35 comments

[ 2.3 ms ] story [ 56.7 ms ] thread
Im feeling pretty dumb even after reading the tldr. Can anyone who is well versed in this explain how this is better or safer? I read about the time, will it now be slower to send messages?
Sparse Post-Quantum Ratchet, or SPQR. Someone at Signal is a Roman history enjoyer.
Does this mean we're any closer to getting editable messages?
This is really impressive, especially the way they've used formal verification. Great work.
Its interesting to imagine that somebody [1] is already now capturing encrypted internet traffic and storing it all long-term, to then hypothetically in 40-50 years or something decrypt it and draw value from that information. I suppose to blackmail future politicians, learn military secrets, whatever.

[1] NSA

That's what I don't get - these folks must be more bullish than me on practical quantum computing. If you assume 20-30 years; there's no important military secrets left (what was China building in the late 90s?!) and how many politicians are in politics for that long?
Fantastic news! Awesome that the Signal team was able to deliver another first-class security feature.
Wow, this is one of the most well written cryptography articles I've ever seen.

I consider myself a fairly experienced software engineer with a moderate amount of professional experience in private sector encryption, so I'm not completely out of my element, but many articles along this vein have my eyes glazing over halfway through the breakdown.

This one was actually easy for me to follow the entire time for once, despite explaining something I'm not familiar with.

Strange that they are posting about the "signal ratchet" when they just removed it by launching cloud backups that use a static key? Since those cloud backups include disappearing messages, that feature completely undoes all of the forward secrecy in this protocol.
I would really like to see some modern comparisons of the Signal protocol to Matrix, MLS, etc. since it's hard to keep up with everything but it seems like things are still moving.
Maybe my reading comprehension is failing me, but what does this mean for existing messages? I guess nothing of the have already been 'siphoned' to a 3rd party. As it couldn't retroactively apply to data not under Signals control of course..but what about existing messages already within their control?
Is it true that Signal was funded by the CIA or is that disinformation to try to get people to mistrust it?
Signal is lacking a crucial safety feature. To cover some background, it is necessary to set "Who can see my number" and "Who can find me by number" both to "Nobody", as this lowers the chances of spam messages and attempted hacks. Once these are set, the only way for someone to start a conversation with you is if they know your Signal username or QR link, both of which you can set in your Profile. The issue is that your link can be saved unsafely by your Contacts, and can be used multiple times, also by others, leaking it to hackers who can then send you unsolicited messages to compromise your device. The safety feature that would be good to have is to allow someone to contact me only via a one-time use link that cannot be reused by anyone.
So far the biggest weakness of Signal is identification via a phone number. It's not only hackers who can spoof the numbers, but an authoritarian governments too may take ownership of a number at any moment.

Addressing future threats is good, but priorities should be different.

Also annoying: You cannot use the same Signal account from 2 different phones (with different SIM).
It's pathetic, isn't it?
This is actually disturbing, as the article suggests that all previous messages sent using Signal are decryptable with quantum computers. If there are people with, for example, selfhosted mailservers sending PGP encrypted emails to each other, then, while they have to worry about them not leaking out from the server either by someone hacking to it or someone sniffing the traffic with the encrypted messages beforehand, they know for sure that their messages are safe.

Meanwhile Signal users have been sending messages onto signal servers for years now, as far as I know they aren't sent directly through some p2p protocol. I don't know what their policy is about storing messages, and I believe that they have a lot of other countermeasures, but it still points to the problem with Signals centralized nature.

Why do you need the mailserver to be self hosted? just pgp encrypt client side
At first, I thought the article was published on an April Fools day...
Signal keeps cranking out brilliant crypto papers, but from a product perspective, it feels like they're throwing stuff at the wall to see what sticks. We've got post-quantum handshakes, stories and money transfer experiments, but still no SDK, no APIs, no bots. The official libsignal library is undocumented and incomplete. Large parts of functionality are still buried on clients. Don't get me started on "but they have published all protocol specs on their website, go on and roll your own library"! That's not how you run a product. It's borderline negligent for a platform used by millions.

Every other major messaging app exposes something to developers, but Signal is allergic to the idea. Makes me wonder if they even have a head of product because whatever they're doing now is a far cry from a coherent product strategy. Signal is basically a pile of hot cryptography duct-taped to a messenger that's more hostile than any product in Apple's walled garden. And that's from a day one user who's been advocating for them the whole way.

</rant> thanks to everyone involved in building the product <3

I want signal to act as a transport bus. In particular, I want to give certain contacts permission to ask my phone for its location, so I can give my wife that ability without sharing it with Google.

Signal has solved the identity part, now encourage others to build apps on it.

(2fa via Signal would be better than SMS, too, though I know this may be controversial!)

Post-quantum ratchets - cool.

Now if they could solve notifications not consistently appearing between iOS and android devices...

This is a good time to remind everyone the technically sound choice of hybrid crypto is discouraged by NSA. I wish they didn't. PQ is a major overhaul to crypto systems. Setting aside the risk of yet-to-be-discovered algorithmic vulnerabilities, there is a huge risk of implementation mistakes leading to compromise. Mature classical crypto should be used as a backstop by deploying PQ in hybrid mode along classical crypto.
Can users write their own clients

Can users self-host servers

I think they could use better moderation features.