Ask HN: Is Washington Post correct in saying Signal is unsecure?

50 points by killjoywashere ↗ HN
https://www.washingtonpost.com/national-security/2025/03/26/trump-signal-chat-war-plan-texts-released/

By Alex Horton and Missy Ryan

"the conversation that occurred over an unsecure, commercially available messaging platform."

My understanding has been that Signal is actually well out ahead of other platforms in terms of respecting user privacy, so this seems confusing to me. Has Signal failed an audit that I'm unaware of?

109 comments

[ 3.2 ms ] story [ 202 ms ] thread
I think the "unsecure" is relative - instead of something in-house, locally hosted, and up to the required standards for classified information
Security/cryptographic strength are indeed relative, they depend on the 'threat model' being used.
Just guessing but perhaps what they meant was that Signal allows one to invite anyone into a chat thread whereas their actual in-house classified comms will not permit that without going through a massive chain of approvals and being assigned custom hardware.
That, and it's vulnerable to the usual sort of attacks that governments are capable of.

If your threat model is "local cops" or "nosy people" then Signal seems very secure. If your threat model is "Enemies of the US" then honestly... nothing short of a SCIF is going to cut it.

True and even a SCIF is not foolproof. From the 50's to the 90's the US and Soviet military played a lot of fun games one of which included typing up a classified document in a SCIF and the Russians met up with the contest judge with an exact replica of the document. There were thousands of such games. I learned about many of them in the military. Between those stories and the fact we bought transmitter parts from them during the cold war showed me that each nations military were never enemies, just the bureaucrats were.
I think Signal is the only usable option for trusted fully e2e-encrypted messaging today. Even the military is using it in some countries.
look into SimpleX
Since I never heard of it before, I looked it up.

It's some website https://simplex.chat/ with some claims about privacy because they don't use user ID:s (uh).

Do explain to me why anyone should trust this sus russian project [1] over the well regarded Signal?

1: https://find-and-update.company-information.service.gov.uk/o... (proof of russian natinality of Evgeny Poberezkin)

Unsecure in terms of being vulnerable to state spying on cell phones. Not of network interception, but rather compromised phones where a foreign adversary can read all your phone's data.

From this perspective, all phones are insecure. Classified government stuff isn't ever supposed to be on commercial smartphones in the first place.

The kind of security Signal provides is sufficient for people who aren't active targets of foreign states.

I remember how big of a deal it was when Obama wanted to keep his Blackberry. I have a colleague that used to work for RIM, and he's alluded to work he did for that effort that he's still unable to discuss.
Remember when Hillary used a private email server? Trump and MAGA were chanting to "Lock her up!"
Remember how she wasn't locked up? That set the precedent.
> Remember how she wasn't locked up? That set the precedent.

Locking her up would have set a far worse precedent, and I think that the other norm-breaking behavior of the current administration does not support the idea that prior punishment of past administration members for insecure data management would have led this administration to more secure data practices.

No better time than the present to establish a better precedent. Though more realistically, nobody needs to be going to jail in either case - but if there are zero consequences for anyone involved well, that's telling for a leader who frequently criticizes his opponents for not firing people when they do poorly.
A non-encrypted email server under a desk with a rogue email address where foreign officials have written that is not a .gov domain, not monitored, not seizable, is like deleting evidence. It’s possibly accessory to treason when you are Minister of State.

Using Signal is still against all rules, but at least it’s not unencrypted.

It proves that all governments bypass monitoring of their communications, even Google’s CEO when they discussed by auto-deleted chats.

I realize that government is terrified of the Captains of Industry, but it really should have cracked down on that hard and made it clear that if it happened again, the next crackdown would guarantee there wouldn't be a third repeat.
> not monitored, not seizable, is like deleting evidence

Like Signal?

>> Mike Waltz set disappearing message time to 4 weeks [0]

[0] https://www.theatlantic.com/politics/archive/2025/03/signal-...

Hmm. Well the issue is that he's using Signal, and that it's on a consumer grade phone, that is akin to deleting evidence.

But at this point disappearing message is more like limiting how bad this behavior is rather than aggravating circumstances.

I mean he's wrong to be using that setup but if using it I much prefer those illegal messages not be present anymore when he loses his phone or something.

(comment deleted)
Desktop operating systems are less secure than phone ones so any desktop messenger is more insecure.
Well, top secret information isn't permitted on internet-connected desktop computers either.

But the thing about desktop computers is that they're not connecting to cell towers all the time. So if WiFi is disabled too as a precaution, and they're only connected to private secure networks via Ethernet and not the internet, you can consider them secure in terms of protecting classified secrets.

