I Don't Trust Signal Either, But That's OK.
TL;DR: If you insist on a recommendation from a random Internet person, use a plurality of tools, compartmentalize your messaging activities by group and type, employ https:// and keep $2 in your pocket for the bus just in case. Oh, and in general don't put too much weight in messenger recommendations from anyone reachable via WhatsApp.
(Also this post is just me getting things out of my head and onto 1s and 0s. Please don't take it, or me, too seriously. I am too retired to care about other peoples' security opinions. Opinions on cucurbit cross-pollination are of course welcome.)
I'm not on most social media but my friends are. Sometimes they send me hot takes on the issue of the day. The latest round of hot takes are all around instant messenger and chat apps. The most spectacular of these fall into two camps:
- Pavel Durov's arrest is a violation of my first amendment right to racist shitposting.
- Durov is an FSB plant, Telegram is a spook, use Signal because it's infallible.
There is a third camp, which is some 4d chess-type take of "My opposite outgroup holds this view on this and they're bad people, ergo I will adopt the opposite view". These remind me of why I'm not on most social media.
The obvious thing missing in these takes is nuance. When Soatok came after XMPP+OMEMO I did not speak up, not because he was right or wrong but because nothing he said affected the way I use XMPP. I use XMPP to talk to a collection of bots on a private server, and for that use case OMEMO largely doesn't matter. If I only used XMPP on federated chats, I'd pay attention. But I don't, so I don't. There are lots of other cool XMPP uses and use cases that go beyond normal instant messaging.
When THC came after Telegram I thought I might as well write up my own thoughts, not to throw peanuts from the gallery but mostly because of thinking about how I use Telegram and other messengers. I mostly use Telegram to lurk, download things from groups and occasionally lightly troll my local area group. I don't see that being threatened regardless of whether Durov is an FSB plant or had to choose between the comfort of a French jail or a Russian skyscraper window.
I also sometimes use IRC. I'm intensely grateful security people don't look at IRC's security because they'd find it doesn't even encrypt messages at all! It turns out my use cases for IRC are identical to those for Telegram. Is one worse than the other? Telegram's worse from a centralization perspective. Probably from a phone-app perspective too, but I don't use Telegram's phone app. Like THC I'm aware of interesting undocumented APIs but again, these don't affect my use cases (they may affect yours).
I wouldn't use Telegram for anything important. That local group I hang out on? Local chat discussion about when a Person of Interest was returning to the area actually led to an arrest and conviction. Turns out law enforcement were monitoring the group chat.
Finally, I use Signal. Like Drew DeVault I also do not trust Signal. Some people say that Signal is too close to the US government, but I don't think they've ever been more in bed with the US government than Tor, insofar as they were funded with CIA-sourced money, are an NSL away from being compromised by three letter agencies, and left enough workarounds for the things they performatively do to not be a problem for said TLAs. I've written about some of my problems with Signal before, but the TL;DR is that to me at least the hagiography of Signal doesn't match up with the reality in a way not dissimilar to Tor. Others have discussed this before, and there's not much point rehashing those arguments here.
When people say that Signal doesn't hand over data they're right. But until recently your identity was 100% tied to a phone number. TLAs had metadata access including when you sent a message, the size of the message (i.e. if there was a large attachment), and significant volumes of further data could be obtained from Apple, Google, and your Telco.
"We kill people based on Metadata" - former head of the National Security Agency Gen. Michael Hayden.
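To make the metadata point concrete, here is an added example (not code from the original post, and not a description of Signal's actual wire format) of what an observer at the carrier or ISP can do with nothing but encrypted flow records: timestamps, subscriber identifiers and byte counts. The flow records, the client names and the 50 kB "attachment" threshold are all constructed for the example. Real clients may pad or batch traffic, which this toy ignores; the point is that content encryption does nothing to stop the pairing.

```python
# Added example: traffic analysis over constructed flow records.
# Assumes a passive observer between clients and a messenger server who sees
# TLS-encrypted flows but never plaintext. All data below is made up.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds since epoch, as logged by the carrier
    client: str     # subscriber identifier the carrier sees (phone number, IMSI, IP)
    direction: str  # "up" = client -> messenger server, "down" = server -> client
    nbytes: int     # payload size; content is still encrypted


# Hypothetical threshold: anything bigger than this is assumed to be an attachment.
ATTACHMENT_BYTES = 50_000

# Constructed sample: two text messages, one large file, and unrelated noise.
SAMPLE_FLOWS = [
    Flow(1000.0, "alice", "up", 1_200),
    Flow(1000.4, "bob", "down", 1_150),
    Flow(1030.0, "bob", "up", 980),
    Flow(1030.3, "alice", "down", 990),
    Flow(1100.0, "alice", "up", 2_400_000),
    Flow(1101.5, "bob", "down", 2_400_000),
    Flow(1200.0, "carol", "up", 1_100),   # upload with no matching download
    Flow(1500.0, "carol", "down", 600),   # keepalive far from everything else
]


def infer_messages(flows, window=2.0, tolerance=0.10):
    """Pair each upload with the first later download to a *different* client that
    lands within `window` seconds and matches in size to within `tolerance`.

    Returns a list of (sender, receiver, send_time, is_attachment) tuples.
    """
    ups = sorted((f for f in flows if f.direction == "up"), key=lambda f: f.ts)
    downs = sorted((f for f in flows if f.direction == "down"), key=lambda f: f.ts)
    used = set()
    messages = []
    for u in ups:
        for i, d in enumerate(downs):
            if i in used or d.client == u.client:
                continue
            if d.ts < u.ts or d.ts - u.ts > window:
                continue
            if abs(d.nbytes - u.nbytes) > tolerance * max(u.nbytes, 1):
                continue
            used.add(i)
            messages.append((u.client, d.client, u.ts, u.nbytes >= ATTACHMENT_BYTES))
            break
    return messages


def contact_graph(messages):
    """Count how often each unordered pair of clients exchanged a message."""
    counts = {}
    for sender, receiver, _ts, _att in messages:
        key = tuple(sorted((sender, receiver)))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    msgs = infer_messages(SAMPLE_FLOWS)
    for sender, receiver, ts, att in msgs:
        kind = "attachment" if att else "text"
        print(f"{ts:.1f}: {sender} -> {receiver} ({kind})")
    print("who talks to whom:", contact_graph(msgs))
```

Run it and the observer learns that alice and bob exchanged three messages, one of them a large file, at known times, without ever decrypting anything; that is the data a phone-number-keyed identity and a carrier subpoena hand over.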
Signal doesn't stop you from getting caught doing whatever the US deems bad. Signal's defences stem from deliberate design choices that enable and reinforce alternative disclosure routes for TLAs as paths of least resistance. Letting a million Signal instances bloom would've no doubt been the fast track to a National Security Letter asking for a backdoor. I suspect this is why setting up a proxy is so much easier than setting up a production instance and client.
Marlinspike had his reasons for not playing well with others, which I think Drew DeVault has articulated better than I would here. Marlinspike's gone though, which a lot of people don't realise. So who owns Signal? The Signal Foundation, a 501(c)(3) non-profit like OWASP, so it must be good, right?
According to s1a of their latest Form 990 Signal is effectively owned by Meredith Whittaker, who despite gushing Op-Eds singing her praises as a privacy lover spent 13 solid years working at Google before realising what kind of place it actually was, Moxie Marlinspike (I believe this has changed but I'll await the next 990), and Brian Acton, co-founder of WhatsApp (and provider of Signal's $50 million loan). I don't use WhatsApp because it's owned by Facebook. I trust the founders of WhatsApp as far as I could throw them because they sold out to the worst privacy harvester in the universe either without understanding what kind of beast Facebook is, or they knew and did it anyway. I'm just unconvinced that the best solutions to problems created by Silicon Valley will come from the people and places that created them. So no, I don't trust Signal, but as my mate Guv would say, "It's good enough for government work".
When Soatok tells you to ditch your personal XMPP server + OMEMO for a centralized system that doesn't play well with others, effectively bought out by one of the guys behind this mess of shitty messengers in the first place, he's telling you his view as a cryptographer. He's not telling you something from a viewpoint of a full assessment of XMPP in total, in all use cases. His view on cryptography, and the cryptography of OMEMO is sound. His technical points on OLM are sound. It's often so much easier to shoot the messenger than change software architecture.
When THC tells you to keep Durov in jail that's an opinion (which they're entitled to). I'm not having a pop at Soatok or THC, they're good people. Their research is solid and views are carefully considered within the context of their worldview. All I'm saying is that their worldview may or may not match yours, and therefore their threat model may also not match yours.
Neither really provided a threat model (nor were they obliged to), so when you read them you should bring your own. If you'd like a threat model, I'd suggest one from James Mickens:
In the real world, threat models are much simpler (see Figure 1). Basically, you're either dealing with Mossad or not-Mossad. If your adversary is not-Mossad, then you'll probably be fine if you pick a good password and don't respond to emails from ChEaPestPAiNPi11s@virus-basket.biz.ru. If your adversary is the Mossad, YOU'RE GONNA DIE AND THERE'S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they're going to use a drone to replace your cellphone with a piece of uranium that's shaped like a cellphone, and when you die of tumors filled with tumors, they're going to hold a press conference and say "It wasn't us" as they wear t-shirts that say "IT WAS DEFINITELY US," and then they're going to buy all of your stuff at your estate sale so that they can directly look at the photos of your vacation instead of reading your insipid emails about them. In summary, https:// and two dollars will get you a bus ticket to nowhere.
You probably don't need Mossad in your threat model. Signal probably does. Telegram probably does too. A personal XMPP or IRC server probably doesn't, while a major XMPP or IRC network probably does.
For me, I'll keep using IRC, XMPP, and SMS/MMS. I'll slowly phase out Signal and keep Telegram mostly at arms length. If Mossad want to know how my squash are growing they don't need to hack my messenger. They can come visit any time.