Secure messaging (Signal)

I use Signal by Whisper Systems, will this be ported to the Librem5 phone? If it isn't and I have to stick with text messaging then it's not worth the money for this phone imo. Also, how do we know the powers that shouldn't be haven't put a mole in the team to insert a spying tool into the OS?
Also if I buy it via bank transfer how safe is my money?

Hi,
at the moment we (Purism) do not have the resources to do a Signal port to our system. But since all of our sources are free anyone is free to do that, we would welcome it.
The freedom of all of our code is also the best tool against any “mole” as you call it. All of our code is public and we are pushing as much of it upstream as we possibly can where it gets reviewed by many many people, not only by fellow team members. It can also be fully audited at any time by anyone interested - in contrast to e.g. most of the Android installations out there.
I cannot comment on the safety of money wire transfers, this is something the banks have to take care of.
Cheers
nicole

5 Likes

First things first I think you shouldn’t trust Signal as it’s not open source and free (it does have the GPL3 but if I remember right it’s just the app side, the server side is a black box).

[I was wrong and did not remember right why Signal can be less effective at protecting privacy.]

The Android version uses GAPPS (a standalone version exists but it’s not on F-Droid, so you have to keep track of updates and re-download it every time [outdated information]) and the iOS version somehow phones some bits of info to Apple.
Purism will integrate the matrix protocol by default (which is FLOSS) and you will have the possibility to use a bridge to Signal if some people don’t want to migrate to matrix so you’ll still be able to communicate with them.
I don’t know if there will be any official Signal app (there is a desktop Linux package that exists, don’t know if it will work).

There’s no foolproof answer to that but all I can say is that Purism is a social purpose company and they do all they can in your best interest and as a security measure everything is free.

Can’t really answer you about that since it’s really dependent on banking systems but I think you can sleep well, your money should be pretty safe.

Edit: @nicole.faerber answered your concerns while I was writing mine.

Actually the signal code is here:


also a C library exists:

so it should be possible to do so. But as I mentioned before our resources are limited and ATM we do not have any to create something like this on our own. One approach would be to add this as a plugin to Chatty:

which is a multi protocol chat application that we started for the Librem5.

Cheers
nicole

4 Likes

I thought Signal was open source?? I've got all my mates onto it. That's what you get for trusting Steve Griffiths of Security Now podcast. I listened to a police interview and the detective said messaging apps like WhatsApp can be decrypted and Signal uses the same encryption I believe. I assumed that was the phone itself that could be cracked but you need to have it.

My mistake here, I somehow mistook Signal for Telegram so I’m sorry about spreading false information, the real thing is I migrated from Signal to matrix because Signal uses GAPPS.

Gapps? Does using matrix to send Signal messages reduce its encryption?

GAPPS, Google apps or Google services if you prefer, is a part of Android that sends data to Google (in this case it’s used to send you notifications), some custom ROMs (like Lineage OS) come without them and are often more trustworthy than the stock ROM of your phone.

I don’t think that using a matrix bridge would harm the encryption on Signal, everything should be safe. I just proposed this alternative in case there would not be a Signal app on the Librem 5. (I would not expect it from day 1)

Thanks for clearing that up. Scottiestech.info on YouTube does a video of how Google tracks you even in flight mode with your SIM card removed. It's hideous. Do you track every letter you type, link you click? Also, how will VPNs work out of the box?

If Purism is a US company it won't be safe and secure for long. The US is a member of the 5 eyes countries. What are your thoughts?

Yep it is, and you can expect these kinds of practices from any GAFAMs (Google Amazon Facebook Apple Microsoft) (or most of the tech companies that have got some financial interest).

No (you can check all the source code of everything that Purism uses), and Purism has no interest in doing any of that since their market is privacy oriented devices and services while being a social purpose company.

I assume it will since GNOME supports it OoB on desktop. (can’t say I’m a 100% sure about that but I’m pretty confident, anyway if it doesn’t support it on day 1 you can expect an update/patch from Purism and/or the community pretty fast as it’s a really important part of the system)

Even if they are a US company I have faith in Purism and I really trust them, so for me it should be fine, but anyway they have a warrant canary that shows you that they haven’t been “corrupted” by any kind of intelligence agency. (and we can’t just start a company on Mars and have our own set of rules) :)

2 Likes

The Google-free version shows update notifications and you can download and install it with two clicks.

Too bad. I was hoping for Signal, also because Purism made some comments in this direction. Signal is an important feature for the L5 as I think many of the potential customers are using Signal and don’t want to give it up.
I like the concept of matrix but I don’t think it will ever (in the near future) get any mass adoption.

1 Like

Signal is open source but you have to use and trust their server, you cannot use your own server, that’s why I prefer matrix, and supporting matrix is the best thing for Purism because everything is open. I would prefer that the Purism team focus on bringing E2EE to Fractal for day 1, this is important.
If someone else brings Signal or Telegram to the Librem I’ll be happy but I won't use it, can’t trust someone else's PC.

What about Protonmail app? If I have to use Firefox for my emails it will be a chore because I’d have to input my password every day.

So, everybody should host their own matrix server?
I host many services myself but you still have to be realistic. I would say the risk to get compromised is higher with such an approach because it’s hard to keep all instances updated and if average Joe is hosting his own server, how secure will it be?
This is why I think Signal is a good compromise.

1 Like

There was a statement about development by the community but not by Purism I think:

I haven’t found any trace of such a development since then.

1 Like

Last time I checked you couldn’t do that, so again sorry for the outdated knowledge.

1 Like

The average Joe could use the Purism or matrix server, tech people can host their server, Signal does not offer this choice.

Well theoretically it does, the issue is no federation.

@Yuno Umm haha, sorry, but Signal can be used without Gapps nowadays. After an update it's able to work without Google Services or MicroG and will receive SMS instantly.
Not too easy to know this if you haven’t touched Signal for… that long… I get that! :3