This is a great example of what I'm talking about. Are you also commenting how you can't see the source of your phone's baseband, Google's services, your ISP's router firmware, WhatsApp's servers, Facebook's services, etc?
Because Signal's client is open source it's considered a unique-to-Signal downside that we don't have access to the server's source. I feel like some people would bring up the server source issue if someone was asking if it would be a good idea to migrate off of Facebook Messenger.
Well, Signal has put itself as a high privacy option: we are open, check out our code. Well, we can check the client code but we don't know what you are running on the server.
FB, Google etc never claimed to be open source with their infrastructure.
So if WhatsApp can't be trusted as to what happens on the server, right now neither can Signal.
Can Signal show that what they are running on the server is the same as what's on GitHub? Are we just trusting them because we have been trusting them all along?
You don't need to trust the server with E2E encryption. If you can review and trust the client, the server only has access to the information that the client sends.
Even if they release up-to-date server code, we have no way to confirm that's the code that's running on their servers. People would then complain that they don't have shell access to the servers to ensure the code is what is expected.
Actually there's a way to check the code running on their servers. At least Signal claimed that:
Modern Intel chips support a feature called Software Guard Extensions (SGX). SGX allows applications to provision a “secure enclave” that is isolated from the host operating system and kernel, similar to technologies like ARM’s TrustZone. SGX enclaves also support a feature called remote attestation. Remote attestation provides a cryptographic guarantee of the code that is running in a remote enclave over a network.
Well, one way you could confirm is to run your own instance of the server and run the client against it, and the client works as if you are going against Moxie's server.
Right now if you run the published server code and point the client at it, certain features don't work. Doesn't that sound a little concerning?
If you look at the changes, there haven't been any updates since April 2020. Seems odd for it to have no changes in close to a year, esp. after what we know happened last weekend (when we know feature flags were added).
The forum has posts of people who can't even run their own instance of Signal.
So why aren't they sharing what is happening server side?