Moving from WhatsApp to Signal is an important action, right now. WhatsApp’s parent company, Meta, has been involved in several cases of election interference: America in 2016, Trinidad and Tobago …
Could you explain a bit? I see main issue with Signal (though I’m not an expert, and they’re not strictly related to security): it’s centralized (and the server isn’t even open-source).
The question is also a lot about your threat model right?
The encryption being crap really does not depend on the threat model. Sure, in some threat models you may not need e2ee at all but in that case, what’s wrong with WhatsApp?
The issue with XMPP is that security really was an afterthought. Not only is e2ee an optional extension, but there are actually 2 incompatible extensions, each with multiple versions. Then you have some clients not implementing either, some clients implementing the older, less secure one. Some implement the newer one but older version of the spec with known issues. And of course, the few clients that implement it well become incompatible with other clients that don’t if you enable e2ee, so it is disabled by default.
That is all before you start looking into security audits or metadata harvesting.
No. XMPP would be the best choice.
Tell me you don’t know anything about security without telling me you don’t know anything about security.
Could you explain a bit? I see main issue with Signal (though I’m not an expert, and they’re not strictly related to security): it’s centralized (and the server isn’t even open-source).
The question is also a lot about your threat model right?
The encryption being crap really does not depend on the threat model. Sure, in some threat models you may not need e2ee at all but in that case, what’s wrong with WhatsApp?
The issue with XMPP is that security really was an afterthought. Not only is e2ee an optional extension, but there are actually 2 incompatible extensions, each with multiple versions. Then you have some clients not implementing either, some clients implementing the older, less secure one. Some implement the newer one but older version of the spec with known issues. And of course, the few clients that implement it well become incompatible with other clients that don’t if you enable e2ee, so it is disabled by default.
That is all before you start looking into security audits or metadata harvesting.
I guess that sucks because I make a living working in cyber security. What do I know, amirite? 🤷