- cross-posted to:
- [email protected]
- cross-posted to:
- [email protected]
“When you use Signal, your data is stored in encrypted form on your devices. The only information that is stored on the Signal servers for each account is the phone number you registered with, the date and time you joined the service, and the date you last logged on.”
This isn’t an ad, I wasn’t paid for this post. Just to clear the air: fuck facebook, fuck elon musk and twitter, fuck anyone who thinks this is a paid advertisement. I wish I was paid for this shit, I just wanted to spread the word. Thank you. 😀 👍
Signal is a great secure private messenger app until you realize that the keyboard is a third-party piece of software and is thus easily compromised. This is doubly so for people in CJK space where third-party IMEs are absolutely essential; Signal doesn’t provide its own keyboard under its control and it certainly doesn’t provide IMEs. So any keyboard/IME can phone home with everything you type into your “secure” app.
Signal’s duty never included input methods. Moreover, if you force a keyboard that doesn’t cover everyone’s keyboard tastes AND language AND typing methods, you suddenly are blocking people from using their own choices. Suddenly you are force-feeding a possibly bad keyboard implantation to many, and taking away interest from the app.
And, finally, there’s already plenty of free open source and privacy-friendly keyboards. There’s no need to reinvent the wheel for one single app. This is, all in all, a really poor idea.
If your claim is:
Yes, there is in fact a duty to at least warn people that their very means of input is an attack vector. Yet the Signal App public-facing messaging says nothing of the sort. Instead it says:
You have to go pretty damned deep in the documentation before you finally get the tepid warning about keyboard apps. Like really deep. With no actual mitigation suggestions or recommendations. Almost as if, you know, they don’t actually give a damn.
If your target market is security professionals, this is barely forgivable since they would presumably know about attack vectors like this. This, however, is what Signal seems to view their target market as:
And I, for one, think there’s a responsibility when security pros market to normies. A responsibility which Signal App has been actively dodging (they’ve had their feet held to the fire for this from multiple sources!) for years now.
Almost as if, you know, they don’t actually give a damn.
Almost.
Sorry, but Signal is still a messenger app. They didn’t set to make a keyboard app. You are barking at the wrong tree.
Sorry, but Signal is still a messenger app. They didn’t set to make a keyboard app. You are barking at the wrong tree.