oasislinux/oasis

    [2]: https://en.wikipedia.org/wiki/Argument_from_fallacy

  • src

    Read-only git conversion of OpenBSD's official CVS src repository. Pull requests not accepted - send diffs to the tech@ mailing list.

  • A belief you hold strongly because you have never enjoyed the beauty of an operating system code you can actually read I guess: https://github.com/openbsd/src

    OpenBSD is a lot of code, sure, but far from insurmountable, the drivers are few and quite generalised.

    I can’t really say how long it took me to read it because it was over a few years of getting curious and diving in, but it wasn’t much.

    I’d say if you were to study the code for 8 hours a day it would probably take about 3-5 weeks.

    That said: I’m not claiming that I did a full security audit and found all the bugs: I am stating outright that I have read every line of code in the source tree, and the majority of the code that I run from ports, it’s simple enough that you can do that.

    And yes; I still get horrified at a lot of the ports; not everything is perfect.

    Exceptions include Chromium and Firefox due to sheer complexity, (and I have had reason to dive into those: the tweaks file is fun); and I have read the majority of the GCC code too (which somehow is much less complex and is quite easy to wrap your head around once you’ve read the dragon book than the browsers).

  • Zulip

    Zulip server and web application. Open-source team chat that helps teams stay productive and focused.

  • A few open source options (some with hosted plans)

    - [Zulip](https://zulip.com/)

  • Rocket.Chat

    The communications platform that puts data protection first.

  • Mattermost

    Mattermost is an open source platform for secure collaboration across the entire software development lifecycle.

  • sydent

    Sydent: Reference Matrix Identity Server

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.
