Fred Posner (blog)

Signal Vulnerability? Do Better News Media


The news today is full of discussion of Signal, mostly because of an idiotic use by the Federal Government. This post isn’t about the usage by senior-level feds… for that, please see the direct source.

This post is about news outlets reporting that the Signal App had vulnerabilities making its usage insecure. This is not true.

Now, using Signal on a cell phone to discuss national security is not smart. It’s not secure for many reasons (none of which are the Signal app itself). The federal government, in hopes of protecting “secrets”, has specific methods and tools for communication.

These methods/tools take into account all of the ways a person’s access can be compromised, including phishing, hacking a device, interception of data, etc.

The news reporting refers to a bulletin released by the NSA warning of these types of vulnerabilities, which is different than a vulnerability in Signal itself.

Signal had a good summary posted on Bluesky:

Right now there are a lot of new eyes on Signal, and not all of them are familiar with secure messaging and its nuances. Which means there's misinfo flying around that might drive people away from Signal and private communications.

One piece of misinfo we need to address is the claim that there are ‘vulnerabilities’ in Signal. This isn't accurate. Reporting on a Pentagon advisory memo appears to be at the heart of the misunderstanding: https://npr.org/2025/03/25/nx-s1-5339801/pentagon-email-signal-vulnerability

The memo used the term ‘vulnerability’ in relation to Signal—but it had nothing to do with Signal's core tech. It was warning against phishing scams targeting Signal users.

Phishing isn't new, and it's not a flaw in our encryption or any of Signal's underlying technology. Phishing attacks are a constant threat for popular apps and websites.

In order to help protect people from falling victim to sophisticated phishing attacks, Signal introduced new user flows and in-app warnings. This work has been completed for some time and is unrelated to any current events.

If you're interested in learning more, this WIRED article from February 19th (over a month ago) goes into more detail: https://www.wired.com/story/russia-signal-qr-code-phishing-attack/

Signal is open source so our code is regularly scrutinized in addition to regular formal audits. We constantly monitor security@signal.org for any new reports & act on them quickly while working to protect the people who rely on us from outside threats like phishing with warnings and safeguards.

This is why Signal remains the gold standard for private, secure communications.

Signal is great for end-to-end encrypted communication

This said, if you choose to be in a group chat and not verify the people you’re talking to, well, that’s not Signal’s fault.

Personally, I prefer Matrix.

I use the Element client. Yeni prefers Fluffy Chat. To each their own.

There are many reasons why I prefer Matrix (including it being federated), but let’s save that for another post.

When I talk to people on Matrix, I know that my communication is secure and I am able to see if I have verified the other end. Element does this with nice color-coded shields. A green shield, for example, means that I have personally verified that account as legit.

Whether you use Signal or Matrix, you can feel comfortable in your communication being private. The problem in today’s news isn’t the app or the tech… it’s the reckless disregard of common sense in how the idiots in the chat chose to communicate.

Don’t think they were reckless? Well, the fact they added a reporter to the chat and not a single person questioned it is proof enough.

To close, let me share a simple summary as only The Onion could create:

Teen warned not to accept group chat invites from national security advisors she does not know