They’ve been planning that for a long while. It requires first an e2e sync though, for contact lists, which is what the clientside secret (PIN) enables.
I dunno but for example Wire does implement addressing without giving phone number optionally if you sign in with an email and a password, which makes me less convinced of the necessity of forced PINs in this style to enable such cases (which should be optional in the first place). Same thing with syncing across devices which requires you opt in to add email/password combo to enable those features.
The point I was trying to make was more on how Wire made the whole password situation optional, I am aware of the conversation name and creation date being stored but that's an issue depending on the threat model for each user.
The main issue I see is with the intrusiveness of how Signal PINs are handled by the UI, this will only work to alienate users or encourage writing simple PINs that make them weak to use! It would've been much better had it been treated as a fully opt in feature and PINs treated more as passwords, without the constant bombardment of reminders to input it.
This can be placed behind a "sync" option for example and enabling it opens a dialogue explaining the need for password, from there it's up to the user to enable sync and in doing so they have to set a password like normal services.
"As we move to support additional features the Signal community has asked for – like addressing that isn’t based on phone numbers"
This is awesome. So important for people at risk like the human rights defenders, journalists, legal, LGBTIQ people we work with. Great to see Signal looking at this.
That's kinda weird timing. Signal's been asking me for a PIN for about 2 weeks now. Did Aurora screw up and give me an early version? Or did they just roll this out to users weeks ahead of publishing an announcement?
The exact same thing happened to me. They must be rolling it out gradually because it hasn't happen to my wife yet nor to several of my other contacts.
I just got the nag-alert a couple days ago. I don't really want to set a PIN, so I have been ignoring it. If they are going to force us all into the new system, maybe it is time to stop putting up with Signal's constant forced-upgrade treadmill and find some other means of secure communication.
This is going to be the reality of any data system which you want to have complete control over. I suppose it could also be a complex key you instead keep on your drive, but that has risks as well.
Maybe I should have been more explicit: the safety of my data at rest on a remote system hinges on Intel's oft-broken security code and a memorable password.
Normally I use 128-bit passwords (i.e., 22 mixed-case letters and digits) for any remote system. That's not really practical for something which prompts me to enter the PIN periodically (and I think Signal limits the PIN to 20 characters anyway).
I do not see any net benefit to storing my contact information on Signal's servers. If I want to rebuild my contact list, I can … ask my contacts for their Signal accounts.
It is important to memorize your PIN, and the reminders cannot be disabled. We cannot recover your PIN if you forget it.
You will see the reminders less frequently if you consistently enter your PIN correctly. The reminders will become more frequent if multiple attempts are necessary."
Hmm, because they use the word PIN (personal identification number) I set a 6 number PIN, I feel a bit stupid about that now. But then this means that my messages are in another place than my phone? A bit unclear from what the app told me...
Newer products seem to be tending to label something a PIN if it isn't stored by a third party, because this means it can't get stolen, and as a result it's safe to choose relatively weak human memorable secrets that would be unsuitable as a traditional "password" that we're all using password managers to store instead.
For example a Yubico Security Key can use a PIN. So I could use that as second factor for my Facebook. No matter how lazy, incompetent or even malevolent Facebook is, they never see that PIN, they just get a bitflag in which the Security Key promises it confirmed my identity before authenticating. If they insisted and I allowed them to, they could verify it's a real Yubico brand product (in reality Facebook don't do that) and maybe trust the bitflag on that basis, but even then they aren't learning what PIN I set, how long it is, anything useful.
You probably don't want to store such PINs in a Password Manager, although it's unlikely to be a big security problem to do so, they are intended to be human memorable unlike a "good" modern password.
I know my PIN yet it asks me everytime I open the app. It's extremely annoying. I wouldn't mind once a month, but it seems like it's 1 a week (which doesn't seem true, I feel like it's more every 2-3 days for me).
I just wish there was an option to ask less frequently.
You are the exception, the overwhelming majority of users don't use a password manager.
I agree that an advanced option to disable PIN reminder prompts would be nice, but I understand and respect the Signal team for focusing on more important things. I can live with a 5 second prompt every 2 weeks.
Of course, no argument there. A lot of those people are missing some features, like proper group management. Before it was stickers, GIFs, video calls, etc. Some people always find something lacking, it's just an excuse. But for other people they are real concerns.
Signal's challenge is to build features that other apps already have but in a way that respects their users' privacy. They make their share of mistakes but I'm deeply grateful for what they do and try not to lose sight of the important stuff.
You can respect Signal team, and still don't deny that this forced habit-building is UX anti-pattern. Which doesn't make sense anyway, because majority will not accept increased discomfort it creates, and minority which values security more do use pw managers.
Is it though? I use a password manager. I recently found out that I had saved the PIN for my Signal account into it, but since it was never integrated with Signal I immediately changed it when I needed Signal later and I even forgot I had set up a PIN.
Sure, that doesn't mean there is/was no better way to make this change. To provide more options for users, etc.
I'm simply saying that the PIN prompt worked for me over the last months (I successfully memorized it), and now with the new UI it prompted me to fill it with Keepass for Android. (And that's how I found the old PIN in Keepass.)
I was literally agreeing to that an advanced opt-out would make sense, but I disagree that it's a priority for the initial release. I think the majority of Signal users will tolerate the discomfort.
But the reason you don't forget it is probably because you recall it all the time. You definitely recall your phone number for purposes other than calling yourself.
This has given me a good idea for a study: find people who have changed phone numbers and see how many of those people can remember them. Then plot the data by the last time they used that number.
Anecdotal but I for one have been using grand Central/Google voice as the number I share with others since about 2008 and I don't remember any of the numbers I've used for the actual cellular carrier.
It is beyond comprehension that they think pin reminders being mandatory is ok. I have been a huge fan of signal from the beginning and this is single handily a deal breaker and has me looking for alternatives.
How did they not learn from this when they tried it with the activation lock.
Indeed. It's stupid. And it's very much scaring off their less technical users. My aunt is nearly 80, she's been using signal for years, and the other day she sent me a very confused message about the PIN. She doesn't understand why it's suddenly there, and she doesn't want it there. Neither do I. And there's no way to turn it off? I won't be recommending signal anymore. It used to be a mostly secure drop-in replacement for the default SMS app, and it was truly stellar at that. But if it's going to become a pain to use, what's the point?
Is there a reason more people don't use Wire? Its interface annoys me but I was under the impression it's E2E is pretty good and the source code is publicly available?
You mean the pre-existing “Registration lock” feature? I think they are using the same pin. I’ve had that set for years and I’ve been getting pin reminders for the last several months and I now see “Change your PIN” in my settings.
I have only set a reg lock pin. I never set any other pin. Then I uninstalled the app. Now when I installed it again today it is asking me for a PIN and the only PIN on Signal I have set was a reg lock pin which is not being accepted.
I remember the PIN and it's also stored in BitWarden and KeePass. Now I am locked out.
It sounds like it's on the roadmap. From the article:
> As we move to support additional features the Signal community has asked for – like addressing that isn’t based on phone numbers and chatting with contacts that aren’t saved in an address book – it means that more and more of this important supporting data can also be lost.
Signal and Matrix are pretty different thing honestly. It's like Whatsup vs Slack. I am not sure you would want your Dad to sign up to your Slack channel.
I don’t want my messages to be stored anywhere other than on my phone. I hate when companies push this bullshit on you. I keep on getting reminders to set a pin and I can’t turn it off.
I think one of the issues with software is that because it’s infinitely extensible, people just add more and more features, they don’t know when to stop. So they keep pushing features that satisfy 10% of their users to the detriment of the 90%. Slowly the app becomes bloated and extremely confusing to use.
Then use What’s App, there are a million solutions that solves your problem, signal was the only serious app that doesn’t store my messages somewhere else.
Then establish a handshake between two devices that you want to trust each other in the same way that you add syncthing devices.
If they still want to use a pen then there should be an option if it is an alphanumeric string to check a box that says this is managed by a password manager don't remind me for at least 6 months.
There are a million apps which store messages on a server, those users are already on those apps. The thing that differentiated signal is the data-less functionality.
