Consider that your the french intelligence services and you need to setup secure communication for the french government.

• Would you use signal out of the box? Clearly not.
• Would you copy signal and setup your own servers and clients, same source, different end-points? Probably not.

If you said yes to either of the above, what if you were not a ally of the US, maybe Russia, China, DPRK… Does that change your answer?

What capabilities does the runner of a centralized service have?

• See all traffic
• Can block traffic
• Can slow traffic
• Can record all traffic
• Timing analysis of metadata

Does this mean Signal is a bad product? No not at all. But it does mean its very well positioned for intelligence harvesting. Add in storing private encryption keys in the cloud SVR relying on intel SGX security… and well… you get everything even decrypted messages.

The US controls Signal, the US controls Intel - Thus the US can get any code they want signed into SGX enclaves, thus the enclaves are pointless if your threat model includes the US as a adversary

Does this mean the protocol should be thrown away? No. Does this mean Signal shouldn’t be used (depends on use case)? No. Signal has value, but its not the ultimate form of privacy and security.

I support projects like Briar because there is till much improvement needed in this space.

Notice: I’m not telling others to “educate yourself”, if I didn’t want to talk to people I wouldn’t be here, or I’d link to the proper discussion. I dislike people who come to social places and act antisocially