Since Signal gets your phone number, can we consider this application private? What are your thoughts about it? I’m also using SimpleX, ElementX, Threema, but not many people are using them…

Cheers

  • Ardens@lemmy.ml
    2 months ago

    Signal has a backdoor - like many other apps. It’s private in most situations but not for all… The backdoor is there, and as such, it will never be as secure and private as it could, or should, be…

      • herseycokguzelolacak@lemmy.ml
        2 months ago

        The biggest security issue in Signal is the requirement for phone numbers and SIM cards. This basically forces all Signal users to identify themselves, and makes Signal highly vulnerable to government spying.

        Can I get the ETA for fixing this?

        • silasmariner@programming.dev
          2 months ago

          Does it really? Iirc, you can determine: when the account was made, and when the last message was sent. This doesn’t sound ‘highly vulnerable’ to me… Doesn’t permit inspection of metadata e.g. contacts, so as vulnerabilities go it’s pretty weak sauce

          • herseycokguzelolacak@lemmy.ml
            2 months ago

            A phone number uniquely identifies a person because in most of the world you need a government ID to get a phone number or a SIM card.

            Which means that if one account is compromised, then everyone that person talked to is also compromised. You know what they talked with whom. It’s an incredible security risk that Signal devs refuse to acknowledge or fix.

            • silasmariner@programming.dev
              2 months ago

              If your threat model is deanonymisation of chat users via phone numbers after one chat is fully compromised, then yeah I guess you need to register the accounts with relatively ‘untraceable’ phone numbers (i.e. unregistered or incorrectly registered burner SIMs), but that’s not my threat model. I’m more concerned about server-side broad-spectrum government surveillance than I am about targeted device seizures. And of course there are mitigations even with data access on device seizure, provided you’re unwilling to provide device passwords. But, like, if you’re cooperating to the point of providing passwords you’re probably sharing what you know about other users’ identities anyway, so it’s a very niche case this applies to.

              • herseycokguzelolacak@lemmy.ml
                2 months ago

                It’s the threat model. E2E encryption is a niche ‘nice to have’. Protecting the anonymity of people who have said nasty things about politicians is the most important thing a chat app needs to do. Signal is security theater until they fix this.

                • silasmariner@programming.dev
                  2 months ago

                  No, the most important thing a chat app needs to do is send messages between the intended recipients, making them unavailable to anyone else. Signal does this. You’re worried about ppl receiving messages and knowing who they’re from. Generally knowing where a message is from is considered a feature – if you want anonymous broadcast, pick a different technology that’s geared towards that

                  • herseycokguzelolacak@lemmy.ml
                    2 months ago

                    this xkcd is always relevant: https://xkcd.com/538/

                    The most dangerous threat vector is the government forcing you to unlock your phone, and reading your messages. At which point using phone numbers becomes a huge problem.

                    Fancy encryption doesn’t matter when it’s obstruction of justice to refuse to unlock.