Is it still viable to use Signal for privacy in 2026? It’s centralized, and has had many suspicious occurrences in the past.(Unopen source server code, careless whisper exploit which is still active as far as I know, and the whole mobile coin situation.)

Thoughts?

  • BillMangionee@lemmy.ml
    3·
    4 小时前

    In my experience, the bigger issue is folks just completely ignore OPSEC once they get on signal.

    The centralized component is pretty concerning. Imagine if protests like in Iran earlier this year were to occur in the States. The Feds would immediately seize or DDOS those servers during nationwide unrest, before cutting the internet which is basically an inside out panopticon.

    EOD it depends on your threat model. You’re probably not on Signal if your life depends on it anyway.

    Plus, its always useful to not have my texts immediately read and sent to advertisers.

  • airikr@lemmy.mlEnglish
    11·
    3 小时前

    If you don’t care about sharing your phone number with Signal and a third-party company (Signal refuses to state what company it is) that send the text message with the activation code to you. And if you don’t care that everything will be saved on servers maintained by Amazon in USA.

    Then yes, Signal is the right app for you even in 2026.

    But if you do care (and you should) about your phone number and the location of your data, you should focus on something more privacy like XMPP (Snikket would be the easiest way to setup your own server) and SimpleX.

    XMPP (for an example Snikket) uses OMEMO and OMEMO is based on Signal Protocol.

  • Captain Aggravated@sh.itjust.worksEnglish
    15·
    17 小时前

    The stories I’ve heard where Signal messages have been extracted or otherwise accessed was from beyond either end. Someone invited a journalist to a private group chat. Someone handed someone else an unlocked device. The most alarming one is apparently Apple uploads every push notification your device gets to their servers. So if you are concerned about privacy there’s a feature in Signal to set push notifications to only say “you got a message” and not include the sender or message contents in the notification.

    I haven’t heard of Signal itself leaking messages.

    • Nangijala@feddit.dk
      2·
      5 小时前

      This is what people don’t get when it comes to that story about the journalist. You literally have to go out of your way to invite someone into a group chat. That does not happen on accident on Signal.

      I had to explain that to a few people who heard that story and were super skeptical about Signal being dangerous. Which is ironic because the same people would be using messenger and think nothing of it.

    • sakuraba@lemmy.ml
      2·
      9 小时前

      IIRC Android has the same issue with push notifications, if you really care about privacy you should disable showing any content from any messaging app in your notifications unless you want Google or Apple to collect it

  • AtHeartEngineer@lemmy.worldEnglish
    17·
    18 小时前

    Many people have already commented saying it’s good to go, but I also wanted to add, I have dug into their actual encrypted group messaging protocols a few years ago because I was interested in using it for a different use case, and I would say it’s pretty well thought out. I trust it, I use it daily, and I’ve looked at the code. I’m not, nor have I ever been, an auditor, but I have been paid to do cryptography and red teaming/cyber security from big orgs, so I would say I have some professional experience in the matter.

  • Zak@lemmy.world
    17·
    20 小时前

    Who do you want privacy from and why?

    That’s not a rhetorical question. It matters. If you want privacy from corporations and governments doing mass surveillance because you’re against mass surveillance in principle, Signal is great! As long as you don’t give janky apps permission to read your notifications, or you limit what Signal shows in its notifications, your device won’t leak to those kinds of threat actors. You can’t be sure everyone you talk to is as fastidious though.

    If the cops, gangsters, or similar are likely to target you and the people you’re talking to directly, there’s a good chance just using Signal without a security plan won’t keep them from getting the contents of the conversation as in this recent incident where the FBI extracted deleted messages from notification logs. To defend against that specific attack, everyone needs to configure Signal to keep message content and contact details out of the notification. Dedicated devices for secure communication set up by someone who knows what they’re doing are ideal in this situation. Signal is still a good choice here, but Signal alone won’t guarantee privacy.

    If you’re being targeted by an intelligence agency from a rich country that has allocated a significant budget to surveil you in particular, you’re probably screwed. There’s plenty of public information about how US government officials and contractors are required to work with classified information to get a sense of how you might try to mount a defense. It’s guaranteed to be inconvenient.

    • eldavi@lemmy.mlEnglish
      8·
      19 小时前

      agreed and to add to this:

      Dedicated devices for secure communication set up by someone who knows what they’re doing are ideal in this situation.

      becoming your own expert is unfeasible for 99.999999999999999999999999999999999% of people and expecting it is no different than expecting people to become their own lawyer, dentist, or doctor.

      If you’re being targeted by an intelligence agency from a rich country that has allocated a significant budget to surveil you in particular, you’re probably screwed

      the bar against protecting yourself from the local police in the united states is MUCH lower than the cia, nsa, mossad, etc. and should be the goal of most projects since it’s the most realistic and the most likely to happen; there’s next to nothing that can be done against he alternatives.

      the alternative is that unfeasible ultra high bar and judges in the united states have a history of holding people in jail for years for contempt of court of not providing passwords or using duress like options on their electronic equipment.

