>You can further use tools like Wireshark to show that the data sent away from your device is encrypted
That's pretty pointless. Everything is encrypted nowadays, what you want to know is if it's encrypted well enough to not be easily decrypted by any actors.
But you know how the encryption works—the entire Signal protocol is public and described in minute detail (see https://www.signal.org/docs/). You can use Wireshark to make sure Signal isn't lying, i.e., to verify that the client adheres to the protocol. This is possible since you do have access to the keys.
afaik that's their next step- introduction of usernames. Or you can use Element/Matrix, that is based on signal encryption protocol but does not need phone nr
> afaik that's their next step- introduction of usernames
In the time that usernames not phone numbers have been their "next step" they have introduced; gifs, encrypted audio and video calls, a built in scam crypto payment scheme, snapchat stories clone and a cryptographic upgrade to defeat quantum computing.
Changing from phone number to username is apparently hard.
as they said - all their infra was relying on mobile phones, so maybe all other features are really easier to implement compared to rewriting all architecture and providing backwards compatibility
I went digging for information on this because somewhere in my mind this claim was installed as true, but your skepticism re-activated my skepticism.
It seems that the Matrix protocol offers optional end-to-end encryption on a room-by-room basis via Double Ratchet Algorithm that was introduced by the Signal Protocol [0]. This is the academic paper that Wikipedia cites for that claim [1].
So it uses a part of the Signal protocol. That is interesting, and I did not know that, but that does not mean it uses the Signal protocol in its entirety.
He was talking about the encryption of the Signal eptocol, which explicitly doesn't include stuff like message format.
The core idea of the signal protocol is the ratcheting algorithm, which provides the actual qualitative security benefits, this the only real important thing.
Also he was explicitly stating it is based on it, I feel like you are arguing just, because you were so sure yet so wrong in your previous comment
Because it was created to be a secure replacement for text messaging. I gather that in some parts of the world people don't use text messages so much anymore, so this may not seem obvious, but in the US, Signal was primarily adopted as a secure alternative to SMS. People who routinely texted each other's phone numbers could simply install Signal and continue doing exactly that, with the added benefit of encryption.
I guess the question was referring to how do we know it's e2ee and not simple server-client encryption? Ideally, it would be nice to be able to add additional custom encryption on any client, so that ppl that really need it will be extra protected
Your phone's client encrypts it to a public key of the receiver phone's client. The associated decrypting key never leaves that receiving phone (verified by looking at the source code). You know it's the correct public key if you check the "security code" thing (not that many people do that, but hopefully enough people do that any tricks would be caught)
> You can further use tools like Wireshark to show that the data sent away from your device is encrypted.
Data sent away from your device is encrypted on Facebook Messenger and Telegram too, but that doesn't mean anything if it's decrypted upon arrival at the server, or if the receiver backs everything up in plaintext.
25 comments
[ 5.1 ms ] story [ 73.4 ms ] threadhttps://hax0rbana.social/@adam/111236822600142276
https://news.ycombinator.com/item?id=37888531
Nitter,
https://nitter.net/signalapp/status/1713789255359619171
Would there be any way to independently verify a claim?
I am working on some E2EE as well while trying to answer the question with full transparency.
Download a binary and trust the moment it is typed the content is encrypted.
You can further use tools like Wireshark to show that the data sent away from your device is encrypted.
So yes, this is fairly straightforward.
That's pretty pointless. Everything is encrypted nowadays, what you want to know is if it's encrypted well enough to not be easily decrypted by any actors.
Phones leak data that remove privacy.
In the time that usernames not phone numbers have been their "next step" they have introduced; gifs, encrypted audio and video calls, a built in scam crypto payment scheme, snapchat stories clone and a cryptographic upgrade to defeat quantum computing.
Changing from phone number to username is apparently hard.
It seems that the Matrix protocol offers optional end-to-end encryption on a room-by-room basis via Double Ratchet Algorithm that was introduced by the Signal Protocol [0]. This is the academic paper that Wikipedia cites for that claim [1].
[0] https://en.m.wikipedia.org/wiki/Signal_Protocol#Influence [1] https://link.springer.com/chapter/10.1007/978-3-319-45982-0_...
The core idea of the signal protocol is the ratcheting algorithm, which provides the actual qualitative security benefits, this the only real important thing.
Also he was explicitly stating it is based on it, I feel like you are arguing just, because you were so sure yet so wrong in your previous comment
I was only "pretty sure" in my original comment, not "so sure!" :)
Data sent away from your device is encrypted on Facebook Messenger and Telegram too, but that doesn't mean anything if it's decrypted upon arrival at the server, or if the receiver backs everything up in plaintext.
But even if there was, I'm not sure why you're assuming that someone would need to get their head checked if they are using a default feature.
Even if you turn off link previews you would still receive link previews. You just don't send the link previews.