No, the thing that Signal always aimed for was "Making mass surveillance impossible", and "privacy for the masses". If you remove the mass part, you remove the main goal of Signal.
The experts can maybe fork Signal, or use Matrix. Then there is always PGP/GPG.
What do you mean data-less? By design there has always been a Signal server.
Signal should not stay as the simplest possible iteration of an encrypted chat application. If we want more people to use privacy-concious applications, those applications need to evolve.
I don't know if I would say I do so Regularly, but I find having the history available useful on occasion for remembering or referencing prior discussions. Sometimes there's a link I've shared with one friend that I'd like to share with another friend some indeterminate amount of time later, and so it's convenient to just go to that first conversation and search through it.
Absolutely. I just searched way back one chat to find the size of a bike helmet I bought that I had mentioned there years ago, as mine has been stolen this afternoon. Others contain fond memories, cooking recipes, there is a group chat we have with locations and restaurants to visit. It's been useful on many occasions to have those logs as a kind of informal diary, because I mention most important events to at least one of my closest remote friends. Not having persistent chat logs is a dealbreaker for me.
Does it say that they're storing messages? The examples are all the metadata "Signal provides private groups, private contact discovery, private profiles, etc". I interpreted this as saying that my groups and contacts are synced, not the content of the messages.
I don’t think they plan to store messages, but essentially conversations and contacts. This is in reaction to the number one most requested feature: Allow usage without a phone number.
If Signal really puts messages onto their servers behind easy to brute force PINs with the only protection being the SGX pixie dust, and maintainers really don't see a problem with it, then the end to end promise of Signal becomes moot and I'd feel that they'd have betrayed their user's privacy.
However, this is not what they are announcing. Signal does not store any message content in the cloud. It's only your address book as well as the list of blocked accounts. So that you don't completely start from scratch when you lose your phone. This makes total sense.
If you assume that SGX is insecure and Signal can just brute force the PINs (definitely a legitimate view!), then address book equivalent data is already available to Signal in the form of who-talks-to-whom metadata. The only difference is that the metadata needs to be collected over a time span while address books only require short time compromises of the architecture. But this is a minor regression in security, for a large gain in usability.
I'm looking forward to hearing how they plan to prevent brute-forcing of these. A physical hardware device can wipe keys after a certain number of failures.
I definitely look forward to the ability to move Signal forward to a new device without losing all logs, and the ability to use Signal without tying it to a phone number.
The enclave is hardened against Spectre and LVI with this (BOLT/LLVM based), and other techniques:
https://github.com/signalapp/BOLT
The last build step before signing is a verifier that checks that there are no missed mitigations, built using Intel Xed, to try to avoid potential missing mitigations due to an LLVM or BOLT bug.
I'm familiar with Signal's usage of enclaves. The case I'm wondering about is what happens if someone seized (or surreptitiously accessed) Signal's servers, ran the unmodified enclaves, but fed in different PIN requests to those enclaves in a brute-forcing attempt. What prevents that?
The enclaves will flush the data (much like the hardware you mention in your first post) after some number of wrong PIN guesses.
To do this securely made the whole thing quite difficult, because it means we can never persist anything outside the enclave, or an attacker could unpersist into 1000 unmodified enclaves (who would never know about each other) and get 1000*N guesses.
That was precisely the kind of architecture I was hoping to see documented, yes. So you're locking data not just to the code running in the enclave but to the specific hardware the enclave runs on, and further doing something to prevent replay? And at the same time, providing resilience against hardware failure of the machine any given enclave runs on, and providing persistence?
Yeah, there is a 32 byte random serviceid generated inside the enclave when it starts in "new" mode, so it is locked to the serviceid, not the HW, so we can migrate off failing/failed hardware. The only way to get a non-random serviceid is to have keyspace transferred to you from an existing enclave, after mutual attestation. Clients verify the serviceid after attestation verifies the enclave.
Each partition of the keyspace lives on a 5 node cluster, running RAFT inside the enclaves to ensure the pin guess count is consistent.
If a node fails, or is failing, or we need to do maintenance, we transfer the partition from the old nodes to new ones, which transfers the serviceid as well. If you start a new enclave from scratch, it'll generate a new serviceid, and clients won't talk to it, and existing partitions will refuse to transfer to it since it already has a serviceid. In fact, it won't even be listening for incoming transfers, since it thinks it owns the entire keyspace.
We can also do a partial partition transfer that leaves the source cluster live, which we use to split up the keyspace more when we need to scale up.
There is no persistence (wouldn't be secure, attackers could do many parallel enclave resumes to get extra guesses), so the 5 nodes in the cluster live in geographically separated data centers, and we're real careful about things that could kill a node or process.
if it's anything like what other big players are doing: the attempts are limited and the code will destroy its knowledge of the key once you reach this limit.
Looking at the code quickly I see that nothing is documented and it's not clear what code gets executed there. So good luck understanding what they're doing. But it seems to be using Raft, probably to bring several HSMs to consensus on what's the state of the number of attempts. And it does seem to erase stuff if you reach some threshold of attempts: https://github.com/signalapp/SecureValueRecovery/blob/00d023...
My follow up question is: what prevents someone from destroying your account's backup key by entering wrong PINs for your account?
That isn't quite how it is implemented, there are no HSMs, we use SGX for that function instead. See my reply to Josh's follow up for details.
You need a random id not the phone number, so other users can't do guesses unless they get that random id somehow. The ID is stored on the phone, and if you lose it, when you reinstall Signal, the signal server will give it to you after SMS phone # verification.
A sim-jacker could nuke your key, but that seems like a lot of work for griefing. Signal of course, has the plaintext random id, so they could nuke your backup, but there are tons of ways Signal can DoS attack their own service. Stopping paying for the servers, for one.
I'm extremely disappointed about how this Signal PIN rollout has been handled. Signal refused to let me view my received messages until I created a PIN. I filed a bug report about it [1]. I don't know if I was just caught in an A/B test or what because it hasn't happened to all of my Signal-using friends but it happened to me.
I don't understand why it isn't just optional. They claim they want to protect my Signal data stored in the cloud. I don't want my data stored in the cloud. I want them to store nothing. I don't care about their Intel SGX whatever because I don't want to have to trust their servers in the first place.
Cloud storage is a complete non-starter for me. I started my company to get away from cloud storage [2]. The fact that they are forcing this on their users is making me seriously consider dumping Signal. I just don't know if there are any sane alternatives.
> I don't care about their Intel SGX whatever because I don't want to have to trust their servers in the first place.
Yeah: particularly given how Intel SGX gets broken every year :/... prime+probe, foreshadow, load value injection, plundervolt... Moxie's fetish for Intel SGX is extremely concerning.
SGX has simply just been shown to be incompatible with secure software and is impossible to justify. Signal can happily operate without the need for this sort of thing to begin with, but they keep insisting on weak solutions for no reason.
These weak solutions are actually enough to keep the government requests at bay, for the moment. Why go into crazy crypto theory if that's good enough right? That's what Apple and Google are doing as well.
As far as I understand, Apple is using dedicated secure enclave chips in their iCloud keychain service; the attacks against SGX are usually (admittedly, not always) side channel attacks due to being able to use the CPU for arbitrary insecure execution and then use that to extract information from the container. It is also my understanding that Apple controlled the keys for their hardware, and could watch themselves destroy the key: as far as they know, they can't access the data themselves and nor can anyone else... Intel SGX is subject to upgrade keys from Intel and their remote attestation can be forced by Intel: if a government wants the data they should bring the computer to Intel and start a similar battle to the one the FBI had with Apple on their older phones (where Apple already had a back door but didn't want to be forced to use it by signing a firmware to access the phone).
I’d really like to have a more sane version of Signal as a fork, which allows the maintaining of compatibility, but given how hostile they’ve been towards this sort of thing I suspect it would be unmaintainable.
I think I liked Signal better when it was just encrypting text and sending it over SMS. I noticed recently that someone has been maintaining such a fork, under the name "Silence", but haven't had a chance to try it yet.
