this post was submitted on 21 Sep 2021
38 points (72.1% liked)
Asklemmy
43831 readers
967 users here now
A loosely moderated place to ask open-ended questions
If your post meets the following criteria, it's welcome here!
- Open-ended question
- Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
- Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
- Not ad nauseam inducing: please make sure it is a question that would be new to most members
- An actual topic of discussion
Looking for support?
Looking for a community?
- Lemmyverse: community search
- sub.rehab: maps old subreddits to fediverse options, marks official as such
- !lemmy411@lemmy.ca: a community for finding communities
~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Don't use Briar.
Briar [0] gets funded by the OTF [1]. If you're unfamiliar with the OTF, they're publicly listed as a subsidiary of Radio Free Asia, a US state-run organization whose main goal (along with the other “Radio Free” incarnations such as Radio Free Europe, or Free Cuba Radio) is regime change for those Asian governments who don’t align with the US’s foreign policy interests.
The Radio Free agencies underwent a public re-branding in the early 1990s, but they are in effect the same CIA misinformation organizations from the 1950s:
What Allen Weinstein, one of the founders of the National Endowment for Democracy (NED), another US “human rights” regime change org said of his organization applies equally to the Open Technology fund: “A lot of what we do today was done covertly 25 years ago by the CIA.”
The fund is designated to: “support open technologies and communities that increase free expression, circumvent censorship, and obstruct repressive surveillance as a way to promote human rights and open societies.”
One should question the commitment of a fund that dedicates itself to “obstructing surveillance”, while being created by a government who runs the most expansive surveillance system in world history. And how the US might define the terms “human rights”, and “open society” differently from those who know the US’s history in those areas.
[0] https://briarproject.org/
[1] https://www.opentech.fund/results/supported-projects/briar/
[2] https://dessalines.github.io/essays/why_not_signal.html#cia-funding
/s
Just a light jab, no harm intended.
All kidding aside, Briar is a great option, but so is Signal.
Signal enforces E2EE, is open source, has reproducible[3] builds (you can trust the app is what's in public code), and best of all, because it is the gold standard of modern secure messaging apps, is under the scrutiny of many security experts. Finally, Signal has undergone various security audits [4] which they make public.
The reality of the situation is that if you're a person of significant interest, someone with enough power can theoretically compromise you. The only way around it is to go completely open source hardware AND software, read every line of code, understand it, and compile everything yourself.
I will say, while I'm a Staunch supporter of Signal, Briar is what I'm keeping my eyes on for the future. It still needs to reach feature parity with most modern apps, and make it stupid easy to connect with people who are already in your contacts (I'm not going to ask my grandma to install Briar), but the tech behind it is pretty great [5] and only getting better.
[3] Only for Android.
[4] https://community.signalusers.org/t/wiki-overview-of-third-party-security-audits/13243
[5] https://briarproject.org/how-it-works/
Yes, we should absolutely put extra scrutiny on radio free asia funded projects. But is briar a single, centralized US hosted service? Does it require you, like signal, to give it info that links to your real identity? Did it close its server source code off for a year? Is it possible to download it from f-droid so you can verify its builds are secure? Does it depend on google or amazon?
No. But Briar runs over the Tor network, another project funded by the OTF [0]. Side note, the Tor Project has received $3 million USD from the OTF/CIA, can you trust it when a researcher was able to identify Tor users 100% of the time in a lab experiment and 81% of the time in real-world tests [1][2]?
Signal never touted anonymity, only privacy. You need to understand your threat model to make an informed decision. Also, if a single researcher was able to de-anonymize Tor users 80% of the time in real life, what chance do you have with a more powerful nation-state, unlimited funds, and ownership of various exit nodes?
"Never attribute to malice that which is adequately explained by stupidity" - in this case, we can replace stupidity with a million things that have nothing to do with compromising your privacy, the client is still completely E2EE, open source and has reproducible builds.
You can download the app directly from Signal [3] or even build it yourself [4] to verify the build in the play store matches the code on github
If you're using an Android phone, you're likely already depending on Google, although you can still run it on a de-google'd phone. I'm using Signal on a Pixel with stock Android and a OnePlus without any ties to Google using LineageOS, it works great on both phones! It does run on Amazon infrastructure, but again, we've seen Tor is not guaranteeing anyone anonymity anyways.
How is this a negative? Some people want this and if you don't want it, don't use it.
The server is basically plumbing/a router. The bulk of the Signal "magic" happens in the E2EE app. Can you verify that your Briar messages aren't hopping through government run Tor bridges/relays/exit nodes?
[0] https://www.opentech.fund/results/supported-projects/tor-project/
[1] https://www.vice.com/en/article/4x3qnj/how-the-nsa-or-anyone-else-can-crack-tors-anonymity
[2] PDF warning: https://mice.cs.columbia.edu/getTechreport.php?techreportID=1545&format=pdf
[3] https://signal.org/android/apk/
[4] https://signal.org/blog/reproducible-android/
EDIT: I do want to add - I'm 100% pro-Briar. It's really easy to attempt to discredit something if you don't understand a threat model, link legit sources, and speak to real flaws, nothing is 100% secure. That said, in today's climate, message privacy is something that Signal can provide with very few compromises in usability.
I'll say it again, I want Briar to succeed and everything I've posted above is just a "devil's advocate" stance to point out that Signal is, today, just as good if not better than most options out there.
I know that you are doing this conspiracy thinking on purpose to confront Dessalines about their bias, but while this is not obvious to everyone:
While it is true what you say, it is beyond meaning for the most usage of Briar. The researchers result depended on a honeypot that served a large file. Don't have contacts that act as honeypot and you're safe. When chatting with strangers, the technique discovered by that researcher might not be relevant to Briar, but I have not enough knowledge to make a claim about that.