mSzyfr was touted by the government as “the first secure instant messenger fully under Polish jurisdiction.”
It does, however, rely on multi-factor authentication (MFA) provided by US megacorps. Microsoft is the recommended option…
Why?
users [can] retain access to messages even after logging out of the platform
This sounds great. Nothing bad could happen here. I’m sure the people developing this are competent.
An FAQ document for mSzyfr states that the messenger is built with a privacy-by-design philosophy, and explicitly notes that neither WhatsApp nor Signal fits this description.
Extremely competent, saying Signal is not private by design.
users [can] retain access to messages even after logging out of the platform
This sounds great. Nothing bad could happen here. I’m sure the people developing this are competent.
the article says:
Further, if users want to retain access to messages even after logging out of the platform, they must set up a recovery key, which the installation manual suggests storing in a password manager.
this is a standard Matrix thing. if you log out of Matrix and don’t do that, you’re greeted with “Unable to decrypt message” after the next login. this is because it’s an on-prem Matrix instance (or instances) with mandatory 2FA (FreeOTP is an option) and a registration process tying Matrix identity to national ID, and it’s intended only for public administration internal use. you can’t just walk up and register, you have to work there, and as their threat model is about phishing, this does make sense
Extremely competent, saying Signal is not private by design.
While very disingenuous, it’s not technically incorrect.
Signal is secure by design, and is extremely good at that with a very well designed and vetted cryptographic protocol.
But privacy isn’t one of their primary goals, nor should it be if it comes at the cost of security; for example, for the longest time you needed to share your phone number with everyone you wanted to talk to, and everyone in every group chat you are a part of could see it.
Really?! Based on their website, I’d say privacy is their primary goal, and personally I’d say they’ve done a great job at it