  • Dessalines@lemmy.ml
    21·
    23 小时前

    PRODUCT PITCH: Hey everyone, I have a great idea for a secure / private messaging service.

    It’s hosted in the US, subject to its pervasive spying laws including national security letters.

    Also I need all your phone numbers.

    Also no you can’t host this yourself, I run the only server.

    Everyone who uses signal and supports it, is falling for this pitch.

    Why not signal?

    • ☆ Yσɠƚԋσʂ ☆@lemmy.ml
      5·
      10 小时前

      One of the most sus things about Signal is the cult following it has. I really can’t think of any other chat app that will have people coming out of the woodwork advocating for it while telling you not to use anything else. There’s absolutely nothing special about Signal that would warrant this. It’s at best a mediocre user experience, it still handles a lot of things like switching devices really poorly. It’s open source in name only. There’s just no reason why it should be this popular on its own merits.

    • Voxel@feddit.uk
      4·
      16 小时前

      I read the article in the past, and it is still as flawed as it used to be. You’re quite extremist without much legitimate reason. Signal is and will likely stay for the foreseeable time one of the most secure and private messengers.

    • Voxel@feddit.uk
      1·
      19 小时前

      Everyone who uses signal and supports it, is falling for this pitch.

      No, because it does not reflect the truth. You’ve to see the full picture.

        • Otter@lemmy.ca
          2·
          17 小时前

          Did you mean to link a different article, that one doesn’t say anything about defense industry ties (from my quick skim). It does talk about how phone numbers are no longer required when connecting to someone else.

          Signal DOES have my phone number, but they can’t tell my government anything other than

          • yes I use Signal
          • yes I connected to it today

          This becomes even less important as the platform gets popular. I know some friends who work in healthcare that report that they’re switching to Signal (and WhatsApp unfortunately) as an alternative to texting/phone calls for staff/department group chats and non-patient related communications.

          • Dessalines@lemmy.ml
            4·
            17 小时前

            Signal DOES have my phone number but they can’t tell my government anything other than yes I use Signal yes I connected to it today

            This is incorrect. They also have your full name and address by extension, as well as those of everyone you communicate with.

            They’re also subject to national security letters, meaning the US state can get that info without a warrant.

            Just read the first article I posted, it gets into all this.

            The 2nd article is the signal CEO Meredith Whitaker interviewing with lawfare, which is a US defense industry think-tank.

            • Otter@lemmy.ca
              3·
              15 小时前

              This is incorrect. They also have your full name and address by extension

              I didn’t suggest otherwise. This was about whether they can correlate that to additional information. I am already assuming that the US government might try to maliciously compromise the servers, without needing the pretense of national security laws.

              I’m not an expert in cryptography or Signals codebase, but my understanding is that the client app uses separate connections to verify the session (something that can be tied to your phone number on a compromised server) and to send a message out. The initial contact discovery process can leak info if you are searching for specific phone numbers, and this could be mitigated by using the QR code or usernames to get an ID directly. The actual pre key fetch is sent as a separate request not tied to your session verification. So outside of timing attacks, it shouldn’t let Signal know who I am talking to day to day even if they know that I have connected to the person at one point.

              I think it’s cool that Simplex and Matrix allow selhosting, and especially Simplex’s 2 hop technique. That should make it much more difficult for someone trying to map things out. However if the average person is going to be using the default servers, I don’t see how a compromised server is any less of a problem than with Signal’s ones.

              I recommend Signal to non-technical users trying to get away from Facebook/Instagram/whatsapp. I might start recommending Simplex too if it gets popular enough and goes through a similar level of scrutiny that Signal had. I’m already comfortable using a variety of chat platforms / self hosting for myself.

              The lack of a phone number requirement does limit the extent of social graph mapping. I hope signal will do away with that requirement as they’ve promised to for some time. The risk though is spam, which is already a problem now that signal is getting popular.

              Just read the first article I posted, it gets into all this.

              I did look over it again, and I still find the CIA section to be silly. I’ll refer back to these old comments from myself and someone else:

              https://lemmy.ca/comment/5401873

              https://lemmy.ca/post/16397504/7661724

              The 2nd article is the signal CEO Meredith Whitaker interviewing with lawfare, which is a US defense industry think-tank.

              Again, I would say this is a big leap. The CEO agreeing to an interview with a think tank that has ties to the defense industry is not the same thing as Signal having ties to the defense industry. She has done many interviews talking about Signal, with a variety of orgs of different ownership and politics

      • Dessalines@lemmy.ml
        6·
        18 小时前

        People are not as stupid as these large centralized sites like signal keep telling you they are. Ppl figured out how to make accounts on different services, forums, and platforms since the internet began. It is no more difficult to make a matrix account, or install simpleX than it is anything else. My partner and I figured out simplex within 10 minutes.

