zlacker

[return to "Signal app downloads spike as US protesters seek message encryption"]
1. aeroph+Z4 2020-06-05 02:52:17
>>pera+(OP)
Honest question for those in the know: If I wanted to run my own personal “analysis” to verify the security of Signal, where would I start? Is it even possible? Just curious if there was a way to “know” rather than “trust”.
2. raspyb+d5 2020-06-05 02:53:44
>>aeroph+Z4
Learn cryptography to a high level then read the source code?
3. drdrey+J5 2020-06-05 02:58:51
>>raspyb+d5
How do you know that the binary you run actually corresponds to the source code you read?

EDIT: and would you then also review every commit to make sure nothing bad gets introduced? No, at some point you have to place trust in the vendor, the developers, independent audits, etc.

4. RL_Qui+X5 2020-06-05 03:00:32
>>drdrey+J5
Determinism.

https://tests.reproducible-builds.org/debian/reproducible.ht...

We're making great strides into software being completely deterministic. The Bitcoin project for many years has had completely deterministic binaries and a ceremony process for GPG signing the output with many individual parties.

5. drdrey+Zb 2020-06-05 04:08:25
>>RL_Qui+X5
See my other comment about determinism: https://news.ycombinator.com/item?id=23424925

Trying to get a bit-to-bit equivalent of a binary lifted from the app store sounds challenging to say the least.

6. ryukaf+1d 2020-06-05 04:21:29
>>drdrey+Zb
Yes, this is more difficult than it sounds - but GP linked to the reproducible builds project which has gotten there already for a lot of software.

See also Guix, which provides tools to challenge servers providing binary packages to see if they match a locally-built version: https://guix.gnu.org/manual/en/html_node/Invoking-guix-chall...
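
An added example, not part of the original thread and not code from Signal, Guix or the reproducible-builds project: comments 5 and 6 turn on why a store-distributed binary is not bit-for-bit equal to a local build even when the code is identical. The sketch assumes a zip-based package (as an APK is) with JAR-style signing files under `META-INF/`; the helper names and the sample archives are constructed for illustration.

```python
import hashlib
import io
import zipfile

# JAR-style signing files are added by the distributor, so they differ
# between a store copy and a local build of the same source.
SIGNING_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "/MANIFEST.MF")

def is_signing_entry(name):
    return name.startswith("META-INF/") and name.upper().endswith(SIGNING_SUFFIXES)

def entry_digests(archive_bytes):
    """Map each non-signing entry name to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signing_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_builds(distributed, local):
    """Report every difference; three empty lists mean the builds match."""
    a, b = entry_digests(distributed), entry_digests(local)
    return {
        "only_in_distributed": sorted(a.keys() - b.keys()),
        "only_in_local": sorted(b.keys() - a.keys()),
        "content_differs": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }

def builds_match(distributed, local):
    return not any(compare_builds(distributed, local).values())

def make_archive(files):
    """Build a small zip in memory (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples: a local build, the same code with a store signature,
# and a signed copy whose code was changed.
LOCAL = make_archive({"classes.dex": b"code-v1", "res/layout.xml": b"<ui/>"})
STORE = make_archive({"classes.dex": b"code-v1", "res/layout.xml": b"<ui/>",
                      "META-INF/CERT.RSA": b"store-signature"})
TAMPERED = make_archive({"classes.dex": b"code-v1+extra", "res/layout.xml": b"<ui/>",
                         "META-INF/CERT.RSA": b"store-signature"})

if __name__ == "__main__":
    print("raw bytes equal:", STORE == LOCAL)
    print("store vs local:", compare_builds(STORE, LOCAL))
    print("tampered vs local:", compare_builds(TAMPERED, LOCAL))
```

Only the named signing files are skipped; any other entry under `META-INF/` is still compared, so extra content placed there is reported as a difference.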
