On its 10th anniversary, Signal’s president wants to remind you that the world’s most secure communications platform is a nonprofit. It’s free. It doesn’t track you or serve you ads. It pays its engineers very well. And it’s a go-to app for hundreds of millions of people.
That’s no different from security through obscurity. If your system can’t support 3rd party clients properly, it is inherently insecure, especially in an e2ee context where you supposedly don’t have to trust the server. If a system claims to be e2ee, but tightly controls both clients and servers, that means they can rug-pull that e2ee at any point in time and even selectively target people with custom updates to break that e2ee. The only way to realistically protect yourself from that is using a 3rd party client (yes, I know, theoretically also reviewing every code change and using reproducible builds, but that’s not very realistic).
Now admittedly, Signal has started to be less hostile to 3rd party clients like Molly, so it’s not as bad anymore as it used to be.