Is Signal instant messaging “compromised,” as Elon Musk claims?

Mini controversy in the encryption world. Elon Musk claimed that the messaging app Signalknown for its privacy protection tools, had “loopholes” that made it dangerous.

Is Signal less secure than the application claims? In any case, this is what Elon Musk seems to think, who published a message on his social networkknown flaws» and never corrected. Enough to cast doubt on the integrity of the well-known application, especially since the billionaire’s message followed the publication of an article half-heartedly accusing the Signal foundation (which publishes the software) of collaborating with the services of the American state.

A few days later, it was Pavel Durov, the CEO of the competing application Telegram, who allowed himself to question the security of Signal. In a message published on his application, the manager explains that the technical choices made by the structure behind Signal do not ensure the real confidentiality of messages exchanged on the platform. But then, what is it really?

Elon Musk contradicted by the community

Signal, in addition to being an instant messaging application, is also an encryption protocol in its own right. Open source, it is used in many other software, including WhatsApp and Skype. Due to its open nature, the algorithm has been audited by a number of encryption specialists who, according to an audit carried out in January 2024, did not find the famous “flaws» mentioned by Elon Musk. Signal’s security has long been praised by big names in digital technology like Edward Snowden… and Elon Musk in 2021. The European Commission has also adopted Signal to protect its communications since 2020.

These facts were also recalled by Meredith Whittaker, CEO of Signal who, in a long message in response to Muskexplains that “uA large community of cybersecurity researchers carefully reviews each update and combs through each of our files» to ensure that no piece of malicious code has slipped in. This context was also recalled in Elon Musk’s message via the famous “Community Notes”.

“Reproducible compilations”, shaky evidence

The doubts expressed by the CEO of Telegram are of another nature and more precise: he tackles the question of “reproducible compilations” of Signal. An important security principle, this concept poses the idea that by compiling the code of an open source application oneself one should obtain exactly the same cryptographic signature as that published by the publisher itself. A way to ensure that no piece of code has been injected when putting the application online.

Pavel Durov therefore explains that, unlike Telegram, Signal does not allow you to make reproducible compilations on its iOS app. Proof that Signal has something to hide. The reality, however, is more complicated than that. Due to the way Apple publishes its apps to its AppStore (each going through an encryption process), it is impossible to compare the signatures of a downloaded app and a locally compiled app. On Android, Signal passes the test of reproducible compilations without problem, however.

This is not the first time that Signal has come under fire for alleged design or security flaws in its service. Last December, it was the French government itself which cast doubt on this subject by promoting its Olvid application. But so far, no evidence of any security defect in Signal has ever been provided.

Source : Elon Musk – X