Signal knows who you’re talking to – Sane Security Guy
sanesecurityguy.com/articles/signal-knows-who-y…
SimpleX chat is probably better for privacy, but my dad will never understand how to use it.
Of course they do. That’s what requiring phone numbers does. There is no other reason to continue this requirement except removing anonymity. It’s to respond to pen orders.
Someone dug out a 2 year old article.
At the blinding speed of technology development in today’s timeline, I rarely go back more than a couple years. It’s usually stale and outdated even just 2 years ago.
I saw this on Hacker News, bro 😣
Wasn’t Signal only able to disclose first and last timestamps when a user has connected to their servers when receiving legal requests? I just assumed their protocol made it so that they can’t do it, or they theoretically can but don’t store such logs.
Thankfully I don’t have this problem, almost all of my contacts use only proprietary messengers instead of this shady Signal.
None of my friends use Signal, so I’m in four group chats where I’m the only member (Journalists from The Atlantic notwithstanding). One is for transferring files between devices, one is for notes, one is for reminders, and one is for frequent backups of things like my browser bookmarks.
I don’t really get it,
Sticking with the snail mail analogy, what happens when two pen pals keep sending mail to each other from their homes without including return addresses in their envelopes? The postal service might not know who exactly is sending each piece of mail but, over time, they would know that Address A in Lower Manhattan, New York, keeps on getting one-way mail from the post office in 3630 East Tremont Avenue, the Bronx, New York; and Address B in the Bronx keeps on getting one-way mail from the post office in 350 Canal Street, Lower Manhattan.
I mean, no, all they know is that ALL users get one-way mail all the time?
The “over time” in “but, over time, they would know that…” does a lot of heavy lifting. Would they? How would they know that?
Sure, if there were only two participants in the system, I would agree. But we have way more than 2 users on signal.
Someone logging timestamps for messages received on both ends of a conversation would be able to determine that two people are probably talking to each other given enough data. Signal is probably not doing that, but Signal’s other security guarantees provided by an open source client that encrypts communications end to end hold even if the organization was infiltrated or taken over by a bad actor. The anonymity of participants in a conversation is not protected as strongly as the contents of messages.
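The correlation the comment above describes, as an added example that is not part of the article or of any commenter's post: a constructed one-day delivery log of (timestamp, recipient) events, which is exactly the metadata a relay still holds when sealed sender hides the sender. Background traffic is random; one pair of accounts (ids 3 and 17, an assumption) trades replies a few seconds apart. Counting how often a delivery to one account is followed within a short window by a delivery to another, and normalising by each pair's total activity, pulls that pair out of the noise.

```python
"""Timing correlation over delivery metadata (constructed sample data).

Each log entry is (timestamp_seconds, recipient_id): what a relay knows
about when it handed a message to which account, even with the sender hidden.
"""
import random
from collections import defaultdict


def make_log(n_users=40, n_background=3000, conv_pairs=((3, 17),), seed=7):
    """Build a constructed one-day delivery log.

    Background traffic is uniformly random. Each conversing pair exchanges
    60 rounds of message and reply, 5-40 s apart, starting at a random time.
    """
    rng = random.Random(seed)
    log = [(rng.uniform(0, 86400), rng.randrange(n_users))
           for _ in range(n_background)]
    for a, b in conv_pairs:
        t = rng.uniform(0, 80000)
        for _ in range(60):
            log.append((t, a))          # A receives a message
            t += rng.uniform(5, 40)
            log.append((t, b))          # B receives the reply
            t += rng.uniform(5, 40)
    log.sort()
    return log


def correlation_scores(log, window=45.0):
    """Count, per unordered pair, deliveries to one party that follow a
    delivery to the other within `window` seconds. The log must be sorted."""
    scores = defaultdict(int)
    for i, (t_i, u) in enumerate(log):
        j = i + 1
        while j < len(log) and log[j][0] - t_i <= window:
            v = log[j][1]
            if v != u:
                scores[(min(u, v), max(u, v))] += 1
            j += 1
    return scores


def top_pairs(log, k=3, window=45.0):
    """Rank pairs by co-occurrence count relative to their combined activity,
    so that merely chatty accounts do not dominate the ranking."""
    activity = defaultdict(int)
    for _, u in log:
        activity[u] += 1
    scores = correlation_scores(log, window)
    ranked = sorted(
        scores.items(),
        key=lambda kv: kv[1] / (activity[kv[0][0]] + activity[kv[0][1]]),
        reverse=True,
    )
    return [pair for pair, _ in ranked[:k]]


if __name__ == "__main__":
    log = make_log()
    print("most likely conversing pairs:", top_pairs(log))
```

With the constructed parameters the conversing pair scores around 120 co-occurrences against roughly 6 for a random background pair, so it ranks first by a wide margin; the defence is to remove or coarsen the timestamps, not to hide the sender alone.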
Steadily growing userbase, 70m active users last year. At any time of the day, seems like timestamps will only show what time each user is usually awake.
Does Delta Chat / Arcane Chat suffer from the same vulnerability?
From https://delta.chat/en/help#sealedsender
Does Delta Chat support “Sealed Sender”?
No, not yet.
The Signal messenger introduced “Sealed Sender” in 2018 to keep their server infrastructure ignorant of who is sending a message to a set of recipients. It is particularly important because the Signal server knows the mobile number of each account, which is usually associated with a passport identity.
Even if chatmail relays do not ask for any private data (including no phone numbers), it might still be worthwhile to protect relational metadata between addresses. We don’t foresee bigger problems in using random throw-away addresses for sealed sending but an implementation has not been agreed as a priority yet.
Too bad its creator seems to like Trump https://mstdn.social/@rysiek/114630877715286899
I prefer deltachat https://delta.chat/
Kind of a poor write-up. I have my issues with this but Signal doesn’t really use phone numbers internally, it uses hashes of phone numbers. It’s not as straightforward as this article makes it seem, and this is readily available information that the author could have found.
Hashing doesn’t really do anything because there are too few possible phone numbers. Easy to brute-force. See the researchers who enumerated the WhatsApp users database recently via the internet…
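Why a plain hash of a phone number is not a secret, as an added example that is neither Signal's code nor any commenter's: the number space is tiny (a 10-digit number carries about 33 bits), so whoever holds a hash can enumerate every candidate and compare, or precompute the whole table once and look hashes up. Unsalted SHA-256 over an E.164 string is an assumed stand-in for "hashes of phone numbers"; the prefix and number used are constructed, not real.

```python
"""Recovering a phone number from an unsalted hash by enumeration."""
import hashlib
import math


def hash_number(number: str) -> str:
    """Unsalted SHA-256 of an E.164 number (assumed stand-in for a hashed number)."""
    return hashlib.sha256(number.encode("ascii")).hexdigest()


def search_space_bits(n_digits: int) -> float:
    """Entropy of n decimal digits: 10 digits is ~33 bits, trivial to enumerate."""
    return math.log2(10 ** n_digits)


def recover(target_hash: str, known_prefix: str, unknown_digits: int):
    """Enumerate every completion of known_prefix and return the one whose
    hash matches, or None. Cost is 10**unknown_digits hash calls, and
    knowing a country or area code shrinks the prefix you must guess."""
    for n in range(10 ** unknown_digits):
        candidate = f"{known_prefix}{n:0{unknown_digits}d}"
        if hash_number(candidate) == target_hash:
            return candidate
    return None


def build_lookup_table(known_prefix: str, unknown_digits: int) -> dict:
    """Precompute hash -> number once; every hash seen afterwards is an O(1) lookup."""
    table = {}
    for n in range(10 ** unknown_digits):
        number = f"{known_prefix}{n:0{unknown_digits}d}"
        table[hash_number(number)] = number
    return table


if __name__ == "__main__":
    # Constructed example: a North-American-style number, last four digits unknown.
    leaked = hash_number("+12125551234")
    print(recover(leaked, "+1212555", 4))
    print(f"{search_space_bits(10):.1f} bits for a 10-digit number")
```

Adding a public salt does not change this picture, since the attacker salts their candidates the same way; only a key the attacker does not hold (a keyed hash computed inside something the attacker cannot read) makes the hash unreversible, which is the problem the private contact discovery design discussed further down tries to solve.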
Hold up. They also have profile pictures and other stuff. So Meta offered the option to create a global phone book, but also to create a phone book of children worldwide + a timeline of profile pictures. Meta’s statement was that it wasn’t a big deal because it was public data…
So Meta’s pedos dream phone book is something else entirely.
My vague memory is that Signal doesn’t keep that information, so it couldn’t be subpoenaed; indeed they’ve been asked for it before and declined to share.
BUT IT’S MOOT IF YOUR MESSAGES ARE VIEWED by sender or receiver ON ANDROID, WINDOWS OR IOS. Those operating systems can just view everything you type regardless.
How does Signal match your contacts based on their phone number then?
by having you trust intel instead of themselves: https://signal.org/blog/private-contact-discovery/
Oh but that’s still better than I expected.
Hence “vague memory”. I don’t know.
In addition to that, in most European countries you have to register with your ID in order to get a mobile phone number. So it’s provably end-to-end related to your identity.
I prefer apps that require no phone number. Like Threema, SimpleX, Session, Status, XMPP, or Tox.
The main advantage of Signal was the SMS integration, which meant you no longer had to use the SMS app itself. In addition, SMS messages were displayed like a chat. That’s why it needed to be linked to your cell phone number, but since they’re no longer allowed to offer that anyway, they could have done a clean sweep of existing accounts and adapted the entire login process.
I would hope so. It’s facilitating us talking; it kinda has to know who I am trying to talk to.
Should’ve known this was going to be an ad for SimpleX. They have a hard-on for anti-Signal content. It’s nearly as laughable as GrapheneOS’s hate for anything not GrapheneOS.
SimpleX is good tho.
Sure, if you like Nazis
Sorry what?
Well, use some P2P messenger with the Tox protocol.