Rufo’s article went viral, and was shared by Twitter founder Jack Dorsey, and Ethereum inventor Vitalik Buterin, and Elon Musk commented, “Yup, concerning.” Musk then claimed without evidence that “there are known vulnerabilities with Signal that are not being addressed. Seems odd…” Musk’s tweet was refuted by X’s own Community Notes.
Most importantly, Telegram’s Durov used Rufo’s blog post and the conservative energy behind it to promote Telegram as an alternative and made sweeping claims about the security of Signal without having anything to back it up: “A story shared by Jack Dorsey, the founder of Twitter, uncovered that the current leaders of Signal, an allegedly ‘secure’ messaging app, are activists used by the US state department for regime change abroad,” Durov wrote on his own Telegram channel. “An alarming number of important people I’ve spoken to remarked that their ‘private’ Signal messages had been exploited against them in US courts or media ... for the past ten years, Telegram Secret Chats have remained the only popular method of communication that is verifiably private.”
One of the greatest things in the world, imo, is how these idiots promoted an insecure platform for shitheads to think they're conspiring in private.
In fact, the folks running Signal — notably Moxie Marlinspike and Meredith Whittaker — have a long history of effective security & privacy activism. Whittaker was one of the organizers of the Google Walkouts, one of the more effective pieces of tech worker activism in recent history. And Moxie has bumped heads with the US intelligence community more than once, and famously with the Saudis too.
Signal's hostility to 3rd party clients, and their refusal to publish on F-Droid is a massive red flag. I will not be using until they start following common sense.
Why will they not use F-Droid?
They won't directly support it because in their view the Google Play process is a more secure way of verifying they supplied the binaries than is possible of f-droid. If reproducible builds were possible maybe there could be some mechanism to verify a given binary is built from a given commit of the source tree.
Doesn't Google play store also modify and build the binary themselves to "generate and deliver APKs that are optimized for each device configuration, providing users with more efficient apps"?
https://support.google.com/googleplay/android-developer/answer/9859152#apk