cross-posted from: https://kbin.projectsegfau.lt/m/tech@kbin.social/t/26889
Google just announced that all RCS conversations in Messages are now fully end-to-end encrypted, even in group chats. RCS stands for Rich Communication Services and is replacing traditional text and picture messaging, providing you with more dynamic and secure features. With RCS enabled, you can share high-res photos and videos, see typing indicators for your…
The trust doesn’t even have to be in the encryption, they could very well use the same signal protocol. They would only need a copy of the keys you are using and you wouldn’t even know… That’s the problem with closed source programs, there is no certainty that its not happening (and I’m not saying it is, I can’t prove it, obviously, but the doubt remains, we need to trust these companies not to screw us over and they don’t really have the best track record in that…)
As if you’re any more comfortable with open source software, actively vetting the code, building it yourself, running your own server.
For all you know, Signal keeps a copy of your keys, too. And happily decrypts everything you send and sells it to russian data brokers for re-sale to advertisers.
There is a post gathering all security audits performed on Signal messenger:
https://community.signalusers.org/t/overview-of-third-party-security-audits/13243
And anybody can double check it, because it’s open source. And not only is it open source, but they have reproducible builds which mean you can verify that the apk you download is the same version as is hosted on github. They also have server code published. Pretty rare. Additionally experts in the field themselves endorse signal.
Your point is valid for many projects, as open source is not a guarantee for security. But signal is a pretty bad example for that.
But that’s kinda my point, you rely inherently on someone else doing what open source allows you to do. So in the end you can be tricked just the same.
I mean of course, Signal is a pretty clearcut case, but even with that one you - and I’m guessing here but tell me it ain’t true 😅 - probably do not actively verify things. You did not check the source code. You did not build your own APK to install it. I don’t think you can build the desktop version yourself but I ain’t entirely sure, granted. You probably did not probe the network data to see whether the built APK actually does what the source code promises it’ll do or has been swapped out for one that allows the server they’re running to log all messages sent.
And so on.
My point was entirely that even in the easiest of cases where we could do all of that, we do not actually do it. Hence the point of being able to do that is usually extremely moot.
And I say this as someone who, at work, checks external libraries we’re using, which is an insanely time-consuming job that entirely explains why no one in their right mind does this without being paid for it, that is, in their spare time for private use.
Signal had their server code published? I thought they closed sorced that. I even didn’t notice.
