You can't have end to end encryption without ends. That said, I have managed to write encrypted end to end communication, using wireguard no less, that doesn't tell a third party server who is talking, or what they are saying.
This is single user talking to single user, though. I know it gets more complex when you have more users than that.
First question after Moxie Marlinspike talk at the CCC conference was: "When will Signal not base itself on a mobile phone number, I am an activist from Iran"
The critique of metadata being hard is fair, the claim that sealed sender is “totally useless” is not. It’s a small, incremental hardening step in a very messy design space, not a magic invisibility cloak, and judging it as the latter sets the bar unrealistically high for anything that still wants to be a drop-in WhatsApp replacement.
I always thought sealed sender was something they implemented for their own sake. The less metadata they can see is better. As a user that means you have to trust them in what they say regarding the data they keep anyway.
Regarding sealed sender I don't think they ever fixed the statistical method of identifying sealed senders described in the "improving sealed sender" paper from 2019 (?), meaning it is pretty useless anyway if signal decided they wanted to identify senders.
Signal is in an impossible position. On one hand, it needs to appeal to the crowds currently using WhatsApp and happily syncing their entire contact list to Facebook/Meta, so that they can be profiled and a social graph can be built. That crowd needs it to be super simple and "just work". If it doesn't do that, people will criticize it for being difficult to use.
On the other hand, it needs to provide ultimate security, even though there is always a compromise between security and convenience. If it doesn't, geeks will criticize it for not being secure enough.
I read through this. I don't think Proton Mail is a good replacement for Signal (it's worse because Proton does log and share IP addresses of users with a court order).
One thing I dislike about Signal on its privacy posture is that the moment you register, anyone who already has Signal and has your phone number in their contacts list will get a message saying you're on Signal. This is a good way for others with bad intentions to know about your presence on the platform. The options to hide your phone number are available only after registering on Signal (after this broadcast has already happened) and when the user figures out that this is possible somewhere deep in the settings.
On registration Signal could ask whether to inform all random people who happen to have your number. But since unused/discarded phone numbers are recycled by carriers to other customers within a matter of weeks or months or years (depending on where you are), your presence on Signal may be sent to someone you've never ever known or has known you. Signal ought to remove this broadcast on registration. Telegram (and I guess WhatsApp) also suffer from the same issue.
I'm sorry but I don't think this guy did his homework correctly. You don't need a phone number anymore to use Signal. You still need one to register, but not to communicate with anyone. You can simply share your username for that. So you can just buy a prepaid card with cash, register, and then throw it away, and it will never be linked to your real identity.
Signal is not perfect, but it's still the best we have.
The article confuses confidentiality with anonymity/pseudonymity.
Signal has always aimed to ensure confidentiality in the simplest way possible.
People forget that there are anonymous systems or systems that do not require a telephone number but they are incredibly painful to set up. You either have to go through physical checks with QR code exchanges to validate participants or have some kind of web of trust (no one has fond memories of PGP key signing parties).
The same goes for decentralization. On paper, everyone wants decentralization. But when it comes to interconnecting hundreds of servers with different rules, moderation and legislation, and protocol versions, it becomes hell and no one wants to have to manage it (e.g. Mastodon).
There are objective reasons why these systems are not popular.
The other problem is that the very use of this type of software becomes a marker. I am convinced that the majority of Olvid users work for the French government, for example.
Iranian activists who are checked at the border or elsewhere with any uncommon communication application have already lost, regardless of the security of the application.
Crypto-punks are a niche group that can accept this type of usage constraint. My grandmother cannot, but she can use Signal and she will be one user among millions.
It is, as far as I know, an unsolved problem how to implement full metadata transparency on a mobile device.
For example, Aztec, a privacy focused blockchain, requires recipients to download the entire block to determine if any private message is addressed to them (and BTW use techniques resembling Signal's double ratcheting in creating these identifiers) [1]
This is infeasible on mobile devices. At best, it allows the user to select a proxy server they trust to identify messages intended for them and forward a notification.
These are all spy-apps anyway. To me it always looked as if the US government is just a thin fake-coat over this operation. There is a reason they dislike people having secrets. No spy agency wants people to have secrets. Cops asking for an ID without a probable cause is another reason that then ties into the legal system. I feel that most governments overreach what they can do in general; they have a tendency to grow in what they claim is their concern when it really is not.
It doesn't sound like SimpleX solves this either [0]:
> There is still a risk that a server maliciously records all queues and messages (even though encrypted) sent via the same transport connection to gain a partial knowledge of the user’s communications graph and other meta-data.
> this feature is very technically complex, and totally useless
Now, to break your confidentiality, Signal would have to have a relatively complex system setup for trying to match up messages and deanonymize people. You could imagine many scenarios where a bad actor (agency) attempts to trick Signal into logging metadata. This now requires a lot more information, and if nothing else would give you a level of deniability.
