Hacker News

tptacek 02/19/2025

I'm not going to run interference against all the comments you're writing on this thread, because I don't think Signal needs the help and it would make the thread ultra-tedious. But during the brief window where people were taking Wire seriously as a Signal alternative, I'd occasionally write a comment or tweet like:

Were you aware that Wire keeps a high-fidelity plaintext database of exactly who talks to who on their platform?

And people were reliably startled. But all that was happening was that ordinary users have no mental model for how a secure messenger is designed, and hadn't thought through how server-side contact lists that magically work no matter what device you enroll in the system were actually designed.

So here I'll just say: the stuff you're saying about Signal is pretty banal and uninteresting. The SGX+Enclave stuff is Signal's answer to something every other mainstream messenger does even worse than that. By all means, flunk them on their purity test!


Replies

autoexec 02/19/2025

Even if you thought that SGX was bulletproof and pins were impossible to brute force, instead of just being 'better than what most other apps use', what possible justification is there for outright lying to users by claiming that their app doesn't collect any sensitive data when it does?

Signal is advertised and recommended to some extremely vulnerable people whose lives/freedom depend on their security. Signal owes users a clear explanation of the risks that come from the use of their software so that whistleblowers, journalists, and activists can make informed choices. Lying to those users is disgusting.

Seen most charitably, the fact that the very first line of their privacy policy page is an outright lie might be intended as a dead canary to warn users away as loudly as they can, but even in that case I'll be happy to say it plainly: Signal shouldn't be trusted.
