The Atlantic has released the entire Signal chat among Trump senior national security officials. It shows that Defense Secretary Pete Hegseth provided the exact times of warplane launches and when bombs would drop — before the men and women flying those attacks against Yemen's Houthis this month on
  • TheTechnician27@lemmy.worldEnglish
    191·
    6 days ago

    I think the description of vulnerability is subjective in this case.

    No, it really isn’t. The Signal protocol enables E2EE, meaning you don’t have to worry about the server infra (that is, even if you don’t buy that they’re using the FOSS server code they say they are, it’s irrelevant). The Signal protocol is open and has been examined forwards and backwards over and over by security researchers around the world. I can’t emphasize how many eyes are on this protocol because of how prolifically used it is, including by government officials worldwide. The app is FOSS, and like the protocol, it has a ton of eyes on it for the same reason. The app is a reproducible build, meaning that if Signal baited you with a fake app, it would be found out immediately.

    It could be that signal is inherently more vulnerable than official channels, as Signal is a private corporation that has no motivation to disclose any failures in their security.

    They’re a corporation, sure, but in the sense that they’re a 501©(3), not a for-profit. Signal would have every incentive to disclose a failure in “their security” (where here that means their app or the protocol; again, what’s happening on the servers literally, provably, mathematically doesn’t matter). For a privacy org like this, it’s in their best interest to immediately report any problems that might compromise privacy.

    I don’t think the article is trying to blame Signal in any way, it’s just not the proper communication channel

    Agreed. But here, I agree it’s not the proper channel 1) because it’s on their personal devices which the person you’re responding to clearly stated and 2) a Signal chat (likely intentionally on their part) bypasses crucial records keeping laws. A known vuln for example is if someone has access to your phone, they can link their own personal device and read your messages as they come up. But again, that requires access to your phone, which becomes problematic if and only if you’re using your own personal device rather than a secure government one.

    and thus utilizing it is an inherent vulnerability no matter how secure their encryption may be.

    No. Again, that’s not an inherent vulnerability. Using it on their personal devices is, but unless you can come up with a vulnerability in the app itself or the protocol itself, then you’re just agreeing with the person you’re replying to.