Comment by dijit

You’re always so quick to call Signal the gold standard, but in reality, it’s not the untouchable system you claim.

I’d trust pre-Microsoft Skype, Telegram, and Signal about the same; none are bulletproof when the provider controls both client and server.

That’s the real crux, and you’re glossing over it. Skype pre-2011 ran TLS and encrypted storage, held up under global scrutiny with no major leaks, and matched Telegram’s client-server model with optional E2EE.

Post-Microsoft? it got gutted: NSA’s PRISM, Chinese eavesdropping, Mac OS X backdoors, the works.

This proves my point: when client and server are under one roof, a compromise, hack or coercion becomes possible.

Signal’s Double Ratchet E2EE, that locks down past and future messages against server breaches and its open-source code plus reproducible builds invite scrutiny that makes backdoors harder to hide, but here’s the truth: Signal’s client and server are still one entity and they have hid updates from users before. A malicious update, pushed via TOLA or CLOUD Act pressure, can snag plaintext before encryption, E2EE be damned.

Most users don’t verify builds. Transparency’s nice, but it’s not a forcefield. Telegram’s optional E2EE and Skype’s old-school TLS setup aren’t inherently worse for low-threat users who just need protection from external hacks, not state-level malice.

You’re waving Signal’s flag like it’s untouchable, but in practice, the provider’s grip on the client levels the playing field. That’s why I stick to OMEMO or OTR over XMPP or IRC: decentralised, battle-tested protocols that don’t chain me to one entity’s whims. I run them myself, no middleman, no trust roulette. Your “agreement” smells like a victory lap, but you’re dodging the real issue: single-entity control is the Achilles’ heel, not the protocol’s name.