• TheTechnician27@lemmy.world (18 up, 1 down, edited) · 6 days ago

    I think the description of vulnerability is subjective in this case.

    No, it really isn’t. The Signal protocol enables E2EE, meaning you don’t have to worry about the server infra (that is, even if you don’t buy that they’re using the FOSS server code they say they are, it’s irrelevant). The Signal protocol is open and has been examined forwards and backwards over and over by security researchers around the world. I can’t emphasize how many eyes are on this protocol because of how prolifically used it is, including by government officials worldwide. The app is FOSS, and like the protocol, it has a ton of eyes on it for the same reason. The app is a reproducible build, meaning that if Signal baited you with a fake app, it would be found out immediately.

    It could be that Signal is inherently more vulnerable than official channels, as Signal is a private corporation that has no motivation to disclose any failures in their security.

    They’re a corporation, sure, but in the sense that they’re a 501(c)(3), not a for-profit. Signal would have every incentive to disclose a failure in “their security” (where here that means their app or the protocol; again, what’s happening on the servers literally, provably, mathematically doesn’t matter). For a privacy org like this, it’s in their best interest to immediately report any problems that might compromise privacy.

    I don’t think the article is trying to blame Signal in any way; it’s just not the proper communication channel.

    Agreed. But here, I agree it’s not the proper channel 1) because it’s on their personal devices, which the person you’re responding to clearly stated, and 2) because a Signal chat (likely intentionally on their part) bypasses crucial record-keeping laws. A known vuln, for example, is that if someone has access to your phone, they can link their own personal device and read your messages as they come up. But again, that requires access to your phone, which becomes problematic if and only if you’re using your own personal device rather than a secure government one.

    and thus utilizing it is an inherent vulnerability no matter how secure their encryption may be.

    No. Again, that’s not an inherent vulnerability. Using it on their personal devices is, but unless you can come up with a vulnerability in the app itself or the protocol itself, then you’re just agreeing with the person you’re replying to.