Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://fosstodon.org/users/link2xt/statuses/114225558237845382">l (link2xt@fosstodon.org)'s status on Wednesday, 26-Mar-2025 08:24:16 JST</a><a href="https://fosstodon.org/@link2xt" title="link2xt@fosstodon.org"><img src="https://gnusocial.jp/avatar/240605-48-20240206014942.webp" width="48" height="48" alt="l" style="position: absolute; left: 0; top: 0;">l</a><div><a href="https://mastodon.world/@signalapp/114225510349311465" rel="in-reply-to">in reply to</a><ul><li></ul></div></section><article><p><a href="https://mastodon.world/@signalapp">@signalapp</a> Why Signal does not publish those formal audit reports? </p><p>Wiki page <a href="https://community.signalusers.org/t/overview-of-third-party-security-audits/13243" rel="nofollow noreferrer">https://community.signalusers.org/t/overview-of-third-party-security-audits/13243</a> only contains research papers. There was a TextSecure audit <a href="https://www.fox-it.com/be/research-blog/working-with-the-open-technology-fund/" rel="nofollow noreferrer">https://www.fox-it.com/be/research-blog/working-with-the-open-technology-fund/</a> and some evidence that in 2018 Signal paid Doyensec LLC., but no audit reports published.</p><p>For comparison, WhatsApp publishes its security audit reports and Wire published some (but not all): <a href="https://codeberg.org/kuketzblog/www.messenger-matrix.de/issues/40" rel="nofollow noreferrer">https://codeberg.org/kuketzblog/www.messenger-matrix.de/issues/40</a><br>Briar, Threema, Delta Chat, Session, SimpleX Chat all published at least some audit reports.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4792902#notice-9388907">In conversation</a><time datetime="2025-03-26T08:24:16+09:00" title="Wednesday, 26-Mar-2025 08:24:16 JST">about a month ago</time> <span>from <span><a href="https://fosstodon.org/@link2xt/114225558237845382" rel="external" title="Sent from fosstodon.org via ActivityPub">fosstodon.org</a></span></span><a href="https://fosstodon.org/@link2xt/114225558237845382">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: community.signalusers.org</div><h5><a href="https://community.signalusers.org/t/overview-of-third-party-security-audits/13243">Overview of third-party security audits</a></h5><div></div></header><div>Let’s collect past security audits here:  Formal audits     Year Auditor(s) Sponsor App/Component Published Link Last update / extended     2013 iSEC Partners (NCC Group) Open Technology Fund RedPhone and TextSecure ❌ Blog post    2014 Frosch et al. German Ministry of Research and Education TextSecure Protocol ✅ PDF    2016 Schröder et al. Internet Society Key fingerprint verification ✅ PDF    2016 Cohn-Gordon et al. Various research grants Signal Protocol ...</div><footer></footer></article></li><li><article><header><div>No result found on File_thumbnail lookup.</div><h5><a href="https://www.fox-it.com/be/research-blog/working-with-the-open-technology-fund/">https://www.fox-it.com/be/research-blog/working-with-the-open-technology-fund/</a></h5><div></div></header><div></div><footer></footer></article></li><li><article><header><div>Domain not in remote thumbnail source whitelist: codeberg.org</div><h5><a href="https://codeberg.org/kuketzblog/www.messenger-matrix.de/issues/40">"Last security audit" row, definition of "security audit"</a></h5><div> from <span>kuketzblog</span></div></header><div>Briar has a security audit from 2024: https://www.opentech.fund/security-safety-audits/briar-security-audit/
Audit report is at https://www.opentech.fund/wp-content/uploads/2024/06/report_briar-android.pdf
Currently linked ETHZ Applied Cryptography group analysis is not an audit: https://briarpro...</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
l (link2xt@fosstodon.org)'s status on Wednesday, 26-Mar-2025 08:24:16 JSTl
in reply to
- Signal
@signalapp Why Signal does not publish those formal audit reports?
Wiki page https://community.signalusers.org/t/overview-of-third-party-security-audits/13243 only contains research papers. There was a TextSecure audit https://www.fox-it.com/be/research-blog/working-with-the-open-technology-fund/ and some evidence that in 2018 Signal paid Doyensec LLC., but no audit reports published.
For comparison, WhatsApp publishes its security audit reports and Wire published some (but not all): https://codeberg.org/kuketzblog/www.messenger-matrix.de/issues/40
Briar, Threema, Delta Chat, Session, SimpleX Chat all published at least some audit reports.
In conversationabout a month ago from fosstodon.orgpermalink
Attachments
1. Domain not in remote thumbnail source whitelist: community.signalusers.org
  Overview of third-party security audits
  Let’s collect past security audits here: Formal audits Year Auditor(s) Sponsor App/Component Published Link Last update / extended 2013 iSEC Partners (NCC Group) Open Technology Fund RedPhone and TextSecure ❌ Blog post 2014 Frosch et al. German Ministry of Research and Education TextSecure Protocol ✅ PDF 2016 Schröder et al. Internet Society Key fingerprint verification ✅ PDF 2016 Cohn-Gordon et al. Various research grants Signal Protocol ...
2. No result found on File_thumbnail lookup.
  https://www.fox-it.com/be/research-blog/working-with-the-open-technology-fund/
3. Domain not in remote thumbnail source whitelist: codeberg.org
  "Last security audit" row, definition of "security audit"
  from kuketzblog
  Briar has a security audit from 2024: https://www.opentech.fund/security-safety-audits/briar-security-audit/ Audit report is at https://www.opentech.fund/wp-content/uploads/2024/06/report_briar-android.pdf Currently linked ETHZ Applied Cryptography group analysis is not an audit: https://briarpro...

Public

Embed Notice

HTML Code

Corresponding Notice