The more we try to make encryption mainstream, the more difficult it gets because the mainstream interacts with computers predominately via browsers. The mainstream won't adopt something that isn't highly similar to what a browser has to offer in terms of media richness (photos, videos, html), so you see Signal choosing technologies like Electron, a browser, to develop their native applications. The heart of what signal is and does well (encrypt, decrypt, authenticate) is dwarfed by a pile of code that was added to make signal usable by the mainstream. Desktop Signal, in terms of code and complexity, is no longer a security product -- it's an application with a web-like media experience that happens to tack on a very good library to do encryption and authentication.
As we all know, sometimes vulns are in broken crypto, but most of the time they're in a gotcha beneath a mountain of code.
The more we try to make encryption mainstream, the more difficult it gets because the mainstream interacts with computers predominately via browsers. The mainstream won't adopt something that isn't highly similar to what a browser has to offer in terms of media richness (photos, videos, html), so you see Signal choosing technologies like Electron, a browser, to develop their native applications. The heart of what signal is and does well (encrypt, decrypt, authenticate) is dwarfed by a pile of code that was added to make signal usable by the mainstream. Desktop Signal, in terms of code and complexity, is no longer a security product -- it's an application with a web-like media experience that happens to tack on a very good library to do encryption and authentication.
As we all know, sometimes vulns are in broken crypto, but most of the time they're in a gotcha beneath a mountain of code.