Fundamentally any centralised message relay system will have enough metadata to know something about participants and maybe even things like message frequency. If you truly want anonymous communication it has to be p2p.
This is ultimately a usability issue. The Signal app has a feature called sealed sender. The assumption is that a feature actually does what it is intended to do. Signal makes no effort to inform the user about the limitations of this feature. My experience is that almost all Signal users that actually know about sealed sender think that it actually provides some practical benefit. Users that do not know the limitation of a tool are unlikely to use that tool properly.
This sort of thing is depressingly common in the world of encrypted messaging. It is really common for a user to not know about the requirement to do identity verification with E2EE for example.
27 comments
[ 3.3 ms ] story [ 44.5 ms ] threadthe question was if signal is secure and private, and the answer is about anonymity
is it secure and private - it is, is it anonymous - it's not, or at least, to some degree
This is single user talking to single user, though. I know it gets more complex when you have more users than that.
https://media.ccc.de/v/36c3-11086-the_ecosystem_is_moving
Also, what about Briar/Berty as alternative?
https://play.google.com/store/apps/details?id=org.briarproje...
https://apps.apple.com/app/id1535500412
Just use SimpleX.
Regarding sealed sender I don't think they ever fixed the statistical method of identifying sealed senders described in the "improving sealed sender" paper from 2019 (?), meaning it is pretty useless anyway if signal decided they wanted to identify senders.
On the other hand, it needs to provide ultimate security, even though there is always a compromise between security and convenience. If it doesn't, geeks will criticize it for not being secure enough.
One thing I dislike about Signal on its privacy posture is that the moment you register, anyone who already has Signal and has your phone number in their contacts list will get a message saying you're on Signal. This is a good way for others with bad intentions to know about your presence on the platform. The options to hide your phone number are available only after registering on Signal (after this broadcast has already happened) and when the user figures out that this is possible somewhere deep in the settings.
On registration Signal could ask whether to inform all random people who happen to have your number. But since unused/discarded phone numbers are recycled by carriers to other customers within a matter of weeks or months or years (depending on where you are), your presence on Signal may be sent to someone you've never ever known or has known you. Signal ought to remove this broadcast on registration. Telegram (and I guess WhatsApp) also suffer from the same issue.
I suppose this Sealed Sender issue is problematic for some people, but it's not enough for me to seriously consider jumping ship.
Signal has always aimed to ensure confidentiality in the simplest way possible. People forget that there are anonymous systems or systems that do not require a telephone number but they are incredibly painful to set up. You either have to go through physical checks with QR code exchanges to validate participants or have some kind of web of trust (no one has fond memories of PGP key signing parties).
The same goes for decentralization. On paper, everyone wants decentralization. But when it comes to interconnecting hundreds of servers with different rules, moderation and legislation, and protocol versions, it becomes hell and no one wants to have to manage it (e.g. Mastodon).
There are objective reasons why these systems are not popular.
The other problem is that the very use of this type of software becomes a marker. I am convinced that the majority of Olvid users work for the French government, for example.
Iranian activists who are checked at the border or elsewhere with any uncommon communication application have already lost, regardless of the security of the application.
Crypto-punks are a niche group that can accept this type of usage constraint. My grandmother cannot, but she can use Signal and she will be one user among millions.
For example, Aztec, a privacy focused blockchain, requires recipients to download the entire block to determine if any private message is addressed to them (and BTW use techniques resembling Signal's double ratcheting in creating these identifiers) [1]
This is infeasible on mobile devices. At best, it allows the user to select a proxy server they trust to identify messages intended for them and forward a notification.
1 - https://www.taurushq.com/blog/enhancing-token-transaction-pr... (search for "synchronizer")
> There is still a risk that a server maliciously records all queues and messages (even though encrypted) sent via the same transport connection to gain a partial knowledge of the user’s communications graph and other meta-data.
[0]: https://github.com/simplex-chat/simplexmq/blob/master/protoc...
Using phone numbers as IDs or a verification method is a horrible practice, not to mention that it forces you to use a phone in the first place.
Now, to break your confidentiality, Signal would have to have a relatively complex system setup for trying to match up messages and deanonymize people. You could imagine many scenarios where a bad actor (agency) attempts to trick Signal into logging metadata. This now requires a lot more information, and if nothing else would give you a level of deniability.
Almost feels like another CryptoAG with Snowden recommending it so much when he knows that metadata is enough.
https://molly.im/
How does Signal make money to be able to afford their AWS subscription? Do corporate clients pay for it or something?
That MySudo service he mentions in the article sounds quite interesting as well. Has anyone given it a try?
This sort of thing is depressingly common in the world of encrypted messaging. It is really common for a user to not know about the requirement to do identity verification with E2EE for example.