I don’t think many people understand how the TS or Secret networks of military bases are connected.

It wasn’t long ago that we were subject to stringent military standards for hosting these networks on site but once they came through, there was never any re-certification.

That is inherently very untrue. Mobile phones are targeted differently than desktop PCs, but this general statement is wrong as it is.
It also doesn't adhere to gov't record keeping policies / laws.
> Unsecure in terms of being vulnerable to state spying on cell phones

Signal forces us to use Android or iOS. Doesn't it look suspicious? I would happily use it on my desktop with Qubes OS, but I can't do it without a much less secure smartphone.

If QubesOS supports Flatpaks sufficiently, then it might run the Signal Desktop app (though if you want to register a new account, you do have to have a phone number, which is also possible virtually these days anyway)
Yes, Flatpaks are supported. However the untrusted, vulnerable phone will have a full access, won't it?
Only if you use a phone with it. Does the official server actively filter numbers from VoIP providers?

As much as I want to say "screw the developer's nonsense, just compile it yourself and do as you please" honestly why bend over backwards to use such a platform when solutions such as Matrix are available?

I agree and use Matrix myself. I just don't understand the Signal hype on HN.
It all depends on your security requirements. For me it is insecure compared to almost any anonymous internet chat since it requires your mobile number, a serious and unnecessary security risk. Burner phones are illegal in the EU, it isn't the privacy paradise its marketing sometimes tries to project.
Also it’s not just the app — it’s the fact that the app is running on unsecured private devices in unsecured locations.
They're not saying it's not secure for normal conversation, but not up to the national security standards for such coversations. It not being a proper tool for the job is what makes it "unsecure".
Yes, this. I was about to post my own comment and will instead reply and upvote yours.

This strikes me as setting the conversation to be whether it's 'secure', and can then everyone can discuss that part - instead of the fact that's not where or how that conversation should have been happening at all.

come on dude.

"unsecured" as in "not a secure comms system managed and approved by the NSA", which for the US government is normally considered a bad thing.

for normal people who don't want the NSA to be managing their comms then Signal is approximately the best possible choice, along with not being a fucking idiot while using it.

The issue isn't the cryptographic strength—the issue is that it doesn't provide capabilities for an organization to manage it (such as preventing unknown parties from being added to group chats).
Any system you can invite someone into willy nilly isn't really that secure. At least it doesn't give them the full chat history.
It isn’t less secure than it was before the messaging scandal.

What will reporters use moving forward? Facebook messenger? /s

My understanding - largely based on this person's blog - is that Signal is the best secure messaging app that exists today: https://soatok.blog/2024/07/31/what-does-it-mean-to-be-a-sig...
no, simplex chat is https://simplex.chat/
No, my RandomThingie is even *-er
Ain't no one using a chat app named after a virus I have on my lips.

But actually, I imagine there's significant friction to using a new "hyper-secure application" after the encrochat debacle.

Nope. The US military has better (or at least more secure) messaging systems.
... based on Microsoft Lync :-) Yes, what a step forward.
When you work for most public corporations, you aren't allowed to bring personal devices linked to company servers to specific countries. You need to bring a burner device instead, because you are perceived as a target for corporate espionage.

This is like that, except the government and the type of people on the list are even better targets for their personal devices. The government has strict rules about secrecy and communication for military operations, and strong punishments for not following these protocols, because they can lead to a loss of life.

This is a different sort of "unsecure". The platform itself may be "secure", but the device, being in public where someone could take a picture of military secrets, etc. isn't.

It's called BYOD. Corporations have flirted with it for 10-15 years. The C-suite far too often is allowed privileges and exceptions like aristocracy that sacrifice and weaken the security of the organization.

Also, even for corporate-managed devices, as an example, Meta has specific requirements and procedures for taking devices to and returning them from contentious places like mainland China.

Well, unsecure in the sense that a reporter was mistakenly added to a group chat they certainly should not have been in. A secure app in this context would prevent random people from being added to secure areas.
Notably, it’s a common feature in a corporate environment, even though the stakes are typically much lower.
A secure app in this context also couldn’t be loaded on any random smartphone and allow you to login with single-factor authentication.
It's entirely possible that other "unsecure" people were on this and other chats without going public with it!
How could anyone know, unless they have contributed to Signal's repo ?

Presumably within Signal, there are plenty of weak points. And certainly Signal's ability to modify their app as they please doesn't fit within the OPSEC guidelines.

The question is: why would one of the most powerful militaries on the planet use a consumer app, regardless of its reputation ?

And the answer is: because the Trump administration is compromised.

> And the answer is: because the Trump administration is compromised.