I used Silence as my primary SMS app for several years while I was on Android. Overall I had no complaints. Beware though, they seem to have been booted out of the Play Store at some point, so you might need to install through F-Droid.
From what I understand, they are fine with forks of Signal as long as these forks have distinct branding and don't depend on OWS services to operate, I'd imagine because they don't want the operational burden of ensuring the compatibility of third party clients nor confused users going to OWS for support instead of the third party devs.
Does homefort sync over the lan or it requires a 3rd party/ proxy broker? It says "The mobile app connects to your home computer" which concerns me a bit as it sounds like a VNC headline.
The idea is to use try to use NAT traversal (i.e. STUN or UPnP) to get a direct connection, and otherwise relay (i.e. TURN) with end-to-end encryption. I'm hoping IPv6 will eventually allow direct connections everywhere so nothing needs to be relayed.
I haven't built that stuff yet though so the current version requires that your home computer has a public IP address and that you open a port in your router. Obviously it's only usable by technical people right now, but I do eventually want this to be something my mom can install and use on her own.
Isn't the point of something like this PIN that the only thing stored on the cloud is an encrypted blob that they don't have the keys to? That way it doesn't matter if SGX or similar breaks or not, since the encryption is only happening on your devices. The PIN is the key.
The PIN is a very short key, so the only real protection is that Intel SGX (which notably gets broken every year, and so this doesn't actually work) is preventing people from getting access to the encrypted data to brute force the key; the enclave then enforces some limit on the number of attempts (and maybe some rate limit on the speed of attempts).
The client allows them to be alphanumeric, but the default is 4 numbers. The irritating behaviour of repeatedly asking for it to be entered at awkward times means people will just set it to 1337 and call it a day.
I haven't even opened Signal since hearing about this update, so I don't know how irritating the prompts are, but I did see this in the blog:
>Because Signal doesn’t have access to your keys – or your data – your PIN isn’t recoverable if you forget it, so our apps help you remember your PIN with periodic reminders. Don’t worry, these reminders get less frequent over time.
Having read that, I doubt I'll get too irritated at the reminders and eventually they'll go away. You have a point that anyone who hasn't read the update blog will have no similar hope and might use something easy. I guess I'd hope the Signal user base is more security conscious than that. For instance, I know my PIN is going to be alphanumeric and immediately stored my password database.
You can fill it in with your password manager at every prompt?
There is a large segment of people who don't like complicated passwords and will not use a password manager, so the PIN scheme w/ advanced options and password manager integration is the way to thread that needle.
> It's not optional because its purpose is incompatible with that.
I don't blame signal for forcing strong PINs, I don't know what's their purpose, but non phone number identifiers don't require cloud storage. The contact list (with the associated public keys) does.
What? How? You just need a key (password). If you are able to log into that "identified" then you are online with that and others can message you on that, and the network will route messages to your client.
There's nothing to store up to this point.
And if people want backups they can optionally enable that. Or the network could support multiple clients signed in for the same "identified" and allow those authenticated and authorized clients to sync/backup among themselves.
I was quite disappointed as well. I guess the only way to go is to use a strong password, which is NOT "memorizable" and hope that the reminder banner won't show up too often. Very sad ...
I think they've messed up badly with this update. I have several friends who want to get rid of Signal because they could not access their messages until they've set up a PIN.
Imagine needing to configure and remember a PIN on the spot when you need to urgently read your messages.
I've lobbied for signal, and gotten friends and family to join. Most are annoyed by the PINs and some have left.
Their handling of PINs seems quite contrary to their goal of pretty good security for the largest possible number of people.
It's VERY frustrating to have your device asking for pins every time you use it. I'm trying to protect from attackers on the internet, not someone who is going to assault me. After all if they assault me for my phone they can assault me for my pin. Single devs need to read https://xkcd.com/538/
Still stupid, shouldn't they ask if I want that functionality? Not like it's going to be hard to brute force a user's PIN.
They should explain what the pins is BEFORE they ask. What it looks like is you are going to be locked out of signal if you make a mistake. Not like the average signal user is watching the whisper systems blog.
> Not like it's going to be hard to brute force a user's PIN.
I guess it depends on if you buy into SGX. Lots of people don't.
> Still stupid
Yeah, this isn't making anyone happy it seems. Still, they are a small organization and having configuration increases maintenance burden. As long as Signal keeps operating as non-commercial product, I will keep cutting them slack.
> Still stupid, shouldn't they ask if I want that functionality?
It's kind of a difficult thing to ask. "Do you want this app to work like every other app in the world in the ways you've come to expect?" If people were to simply reinstall Signal and find that all of their contacts were gone, all of their groups were gone, all of their block lists were gone, etc... they'd almost certainly be surprised. It's not a behavior anyone expects.
Every other consumer messaging app in the world solves this by storing all of that information in plaintext on their servers. We're trying to do something privacy preserving instead, and have done a fair amount of engineering work to try to make it as frictionless as we possibly can.
If you have ideas for how we can achieve the same ends with less friction, we're definitely interested in the feedback.
> Not like it's going to be hard to brute force a user's PIN.
Check out this blog post for more information about the technology:
>It's kind of a difficult thing to ask. "Do you want this app to work like every other app in the world in the ways you've come to expect?" If people were to simply reinstall Signal and find that all of their contacts were gone, all of their groups were gone, all of their block lists were gone, etc... they'd almost certainly be surprised. It's not a behavior anyone expects.
I see a lame excuse.
Lets be real: Groups have never worked very well in Signal, so people use alternatives. It's been my experience that at some point it screws up and everyone has to delete the group and we start over again.
Contacts are stored by Apple, Google, Microsoft, and/or their work email provider for a large majority of the population. Only the minority using burners might care and they are likely already used to setting up lists every time they burn a device.
Put a checkbox in the app for: 'Store my blocklist and profile info in Apple/Google's backup system. This will share info with them'. Some users will want that, others won't. Quite a few people would like to have Signal's message backups included in an offline iOS backup, their complaints have fallen on deaf ears. Stop pontificating and give the option. It was a bigger compromise on your end creating a Signal Desktop app than it was to provide an option to include message exports in an encrypted backup.
Say what you will about Telegram, they made a much more reasonable compromise with their 'secure messaging'. This feature is not in their desktop apps as the attack surface of a desktop/laptop is too large. Secure chats instead focus on ephemerality and are torn down after completion. It's a more realistic threat model.
>Check out this blog post for more information about the technology:
> "It's kind of a difficult thing to ask. "Do you want this app to work like every other app in the world in the ways you've come to expect?" If people were to simply reinstall Signal and find that all of their contacts were gone, all of their groups were gone, all of their block lists were gone, etc... they'd almost certainly be surprised. It's not a behavior anyone expects."
You could say:
"Hi there! Do you want to keep a backup of your conversation metadata locally, or via the cloud? The latter requires you to be badgered for a pin every day and lose all your data, even the information that the pin doesn't protect, if you lose it. The former allows you to backup to a file you can save on your computer, and store a password in your password manager!"
I think calling it a PIN and asking for it so frequently is part of the problem. It certainly induces me to use a shorter one than I would otherwise like (since I keep having to enter it so often _right_ at the time I am trying to use the app).
Asking for it once at the time of a new registration, install, or a restore/reinstall would be far more preferable to me. Treating it more like a "filevault" key or an "encryption phrase/password", would certainly encourage me to use a much longer key and just put it into a password manager (and/or write it down and put it somewhere physically safe).
Can the pin be 1111? I use a similar pin for the app Threema. Better than nothing I guess and easy to remember. (Also, after restarting the device I have to enter a complicated password.)
Edit: Now I see. Signal wants to save data in the cloud. My Threema PIN is just for my device.
>I guarantee you, the vast majority of Signal users are only using it because they have some weird privacy-obsessed friend (i.e. us) that has roped them into using it. They don't care enough about Signal to memorize a PIN and get constantly tested on whether they remember it. They want it to just work.
Right now if you re-install Signal on your device, you lose all your messages. That's already a very bad user experience, but imagine how much worse it would be if you lost your entire address book in that moment as well.
