signalapp / Signal-Android

A private messenger for Android.
https://signal.org
GNU Affero General Public License v3.0

Signal has been subverted! WARNING do not use it anymore! It is not secure #7937

Closed bchen7 closed 6 years ago

bchen7 commented 6 years ago

http://archive.is/55NnJ

Moxie (Signal dev) takes 50 Million dollars from Facebook/CIA and now all of a sudden he forcibly removes the option to use passcode and mandates everyone to use fingerprints! This means there is no Constitutional protection of 4th amendment privacy as well it means it is far easier to break the security and offers in truth no endpoint security whatsoever. This comes on the heels of taking $50 Mil CIA/deepstate monies and then censoring anything that points out the usual nature of a so-called Privacy app that no longer even allows the use of passcodes or custom pin codes (not tied into the Android OS) as a means of securing itself... (why does Protonmail offer this? why does Mega offer this? why did Signal always offer this until Moxie took the $50 Mil in cash and another $20 mil in bitcoin?!!!))!)

Signal has been subverted! WARNING do not use it anymore! It is not secure http://archive.is/tF8I8

Signal is forcing an update in order to continue to use it. Even the apk version will stop working until end user is forced to update to the newest version of signal.

Problem is newest version of Signal has gotten rid of the passphrase in favor of forcing everyone to use a fingerprint for the screenlock. Now no one is able to set their own passwords anymore! Why this change?

Stranger still, there is now suddenly a mysterious retroactive flip-flop akin to the "Mandela Effect" whereby now the developer of Signal wants us all to beLIEve that it has always been the case that Signal never offered true "end to end encryption" at rest, and that the passphrase for the signal app was never anything more than a useless "screenlock"... When other users pointed out the blatant inconsistency in this regard, the developer promptly closed and then LOCKED the topic/issue at hand.

However, recall that not long ago Signal was praised by many as the only IM app that offers true end to end encryption at rest!

https://theintercept.com/2016/06/22/battle-of-the-secure-messaging-apps-how-signal-beats-whatsapp/ http://archive.is/jXFgP

To quote the Intercept article/review of Signal app in relevant part:

"Finally, online backups are a gaping hole in the security of WhatsApp messages. End-to-end encryption only refers to how messages are encrypted when they’re sent over the internet, not while they’re stored on your phone. Once messages are on your phone, they rely on your phone’s built-in encryption to keep them safe (which is why it’s important to use a strong passcode). If you choose to back up your phone to the cloud — such as to your Google account if you’re an Android user or your iCloud account if you’re an iPhone user — then you’re handing the content of your messages to your backup service provider.

By default, WhatsApp stores its messages in a way that allows them to be backed up to the cloud by iOS or Android. If you back up your phone to your Google or iCloud account, Signal doesn’t include any of your messages in this backup. WhatsApp’s gaping backup issue simply doesn’t exist with Signal, and there’s no risk of accidentally handing over your private messages to any third-party company."

Stranger still, there is now suddenly a mysterious retroactive flip-flop akin to the "Mandela Effect" whereby now the developer of Signal wants us all to beLIEve that it has always been the case that Signal never offered true "end to end encryption" at rest, and that the passphrase for the signal app was never anything more than a useless "screenlock"... When other users pointed out the blatant inconsistency in this regard, the developer promptly closed and then LOCKED the topic/issue at hand.

#7553

http://archive.is/MvzRO

https://github.com/samlanning/Signal-Android/wiki/Using-Signal http://archive.is/mH0bJ

Previously, before the change, we had this official FAQ. In relevant part:

"The first time you run Signal, it will ask you to create a passphrase. This passphrase will be used to encrypt all of Signal's secret information, including the keys used to encrypt your text messages. The security of your messages depends on the strength of this passphrase, so make it good. Signal can be configured to cache this passphrase in memory for as long as it's running, or for a specific length of time, so you won't need to be constantly re-entering it in order to access or send messages. This passphrase cannot be recovered if it is lost." and "All text messages are encrypted with your passphrase before being stored. This encryption includes the bodies of the text messages themselves" under the "Secure Storage" section....

Now, after the change, fingerprints will be forced to be used for all security in place of the passphrase. They have entirely removed the ability to set a custom password or even to use a custom passphrase that is independent of the underlying phone OS security credentials!

I refuse to believe the developer of Signal is not aware of the fact that using fingerprints (as opposed to passwords) gives up the Constitutional rights and the Fifth amendment rights!

https://www.washingtonpost.com/news/volokh-conspiracy/wp/2017/01/18/minnesota-court-on-the-fifth-amendment-and-compelling-fingerprints-to-unlock-a-phone/?noredirect=on&utm_term=.a5fe7809afed http://archive.is/QEsru

I say boycott Signal, I say Signal has been subverted to the dark side. I say Signal is CIA, I call BS

v-po commented 6 years ago

"It was the Bilderbergers, the Trilateral Commission, etc, etc"

johanw666 commented 6 years ago

I still use a password, but even if I changed that I would have to type an unlock pattern or code. My device does not even have a fingerprint scanner, and if it had I would not use it for precisely that reason. Moxie does not force me to use it. Signal will happily use the code in that case.

P.S. This discussion belongs in the user fora at https://community.signalusers.org/

leethax666 commented 6 years ago

Where's the source on the payment?

johanw666 commented 6 years ago

@leethax666 he probably means this: https://www.wired.com/story/signal-foundation-whatsapp-brian-acton/

2-4601 commented 6 years ago

Duplicate copy-paste spam of #7676, #7725.