Signal-Server
Server supporting the Signal Private Messenger applications on Android, Desktop, and iOS
Sorry, where's the vulnerability in _signal_ here?
The TLS proxy is not sufficient. Marlinspike addressed this in their incredibly childish PR [0]:
>As we said in the blog post, it is nothing more than a simple TLS proxy as an interim solution to help people while we're working on something more scalable and more robust
I'm not so sure they made it clear they were working on another solution in that blog post [1], but it's a known problem that proxies can be fingered. I don't see the value add here and I can't read this as anything other than "boo hoo, we weren't listened to".
[0]: https://github.com/signalapp/Signal-TLS-Proxy/pull/15#issuec...
[1]: https://signal.org/blog/help-iran-reconnect/
If you see their timeline and screenshots here [0], it says they weren't allowed to post in the forum.
[0] https://github.com/net4people/bbs/issues/60
It's useful when e.g. Roger Dingledine who represents the entire Tor Project wants to make a public statement. It's pseudo-intellectual BS when some random GitHub account with edgy repos like https://github.com/studentmain/fuck-signal-tls-proxy does it.
> instead of forking and building solutions
What would you fork? The signal server code that hasn’t been updated in almost a year[1]?
If that is truly the same code that we use with Signal today, would your fork work with this same network? Or would it be its own 1-server network all alone?
[1]: https://github.com/signalapp/Signal-Server
That was only added 19 days ago - after months of people (politely) asking for it to be acknowledged as a serious concern.
https://github.com/signalapp/Signal-Android/commit/0a29ffcf4...
> there isn't a currently easily available obvious way to have private secure conversations.
Ricochet[1] works really well. It uses Tor hidden services to communicate. Your Ricochet ID is your onion address. To add a contact, you input their Ricochet ID and a short message, and Ricochet connects to their onion address and sends a contact request. If the contact request is accepted then you'll each show up as a contact on each other's client and can chat whenever you want.
Tor is really perfect for this, you can't get more private or censorship-resistant than Tor.
The UI is currently not great, but that's not a protocol problem.
The biggest problem with Ricochet is that hardly anyone is using it.
[1] https://ricochet.im/