Right now that's not a problem because your social graph is in the address book on your phone, and isn't managed by Signal. This is one of the primary reasons that Signal uses phone numbers for addressing: it leverages an existing user-owned and user-managed social graph. However, what we've repeatedly heard from users is that they don't want addressing to be based exclusively on phone numbers for a variety of reasons.
If we're not using that social graph, then where does the Signal-specific social graph live? For every other app in the world, the answer is that it lives in a server-side plaintext database. Snapchat, WhatsApp, Telegram, Matrix, Wire, FB Messenger, Skype, etc etc... they're all just storing your entire social graph in a plaintext database (along with a bunch of other stuff, like your groups, profiles, etc).
Given the way that technology has developed (devices are fundamentally designed for a world of clients and servers), it's probably not possible for us to build something that makes no use of servers. Instead, we've focused on building something that doesn't store or transmit any sever-side plaintext.
For instance, when you set your Signal profile name and avatar, that lives "in the cloud" so that other Signal users can retrieve and display it. But it's encrypted (https://signal.org/blog/signal-profiles-beta/), so only your contacts can see it (not us).
With Signal Private Groups (https://signal.org/blog/signal-private-group-system/), again we have to store data "in the cloud," so that there's a canonical data source for group management, but again all of the contents are encrypted so that only group members can see it (not us).
In this case, we're using Secure Value Recovery to ensure that a future addressing scheme that's not based on phone numbers is available across app reinstalls, phone switches, phone loss, etc. We could have just done what every other consumer messaging app in the world has done (store it in plaintext on the server), but we built this instead. It is the most user-friendly option that we could conceive of while still being privacy preserving, and took a lot of engineering work.
We're going to keep looking at all the feedback we've gotten, though, to try to make it the best experience we can.
The point is not to force this idiocy on people. Losing my messages and contacts when setting up a new device is actually a great feature. I regularly delete them and signal even has a feature to do so automatically. And forcing people to create a pin in the ui is just lousy ux. Until I read this article, I had no idea what that meant and just wanted it to go away. Now I want it to go away even more.
Edit: it's especially stupid if you can't use a pw manager with it. I haven't tried it because I don't want to set one. Once I'm forced, I'm going to ditch signal. Fuck that.
I have two comments, one about the signal pin implementation as it exists now, and one possible Avenue forward to obviate the need for signal pins under certain circumstances.
for signal pins today, there should be an option to not be reminded of it because the user has a password manager. The option to not remind could be buried in the settings with a big scary warning that says if you do not get reminded again you will lose everything.
Signal pens can be bypassed entirely in the cases where users have multiple devices such as a linked phone or desktop.
One device sets a strong alphanumeric pin and sends it to the server. Users can share an ID unique to each signal installation on each of their devices. Each individual device has the ID for every other individual device. For each device that does not know the signal pin, it can request it from a device that does have the signal pin and or the device that made it. If a signal installation has the pin and gets a request for the pain from another device ID that it knows about, it provides it.
This device ID exchange behavior is used in syncthing to support e2ee peer-to-peer file sync, and could be used for syncing metadata in the situation where one device has its installation lost or reinstalled and needs to be repulled from the central servers.
An existing device(s) is told the Id of a new device and the new device is told about the existing device(s). None will communicate with the other without already having the user enter the device ID.
Once the two installations have handshaked, the existing device tells the new device what the seignal pin is and it can download it from the signal server.
For users who do not wish for cloud storage could have their device treat another device as the canonical source for the data post handshake and the data could be synced over lan or using stun/turn.
> Right now if you re-install Signal on your device, you lose all your messages. That's already a very bad user experience, but imagine how much worse it would be if you lost your entire address book in that moment as well.
How about letting people back this up? There's no way to do this on iOS or in the desktop app. You're solving a problem of your own making with a solution your core audience of privacy conscious users does not want.
I'm not sure why you're being downvoted? Backups are an essential feature of chat apps, and it seems pretty sane that a lot of Signal users don't want any information stored in the cloud, full stop.
> Right now if you re-install Signal on your device, you lose all your messages. That's already a very bad user experience, but imagine how much worse it would be if you lost your entire address book in that moment as well.
Why not just allow users to load their data into the cloud with a pin or password? My friends that use Signal because I pressure them into it (remember, that's why a lot of people use Signal) just want a one click upload/download. Generally these are also iPhone users, which currently doesn't allow this. Why not just give a one-click option to sync into drive or iCloud? Make it optional too (for the privacy folk who are generating your userbase). Doesn't this solve the whole problem?
If Signal PINs came with a feature that made it possible for me to not have my identity tied to a phone number I'd have understood (and accepted?) this release and rollout better.
There must be at least 99% of the users that have phone number contacts only, because dealing with usernames is a hassle to begin with. And why not store username-only contacts in the phones normal address book to begin with?
Why force this "feature" on everyone? There is ZERO reason for Signal to do this.
I might as well use WhatsApp if you're going to start doing this shit, but I guess that's the point.
> Right now if you re-install Signal on your device, you lose all your messages.
Right now, if I re-install Signal on a new device, it will (hopefully) prompt me for a Signal-generated passphrase that I've stored very securely, and then allow me to restore everything, messages and address book, from a backup that I've diligently made and stored under an additional layer of encryption together with the rest of my data.
Will that facility remain available? Will the backup remain encrypted with the strong passphrase, or will any app with access to external storage be able to exfiltrate something that the Signal Foundation would be able to decrypt under the assumption that SGX is broken?
While I've so far been impressed with Signals' choices (prioritizing security but staying usable), I'm extremely disappointed with the new reliance on SGX, and forcing me into this scheme would likely get me to ditch Signal.
In particular, if I get a dialog forcing me to set a PIN, I'm out (at that point, Signal will be broken for me anyways - I'm using it to talk to very non-technical users that react to UX changes with a blank stare; they won't be able to use the app if a mandatory modal popup shows up, and flying over to teach them how to deal with it isn't exactly an option right now.)
I use Signal so I don't have to trust opaque stuff happening at a third party. From my understanding, Secure Value Recovery relies heavily on SGX, and becomes mostly equivalent to plain text (brute-forcing a short PIN) if you don't trust SGX.
I can see why the ability to store a social graph and other metadata on Signal's servers would be a useful feature for users who don't want to tie their Signal data to their phone number and/or a plaintext social graph, and it would make sense to give users the opportunity to opt into that functionality. But for those of us whose social graph is our phone's contact list, having it forced upon us is a significant step backwards in terms of UX while adding essentially no value.
One of the things that made me optimistic about broad adoption for Signal prior to this change is that it was basically zero-friction for Android users to use Signal over the stock messaging app, aside from the few seconds it takes to download Signal and enter your phone number. But bugging the user for a PIN all the time is a significant reason to stick to the stock messaging app (or any other one, for that matter) and makes it a lot harder for me to recommend Signal in good faith to friends and family who don't care about privacy.
I think you are overreacting. Other, more popular messaging apps, also have prompts and yet they are used by hundreds of million of people.
In my opinion as power users we forget what regular users want and need, and are not willing to give up a little of what we like. But think of the benefits (phoneless sign ups and much much better private groups, to begin with) and tell me they don't outweigh the cons (a PIN prompt once every 2 weeks, in the marginal case).
moxie, I want to thank you and the entire team at Signal for all that you're doing to further e2e crypto and making mass surveillance more difficult for nefarious actors around the world. You're making everyone's communications safer.
Currently signal is asking for a pin periodically to allow migration to a new device every few years when a user gets a new phone.
Instead of typing in a pin few days/weeks for years, why not just have an export feature that users can select. Have users fill out an encryption key, then 1 minute later when they grab their new phone they can type it in again.
Ideally this would work from the desktop client, a tablet client, and phone clients. So if my device dies, is stolen, or sold I can restore my history from any other signal client I run.
Or maybe use the IOS approach which allows users to cloud sync to keep history (if they want), or to turn it off, which is less convenient, but more secure.
Either approach would save 10s or 100s of pin entries, and still provide a good user experience when switching phones.