By whom, exactly? Who benefits? Russia, somehow?

It seems more likely that the administration officials fear being monitored and their conversations leaked by staffers, and they wanted to avoid official recordkeeping requirements. The former may have some merit (though I doubt anyone is going to leak plans to attack Houthis, regardless of their feelings about the Trump administration), the latter is likely illegal and deserving of investigation.

Originally, I thought it was Russia.

Lately I've been wondering if its Israel or Saudi Arabia

"Secure", particularly when used in the casual general public sense, is a pretty overloaded term. All real security is in the context of a specific threat profiles, and makes tradeoffs vs other required functionality. Signal is definitely "secure" in the sense of its core cryptography and design, and it's aimed to be of practical value to the global general public. But that requires being able to scale massively, making authentication more convenient and leaving more up to the users, who won't tend to have their own sophisticated centralized auth system, IT support, and constant life/safety critical stuff being thrown around. Signal provides tools that can be used for better assurance in who you're talking to but it doesn't simply take that out of users' hands entirely because for its use case that simply isn't feasible.

For small vetted group top secret conversations by a sophisticated organization, it makes more sense to have something where inviting anyone who hasn't already been brought into the magic circle with physical interaction is simply impossible. If technically unsophisticated users are important, ideally one would have fully vetted tech support who will be monitoring all participants and doing the verification work for them. All managed via central systems and heavily walled off with multiple layers from crossing between high and low sides. If they want to talk to the general public, they should use physically different devices. Worse scaling, far more friction, but that's OK for top levels of a big organization in the context of extremely sensitive information.

Signal is a tool and a decent one, but no tool is good for absolutely everything and trying to use a hammer as a saw isn't a defect in the hammer it's a problem with the user/organization trying to do something so foolish.

No, they're wrong. Signal is considered extremely secure, which is why journalists and government uses it. Some people like to criticize anything Trump does, right or wrong.

That being said, the Signal non-profit entity is located in the US, so probably subject to the same risks as WhatsApp and Messenger; namely US courts compelling them to share data.

But the difference is that Signal has been architected from the start to retain much less (meta)data on the server, so that even if the Signal Foundation is compelled to share the data they have, that data will be extremely limited to the point of being mostly useless.
Thinking more in the sense of being forced to introduce a backdoor, weaken encryption, in the future which would give the US more data. Yes the encryption algorithm is theoretically very secure.

Any entity that operates in the US has to abide by US laws, after all. Probably not a concern for US citizens since they're allowed due process but creates risk for non-Americans looking for a truly secure messenger, especially if they live in a place that is currently at odds with US policy (Canada, Europe).

There are laws about this sort of thing that have severe penalties attached. When I was in the Navy handling encryption gear I had to sign a paper that stated that I understood that compromise of the secrets I'd been entrusted with could lead to the death penalty. Are you saying that shouldn't be true? Or shouldn't be true for people above a certain level?

Are you claiming that Signal running on consumer iPhone and Android devices where Pegasys and 0-days are for sale is secure?

Are you claiming that it's secure to conduct classified business on a platform where you can add anyone to the conversation without the appropriate documented approvals?

I have no idea what the US government's policy is, especially across branches. I'm not American.

I do know that the Signal algorithm is considered among the most secure, and has been considered the safest option for political dissidents, journalists, etc...

I also know some governments do use commercially available messengers (and OSes, and phones).

The CIA director also seemed to indicate that Signal was installed on all their phones.

On March 25, CIA Director John Ratcliffe told the Senate Intelligence Committee that when he became director, he was given a phone with Signal pre-loaded. He was briefed that Signal was “permissible” for work use, and “That is a practice that preceded the current administration to the Biden administration.”
It is permissible for non-classified stuff, the way you and I (and indeed, even the tightest of fed agencies) use teams.

Christ people, at work if I send some emails without encryption I would be fired. If I knowingly tried to get around records laws I would be fired.

The amount of motivated reasoning, just to excuse anything these incompetent and WILLFULLY bad at their jobs shitheads do is infuriating.

