# Signal considered harmful

Signal claims to be an ultra private instant messenger. It encrypts the
messages, and you would think there's no central server. Or is there?

Let's find out!
7
# Distribution

Signal has always struggled with what should be the easiest thing (and
is mandatory if you want people to actually use your thing):
distribution.

Since Signal is Android/iOS (the Apple garbage) software, it should be
distributed in their respective stores. On Android you can use
F-Droid. But Signal discourages getting Signal from F-Droid.

G\*\*gle Play Services are literally botnet. They let software run in
the background (for things like push notifications). They also let
software update itself in the background. Basically, G\*\*gle Play
Services is closed-source, runs with system privileges, and lets
\<thing\> do anything with your phone. Without you knowing!

For the longest time, **Signal would not work without *G\*\*gle Play
Services***. Thankfully, this has been fixed since 2017, and Google Play
Services are no longer needed: without them the app falls back to its
own persistent websocket connection to the Signal servers for
notifications.

**BUT** if you go to signal.org -> Get Signal -> Android, it **will
redirect you to G\*\*gle Play**.
29
## F-Droid

F-Droid is a repository that only gives you Free (as in freedom (and
as in free beer)) software for Android.

Moxie [doesn't want to use F-Droid as the official way of
distribution](https://github.com/signalapp/Signal-Android/issues/127#issuecomment-13335689)
because it does not allow auto-updating. Auto-updates are
harmful. And we all know that.

F-Droid supports upgrades. They're just manual. Android sucks and you
cannot do something like `xbps-install -Su` to verify and upgrade all
your packages in one go. You have to install the APKs one by one.

But the thing here is that F-Droid **supports** upgrades!

Moxie also claims that APKs could not be verified in another
store. This is [not
true](https://f-droid.org/en/docs/Signing_Process/): F-Droid signs
both its repository index and the packages it builds.

Moxie could set up his own F-Droid repository (it's easy as crap). But
Signal cared more about important features than about security-wanting
users. Such as [Emoji
reactions](https://signal.org/blog/more-reactions/) or [animated GIF
search, using 3rd party
websites](https://signal.org/blog/signal-and-giphy-update/).
56
## Direct APK download

Anyway, you can [download the APK from the official Signal
website](https://signal.org/android/apk/), but I had to use my search
engine to find this. So this is hidden as shit. Also, **it encourages
you to download Signal from G\*\*gle Play**.

And the way to verify it is using `keytool` (whatever that is (I also
had to use my search engine to see what the hell that is)).

To verify the file, I had to unzip the APK (what?), get to the
META-INF folder, and use keytool on the certificate in there, then
compare the fingerprint it prints against the one on the download page
by eye. (`keytool -printcert -jarfile Signal.apk` reads it straight out
of the APK, and `apksigner verify --print-certs Signal.apk` from the
Android SDK build-tools additionally checks that the signature is
valid for the whole package.)

Why not just use `.sig` files to verify things? (Like any other Free
Software project does with their binaries and source packages? (Also,
every sane repository does this with detached signatures.))

Also: A checksum **IS NOT** a signature. Your local fed can break into
your server, put a backdoored APK there, and change the checksums. What
a fed cannot do, though, is sign that backdoored APK with your PGP key,
because you need the private key (and, in any sane OpenPGP setup, the
passphrase) to sign. To be fair, the APK is itself a signed artifact:
the fingerprint on the download page identifies Signal's signing
certificate, not the file, so a fed who swaps the APK cannot give it
Signal's signature, and Android refuses to install an update whose
signer differs from the already installed app. That only helps people
who already have Signal, though; on a first install the only thing you
can compare the fingerprint against is the same website the APK came
from. BTW, F-Droid signs the packages automatically.
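To make the checksum-vs-signature point concrete, here is an added Go example (not Signal's code and not from the original post) that builds a release with a sha256sum-style checksum file and a detached ed25519 signature, then plays through the server-compromise scenario above: the attacker swaps the artifact and regenerates the checksum file. Ed25519 stands in for the OpenPGP signing the text talks about, the APK bytes are constructed stand-ins, and the filename is hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a download page hands out: the artifact, a SHA-256
// checksum file for it, and a detached signature over it.
type Release struct {
	Artifact []byte
	SumsFile string // "<hex sha256>  <filename>", like sha256sum prints
	Sig      []byte // detached ed25519 signature over Artifact
}

const artifactName = "Signal-Android.apk" // hypothetical filename

// Checksum returns the sha256sum-style line for data.
func Checksum(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:]) + "  " + artifactName
}

// VerifyChecksum is what a user does with the .sha256 file next to the
// download: recompute and compare. It only proves the file matches what
// the *server* says it is, not who produced it.
func VerifyChecksum(data []byte, sumsFile string) bool {
	return Checksum(data) == sumsFile
}

// VerifySignature checks a detached signature against a public key the
// user obtained out of band (pinned in a package manager, for example).
// The server cannot forge this without the private key.
func VerifySignature(pub ed25519.PublicKey, data, sig []byte) bool {
	return ed25519.Verify(pub, data, sig)
}

// Publish builds the release an honest maintainer puts on the site.
func Publish(priv ed25519.PrivateKey, artifact []byte) Release {
	return Release{
		Artifact: artifact,
		SumsFile: Checksum(artifact),
		Sig:      ed25519.Sign(priv, artifact),
	}
}

// Tamper is the "local fed breaks into your server" scenario from the
// text: swap the artifact and regenerate the checksum file. The
// detached signature stays as it was, because it cannot be regenerated
// without the private key.
func Tamper(r Release, backdoored []byte) Release {
	return Release{
		Artifact: backdoored,
		SumsFile: Checksum(backdoored),
		Sig:      r.Sig,
	}
}

// Outcome records what each verification method says about a release.
type Outcome struct {
	ChecksumOK  bool
	SignatureOK bool
}

// Check runs both verification methods a downloader might use.
func Check(pub ed25519.PublicKey, r Release) Outcome {
	return Outcome{
		ChecksumOK:  VerifyChecksum(r.Artifact, r.SumsFile),
		SignatureOK: VerifySignature(pub, r.Artifact, r.Sig),
	}
}

// Scenario plays the whole thing through with constructed stand-in
// bytes for the APKs and returns the verdicts for the honest and the
// tampered release.
func Scenario() (honest, tampered Outcome) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []byte("PK\x03\x04 constructed stand-in for the real APK bytes")
	backdoor := []byte("PK\x03\x04 constructed stand-in for a backdoored APK")

	rel := Publish(priv, genuine)
	honest = Check(pub, rel)
	tampered = Check(pub, Tamper(rel, backdoor))
	return honest, tampered
}

func main() {
	honest, tampered := Scenario()
	fmt.Printf("honest release:   checksum ok=%v signature ok=%v\n", honest.ChecksumOK, honest.SignatureOK)
	fmt.Printf("tampered release: checksum ok=%v signature ok=%v\n", tampered.ChecksumOK, tampered.SignatureOK)
}
```

The tampered release passes the checksum check and fails the signature check. The only thing that makes the signature check meaningful is that the public key reached the user through a channel the server cannot rewrite, which is exactly what a package repository's pinned signing key gives you and a fingerprint printed on the same download page as the APK does not.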
80
## Centralization

Signal's encryption is end to end, and that part is true. But what is
not true is that the whole system is decentralized. Messages are
relayed through **centralized servers**.

Where does Signal store your phone number, so you can use your account
on multiple clients? How do I get information about my contacts? Yup,
they're stored on Moxie's servers!

Signal should be federated. A federation works like email: Lain can
send an email from lainswebsite.net to qorg, whose email is at
vxempire.xyz, and nothing says you cannot do that.

I should be able to set up my own Signal server, on my own hardware, so
I'm in control of the logs and data. I could also let my friends use
my server. And this server should be able to communicate with the
official Signal servers.

BUT Moxie forbids this. Your fork of Signal cannot use the official
Signal servers, and the servers are not federated. This means that a
Signal fork's users cannot talk to official Signal users. No fork of
Signal will ever have any large user base.

Your Signal fork also can't have the name "Signal" in it. Because that
makes [Moxie
angry](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165).
108
# Why is Signal recommended by security experts then?

Because they're trying to convince computer novices to use a secure
IM. You know, I don't expect my grandmother to set up her own XMPP
server. But I can expect her to use Signal, since it is made for
novices.
114
# Conclusion

XMPP does not have any of these problems.

Okay, Signal is good, but the things we have talked about here are not
what you expect from a "security focused" program. The chat itself is
end-to-end encrypted, and that's good. So if you have to choose between
\<big corporate owned IM\> and Signal, choose Signal.

Did I mention it needs a phone number to work?