> For every other app in the world, the answer is that it lives in a server-side plaintext database. Snapchat, WhatsApp, Telegram, Matrix, Wire, FB Messenger, Skype, etc etc... they're all just storing your entire social graph in a plaintext database
This is true for today's Matrix network, but we do have peer-to-peer Matrix working now too (as previewed at https://fosdem.org/2020/schedule/event/dip_p2p_matrix/) which stores the metadata purely on the clients.
There are no servers, other than rendezvous points to seed the network. (It's still vulnerable to traffic pattern analysis, but we're working on that - and Signal suffers this even more).
It's also worth noting that because Matrix doesn't tie identity to phone numbers (or anything else), the 'social graph' which is built up is of limited use if it's built up of anonymous personae.
It’s frustrating that we can’t still use a local address book for this. vCard is an extensible format, so a contact vCard could very well contain a Signal-specific identifier. I don’t know if the various mobile contact APIs support this though; I suspect not.
My partner uninstalled Signal when it failed to work from within the UAE and could not contact me. If she wouldn't have done it then, she would now with this PIN nonsense. At least we can text via Wire.
> Currently, that also happens to mean that if your hands accidentally lose your phone to the toilet, your information in Signal is lost along with it.
If I understand the settings correctly (just opened Signal on my phone to explore this), you can require the PIN for re-registering (like after losing a device) and set up a 7-day lockout for failed PIN entries (not sure the number of permitted failures before lockout). This would greatly reduce the speed of brute force, though could also be used for a nice denial of service.
This was bound to happen. Signal is a non-federated messenger controlled by a single organization hostile to alternative clients. It isn't much better than WhatsApp/Facebook.
If I set up a PIN and decide I no longer want one (or what it entails) - how do I undo that decision? Or is it strictly opt-in without a way to opt-out after the fact?
The way the Signal PIN feature implementation has been handled by the Signal team is extremely disappointing.
The blog post completely fails to explain why this feature is mandatory, and why users are now locked out of being able to view their messages until they setup a PIN. The Signal app has now essentially taken all messages hostage, and users are unable to access messages until they create a PIN.
I am a huge proponent of Signal, but this is unacceptable behavior.
Completely agree. My wife showed me her phone the other day and asked "what's this PIN nonsense in signal", which I hadn't seen yet. The messaging, UI and overall UX missed the mark. What happened, Signal??
I've been using Signal PINs for a long time to lock the app to my SIM card and unfortunately they are a real pain. This sounds exactly the same.
First off the app is incessant about asking you to enter your PIN to prove you know it; this prompt is supposed to get less frequent and I suppose it does but is still way too frequent. Some of us are competent at storing secrets in a password manager and this is like a punishment for us because it can easily take several minutes to go retrieve the strong password, copy it, paste it in.
It actually reduced the security for me; I started out with maybe a 16 or 20 digit PIN and cut it to a smaller number of digits that I could memorize. (I still haven't memorized them!)
There were also issues with Signal's implementation of the feature. I chose quite a long PIN (>20 digits) at first for security only to find out later from them that it was above the silently imposed limit. Later when I went to verify the PIN it would not work because whatever silent truncation was done when establishing the PIN was not re-performed on verification so it did not recognize the PIN.
I've found that tapping next to the registration lock PIN prompt will dismiss it on Android. A "dismiss" button and a "don't ask me again, I won't lose this" checkmark would make much more sense to me.
This option should be labelled according to the reality rather than people's wishful thinking
"Don't ask me again, when I lose this I am OK with losing the account and messages"
There's probably a pithier way to express that we could get into the common lexicon as I foresee it being useful in many places. Maybe we can just label it "Yolo!" ?
I mean, for a start the messages are stored locally, it doesn't protect the messages server-side, because they are never stored on the server. All the pin does is keep the server-side data, i.e. your address book and conversation information, safe.
Secondly, outside of encryption, it should not be Signal's job to enforce whether a logged-in user of a phone can see that user's content. It is the operating system's job to enforce user-level security, and users of Signal are unlikely to keep their phones without a pin, fingerprint, or other level of authentication.
The fact that you cannot turn off the option to lose all your messages when you lose a pin that you have been forced to set is horrific for those of us that rely on conversation history as a memory aid, and is precisely the reason why I have refused to set a pin.
And if you take into account the "lending phones to kids" scenario it gets worse because that just means that when your 4yro kid gets your phone they can irrecoverably delete all your messages, simply by playing around with it.
I like the security-mindedness of Signal, but some of their choices baffle me. They go through all this trouble to create an encrypted cloud storage, which many people in the target audience of Signal do not want, while not even giving iOS users the simple option of creating an offline backup of their messages (in fact, they actively disable this option). This issue has been open for more than four years [1] and even has a $1000 bounty [2].
Don't understand the negative comments here and on their subreddit... Secure Value Recovery and the associated PIN seems like an advance in the state of the art -- nobody else seems to do this. All users have to do is remember a few numbers.
I find it surprising that many users got so upset by the software asking them to set a password that they removed the app... seems a bit extreme. I guess if it was part of a "sign-up" flow, people would have been primed for it... But even then, it takes like just a minute to do it? /shrug
Plenty of apps add annoyances and nags for new features that uses don't necessarily care about. They correspondingly lose users and gain ire for doing so.
That the motivation and end feature is good is beside the point - they have simply gone about this in a very abrasive way and seem to think they 'know better'.
I have a pin for my sim-card, a pin for the phone encryption, pins for each of my 4 credit cards, a pin for the office door, a pin for my work phone, a pin for the computer smart-card login..
Meanwhile on Telegram everything just works more or less as is has always done.
If I click on settings I get a "menu" called "Passcode & Face ID". There's a button saying "Turn Passcode On", and a help text saying: "Note: if you forget the passcode, you'll need to delete and reinstall the app. All secret chats will be lost."
While I personally have big questions around the encryption in Telegram I think Telegram takes a much more effective approach towards making it available: by default it is just a very good messaging application that is a good replacement for Facebook Messenger and WhatsApp and almost everything else except Signal.
On top of that it provides secret chats which are end to end encrypted (and can also be set to automatically disappear), and an option for deleting all my data if I don't log in within 1, 3, 6 or 12 months.
Except that I don't trust Telegram because they seem to ship a marketing-first, cryptography-later sort of product. IIRC initially their "E2E encryption" could be decrypted on the server. In contrast, Signal seems to put strong encryption first.
Facts are that whatever e2e encryption telegram allegedly offers needs to be invoked per-conversation as a 'secret chat' and is not availabe on dekstops, normal conversations are ¯\_(ツ)_/¯ -encrypted
It has different problems than skype, fb messenger and WhatsApp.
For starters it doesn't give my raw metadata including who I talk to, when and so on to Zuckerberg, or unencrypted chat logs of both sides of a chat to servers in USA.
So far - unless I've missed something big - there's nothing to suggest they aren't trying to stick to their plan to keep keys and encrypted data on different servers in different jurisdictions..?
And the Durov brothers weren't running a massive ad and tracking network last I checked.
Why is signal so eager to make changes. It has been pestering me to create profile names,I don't want that so I ignore it. That's just a small drop in the bucket but why fix it isn't broken? Why not make things optional.
This b.s. is starting to remind me of the systemd crap lin Linux. I am at a point where I prefere paid open source apps and services (with a free tier) so the devs have incentive to listen to users.
It worked well a year ago,now they are ruinig it. I constantly have problems with Signal where it takes hours at times to deliver the message and this translates to real world problems and misunderstandings with people for me. Just fix the bugs,make new features optional and opt-in unless you absolutley have no choice.
I use both Signal and WhatsApp. Honestly, only use the former to communicate with my friends who insist on using Signal. Found this PIN nonsense annoying but who really cares. Ultimately, I have to contact these friends so I'll jump through their hoops till the hoops make my friends leave.
198 comments
[ 7.1 ms ] story [ 4508 ms ] thread> PINs will also help facilitate new features like addressing that isn’t based exclusively on phone numbers
The main issue I see is with the intrusiveness of how Signal PINs are handled by the UI, this will only work to alienate users or encourage writing simple PINs that make them weak to use! It would've been much better had it been treated as a fully opt in feature and PINs treated more as passwords, without the constant bombardment of reminders to input it.
