What advantage does Signal protocol have over basic public key encryption?

Punk-BatSoup-Stasi 2.0 punks at tfwno.gf
Sun Jan 31 16:59:45 PST 2021 

On Sun, 31 Jan 2021 16:28:59 -0800
David Barrett <dbarrett at expensify.com> wrote:

> Thanks for all the great comments!  Combining the responses:
> 
> I asssume when talking about design proposals, for secure comms, that
> > always Android and iOS devices are used. Are people aware when using such
> > devices, about zero-click exploits, from Pegasus (NSO Group, or
> > FinFisher/FinSpy? I sold my smartphone exactly for that reason and switched
> > to a dumb phone
> 
> 
> Yes, I talk about this a bit here:
> https://gist.github.com/quinthar/44e1c4f63f84556a9822ebf274dc510a#the-feds,
> but...
> 
> 
> exactly right. And the open source OS should be running on non-compromised
> > hardware. Oh, wait.
> 
> 
> That.  In the real world, we can't all hand build and personally operate
> our own billion dollar fab to ensure atomic-level security of our entire
> vertical supply chain.  And even if you could... who's to say the Feds
> don't sneak in and swap your device with a perfect duplicate when you
> aren't looking?  Ultimately if you are trying to protect yourself from the
> combined might of, oh, 8 billion other people, 


	How is 'the feds' equivalent to 'the combined might of, oh, 8 billion other people'?

	You seem to have misuderstood my remark. I wasn't saying that you shouldn't focus on open source OSes AND more important, audited hardware. 

	My whole point is that UNLESS you have audited hardware, then all your software is worthless. A point that should be pretty much self-evident on a list like this. 


> you're going to have a tough
> time of it.  I'm not building for that use case (nor is anyone else). 


	So you're not doing anything useful. As to your comment about 'anyone else', it's factually wrong. 

> I'm
> building for the billions of people who aren't trying to protect themselves
> from the Feds, 


	the US 'feds' and their accomplices in other 'jurisdictions' are the only threat that people should really care about. Again, this fact should be obvious on this mailing list. 


> but from other more common (even if more mundane) privacy  threats.

	such as? 

> 
> 
> https://www.nitrokey.com/news/2020/nitropad-secure-laptop-unique-tamper-detection
> 
> 
> How do you know they aren't an NSA front?  Ultimately, you can't.  


	OK, so how do we know you're not an NSA agent? 


> At some  point you've got no choice but to trust someone.

	....

> 
> 
> It would make sense to contribute or work with a project like Signal rather
> > than making a new messenger
> 
> 
> Well my job is to secure the privacy of Expensify's millions of users, 


	what the hell is your  site anyway? The name sounds like a joke, and it's a blank page unless people run your javashit malware.

More information about the cypherpunks mailing list