this post was submitted on 18 May 2026
141 points (98.6% liked)

Technology

top 48 comments
[–] gravitas_deficiency@sh.itjust.works 77 points 3 days ago (2 children)
[–] tourist@lemmy.world 19 points 3 days ago

headlines in a few days:

security researchers discover 'radioactive' vulnerability in Polish government messaging app

[–] Akh@lemmy.world 2 points 3 days ago

So odd, I don't trust corporations now and don't trust governments

[–] Naich@piefed.world 47 points 3 days ago (2 children)

Not as stupid as the headline makes it sound. Signal is used in phishing attacks, whereas the home grown one is restricted to authorised users, making it more difficult.

[–] actionjbone@sh.itjust.works 27 points 3 days ago (1 children)

Narrator: until someone else gains access

[–] Naich@piefed.world 13 points 3 days ago

Yeah, I was careful to say "more difficult". This stops casual phishing.

[–] nymnympseudonym@piefed.social 8 points 3 days ago

Someone doesn't understand the first rule of How Not To Be Seen

Using an app that nobody else uses provides no entropy in which to get lost

https://youtube.com/watch?v=C-M2hs3sXGo

[–] HulkSmashBurgers@reddthat.com 25 points 3 days ago (1 children)

Signal is great if you want some privacy chatting with friends and family.

More sensitive stuff dealing with state secrets? Probably not the best option.

[–] CaptainSpaceman@lemmy.world 17 points 3 days ago (3 children)

I'm sure some homebrewed app is more secure lol

[–] aesthelete@lemmy.world 8 points 3 days ago* (last edited 3 days ago)

Yeah because the Polish government cannot possibly create a secure messaging app of their own.

You know before cryptography was a software feature it was a crucial part of statecraft. IMO there is nothing wrong with states building their own secure communication software. It has more precedent than "download a US app" does.

[–] UnfortunateShort@lemmy.world 18 points 3 days ago

The main problem is control, I guess. On Signal, someone can ask for a code or passwords to log into your account or get your data. If you have your own solution, you can have physical security keys to verify yourself, making it impossible to give anything to anyone via the internet. You can also monitor logins and make logins on new, unauthorized devices impossible.

Encrypting stuff is not really the hard part of keeping oblivious users safe. As far as that goes, they will be fine if they have people who know what they are doing use established, well audited implementations.

[–] bier@lemmy.blahaj.zone 2 points 3 days ago

IDK about Poland but in Germany I know they just forked Matrix and basically did a reskin of it afaik

[–] XLE@piefed.social 27 points 3 days ago (2 children)

mSzyfr was touted by the government as "the first secure instant messenger fully under Polish jurisdiction."

It does, however, rely on multi-factor authentication (MFA) provided by US megacorps. Microsoft is the recommended option...

Why?

users [can] retain access to messages even after logging out of the platform

This sounds great. Nothing bad could happen here. I'm sure the people developing this are competent.

An FAQ document for mSzyfr states that the messenger is built with a privacy-by-design philosophy, and explicitly notes that neither WhatsApp nor Signal fits this description.

Extremely competent, saying Signal is not private by design.

[–] fullsquare@awful.systems 4 points 3 days ago* (last edited 3 days ago)
users [can] retain access to messages even after logging out of the platform

This sounds great. Nothing bad could happen here. I’m sure the people developing this are competent.

the article says:

Further, if users want to retain access to messages even after logging out of the platform, they must set up a recovery key, which the installation manual suggests storing in a password manager.

This is a standard Matrix thing. If you log out of Matrix and don't do that, you're greeted with "Unable to decrypt message" after the next login. This is because it's an on-prem Matrix instance (or instances) with mandatory 2FA (FreeOTP is an option) and a registration process tying the Matrix identity to a national ID, and it's intended only for public administration internal use. You can't just walk up and register, you have to work there, and as their threat model is about phishing, this does make sense.

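The recovery key fullsquare mentions is a specific, documented Matrix mechanism, not something peculiar to this deployment: the secret-storage recovery key is a 32-byte symmetric key that the client displays by prepending the two header bytes 0x8B 0x01, appending a parity byte (the XOR of everything before it), base58-encoding the result and grouping it in fours. Lose that string and the server-side key backup is unreadable, which is exactly the "Unable to decrypt" outcome described above. The following is an added example written for this page, not code from mSzyfr, Element or the Matrix project; the sample key bytes are constructed, and the 48-character length assertion follows from 35 input bytes with a non-zero leading byte.

```python
"""Encode, decode and check a Matrix secret-storage recovery key.

Format (Matrix spec, "Recovery key"): 0x8B 0x01 || 32-byte key || parity,
where parity is the XOR of all preceding bytes. The 35 bytes are base58
encoded and shown as groups of four characters. Added example; the key
bytes used at the bottom are constructed, not taken from any real account.
"""

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
RECOVERY_KEY_PREFIX = b"\x8b\x01"
KEY_LEN = 32


def b58encode(data: bytes) -> str:
    """Bitcoin-style base58; leading zero bytes become leading '1's."""
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(BASE58_ALPHABET[rem])
    leading = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading + "".join(reversed(digits))


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; rejects characters outside the alphabet."""
    n = 0
    for ch in text:
        idx = BASE58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    leading = len(text) - len(text.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * leading + body


def parity_byte(data: bytes) -> int:
    """XOR of all bytes; a correct recovery key XORs to zero over all 35 bytes."""
    p = 0
    for b in data:
        p ^= b
    return p


def encode_recovery_key(key: bytes) -> str:
    """Produce the human-readable form a Matrix client shows the user."""
    if len(key) != KEY_LEN:
        raise ValueError("recovery key must be 32 bytes")
    raw = RECOVERY_KEY_PREFIX + key
    raw += bytes([parity_byte(raw)])
    encoded = b58encode(raw)
    return " ".join(encoded[i:i + 4] for i in range(0, len(encoded), 4))


def decode_recovery_key(text: str) -> bytes:
    """Return the 32-byte key, or raise ValueError on any defect."""
    raw = b58decode("".join(text.split()))      # whitespace grouping is cosmetic
    if len(raw) != 2 + KEY_LEN + 1:
        raise ValueError("wrong length")
    if raw[:2] != RECOVERY_KEY_PREFIX:
        raise ValueError("bad prefix: not a recovery key")
    if parity_byte(raw) != 0:                   # parity byte must cancel the rest
        raise ValueError("checksum mismatch: typo or tampered key")
    return raw[2:2 + KEY_LEN]


def is_valid_recovery_key(text: str) -> bool:
    """True only if the string decodes to a well-formed key with a good checksum."""
    try:
        decode_recovery_key(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(KEY_LEN)          # constructed sample key
    shown = encode_recovery_key(key)
    print(shown)                                # 12 groups of 4 characters
    assert decode_recovery_key(shown) == key
```

The parity byte catches the typical transcription error (one wrong character) but is not a cryptographic integrity check; the security of the backup rests entirely on the 32 key bytes staying secret, which is why the manual quoted above points users at a password manager rather than a sticky note.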
[–] HailHydra@infosec.pub 7 points 3 days ago* (last edited 3 days ago) (1 children)

Extremely competent, saying Signal is not private by design.

While very disingenuous, it's not technically incorrect.

Signal is secure by design, and is extremely good at that with a very well designed and vetted cryptographic protocol.

But privacy isn't one of their primary goals, nor should it if it comes at the cost of security; for example, for the longest time you needed to share your phone number with everyone you wanted to talk to, and everyone in every group chat you are a part of could see it.

[–] XLE@piefed.social 2 points 3 days ago

Really?! Based on their website, I'd say privacy is their primary goal, and personally I'd say they've done a great job at it

[–] vane@lemmy.world 4 points 2 days ago

dig mx komunikator.narodowy.gov.pl
komunikator.narodowy.gov.pl. 3600 IN	MX	0 komunikator-narodowy-gov-pl.mail.protection.outlook.com.
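
What vane's lookup shows is that mail for the messenger's domain is routed through Microsoft's Exchange Online Protection, the same kind of third-party dependency XLE raised about MFA. The script below is an added example for this page (not anything published by the project): it parses dig-style answer lines and lists every operator outside the zone that mail delivery or SPF authorisation is delegated to. The observed MX line is the one quoted above; the second zone, its records, and the suffix-to-operator table are constructed assumptions for illustration.

```python
"""List third-party dependencies visible in a zone's DNS answers.

Added example. Parses lines in dig's answer-section format
("owner TTL IN TYPE rdata") and reports MX targets, SPF include/redirect
domains and NS/CNAME targets that fall outside the zone itself.
"""
import re
from dataclasses import dataclass

# Assumption: a small illustrative suffix -> operator table. Extend for real reviews.
KNOWN_OPERATORS = {
    "protection.outlook.com": "Microsoft 365 (Exchange Online Protection)",
    "outlook.com": "Microsoft",
    "google.com": "Google",
    "googlemail.com": "Google",
}

# Observed in the thread (dig mx komunikator.narodowy.gov.pl):
OBSERVED_ANSWERS = [
    "komunikator.narodowy.gov.pl. 3600 IN\tMX\t0 komunikator-narodowy-gov-pl.mail.protection.outlook.com.",
]

# Constructed sample zone, not a real domain: in-house MX and NS, external SPF include.
CONSTRUCTED_ANSWERS = [
    "example-urzad.gov.pl. 3600 IN MX 10 mx1.example-urzad.gov.pl.",
    "example-urzad.gov.pl. 86400 IN NS ns1.example-urzad.gov.pl.",
    'example-urzad.gov.pl. 3600 IN TXT "v=spf1 mx include:spf.protection.outlook.com -all"',
]

SPF_DELEGATION = re.compile(r"(?:include:|redirect=)([A-Za-z0-9._-]+)")


@dataclass(frozen=True)
class Dependency:
    record_type: str
    target: str
    operator: str


def operator_for(hostname: str) -> str:
    """Longest-suffix match against the operator table; 'unknown' if none."""
    host = hostname.rstrip(".").lower()
    for suffix in sorted(KNOWN_OPERATORS, key=len, reverse=True):
        if host == suffix or host.endswith("." + suffix):
            return KNOWN_OPERATORS[suffix]
    return "unknown"


def parse_dig_answer(line: str):
    """Return (owner, rtype, rdata) for one answer line, or None if malformed."""
    parts = line.split(None, 4)
    if len(parts) < 5 or parts[2] != "IN":
        return None
    return parts[0], parts[3], parts[4]


def external_dependencies(zone: str, answer_lines) -> list:
    """Targets delegated outside `zone`, with the operator each resolves to."""
    zone = zone.rstrip(".").lower()
    deps, seen = [], set()
    for line in answer_lines:
        parsed = parse_dig_answer(line)
        if parsed is None:
            continue
        _, rtype, rdata = parsed
        if rtype == "MX":
            targets = [rdata.split()[1]]                 # rdata is "pref host"
        elif rtype in ("NS", "CNAME"):
            targets = [rdata.split()[0]]
        elif rtype == "TXT" and rdata.strip().strip('"').lower().startswith("v=spf1"):
            targets = SPF_DELEGATION.findall(rdata.strip().strip('"'))
        else:
            continue
        for target in targets:
            host = target.rstrip(".").lower()
            if host == zone or host.endswith("." + zone):  # in-house, not a dependency
                continue
            dep = Dependency(rtype, host, operator_for(host))
            if dep not in seen:
                seen.add(dep)
                deps.append(dep)
    return deps


if __name__ == "__main__":
    for dep in external_dependencies("komunikator.narodowy.gov.pl", OBSERVED_ANSWERS):
        print(f"{dep.record_type:5} {dep.target} -> {dep.operator}")
    for dep in external_dependencies("example-urzad.gov.pl", CONSTRUCTED_ANSWERS):
        print(f"{dep.record_type:5} {dep.target} -> {dep.operator}")
```

Feed it the answer section of `dig +noall +answer <zone> ANY` (or separate MX, NS and TXT queries) for each zone in scope; a "fully under national jurisdiction" claim is easy to check against whatever operators show up in that list.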
[–] SrMono@feddit.org 24 points 3 days ago (1 children)

Changing the App doesn’t fix that morons are using it wrong and in an unsafe manner.

Maybe they should spend the money on mandatory IT security training.

[–] frongt@lemmy.zip 5 points 3 days ago (1 children)

I guarantee they already do that

[–] SrMono@feddit.org 2 points 3 days ago

And still the idiocracy prevails.

[–] jabjoe@feddit.uk 6 points 3 days ago

Humans are going to be the weak point of any system.

I was thinking this about getting off American servers and services. More a question of digital sovereignty security. But it is all to do with hacking via humans by pretending to be support staff.

[–] fnrir@lemmy.blahaj.zone 4 points 3 days ago

https://www.gov.pl/attachment/016ce48c-cb1f-481f-9e4c-6af05f322522

Page 6, Point 6

It's an Element X reskin.

I looked around for 5 minutes and couldn't find the source code.

[–] fullsquare@awful.systems 14 points 3 days ago (2 children)

That's a reskinned, siloed Matrix instance with maybe minimal changes

[–] SrMono@feddit.org 10 points 3 days ago (2 children)

German Army does the same. No shame there.

[–] fullsquare@awful.systems 1 points 3 days ago* (last edited 3 days ago)

I mean, yeah. But it's not some national open source project, and that was claimed. Also, I'd like to know how intensely it was audited, because it's something different from the open-source Matrix homeserver/Element X (it's the proprietary part of it)

[–] belochka@lemmy.world 0 points 3 days ago (2 children)

Any ideas why it's always Matrix? Not even XMPP.

With not very performant servers and not very rich choice of clients, and still work in progress. And notably more fit for group chats rather than anything private and secure.

It's just Matrix being popular?

[–] fullsquare@awful.systems 3 points 3 days ago* (last edited 3 days ago) (1 children)

XMPP sucks balls for this scenario. There are incredible footguns in encrypted XMPP, it wasn't there from day one, and mind you it's intended for non-NixOS users. They have migrated from Threema

[–] belochka@lemmy.world 0 points 3 days ago (1 children)

I suppose. NOSTR-based Marmot is being developed now, it seems more interesting for me than XMPP or Matrix, but it's still a new thing.

[–] fullsquare@awful.systems 1 points 3 days ago (1 children)

I doubt that any national comms authority will want to have anything in common with Nostr. The big point of this thing seems to be that it's on-prem (or at least in country) with tightly controlled access

[–] belochka@lemmy.world 2 points 2 days ago

You can have controlled registration and authorized relays with Nostr too.

But the part where deploying Matrix is simple is, I suppose, the main reason.

[–] SrMono@feddit.org 2 points 3 days ago

Maybe. Or they got the feeling to use a low-effort open protocol that isn't XMPP. I mean, if they had considered Open Whisper, for example, they would have had to invest in a custom client.

With matrix they slap a new sticker on the software and call it a day.

[–] M33@piefed.world 4 points 3 days ago

France did that too with matrix fork « tchap »

[–] Treczoks@lemmy.world 12 points 3 days ago (2 children)

How secure it is remains to be seen, but using Signal or Whatsapp or similar apps for official government business is to be avoided, anyway.

[–] Telorand@reddthat.com 3 points 3 days ago

Agreed, but maybe for different reasons. Could you use Signal for government communication? Probably, but it would take intentional preparation, setup, and training of the end-users (most of whom are likely not security-minded or tech-savvy).

But practically speaking, governments should reasonably be developing an option that uses their own servers as relays, not ones controlled by a third party. Signal is run by a nonprofit (i.e. not driven by moneyed interests) and has survived court subpoenas for user data (because of how the useful data is stored encrypted at the endpoints, not the relays), but they do not have the same interests in nor are they developing a platform to keep government secrets safe.

Also, it's a central point of failure; even if it remains entirely uncracked throughout its lifetime, if the company goes under, those server relays will go, too.

I feel pretty safe as an end-user nobody, but I would be thinking twice if I was a government official.

[–] meowmeow@quokk.au 0 points 3 days ago (1 children)

Or any business. There’s always a back door if it’s not open source and self hosted.

[–] CaptainSpaceman@lemmy.world 5 points 3 days ago* (last edited 3 days ago) (2 children)
[–] boonhet@sopuli.xyz 1 points 3 days ago

Did you verify the code running on their servers is the same as the one in the repo though?

[–] meowmeow@quokk.au -2 points 3 days ago

If you don’t compile and self host, it’s not safe.

[–] Kkk2237pl@lemmy.world 2 points 3 days ago (1 children)

A few years ago there was a leak where Polish officials were talking through one of the most popular e-mail providers - wp.pl ;)

All institutional stuff still relies on teams and outlook.

[–] fullsquare@awful.systems 1 points 2 days ago

After 2022 they shat their pants and bought a Threema license specifically to avoid it, and now migrated from that to Matrix (this app)

[–] JoMiran@lemmy.ml 4 points 3 days ago
[–] overcast@lemmy.zip 4 points 3 days ago* (last edited 3 days ago)

the government said attackers impersonate Signal support staff and abuse this perceived trust to take over victims' accounts

the arguments they give for ditching Signal are basically present in every messaging platform, and people working in such high ranks shouldn't be that vulnerable to social engineering attacks

[–] HulkSmashBurgers@reddthat.com 3 points 3 days ago (1 children)

kegsbreath has entered the chat

[–] XLE@piefed.social 1 points 3 days ago

I'd be pretty pissed if governments' views on Signal come exclusively from US officials clearly misusing the software.

[–] eleitl@lemmy.zip 1 points 3 days ago (1 children)

So just a Polish version of Max. Got it.

[–] fullsquare@awful.systems 1 points 3 days ago (1 children)

On-prem Matrix instead of Slack? Literally 1984