TechEcho

A Few Reasons Why Signal End-to-End Encryption Algorithm Needs Fixes

8 points by AydanKirk about 3 years ago

3 comments

sph about 3 years ago

Actual title is "Mesibo emerges as the World's Strongest Platform for End-to-End Encryption!"

This has less to do with Signal and it's more about promoting their own product.
noodlesUK about 3 years ago

Disclaimer: not a cryptographer. I'd love to hear what a professional has to say on the topic.

From what I'm reading in this article the main complaint is twofold:

1. No out-of-band key exchange
2. Old(ish) ciphers

I am not sure what an out-of-band key exchange gets you over OOB verification of a key exchange. If an attacker is MITMing you and you discover it using Signal safety numbers, you probably stop using Signal to communicate. If someone is MITMing you with this and you add some PSK, what happens? I assume the system just doesn't work and messages can't be sent. I guess that's a bit better but isn't a huge improvement.

As far as the older ciphers thing goes, I'm surprised Signal is using an older cipher suite, but I'm not sure it really matters for their symmetric encryption. The double ratchet protocol uses a unique per-message key, so I'm not sure what risk AES-CBC+SHA2 presents over something like AES-GCM (which is not an ideal first choice AEAD construction either these days when things like OCB and Deoxys-II exist and no longer have IP issues). I'd rather have AES-CBC+SHA2 and no cryptographic agility (which seems to be what is being proposed here) and a more fixed format than the shiniest possible algorithms and a cipher suite negotiation phase (which has caused so many issues before in other protocols).
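The "unique per-message key" point in the comment above, as an added example that is not from the thread, from Mesibo or from Signal's code: a simplified HMAC-SHA256 symmetric chain (Signal's Double Ratchet additionally mixes Diffie-Hellman output into the chain; that part is left out here) derives a fresh key for every message, and each message is sealed with AES-256-CBC plus an HMAC-SHA256 tag in encrypt-then-MAC order. The root key, the messages and the `"enc|"`/`"mac|"` key-separation labels are all constructed for the demo. The tag is checked in constant time before any decryption, which is the property that makes CBC+HMAC acceptable here despite the padding-oracle history of unauthenticated CBC.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ratchetStep is a toy symmetric ratchet (illustration only, not Signal's
// Double Ratchet): one message key and the next chain key come out of the
// current chain key, so no message key is ever reused or derivable backwards.
func ratchetStep(chainKey []byte) (nextChainKey, messageKey []byte) {
	m := hmac.New(sha256.New, chainKey)
	m.Write([]byte{0x01})
	messageKey = m.Sum(nil)
	c := hmac.New(sha256.New, chainKey)
	c.Write([]byte{0x02})
	nextChainKey = c.Sum(nil)
	return nextChainKey, messageKey
}

// splitKey derives independent AES-256 and HMAC keys from one message key
// (labels are constructed for the demo).
func splitKey(messageKey []byte) (encKey, macKey []byte) {
	e := sha256.Sum256(append([]byte("enc|"), messageKey...))
	k := sha256.Sum256(append([]byte("mac|"), messageKey...))
	return e[:], k[:]
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	out := make([]byte, len(b)+n)
	copy(out, b)
	for i := len(b); i < len(out); i++ {
		out[i] = byte(n)
	}
	return out
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	for _, p := range b[len(b)-n:] {
		if int(p) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// sealMessage: AES-256-CBC under a random IV, then HMAC-SHA256 over
// IV||ciphertext (encrypt-then-MAC). Output is IV || ciphertext || tag.
func sealMessage(messageKey, plaintext []byte) ([]byte, error) {
	encKey, macKey := splitKey(messageKey)
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	body := append(iv, ct...)
	tag := hmac.New(sha256.New, macKey)
	tag.Write(body)
	return append(body, tag.Sum(nil)...), nil
}

// openMessage verifies the tag in constant time before touching the
// ciphertext, so a modified or truncated message is rejected undecrypted.
func openMessage(messageKey, sealed []byte) ([]byte, error) {
	encKey, macKey := splitKey(messageKey)
	if len(sealed) < aes.BlockSize+sha256.Size {
		return nil, errors.New("message too short")
	}
	body, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	want := hmac.New(sha256.New, macKey)
	want.Write(body)
	if !hmac.Equal(want.Sum(nil), tag) {
		return nil, errors.New("authentication failed")
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func main() {
	root := sha256.Sum256([]byte("constructed demo root key")) // constructed
	ck := root[:]
	for i, text := range []string{"first message", "second message"} {
		var mk []byte
		ck, mk = ratchetStep(ck) // a fresh key for every message
		sealed, _ := sealMessage(mk, []byte(text))
		pt, err := openMessage(mk, sealed)
		fmt.Printf("msg %d: key %x... -> %q err=%v\n", i, mk[:4], pt, err)
	}
}
```

Because every message key is used once, the IV reuse and nonce-misuse concerns that distinguish CBC from GCM in long-lived-key settings do not apply in the same way; what matters is that the tag is checked first, which the code above does.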
smat about 3 years ago

Signal offers to validate public keys of contacts via a separate channel (QR codes) to detect MITM attacks.

The second claim is that the ciphers used are outdated. A counter-claim that can be made here is that Signal relies on well-established and widely used methods, which ensures that any significant weaknesses are more likely to be found. So far there are none that result in practical attacks.
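The out-of-band key verification that the two comments above describe, as an added example that is not from the thread or from Signal's code: two parties run an X25519 agreement through a relay, and each computes a short fingerprint from its own public key and the key it received for its peer. If both read the same fingerprint over a trusted channel (a QR scan, a phone call), the keys were not substituted in transit; if a relay replaced the keys, the fingerprints differ on the two ends, which is exactly the signal Signal's safety numbers give. The 8-byte hex fingerprint is a toy stand-in and not Signal's actual safety-number format; all keys are generated fresh for the demo.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// fingerprint hashes both public keys in a fixed order so each side, given
// its own key and the key it believes belongs to the peer, derives the same
// string. Toy stand-in for a safety number (Signal's real format differs).
func fingerprint(a, b []byte) string {
	if bytes.Compare(a, b) > 0 {
		a, b = b, a
	}
	h := sha256.New()
	h.Write(a)
	h.Write(b)
	return hex.EncodeToString(h.Sum(nil)[:8])
}

// scenario runs an X25519 agreement between Alice and Bob via a relay.
// With relayReplacesKeys=false the relay forwards keys unchanged; with true
// it hands each party its own key instead. It reports whether the two parties
// derived the same shared secret, and whether the fingerprints they would
// compare over a trusted out-of-band channel agree.
func scenario(relayReplacesKeys bool) (sharedMatch, fingerprintMatch bool, err error) {
	curve := ecdh.X25519()
	alice, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	bob, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	keyAliceSees := bob.PublicKey()   // what Alice receives as "Bob's key"
	keyBobSees := alice.PublicKey()   // what Bob receives as "Alice's key"
	if relayReplacesKeys {
		relay, e := curve.GenerateKey(rand.Reader)
		if e != nil {
			err = e
			return
		}
		keyAliceSees, keyBobSees = relay.PublicKey(), relay.PublicKey()
	}
	sa, err := alice.ECDH(keyAliceSees)
	if err != nil {
		return
	}
	sb, err := bob.ECDH(keyBobSees)
	if err != nil {
		return
	}
	sharedMatch = bytes.Equal(sa, sb)
	fa := fingerprint(alice.PublicKey().Bytes(), keyAliceSees.Bytes())
	fb := fingerprint(bob.PublicKey().Bytes(), keyBobSees.Bytes())
	fingerprintMatch = fa == fb
	return
}

func main() {
	for _, substituted := range []bool{false, true} {
		s, f, err := scenario(substituted)
		fmt.Printf("relay substitutes keys=%v: shared secret match=%v, fingerprint match=%v, err=%v\n",
			substituted, s, f, err)
	}
}
```

The check only works if the comparison happens over a channel the relay does not control, which is why the comparison is done by scanning a QR code or reading digits aloud rather than through the messaging service itself; a mismatch means the session should be treated as untrusted until keys are re-verified.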