# Signal considered harmful

Signal claims to be an ultra-private instant messenger. It encrypts the
messages and there's no central server. Or is there?

Let's find out!

# Distribution

Signal has always struggled with what should be the easiest thing (and
mandatory if you want users to use your thing): distribution.

Being Android/The Apple Garbage software, Signal should be distributed
in their respective stores. On Android, you can use F-Droid. But Signal
discourages getting Signal from F-Droid.

G\*\*gle Play Services are literally botnet. They allow software to run
in the background (for things like notifications). They also allow the
software to update in the background. Basically, G\*\*gle Play Services
is a rootkit that allows \<thing\> to do anything with your phone.
Without you knowing!

For the longest time, **Signal would not work without *G\*\*gle Play
Services***. Thankfully, this has been fixed since 2017, and Google Play
Services are no longer needed.

**BUT** if you go to signal.org -> Get Signal -> Android, it **will
redirect you to G\*\*gle Play**.
## F-Droid

F-Droid is a repository that only gives you Free (as in freedom (and
as in free beer)) software for Android.

Moxie [doesn't want to use F-Droid as the official way of
distribution](https://github.com/signalapp/Signal-Android/issues/127#issuecomment-13335689)
because it does not allow auto-updating. Auto-upgrades are harmful. And
we all know that.

F-Droid supports upgrades. They're just manual. Android sucks and you
cannot do something like `xbps-install -Su` to verify and upgrade all
your packages. You have to install the APKs one by one.

But the thing here is that F-Droid **supports** upgrades!

Moxie also claims that APKs could not be verified in another store.
This is [not true](https://f-droid.org/en/docs/Signing_Process/).

Moxie could set up his own F-Droid repository (it's easy as crap). But
Signal cared more about important features than about security-wanting
users. Such as [Emoji reactions](https://signal.org/blog/more-reactions/)
or [Animated gif search, using 3rd party
websites](https://signal.org/blog/signal-and-giphy-update/).
## Direct APK download

Anyways, you can [download the APK from the official Signal
website](https://signal.org/android/apk/), but I had to use my search
engine to find this. So this is hidden as shit. Also, **it encourages
you to download Signal from G\*\*gle Play**.

And the way to verify it is using `keytool` (whatever that is (I also
had to use my search engine to see what the hell that is)).

To verify the file, I had to unzip the APK (what?), get to the
META-INF folder, and use keytool to verify.

Why not just use `.sig` files to verify things? (Like any other Free
Software project does with their binaries and source packages? (Also,
every sane repository does this with RSA))

Also: a checksum **IS NOT** a signature. Your local fed can break into
your server, put a backdoored APK there, and change the checksums. What
a fed cannot do, though, is sign that backdoored APK with your PGP key,
because you need the private key to sign. Also the passphrase, in any
sane implementation of OpenPGP. BTW, F-Droid signs the packages
automatically.
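To make the checksum-versus-signature point concrete, here is an added example in Go. It is not code from the original page and not anything Signal or F-Droid ships. It models a release as artifact + published SHA-256 + detached signature, uses Ed25519 instead of PGP/RSA to keep it short, and shows that whoever controls the download server can swap the artifact and recompute the checksum so the checksum check still passes, but cannot produce a signature that verifies under the publisher's public key, whether they keep the stale signature or re-sign with a key of their own. The `Release`, `Publish`, `Tamper`, `TamperAndResign`, `ChecksumMatches` and `SignatureValid` names and the fake APK bytes are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a download page serves: the artifact, a published
// checksum of it, and a detached signature over it. Constructed layout
// for this example, not the real Signal APK page.
type Release struct {
	Artifact  []byte
	SHA256    string
	Signature []byte
}

func hexSHA256(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Publish hashes the artifact and signs it with the publisher's private
// key, which lives on the publisher's signing machine, not on the server.
func Publish(priv ed25519.PrivateKey, artifact []byte) Release {
	return Release{
		Artifact:  artifact,
		SHA256:    hexSHA256(artifact),
		Signature: ed25519.Sign(priv, artifact),
	}
}

// ChecksumMatches is the "compare the SHA-256 on the download page" check.
// It only proves the bytes match what the server currently publishes.
func ChecksumMatches(r Release) bool {
	return hexSHA256(r.Artifact) == r.SHA256
}

// SignatureValid is the .sig-style check: it needs only the publisher's
// public key, obtained out of band, and binds the bytes to that key.
func SignatureValid(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.Artifact, r.Signature)
}

// Tamper models an attacker who controls the server: they swap the artifact
// and recompute the checksum, but can only leave the old signature in place.
func Tamper(r Release, replacement []byte) Release {
	return Release{
		Artifact:  replacement,
		SHA256:    hexSHA256(replacement),
		Signature: r.Signature, // stale: still covers the original bytes
	}
}

// TamperAndResign models the same attacker signing with their own key.
// The signature is well-formed but does not verify under the publisher's key.
func TamperAndResign(attackerPriv ed25519.PrivateKey, replacement []byte) Release {
	return Publish(attackerPriv, replacement)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	genuine := []byte("PK\x03\x04 genuine apk bytes (constructed)")
	backdoored := []byte("PK\x03\x04 backdoored apk bytes (constructed)")

	rel := Publish(priv, genuine)
	fmt.Println("genuine:    checksum", ChecksumMatches(rel), "signature", SignatureValid(pub, rel))

	swapped := Tamper(rel, backdoored)
	fmt.Println("swapped:    checksum", ChecksumMatches(swapped), "signature", SignatureValid(pub, swapped))

	resigned := TamperAndResign(attackerPriv, backdoored)
	fmt.Println("re-signed:  checksum", ChecksumMatches(resigned), "signature", SignatureValid(pub, resigned))
}
```

Run with `go run` and the two tampered releases print `checksum true signature false`: the checksum is reproducible by anyone holding the server, the signature only by whoever holds the private key. The public key has to reach the user by a path the server does not control (a key baked into the app store client, a fingerprint published elsewhere), or the same attacker just swaps the key as well.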
## Centralization

Signal claims to be a P2P messenger, and this is true, I guess. But what
is not true is that the whole system is P2P. It has **centralized
servers**.

Where does Signal store your phone number, so you can use your account
in multiple clients? How do I get information about my contacts? Yup,
they're stored on Moxie's servers!

Signal should be federated. Basically, federation works like email:
Lain can send an email from lainswebsite to qorg, whose email is at
vxempire.xyz, and nothing says you cannot do that.

I should be able to set up my own Signal server, on my own hardware, so
I'm in control of the logs and data. I can also let my friends use my
server. And this server should be able to communicate with the official
Signal servers.

BUT Moxie forbids this. Your fork of Signal cannot use the official
Signal servers, because the servers are not federated. This means that
a Signal fork's users cannot talk to official Signal users. No fork of
Signal will ever have any large user base.

Your Signal fork also can't have the name "Signal" on it, because that
makes [Moxie
angry](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165).
# Why is Signal recommended by security experts then?

Because they're trying to convince computer novices to use a secure
IM. You know, I don't expect my grandmother to set up her own XMPP
server. But I can expect her to use Signal, since it is made for novices.

# Conclusion

XMPP does not have any of these problems.

Okay, Signal is good, but the things we have talked about here are not
what you expect from a "security focused" program. The chat itself is
P2P, and that's good. Also, it is encrypted. So if you have to choose
between \<big corporate owned IM\> and Signal, choose Signal.

Did I mention it needs a phone number to work?