Twilio Incident: What Signal Users Need to Know

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • Peergos

    A p2p, secure file storage, social network and application protocol

  • If you're looking for a Keybase replacement, check out Peergos (https://peergos.org). Peergos is a P2P E2EE global filesystem and application protocol that's:

    * fully open source (including the server) and self hostable

    * has a business model of charging for a hosted version

    * designed so that you don't need to trust your server

    * audited by Cure53

    * fine-grained access control

    * identity proofs with controllable visibility

    * encrypted applications like calendar, chat, social media, text editor, video streamer, PDF viewer, kanban

    * custom apps - you can write your own apps for it (HTML5), which run in a sandbox which you can grant various permissions

    * designed with quantum resistance in mind

    You can read more in our tech book (https://book.peergos.org) or source (https://github.com/peergos/peergos)

    Disclaimer: co-founder here

  • session-desktop

    Session Desktop - Onion routing based messenger

  • I think you're missing the part where they are in the "trying to figure out how to relax that constraint" phase (they have not yet) and having trouble in paradise. They've run into all the issues and nuances elucidated in this thread. They have been receiving pretty intense feedback from people who have stopped using their product because of the concessions made. And even saw their product forked the minute it became clear what they were doing: https://getsession.org.

  • TextSecure

    A private messenger for Android.

  • All of your answers are in the links I provided, I'm more than happy to help, but please make an effort too.

    Here is the data that gets collected and stored in the cloud:

    https://github.com/signalapp/Signal-Android/blob/3553a28683d...

    > It also doesn't store any lists of who you contact; this claim is false.

    The entire point of Signal adding PINs was to protect the data Signal now stores so that you can recover it. That includes: your contacts, profile, and settings. Signal is required to store your contacts in order for that to happen.

    Signal does not ever try to deny that they collect and store your contacts. They just don't say so plainly and they often present the fact in misleading ways. Here's one example of them explaining their reasoning for storing your contacts on their servers:

    "We're trying to add support for identifiers that aren't phone numbers, since that's what we've heard from users. If we do that, your signal contacts can't live in your address book anymore. Every other app just stores that in plaintext on their servers, which we don't want to do." [source](https://twitter.com/moxie/status/1277737851107471360?s=20)

    > You linked to a repository that uses Intel SGX which is used in this instance specifically to address your false claim that the e2e encryption used is easily bruteforced.

    It doesn't "address my false claim" it supports it. Again, please read the links. Especially https://community.signalusers.org/t/proper-secure-value-secu... since it addresses both the brute force issue, and why SGX is not able to protect the data. You might find https://community.signalusers.org/t/sgx-cacheout-sgaxe-attac... helpful as well.

  • SecureValueRecovery

  • Signal (or, more accurately, one of its predecessors) used to use client-side private set intersection for contact discovery, but this scales poorly [1].

    Now they use a solution based on Intel SGX and server-side trusted computing [2].

    [1] https://signal.org/blog/contact-discovery/

    [2] https://signal.org/blog/private-contact-discovery/

  • Signal-iOS

    A private messenger for iOS.

  • From my 5-minute reading of the Signal source code it seems that disabling the PIN results in the generation of a random 256-bit master key for cloud storage encryption:

    https://github.com/signalapp/Signal-iOS/blob/main/SignalServ...

    The primary developer has stated previously that cloud storage is used even with the PIN disabled:

    https://community.signalusers.org/t/beta-feedback-for-the-up...

  • ipfs-nucleus

    A minimal IPFS replacement for P2P IPLD apps

  • Yep, we built a super minimal ipfs replacement - ipfs-nucleus (https://github.com/peergos/ipfs-nucleus) with added block level access control, which is also post-quantum.
