Signal is a secure messaging app. Nevertheless, security comes in different degrees. The below list consists of facilities that can be used to make a secure messaging app:
- basic public-key cryptography for key exchange
- basic TLS connection
- government standard 256 bit AES
- in lieu of AES, your favorite encryption protocol — unless this for government
- Post-quantum cryptography
An app that is made of these protocols is only as secure as the metal it runs on. The metal can be compromised with a side channel attack. All of these thought-to-be secure protocols are also vulnerable to we-didn’t-think-of-that attacks. This is why the most secure computer networks, such as those of the intel community, are air-gapped, with no electrical connection to the outside world.
Signal is only as secure as the guarantee by the phone of no side-channel vulnerability, which isn’t much of a guarantee at all. Phones are uniquely vulnerable to the Evil Maid Attack. and the update difficulty resulting from monolithic compilation of the drivers with the linux based Android kernel. Secure messaging has a heritage of promises made and promises broken.
None of the above is strange to me, and it should not be strange to you. The modern penalty for naivete is severe. This is strange to me:
Why was Jeffrey Goldberg, the editor of The Atlantic a liberal magazine, a contact on Mike Waltz’s phone? The world of leakers is known to be byzantine, but what favor could Waltz possibly curry from Goldberg?
The things you really want to know tend to be the things you’ll never know.