        • swelter_spark@reddthat.comEnglish
          3·
          11 小时前

          So true. My non-technical friend asked about more private ways to communicate after things started to go bad where we live, and she had no problems understanding SimpleX. The actual user experience is a lot like FB Messenger, IMO.

        • bad_news@lemmy.billiam.net
          2·
          12 小时前

          Oh, I’m not saying people can’t figure it out, but most normies won’t try on principle or something. Hell, I’ve gotten pushback from software engineers when asking them to do Matrix. Signal is known enough that most normies will use it, though, and it at least is not explicitly known to be centrally backdoored in terms of the encryption like a Whatsapp, which in my experience is the other option normies will bear.

          • ☆ Yσɠƚԋσʂ ☆@lemmy.ml
            3·
            10 小时前

            Most normies aren’t using Signal either, they’re all on Whatsapp and fb messenger. You’d be asking them to switch platforms to use Signal just as you would with any other app.

            • bad_news@lemmy.billiam.net
              1·
              9 小时前

              I successfully have multiple normies in my life on Signal. The no account/password is a big selling point. It’s not perfect, but it’s better than iMessage or Whatsapp, which are the two “this is good enough” options I see normies in my life wanting to use.

              • ☆ Yσɠƚԋσʂ ☆@lemmy.ml
                3·
                9 小时前

                Vast majority of people, outside a tiny technical niche, aren’t on Signal. And if you’re going to get people to switch anyways, then why choose Signal when there are far better alternatives around.

                • bad_news@lemmy.billiam.net
                  1·
                  9 小时前

                  My sister and wife and parents aren’t going to use Matrix or SimpleX. The no account or password, you just install on your phone and it’s like iMessage basically sells them in a way I could NEVER get enough buy in for anything else. The way I see it, Signal’s primary problem is the metadata availability, but the government knows I talk to my family, presumably, what I want to hide is the contents, which are as far as anybody knows, E2E as long as you’re not using the Israeli Molly, but evil, app the Trump admin uses. I have tried since Threema to get these people on better platforms, Signal is a win in this case.

  • listless@lemmy.cringecollective.io
    137·
    1 天前

    The client is open source, so it doesn’t matter what the server code is, you can see everything the client sends and therefore tell what possible data is being collected.

    It’s run by a non-profit so there’s no shareholders to please.

    Your messages and decryption key are not stored on their servers.

    It’s been independently audited.

    They have publicly posted responses to user information requests where they only provide the account creation date and last access time.

    The (admittedly incompetent) US government recommends using Signal (for non-classified information) and top officials have been caught using it (Houthi Working Group).

    You can never be 100% sure, but it appears to have excellent security and privacy.

    • slazer2au@lemmy.worldEnglish
      15·
      22 小时前

      Not to mention the FBI admitted that the only data from Singal they get is when the account signed up and when they last connected and they are very unhappy about so little information.

    • FauxLiving@lemmy.world
      45·
      1 天前

      and top officials have been caught using it (Houthi Working Group).

      For me this is the gold seal.

      These guys desperately don’t want records of their acts to become public record and they have the authority to outright ask US Intelligence ‘Can you guys get access to this?’ and the app they choose is Signal.

  • communism@lemmy.ml
    11·
    22 小时前

    As per usual, the answer is “depends on your threat model”. For a lot of sensitive communications, the centralised design and therefore ability to correlate metadata is a no-go. But if you’re just using it e.g. as a WhatsApp replacement to message your friends, it’s fine. It’s still the most polished and normie-friendly e2ee foss messenger.

  • nolan@monero.you
    9·
    23 小时前

    if you are super private person or want to be anonymous, maybe you can choose SimpleX.

  • nutbutter@discuss.tchncs.de
    39·
    1 天前

    A lot of people use Signal. It may not be the best solution out there, but it is so, so, so much better than the proprietary alternates.

    One good thing is that a normie can easily use it as an alternative to WhatsApp, since the app design is so similar. I mean, it is easy for family and friends to understand and start using Signal, compared to something like Matrix or XMPP.

    And if someone needs a little more hardening, they could use the fork called Molly, which has a few more security benefits over the stock app.

  • electric_nan@lemmy.ml
    29·
    1 天前

    Yes. You will find a lot of randos saying no, but the consensus among security professionals and researchers is that it is still the current standard. Not to say that it doesn’t deserve scrutiny or criticism, or that other projects aren’t important to develop.

    • whyNotSquirrel@sh.itjust.worksEnglish
      4·
      21 小时前

      Also, will I be able to reach people with any alternatives? It’s not like they’ll all switch to the app I choose, or at least I’m not that popular for them to follow me anywhere, well… worse, I still have to open Messenger (FB/meta) from time to time to get in touch with some of them 🤮🤢

      • SreudianFlip@sh.itjust.works
        1·
        17 小时前

        They don’t have phone numbers? I will risk the known exposure through the phone system before anything Meta or LinkedIn. Basically if fb or insta is your contact choice, I am going to phone or sms instead.