Hello Everyone,

This is something I’ve been thinking about in the wake of many users joining Signal, due to WhatsApp’s new privacy policy changes.

When it comes to the mobile client (in case of Android), we could verify its integrity by checking the source code & the APK’s integrity using reproducible builds (https://signal.org/blog/reproducible-android/).

When it comes to the server, it is possible that it could get compromised in many ways.

My question is, when it comes to privacy & security, does the server integrity matter if we are reasonably sure the client isn’t compromised in any way or doesn’t transmit anything that the server could access in a meaningful way.

And, this could apply to any service that has both FOSS client & server or just FOSS client.

  • Rugged Raccoon@lemmy.mlOP
    link
    fedilink
    arrow-up
    2
    ·
    edit-2
    4 years ago

    In that sense, then any messaging service, with an open client that has the same features as Signal & a server that’s either closed or open but compromised, should be ok, right? because the client doesn’t trust the server and ensures that it doesn’t send anything that can be interpreted by the server. The server either has no choice but to work with such a client or doesn’t.

    From your earlier reply, I understand that a closed server can’t be forked or can do this & that with the data sent, but at the same time, the Signal team has a tight lid on its ecosystem well. I don’t see anyone self-hosting Signal server or running a custom client, at least the people I know don’t.

    Note: Here, I’m assuming that I’ve manually installed a version of the open client that I know isn’t tampered with & has a solid implementation, not directly from any store.

    • Dreeg Ocedam@lemmy.ml
      link
      fedilink
      arrow-up
      1
      ·
      4 years ago

      The fact that their tech is FLOSS means that if someone wants to build a messaging service that has the same privacy features as Signal, they can without starting from scratch.

      I don’t see anyone self-hosting Signal server

      If they suddenly announce that Signal is bought by Facebook (it can’t really happen because it’s a non-profit), there will be other organisations that will start their own Signal based services.