This can be placed behind a "sync" option for example and enabling it opens a dialogue explaining the need for password, from there it's up to the user to enable sync and in doing so they have to set a password like normal services.
That's just my 2 cents ¯\_(ツ)_/¯
This is awesome. So important for people at risk like the human rights defenders, journalists, legal, LGBTIQ people we work with. Great to see Signal looking at this.
And my copy started preventing me from using it entirely yesterday with a full-screen un-dismissable popup[1] :(
[1]: https://i.redd.it/4sip5dcw9iy41.png [2]
[2]: https://www.reddit.com/r/signal/comments/giw4if/the_signal_p...
This is going to be the reality of any data system which you want to have complete control over. I suppose it could also be a complex key you instead keep on your drive, but that has risks as well.
Normally I use 128-bit passwords (i.e., 22 mixed-case letters and digits) for any remote system. That's not really practical for something which prompts me to enter the PIN periodically (and I think Signal limits the PIN to 20 characters anyway).
I do not see any net benefit to storing my contact information on Signal's servers. If I want to rebuild my contact list, I can … ask my contacts for their Signal accounts.
https://support.signal.org/hc/en-us/articles/360007059792-Si...
"Can I turn off these reminders?
Why call it a PIN and not a password to begin with? Is there a difference I'm missing?
If it’s not user friendly, the user will defer to convenience over security. Signal PINs do support alphanumeric strings FYI.
If you have a password manager, use a string. If not, a PIN works just fine.
The whole PIN thing has changed quite a bit in the past 6 months or so.
https://signal.org/blog/secure-value-recovery/
No, only supporting data: "Your profile, settings, and contacts will restore when you reinstall Signal."
For example a Yubico Security Key can use a PIN. So I could use that as second factor for my Facebook. No matter how lazy, incompetent or even malevolent Facebook is, they never see that PIN, they just get a bitflag in which the Security Key promises it confirmed my identity before authenticating. If they insisted and I allowed them to, they could verify it's a real Yubico brand product (in reality Facebook don't do that) and maybe trust the bitflag on that basis, but even then they aren't learning what PIN I set, how long it is, anything useful.
You probably don't want to store such PINs in a Password Manager, although it's unlikely to be a big security problem to do so, they are intended to be human memorable unlike a "good" modern password.
I just wish there was an option to ask less frequently.
> I just wish there was an option to ask less frequently.
It asks you when you open Signal until you lock it again, no? (At least on Android.)
I agree that an advanced option to disable PIN reminder prompts would be nice, but I understand and respect the Signal team for focusing on more important things. I can live with a 5 second prompt every 2 weeks.
Signal's challenge is to build features that other apps already have but in a way that respects their users' privacy. They make their share of mistakes but I'm deeply grateful for what they do and try not to lose sight of the important stuff.
Sure, that doesn't mean there is/was no better way to make this change. To provide more options for users, etc.
I'm simply saying that the PIN prompt worked for me over the last months (I successfully memorized it), and now with the new UI it prompted me to fill it with Keepass for Android. (And that's how I found the old PIN in Keepass.)
According to this, the prompts should settle down to once every 14 days:
https://support.signal.org/hc/en-us/articles/360007059792-Si...
I'm never going to forget my mobile number, I don't need to keep calling myself to remember it.
This has given me a good idea for a study: find people who have changed phone numbers and see how many of those people can remember them. Then plot the data by the last time they used that number.
How did they not learn from this when they tried it with the activation lock.
If it's supposed to be an easier alternative to a passphrase, then okay, but stop showing me the freaking notification to setup a PIN...
I remember the PIN and it's also stored in BitWarden and KeePass. Now I am locked out.
> As we move to support additional features the Signal community has asked for – like addressing that isn’t based on phone numbers and chatting with contacts that aren’t saved in an address book – it means that more and more of this important supporting data can also be lost.
I think one of the issues with software is that because it’s infinitely extensible, people just add more and more features, they don’t know when to stop. So they keep pushing features that satisfy 10% of their users to the detriment of the 90%. Slowly the app becomes bloated and extremely confusing to use.
If they still want to use a pen then there should be an option if it is an alphanumeric string to check a box that says this is managed by a password manager don't remind me for at least 6 months.
The experts can maybe fork Signal, or use Matrix. Then there is always PGP/GPG.
https://github.com/signalapp/Signal-Server
Signal should not stay as the simplest possible iteration of an encrypted chat application. If we want more people to use privacy-concious applications, those applications need to evolve.
However, this is not what they are announcing. Signal does not store any message content in the cloud. It's only your address book as well as the list of blocked accounts. So that you don't completely start from scratch when you lose your phone. This makes total sense.
If you assume that SGX is insecure and Signal can just brute force the PINs (definitely a legitimate view!), then address book equivalent data is already available to Signal in the form of who-talks-to-whom metadata. The only difference is that the metadata needs to be collected over a time span while address books only require short time compromises of the architecture. But this is a minor regression in security, for a large gain in usability.
I definitely look forward to the ability to move Signal forward to a new device without losing all logs, and the ability to use Signal without tying it to a phone number.
The enclave is hardened against Spectre and LVI with this (BOLT/LLVM based), and other techniques: https://github.com/signalapp/BOLT
The last build step before signing is a verifier that checks that there are no missed mitigations, built using Intel Xed, to try to avoid potential missing mitigations due to an LLVM or BOLT bug.
To do this securely made the whole thing quite difficult, because it means we can never persist anything outside the enclave, or an attacker could unpersist into 1000 unmodified enclaves (who would never know about each other) and get 1000*N guesses.
Each partition of the keyspace lives on a 5 node cluster, running RAFT inside the enclaves to ensure the pin guess count is consistent.
If a node fails, or is failing, or we need to do maintenance, we transfer the partition from the old nodes to new ones, which transfers the serviceid as well. If you start a new enclave from scratch, it'll generate a new serviceid, and clients won't talk to it, and existing partitions will refuse to transfer to it since it already has a serviceid. In fact, it won't even be listening for incoming transfers, since it thinks it owns the entire keyspace.
We can also do a partial partition transfer that leaves the source cluster live, which we use to split up the keyspace more when we need to scale up.
There is no persistence (wouldn't be secure, attackers could do many parallel enclave resumes to get extra guesses), so the 5 nodes in the cluster live in geographically separated data centers, and we're real careful about things that could kill a node or process.
Looking at the code quickly I see that nothing is documented and it's not clear what code gets executed there. So good luck understanding what they're doing. But it seems to be using Raft, probably to bring several HSMs to consensus on what's the state of the number of attempts. And it does seem to erase stuff if you reach some threshold of attempts: https://github.com/signalapp/SecureValueRecovery/blob/00d023...
My follow up question is: what prevents someone from destroying your account's backup key by entering wrong PINs for your account?
You need a random id not the phone number, so other users can't do guesses unless they get that random id somehow. The ID is stored on the phone, and if you lose it, when you reinstall Signal, the signal server will give it to you after SMS phone # verification.
A sim-jacker could nuke your key, but that seems like a lot of work for griefing. Signal of course, has the plaintext random id, so they could nuke your backup, but there are tons of ways Signal can DoS attack their own service. Stopping paying for the servers, for one.
I don't understand why it isn't just optional. They claim they want to protect my Signal data stored in the cloud. I don't want my data stored in the cloud. I want them to store nothing. I don't care about their Intel SGX whatever because I don't want to have to trust their servers in the first place.
Cloud storage is a complete non-starter for me. I started my company to get away from cloud storage [2]. The fact that they are forcing this on their users is making me seriously consider dumping Signal. I just don't know if there are any sane alternatives.
[1]: https://github.com/signalapp/Signal-Android/issues/9632
[2]: https://homefort.app/
Yeah: particularly given how Intel SGX gets broken every year :/... prime+probe, foreshadow, load value injection, plundervolt... Moxie's fetish for Intel SGX is extremely concerning.
Which, imo, is a pretty reasonable decision.
