Comment by palata
8 hours ago
I don't have a definitive opinion on such messaging apps. I like that it bridges between different services, trying to free the users from the lock-in, but...
If I talk to someone on Signal today, I know that they are probably using the official Signal on the other side. With the guarantees that I know from Signal. Now what if half of the users of Signal were using a third-party app? How much can I trust this app?
Say Matrix has a bridge to Signal. I talk to someone over what looks like Signal from my end, but it goes to some third-party server that pretends to be Signal and then relays those messages to my friend on their Matrix client. As a Signal user, I cannot know it, but my conversation is not E2EE anymore. And it kind of defeats the point of using Signal entirely, doesn't it?
I guess my point is that in terms of security, there is value in making it possible to verify that both ends are using the official Signal app, by locking it as much as possible (e.g. with DRM-like technology). But of course it's annoying to be locked in. Even though I don't feel personally super locked into Signal: I could move to another similar app in a minute. But again people tend to be lazy and don't want to switch apps. It's a hard problem, I guess.
That app already exists. It's called TM SGNL. The Department of War used it. It sent all their messages in plain-text to an Israeli server that was leaking memory dumps to the public internet (a la Heartbleed), 600GB of which were collected by hackers and sold on the dark web. Worst case scenario. That's not a fantasy, that literally happened. Do you still trust Signal?
That just reinforces what I said. It was not a problem in Signal, it was a problem with this third-party.