zlacker

[return to "Signal app downloads spike as US protesters seek message encryption"]
1. aeroph+Z4[view] [source] 2020-06-05 02:52:17
>>pera+(OP)
Honest question for those in the know: If I wanted to run my own personal “analysis” to verify the security of Signal, where would I start? Is it even possible? Just curious if there was a way to “know” rather than “trust”.
◧◩
2. raspyb+d5[view] [source] 2020-06-05 02:53:44
>>aeroph+Z4
Learn cryptography to a high level then read the source code?
◧◩◪
3. drdrey+J5[view] [source] 2020-06-05 02:58:51
>>raspyb+d5
How do you know that the binary you run actually corresponds to the source code you read?

EDIT: and would you then also review every commit to make sure nothing bad gets introduced? No, at some point you have to place trust in the vendor, the developers, independent audits, etc.

◧◩◪◨
4. ciaran+f6[view] [source] 2020-06-05 03:02:45
>>drdrey+J5
You can build the source locally, then compare the MD5 hash value of your build to (1) the hash value they post publicly for their build and (2) the actual hash value of their build once you download it.

Assuming all three match, you know that the binary matches the source.

Someone who is more technically inclined can probably go into more detail on this.

◧◩◪◨⬒
5. bawolf+ud[view] [source] 2020-06-05 04:28:52
>>ciaran+f6
MD5 is not safe for this use case. Assuming the provider is malicious, this is exactly the scenario where MD5 is broken (i.e. it is possible to make source code that compiles a certain way so that you can make another binary that has the same hash but is different. The bright side is the attack would have evidence as there would be certain patterns in the binary that could be detected if you knew how/where to look. That said, just use sha256)
[go to top]