I haven't built that stuff yet though so the current version requires that your home computer has a public IP address and that you open a port in your router. Obviously it's only usable by technical people right now, but I do eventually want this to be something my mom can install and use on her own.
>Because Signal doesn’t have access to your keys – or your data – your PIN isn’t recoverable if you forget it, so our apps help you remember your PIN with periodic reminders. Don’t worry, these reminders get less frequent over time.
Having read that, I doubt I'll get too irritated at the reminders and eventually they'll go away. You have a point that anyone who hasn't read the update blog will have no similar hope and might use something easy. I guess I'd hope the Signal user base is more security conscious than that. For instance, I know my PIN is going to be alphanumeric and immediately stored my password database.
There is a large segment of people who don't like complicated passwords and will not use a password manager, so the PIN scheme w/ advanced options and password manager integration is the way to thread that needle.
They want to add signal identifiers that aren't phone numbers. If such identifiers are to communicate with you, you need to store what's necessary.
I don't blame signal for forcing strong PINs, I don't know what's their purpose, but non phone number identifiers don't require cloud storage. The contact list (with the associated public keys) does.
What? How? You just need a key (password). If you are able to log into that "identified" then you are online with that and others can message you on that, and the network will route messages to your client.
There's nothing to store up to this point.
And if people want backups they can optionally enable that. Or the network could support multiple clients signed in for the same "identified" and allow those authenticated and authorized clients to sync/backup among themselves.
Imagine needing to configure and remember a PIN on the spot when you need to urgently read your messages.
Their handling of PINs seems quite contrary to their goal of pretty good security for the largest possible number of people.
It's VERY frustrating to have your device asking for pins every time you use it. I'm trying to protect from attackers on the internet, not someone who is going to assault me. After all if they assault me for my phone they can assault me for my pin. Single devs need to read https://xkcd.com/538/
They should explain what the pins is BEFORE they ask. What it looks like is you are going to be locked out of signal if you make a mistake. Not like the average signal user is watching the whisper systems blog.
I guess it depends on if you buy into SGX. Lots of people don't.
> Still stupid
Yeah, this isn't making anyone happy it seems. Still, they are a small organization and having configuration increases maintenance burden. As long as Signal keeps operating as non-commercial product, I will keep cutting them slack.
It's kind of a difficult thing to ask. "Do you want this app to work like every other app in the world in the ways you've come to expect?" If people were to simply reinstall Signal and find that all of their contacts were gone, all of their groups were gone, all of their block lists were gone, etc... they'd almost certainly be surprised. It's not a behavior anyone expects.
Every other consumer messaging app in the world solves this by storing all of that information in plaintext on their servers. We're trying to do something privacy preserving instead, and have done a fair amount of engineering work to try to make it as frictionless as we possibly can.
If you have ideas for how we can achieve the same ends with less friction, we're definitely interested in the feedback.
> Not like it's going to be hard to brute force a user's PIN.
Check out this blog post for more information about the technology:
https://signal.org/blog/secure-value-recovery/
I see a lame excuse.
Lets be real: Groups have never worked very well in Signal, so people use alternatives. It's been my experience that at some point it screws up and everyone has to delete the group and we start over again.
Contacts are stored by Apple, Google, Microsoft, and/or their work email provider for a large majority of the population. Only the minority using burners might care and they are likely already used to setting up lists every time they burn a device.
Put a checkbox in the app for: 'Store my blocklist and profile info in Apple/Google's backup system. This will share info with them'. Some users will want that, others won't. Quite a few people would like to have Signal's message backups included in an offline iOS backup, their complaints have fallen on deaf ears. Stop pontificating and give the option. It was a bigger compromise on your end creating a Signal Desktop app than it was to provide an option to include message exports in an encrypted backup.
Say what you will about Telegram, they made a much more reasonable compromise with their 'secure messaging'. This feature is not in their desktop apps as the attack surface of a desktop/laptop is too large. Secure chats instead focus on ephemerality and are torn down after completion. It's a more realistic threat model.
>Check out this blog post for more information about the technology:
Ah yes, the complex technology that relies on the insecure broken thing from Intel: https://arstechnica.com/information-technology/2020/03/hacke...
You could say:
"Hi there! Do you want to keep a backup of your conversation metadata locally, or via the cloud? The latter requires you to be badgered for a pin every day and lose all your data, even the information that the pin doesn't protect, if you lose it. The former allows you to backup to a file you can save on your computer, and store a password in your password manager!"
Asking for it once at the time of a new registration, install, or a restore/reinstall would be far more preferable to me. Treating it more like a "filevault" key or an "encryption phrase/password", would certainly encourage me to use a much longer key and just put it into a password manager (and/or write it down and put it somewhere physically safe).
Edit: Now I see. Signal wants to save data in the cloud. My Threema PIN is just for my device.
This cannot be stressed enough
they probably got served with a secret order from the gov.
Right now that's not a problem because your social graph is in the address book on your phone, and isn't managed by Signal. This is one of the primary reasons that Signal uses phone numbers for addressing: it leverages an existing user-owned and user-managed social graph. However, what we've repeatedly heard from users is that they don't want addressing to be based exclusively on phone numbers for a variety of reasons.
If we're not using that social graph, then where does the Signal-specific social graph live? For every other app in the world, the answer is that it lives in a server-side plaintext database. Snapchat, WhatsApp, Telegram, Matrix, Wire, FB Messenger, Skype, etc etc... they're all just storing your entire social graph in a plaintext database (along with a bunch of other stuff, like your groups, profiles, etc).
Given the way that technology has developed (devices are fundamentally designed for a world of clients and servers), it's probably not possible for us to build something that makes no use of servers. Instead, we've focused on building something that doesn't store or transmit any sever-side plaintext.
For instance, when you set your Signal profile name and avatar, that lives "in the cloud" so that other Signal users can retrieve and display it. But it's encrypted (https://signal.org/blog/signal-profiles-beta/), so only your contacts can see it (not us).
With Signal Private Groups (https://signal.org/blog/signal-private-group-system/), again we have to store data "in the cloud," so that there's a canonical data source for group management, but again all of the contents are encrypted so that only group members can see it (not us).
In this case, we're using Secure Value Recovery to ensure that a future addressing scheme that's not based on phone numbers is available across app reinstalls, phone switches, phone loss, etc. We could have just done what every other consumer messaging app in the world has done (store it in plaintext on the server), but we built this instead. It is the most user-friendly option that we could conceive of while still being privacy preserving, and took a lot of engineering work.
We're going to keep looking at all the feedback we've gotten, though, to try to make it the best experience we can.
Edit: it's especially stupid if you can't use a pw manager with it. I haven't tried it because I don't want to set one. Once I'm forced, I'm going to ditch signal. Fuck that.
for signal pins today, there should be an option to not be reminded of it because the user has a password manager. The option to not remind could be buried in the settings with a big scary warning that says if you do not get reminded again you will lose everything.
Signal pens can be bypassed entirely in the cases where users have multiple devices such as a linked phone or desktop.
One device sets a strong alphanumeric pin and sends it to the server. Users can share an ID unique to each signal installation on each of their devices. Each individual device has the ID for every other individual device. For each device that does not know the signal pin, it can request it from a device that does have the signal pin and or the device that made it. If a signal installation has the pin and gets a request for the pain from another device ID that it knows about, it provides it.
This device ID exchange behavior is used in syncthing to support e2ee peer-to-peer file sync, and could be used for syncing metadata in the situation where one device has its installation lost or reinstalled and needs to be repulled from the central servers.
An existing device(s) is told the Id of a new device and the new device is told about the existing device(s). None will communicate with the other without already having the user enter the device ID.
Once the two installations have handshaked, the existing device tells the new device what the seignal pin is and it can download it from the signal server.
For users who do not wish for cloud storage could have their device treat another device as the canonical source for the data post handshake and the data could be synced over lan or using stun/turn.
How about letting people back this up? There's no way to do this on iOS or in the desktop app. You're solving a problem of your own making with a solution your core audience of privacy conscious users does not want.
