Comment by 1vuio0pswjnm7 5 days ago

If the Signal Messaging LLC is compromised, then "updates", e.g., spyware, can be remotely installed on every Signal user's computer, assuming every Signal user allows "automatic updates". I don't think Signal has a setting to turn off updates.

Not only does one have to worry about other Signal users being compromised, one also has to worry about a third party being compromised: the Signal Messaging LLC.

heavyset_go 5 days ago

Signal Messaging LLC is US-based and needs to follow CALEA[1] by law.

[1] https://en.wikipedia.org/wiki/Communications_Assistance_for_...

  • krunck 4 days ago

    But does it? In what way?

    • heavyset_go 3 days ago

      They aren't allowed to tell you by law, and courts work with prosecution to keep implementation details away from the public, and investigators will engage in parallel construction to obfuscate the sources of evidence. That's just on the normal law enforcement side.

      Once you get into the national security side, the secrecy is even higher.

1vuio0pswjnm7 4 days ago

"Carrying this speculation a step further, it is possible that the available tools have been compromised either in individual instances or en masse. Even where security products are open-source, adequate security evaluations are difficult to conduct initially and difficult to maintain as the products evolve. Typical users upgrade their software when upgrades or packages are offered, without even thinking of the possibility that they may have been targeted for a Trojan horse."

Whitfield Diffie and Susan Landau, Privacy on the Line: The Politics of Wiretapping and Encryption (MIT Press: Cambridge, 2007), 372

Italics are mine