We publicly know about tools like Pegasus and competitors Predator, Hermit and I would confidently assume hundreds of other tools that dont publicly advertise themselves. (they all might be using the same handful of 0days for all we know)

There are multiple public price lists for 0days, Crowdfense currently has iOS full Zero Click Full Chain listed as $5m-$7m

And thats a long way to say - thats correct, its insecure. For the price of $7m any adverse of the US (or friendly country, who cares) can read all these government messages (who knows how many more Signal groups exist without the Atlantic editor)

That would be the cheapest way to get US confidential information in the history of spy agencies. The NSA budget is $10B per year

The assumption of anyone should be - everything in my iPhone and Android phone can be read for $7m. The conversations im having in front of my iPhone can be recorded for $7m. Then the only question left is - is the information worth more than that

If the answer is yes, assume your phone is compromised and only talk near it / message using it, information you understand will become public

The sentence applies the "unsecure" adjective directly to Signal as a "messaging platform", not to the phone itself or the wider context. Signal by itself is secure. No need to mince words here, the Washington Post is simply wrong.
puts on tinfoil hat

The coverage of this story has felt a lot like it's being used as an excuse to trick people into believing that Signal is nOT a sECuRe mESsAGing APp to discourage regular people from using it.

Signal allows you to add anyone to a conversation, without any requirement that they be vetted for security clearance, have a Common Access Card, or other centralized identity provider approval. Signal guarantees that you can't spoof the identity of a participant in a conversation (as long as you've verified their keys) but doesn't do anything to limit who you can add to a conversation. The cryptography is secure, but it's not intended for organizational use and doesn't support the sorts of centralized authentication that governments require. So it's not secure for those uses. The Washington Post is correct, but missing nuance.
Soatok wrote a good blog post about this that was discussed yesterday: https://news.ycombinator.com/item?id=43471223 The Practical Limitations of End-to-End Encryption (41 points, 42 comments)

The gist is that there are potential threats that any end-to-end encryption cannot fully protect against. Signal is a good provider of that encryption, but there are other considerations to protect highly confidential data, and Signal often lures non-technical users into disregarding those.

End to end encryption doesn't make the ends secure, just the channel between them.

Not something the average Jane needs to worry about, but people discussing military action should.

Edit: if Jane's phone gets hacked, they're going to swipe her credit cards and send messages to all her whatsapp contacts asking to borrow money urgently and here's a convenient Revolut link*. Not exfiltrate her Signal messages.

* whatsapp thing is for real, the latest scam making the news around where I am.

If it is know that secret agencies are using Signal, then it is almost certain that other agencies are working to exploit that.

An obvious attack on Signal is to get one of your people a job working there, or to bribe/blackmail and existing employee, and have them install a backdoor or other exploitable code (maybe a secret weakening of the encryption?).

That raises an interesting question. Are all of these agencies using the build from the Play/iOS stores or is there a build based on the audited public repo?
It's missing the point of the story to focus on this aspect. The characters involved in this event were not using Signal because they thought it was secure. They used Signal because they intended to break and knew they were breaking the law.
Yes, thank you for saying so. I agree. And that's what should be being discussed everywhere.
For this specific chat, what law were they breaking?

(I'm not defending the Trump administration's law-keeping in general. I'm asking about this specific set of communications.)

https://www.archives.gov/about/laws/presidential-records.htm...

The Vice President of the United States cannot use Signal "disappearing messages" to correspond with anyone for any purpose.

Ah. Those rules.

What you say is true. But if a technique makes it so that 1) they don't preserve a record for the future, and 2) they do leak (or risk leaking) information that can kill service people, I personally care more about #2.

(Ironic that, in trying to not leak to future investigators/prosecutors, they increased the risk of leaking to foreign adversaries. Shows which threat they're focused on.)

(comment deleted)
In this case, assuming you are using Signal on iOS, the app could very well decide to send all the decyphered messages of targeted users (users that say a certain thing, or users with a certain name) to a 3rd party server. If they wanted to be undetected in all cases, they could leak data via the timing of the network packets.

And they could do all that without even knowing it, just by using a compromised toolchain.

Long story short, unless the SW (the app, the OS, the toolchains) and the HW have been audited, you have no idea what's going on.

For the threat profile of top leadership of the US government, yes, Signal is not secure. Signal runs on phones and phones can be compromised or lost, which can grant non-authorized individuals the ability to read the messages.

Spyware like Pegasus [0] has been able to use zero-click exploits to penetrate target phones and read messages as though they were the phone's owner.

The US has the best SigInt capacity in the world. The leaders of the US government know that phones are not secure against sophisticated adversaries and they know that we have very sophisticated adversaries. It's deeply troubling that so many of our leaders were so comfortable discussing Secret level plans in such a reckless and illegal way, and it's extremely likely that hostile adversaries have fly-on-the-wall level access to extremely sensitive US planning.

[0] https://en.wikipedia.org/wiki/Pegasus_(spyware)

> The US has the best SigInt capacity in the world.

How can anyone, including the top SigInt people in the US, know that? It has surely always been part of the principles of good spycraft that, if you've got fantastic SigInt (or other -Int) capabilities, then the best way to take advantage of them might be to make sure that nobody else knows about them.