Why not just allow users to load their data into the cloud with a pin or password? My friends that use Signal because I pressure them into it (remember, that's why a lot of people use Signal) just want a one click upload/download. Generally these are also iPhone users, which currently doesn't allow this. Why not just give a one-click option to sync into drive or iCloud? Make it optional too (for the privacy folk who are generating your userbase). Doesn't this solve the whole problem?
Why force this "feature" on everyone? There is ZERO reason for Signal to do this. I might as well use WhatsApp if you're going to start doing this shit, but I guess that's the point.
Right now, if I re-install Signal on a new device, it will (hopefully) prompt me for a Signal-generated passphrase that I've stored very securely, and then allow me to restore everything, messages and address book, from a backup that I've diligently made and stored under an additional layer of encryption together with the rest of my data.
Will that facility remain available? Will the backup remain encrypted with the strong passphrase, or will any app with access to external storage be able to exfiltrate something that the Signal Foundation would be able to decrypt under the assumption that SGX is broken?
While I've so far been impressed with Signals' choices (prioritizing security but staying usable), I'm extremely disappointed with the new reliance on SGX, and forcing me into this scheme would likely get me to ditch Signal.
In particular, if I get a dialog forcing me to set a PIN, I'm out (at that point, Signal will be broken for me anyways - I'm using it to talk to very non-technical users that react to UX changes with a blank stare; they won't be able to use the app if a mandatory modal popup shows up, and flying over to teach them how to deal with it isn't exactly an option right now.)
I use Signal so I don't have to trust opaque stuff happening at a third party. From my understanding, Secure Value Recovery relies heavily on SGX, and becomes mostly equivalent to plain text (brute-forcing a short PIN) if you don't trust SGX.
One of the things that made me optimistic about broad adoption for Signal prior to this change is that it was basically zero-friction for Android users to use Signal over the stock messaging app, aside from the few seconds it takes to download Signal and enter your phone number. But bugging the user for a PIN all the time is a significant reason to stick to the stock messaging app (or any other one, for that matter) and makes it a lot harder for me to recommend Signal in good faith to friends and family who don't care about privacy.
In my opinion as power users we forget what regular users want and need, and are not willing to give up a little of what we like. But think of the benefits (phoneless sign ups and much much better private groups, to begin with) and tell me they don't outweigh the cons (a PIN prompt once every 2 weeks, in the marginal case).
Instead of typing in a pin few days/weeks for years, why not just have an export feature that users can select. Have users fill out an encryption key, then 1 minute later when they grab their new phone they can type it in again.
Ideally this would work from the desktop client, a tablet client, and phone clients. So if my device dies, is stolen, or sold I can restore my history from any other signal client I run.
Or maybe use the IOS approach which allows users to cloud sync to keep history (if they want), or to turn it off, which is less convenient, but more secure.
Either approach would save 10s or 100s of pin entries, and still provide a good user experience when switching phones.
This is true for today's Matrix network, but we do have peer-to-peer Matrix working now too (as previewed at https://fosdem.org/2020/schedule/event/dip_p2p_matrix/) which stores the metadata purely on the clients. There are no servers, other than rendezvous points to seed the network. (It's still vulnerable to traffic pattern analysis, but we're working on that - and Signal suffers this even more).
It's also worth noting that because Matrix doesn't tie identity to phone numbers (or anything else), the 'social graph' which is built up is of limited use if it's built up of anonymous personae.
My partner uninstalled Signal when it failed to work from within the UAE and could not contact me. If she wouldn't have done it then, she would now with this PIN nonsense. At least we can text via Wire.
Duh. Because they explicitly disable backups.
Surely they'd have to do more work than iterate through a possibly as small as 4-digit key?
The blog post completely fails to explain why this feature is mandatory, and why users are now locked out of being able to view their messages until they setup a PIN. The Signal app has now essentially taken all messages hostage, and users are unable to access messages until they create a PIN.
I am a huge proponent of Signal, but this is unacceptable behavior.
First off the app is incessant about asking you to enter your PIN to prove you know it; this prompt is supposed to get less frequent and I suppose it does but is still way too frequent. Some of us are competent at storing secrets in a password manager and this is like a punishment for us because it can easily take several minutes to go retrieve the strong password, copy it, paste it in.
It actually reduced the security for me; I started out with maybe a 16 or 20 digit PIN and cut it to a smaller number of digits that I could memorize. (I still haven't memorized them!)
There were also issues with Signal's implementation of the feature. I chose quite a long PIN (>20 digits) at first for security only to find out later from them that it was above the silently imposed limit. Later when I went to verify the PIN it would not work because whatever silent truncation was done when establishing the PIN was not re-performed on verification so it did not recognize the PIN.
This option should be labelled according to the reality rather than people's wishful thinking
"Don't ask me again, when I lose this I am OK with losing the account and messages"
There's probably a pithier way to express that we could get into the common lexicon as I foresee it being useful in many places. Maybe we can just label it "Yolo!" ?
... that would encapsulate the basic reality that no one can actually remember all their ~500 secure passphrases.
Secondly, outside of encryption, it should not be Signal's job to enforce whether a logged-in user of a phone can see that user's content. It is the operating system's job to enforce user-level security, and users of Signal are unlikely to keep their phones without a pin, fingerprint, or other level of authentication.
The fact that you cannot turn off the option to lose all your messages when you lose a pin that you have been forced to set is horrific for those of us that rely on conversation history as a memory aid, and is precisely the reason why I have refused to set a pin.
And if you take into account the "lending phones to kids" scenario it gets worse because that just means that when your 4yro kid gets your phone they can irrecoverably delete all your messages, simply by playing around with it.
1: https://github.com/signalapp/Signal-iOS/issues/967
2: https://www.bountysource.com/issues/28598496-message-export-...
I find it surprising that many users got so upset by the software asking them to set a password that they removed the app... seems a bit extreme. I guess if it was part of a "sign-up" flow, people would have been primed for it... But even then, it takes like just a minute to do it? /shrug
Plenty of apps add annoyances and nags for new features that uses don't necessarily care about. They correspondingly lose users and gain ire for doing so.
That the motivation and end feature is good is beside the point - they have simply gone about this in a very abrasive way and seem to think they 'know better'.
I have a pin for my sim-card, a pin for the phone encryption, pins for each of my 4 credit cards, a pin for the office door, a pin for my work phone, a pin for the computer smart-card login..
I'm very fine with not having a pin for Signal.
Meanwhile on Telegram everything just works more or less as is has always done.
If I click on settings I get a "menu" called "Passcode & Face ID". There's a button saying "Turn Passcode On", and a help text saying: "Note: if you forget the passcode, you'll need to delete and reinstall the app. All secret chats will be lost."
While I personally have big questions around the encryption in Telegram I think Telegram takes a much more effective approach towards making it available: by default it is just a very good messaging application that is a good replacement for Facebook Messenger and WhatsApp and almost everything else except Signal.
On top of that it provides secret chats which are end to end encrypted (and can also be set to automatically disappear), and an option for deleting all my data if I don't log in within 1, 3, 6 or 12 months.
There's a lot of problems around Telegram from their marketing to their crypto implementation to their incentives.
But please stick to the facts.
For starters it doesn't give my raw metadata including who I talk to, when and so on to Zuckerberg, or unencrypted chat logs of both sides of a chat to servers in USA.
And the Durov brothers weren't running a massive ad and tracking network last I checked.
> There's a lot of problems around Telegram from their marketing to their crypto implementation to their incentives.
That said there are multiple ways around the monetization problem as long as you aren't trying to become a Silicon Valley unicorn:
- 1 USD pr user like WhatsApp
- Paid stickers and storage like MeWe
- Extra storage and extra features like Evernote
- Paid API access
- etc
This b.s. is starting to remind me of the systemd crap lin Linux. I am at a point where I prefere paid open source apps and services (with a free tier) so the devs have incentive to listen to users.
It worked well a year ago,now they are ruinig it. I constantly have problems with Signal where it takes hours at times to deliver the message and this translates to real world problems and misunderstandings with people for me. Just fix the bugs,make new features optional and opt-in unless you absolutley have no choice.