Added an article on why telegram sucks and a tutorial on creating eepsites
[kill9.git] / harmful / software / signal.md
# Signal considered harmful

Signal claims to be an ultra-private instant messenger. It encrypts the
messages and there's no central server. Or is there?

Let's find out!

# Distribution

Signal always struggled with what should be the easiest thing (and
mandatory if you want users to use your thing): the distribution.

Being Android/The Apple Garbage software, Signal should be
distributed in their respective stores. On Android, you can use
F-Droid. But Signal discourages getting Signal from F-Droid.

G\*\*gle Play Services are literally botnet. They allow software to
run in the background (for things like notifications). They also allow
the software to update in the background. Basically, G\*\*gle Play
Services is a rootkit that allows \<thing\> to do anything with your
phone. Without you knowing!

For the longest time, **Signal would not work without *G\*\*gle Play
Services***. Thankfully, this has been fixed since 2017, and Google Play
Services are no longer needed.

**BUT** if you go to signal.org -> Get Signal -> Android, it **will redirect
you to G\*\*gle Play**.

## F-Droid

F-Droid is a repository that only gives you Free (as in freedom (and
as in free beer)) software for Android.

Moxie [doesn't want to use F-Droid as the official way of
distribution](https://github.com/signalapp/Signal-Android/issues/127#issuecomment-13335689)
because it does not allow auto-updating. Auto-upgrades are
harmful. And we all know that.

F-Droid supports upgrades. They're just manual. Android sucks and you
cannot do something like `xbps-install -Su` to verify and upgrade all your
packages. You have to install the APKs one by one.

But the thing here is that F-Droid **supports** upgrades!

Moxie also claims that APKs could not be verified in another
store. This is [not
true](https://f-droid.org/en/docs/Signing_Process/).

Moxie could set up his own F-Droid repository (it's easy as crap). But
Signal cared more about important features than about security-wanting
users. Such as [Emoji
reactions](https://signal.org/blog/more-reactions/) or [animated GIF
search, using 3rd party
websites](https://signal.org/blog/signal-and-giphy-update/).

## Direct APK download

Anyway, you can [download the APK from the official Signal website
](https://signal.org/android/apk/) but I had to use my search engine
to find this. So this is hidden as shit. Also, **it encourages you to
download Signal from G\*\*gle Play**.

And the way to verify it is using `keytool` (whatever that is (I also
had to use my search engine to see what the hell that is)).

To verify the file, I had to unzip the APK (what?), get to the
META-INF folder, and use keytool to verify.

Why not just use `.sig` files to verify things? (Like any other Free
Software project does with their binaries and source packages? (Also, every
sane repository does this with RSA.))

Also: A checksum **IS NOT** a signature. Your local fed can break into
your server, put a backdoored APK there, and change the checksums. What a
fed cannot do, though, is sign that backdoored APK with your PGP key,
because you need the private key to sign. Also the passphrase, in any
sane implementation of OpenPGP. BTW, F-Droid signs the packages
automatically.
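
As an added example (not the article's code), this Go program walks through the checksum-versus-signature point above: someone who can write to the download server can swap the APK and recompute the checksum, but cannot produce a valid signature without the developer's private key. It uses ed25519 from Go's standard library as a stand-in for OpenPGP, and all "APK" bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Release is what a download server publishes: the APK, its SHA-256
// checksum and a detached signature (ed25519 stands in for OpenPGP here).
type Release struct {
	APK      []byte
	Checksum string
	Sig      []byte
}

func checksum(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// Publish runs on the developer's machine; the private key never reaches the server.
func Publish(priv ed25519.PrivateKey, apk []byte) Release {
	return Release{APK: apk, Checksum: checksum(apk), Sig: ed25519.Sign(priv, apk)}
}

// ChecksumOK proves only that the file matches the checksum published next to it.
func ChecksumOK(r Release) bool { return checksum(r.APK) == r.Checksum }

// SignatureOK needs the developer's public key, fetched out of band, and
// fails for any bytes the private key holder did not sign.
func SignatureOK(pub ed25519.PublicKey, r Release) bool { return ed25519.Verify(pub, r.APK, r.Sig) }

// ServerSwap models the page's threat: someone with write access to the
// server replaces the APK and recomputes the checksum. Without the private
// key the signature cannot be redone, so the stale one stays.
func ServerSwap(r Release, replacement []byte) Release {
	return Release{APK: replacement, Checksum: checksum(replacement), Sig: r.Sig}
}

// Scenario reports (checksum ok, signature ok) for a genuine release and
// for the same release after a server-side swap. All inputs are constructed.
func Scenario() (genChk, genSig, swpChk, swpSig bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := Publish(priv, []byte("constructed bytes of the real APK"))
	swapped := ServerSwap(genuine, []byte("constructed bytes of a replaced APK"))
	return ChecksumOK(genuine), SignatureOK(pub, genuine), ChecksumOK(swapped), SignatureOK(pub, swapped)
}

func main() {
	fmt.Println(Scenario()) // true true true false
}
```

The swapped release still passes the checksum check, which is exactly why a checksum published beside the file proves nothing about who built it.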
# Signal desktop

![Plus it is made in Electron](/signal_desktop)

# Centralization

Signal claims to be a P2P messenger[^1], and this is true, I guess. But what is
not true is that the whole system is P2P. It has **centralized
servers**.

Where does Signal store your phone number, so you can use your
account in multiple clients? How do I get information about my
contacts? Yup, they're stored on Moxie's servers!

Signal should be federated. Basically, federation is like email:
Lain can send an email from lainswebsite.net to qorg, whose email is
at vxempire.xyz, and nothing says you cannot do that.

I should be able to set up my own Signal server, on my own hardware, so
I'm in control of the logs and data. I can also let my friends use
my server. And this server should be able to communicate with the
official Signal servers.

BUT Moxie forbids this. Your fork of Signal cannot use the official
Signal servers, because the servers are not federated. This means that
a Signal fork's users cannot talk to official Signal users. No fork of
Signal will ever have any large user base.

Your Signal fork also can't have the name "Signal" in it, because
that makes [Moxie
angry](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165).

# Why is Signal recommended by security experts then?

Because they're trying to convince computer novices to use a secure
IM. You know, I don't expect my grandmother to set up her own XMPP
server. But I can expect her to use Signal, since it is made for novices.

# Paranoia

Jack (Twitter's CEO) and Elon Musk (the guy who wants to literally backdoor your brain) are suddenly recommending Signal.

These guys sell your data to the highest bidder, so why are they suddenly recommending a "private" and "secure" IM?

# Conclusion

XMPP does not have any of these problems.

Okay, <s>Signal is good</s>, but the things we have talked about here are not
what you expect from a "security focused" program. The chat itself is
P2P, and that's good. Also, it is encrypted. So if you have to choose
between \<big corporate owned IM\> and Signal, choose Signal.

Did I mention it needs a phone number to work?

[^1]: Signal services died on 2021-01-15. How could this have
happened if it is P2P?