Signal no longer open source?

Hello to all,

I just ran into this video from the privacy YouTuber The Hated One saying Signal is heading in the wrong direction and is not even open source anymore!

I’m curious for thoughts from the /e/ community on this… What do you think?

First of all: everyone can make YouTube videos, everyone has an opinion about anything and everything, and everyone has the right to believe these opinions or not.

Personally, I still have the most faith in traditional media. For tech-related matters, I have a few websites (with a long and good reputation) that I regularly consult to keep myself informed.

Social media and/or YouTube are not a reliable source for me; this is a choice I have made for myself. So I’m not even going to bother watching this video.

As far as I know, Signal is still open source and you can check it on GitHub:

The video just explains that the server code was not open source for one year. It does not say this about the apps. Currently the server code is open source. What the video implies is that Signal is in danger of being taken over by someone because they want to include a new digital currency in the app. This may open the app to a takeover by financial interests, just as originally happened to WhatsApp. The political direction of cancel culture makes it seem possible. But currently Signal seems to be one of the best choices for now if you want to keep in contact with people who only have your phone number and are willing to switch from WhatsApp.

In the long run it might be better to switch to a federated model like Matrix (e.g. the Element app) or XMPP with OMEMO encryption (e.g. the Conversations app), or even to a peer-to-peer approach like Briar or Jami.

Well said! I downloaded Jami a while ago, and have been hearing good things about Matrix for a while now, but am glad to hear of the other two applications that you mentioned. ‘Briar’ and ‘Conversations’ are new to me, and I am now curious to investigate them! = )

The server code wasn’t publicly updated in the repository, causing all the rumors about it not being open source. It was a legitimate concern, but Signal reacted by updating their repository with every pull request made since the last time they showed the server code.

I think many people are overstating the importance of what happened with Signal’s server code.

The whole point of end-to-end encryption is that you don’t have to know what’s happening on the server. The encryption/decryption process happens on the endpoints, the devices where the client is running, i.e., where the app is installed. The code for the Signal client has remained publicly available and up to date.

In addition, you can’t be sure that the code published is the same code running on those servers (unless you happen to have access to that server).

Of course, this shouldn’t mean that delaying code publishing is okay. But give credit where credit is due, it’s just not that big a deal. For those curious here’s a comment from their CEO.

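The point the post above makes about end-to-end encryption can be shown in code. The following is an added example written for this page, not Signal’s own code: two clients and a relay server, where the server receives only routing metadata plus an opaque, authenticated ciphertext, cannot read it, cannot re-address it, and has any modification rejected on the receiving device. It uses a single static X25519 key agreement and SHA-256 as the key derivation, both assumptions made to keep the example short; Signal’s real protocol (X3DH plus the Double Ratchet) is considerably more involved. The client names and the message are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Client is one endpoint. Its X25519 private key never leaves the device.
// (Signal uses X3DH plus the Double Ratchet; one static key agreement is an
// assumption made here to keep the example short.)
type Client struct {
	Name string
	Pub  *ecdh.PublicKey
	priv *ecdh.PrivateKey
}

func NewClient(name string) (*Client, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{Name: name, Pub: priv.PublicKey(), priv: priv}, nil
}

// aead derives an AES-256-GCM key from the ECDH shared secret with peer.
// SHA-256 over the raw secret stands in for a real KDF such as HKDF.
func (c *Client) aead(peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := c.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Envelope is all the relay server ever sees: routing metadata in the clear
// plus an opaque, authenticated ciphertext.
type Envelope struct {
	From, To string
	Nonce    []byte
	Cipher   []byte
}

// Seal encrypts on the sender's device. The routing header is bound in as
// associated data, so the server cannot silently re-address the message.
func (c *Client) Seal(to string, toPub *ecdh.PublicKey, plaintext string) (Envelope, error) {
	gcm, err := c.aead(toPub)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	aad := []byte(c.Name + "->" + to)
	ct := gcm.Seal(nil, nonce, []byte(plaintext), aad)
	return Envelope{From: c.Name, To: to, Nonce: nonce, Cipher: ct}, nil
}

// Open decrypts on the recipient's device. Any change the server made to the
// ciphertext or the header fails authentication and is rejected.
func (c *Client) Open(fromPub *ecdh.PublicKey, env Envelope) (string, error) {
	gcm, err := c.aead(fromPub)
	if err != nil {
		return "", err
	}
	aad := []byte(env.From + "->" + env.To)
	pt, err := gcm.Open(nil, env.Nonce, env.Cipher, aad)
	if err != nil {
		return "", fmt.Errorf("authentication failed: envelope modified in transit")
	}
	return string(pt), nil
}

// Relay models the server: it stores, forwards and logs metadata, and could
// alter bytes, but holds no client key, so the payload is opaque to it.
type Relay struct {
	Log   []string
	Queue []Envelope
}

func (r *Relay) Accept(env Envelope) {
	r.Log = append(r.Log, fmt.Sprintf("%s -> %s, %d bytes", env.From, env.To, len(env.Cipher)))
	r.Queue = append(r.Queue, env)
}

// Tamper flips one ciphertext bit, as a compromised server could.
func (r *Relay) Tamper(i int) { r.Queue[i].Cipher[0] ^= 0x01 }

func main() {
	alice, _ := NewClient("alice")
	bob, _ := NewClient("bob")
	env, _ := alice.Seal("bob", bob.Pub, "meet at nine")
	fmt.Printf("server sees: %s -> %s %x\n", env.From, env.To, env.Cipher)
	fmt.Println(bob.Open(alice.Pub, env))
}
```

Running it prints the hex ciphertext the server holds and the plaintext Bob recovers. Note what the server does still learn: who is talking to whom, when, and how much. That metadata handling lives in the server code, which is the part the thread is about, while message confidentiality does not depend on it.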

Thank you all for responding, more than I expected in just a single day. All points of views and alternatives are much appreciated and I got a better picture of the situation now. :pray:

Otherwise you can think about Delta Chat; in that case the privacy and security level depends on your email provider.

In all those discussions Threema always seems to be the underdog. I have a lot of friends using Threema, some of them in parallel to Signal. The app is not expensive and the client source code has been made public lately. Threema has some nice features that make it worth a look.

Well, with a degoogled OS it is not possible to get Threema, because you can only pay for it with Google services. But they don’t exist in /e/.

Please have a look here: https://shop.threema.ch/

You do not need the Google or Apple stores to buy Threema. You can buy it directly from their website. This option is not very well known but has been there since… I don’t know, but for many years already.

I’ve used that many times, and it is a great way to buy vouchers for others to get them to install Threema. Give it a try.

Well, that’s not quite right. You can just install the app via an official APK package after you have received a unique code from Threema after your purchase. You don’t need Google Play Services. The app receives regular OTA updates from time to time. For push messages Threema depends on Google Cloud Messaging, which one can use via microG.

I kind of agree, but you are missing an important point: indeed, the server source code doesn’t have to be published to trust the security of the service, thanks to end-to-end encryption from an open source client. But it has to be published if you want to be able to run the service yourself, which may be needed if Open Whisper Systems goes in the wrong direction. That may or may not happen. Having access to the server source code is one more way to guarantee to us that they won’t go evil; otherwise we will simply fork it.

That’s true, and for any other project like Nextcloud I would completely agree with you, but Signal is one of those projects that is not really meant (by the developers) to be self-hosted, even though it theoretically can be, since it’s open source.

The way that Signal works, you would have to modify the client to point to your own server. The official servers are not going to share their information with yours. Basically, what will happen is that you and a few others would be the only ones using your private Signal. And because you control your own server, even with the old (server-side) code you can still do it just fine if that is your goal.

If you are worried about security, it’s unlikely that someone who happens to know an undisclosed vulnerability in the old Signal code will randomly target your server and hack it. Even if that happens, the client-side encryption, which is updated, would mean all you have to do is restore from a backup.

And that’s another thing. Even with the new code already available, you still need to keep your own server up to date, review logs, make backups, etc. That’s a lot of trouble just to talk to the very few people that are going to download a modified Signal client. So who is really affected by this? We’re talking mostly about people who are doing it for testing, experimenting and learning. Very few people in the grand scheme of things, and it’s not like they couldn’t continue doing this.

It’s not a good thing that an open-source project goes dark, especially for a whole year. I hope this doesn’t happen again with any project. But if it does, it’s important to look at the context to understand the extent and severity of the issue. In this case? Barely noticeable for most people.

Hm, no, sorry. Server source code matters more than that. It’s not only about me and my friends. If OWS really messes up, some trustworthy actor like the Mozilla Foundation, the Apache Foundation or the FSF could step up and deploy the service in a few weeks, rebrand it and make it available in the Play Store. Then, if the mess from OWS really is big, with all the newspapers talking about it and the new alternative, people could switch. Of course, not everyone will switch, maybe no big actor will step up, etc. But with the code available, it is technically possible. And because it is possible, OWS can’t mess up, or they will kill their product. So, the server code being open is important; it is the guarantee for us that the future can be bright.

I don’t disagree with this. But the possibility of another company assuming development (after rebranding, etc.) was never off the table. And it would really be a matter of implementing security patches, since the critical component of Signal was being actively developed and published.

If instead, say, the developers had decided to quit the project for whatever reason, that’s fine: the technology is right there for anyone to use and work on. And it works. There is no need to blow things out of proportion at the first sign of trouble.

There really isn’t much more to say on the matter. Open source projects are resilient like that, we all know that, and there was never any reason to think differently this time around.