Here are the four paragraphs of conclusion from that clickbaity piece ("Is Signal safe?") by @protonprivacy about @signalapp that is doing rounds.
1. "Signal remains widely regarded as the gold standard for secure private messaging for very good reasons. The Signal Protocol is extremely secure, and unlike most other apps that use the Signal Protocol, Signal collects almost no metadata from the Signal app."
1/🧵
-
2. "Signal is therefore vastly more private than any of its mainstream competitors, and with easy contact discovery and a wealth of advanced features, you might realistically convince your friends and family to actually use it."
2/🧵
-
3. "However, being hosted on AWS servers remains a concern in light of Signal’s reliance on SGX. There are a number of open-source encrypted messaging apps like Threema that try to address this and other perceived issues with Signal — such as its reliance on a centralized server and the need to supply a real phone number— some of which show great promise."
Warning, this one is not true – Signal does not actually rely on SGX for its privacy; see: https://hachyderm.io/@dalias/115718139556844218
3/🧵
-
4. "But none of these have undergone the same level of rigorous external scrutiny as Signal, and all of them have tiny user bases by comparison to Signal, which limits their practical usefulness."
4/🧵
-
The piece itself is relatively ok, apart from the SGX thing.
The problem is the clickbaity title suggesting Signal might not be safe.
Most people only read headlines and the first few paragraphs of articles, and so what they might incorrectly take away from this piece is that Signal's safety is somehow suspect.
It's not. Signal is safe.
This is outright *dangerous* at a time when effective, usable privacy and encryption tools are more important than ever – and under attack globally.
5/🧵/end
-
@rysiek
> Signal is safe.

#signal has long had issues with phone number leaks: even when set to hidden, phone numbers can sometimes be revealed.

this means that adversaries can get the phone numbers from an entire network of #signal users from just one compromised device.

this puts real people in real danger, but #signal is such a strong brand now that many would rather blame those who get hurt than take a critical look at their favourite chat app.

more info, including links to some relevant #github issues:
https://veganism.social/@pelle/115673510840264510

#signal doesn't take the phone number leaks seriously, and it's not clear to me from their replies whether they've fixed it. 🪲

#deltachat / #arcanechat (#decentralized #securityaudited #e2ee chat app) avoids accidentally revealing phone numbers by not asking for them. also, allowing for multiple profiles makes it harder for adversaries to track people across different chats, as opposed to #signal with its one profile per device policy.

if #deanonymization is a risk for you, then #signal is not safe. 🥸
unfortunately i had to experience this first-hand, which is why i consider »signal is safe« unhelpful advice.

-
@pelle @rysiek
For reference, here is the issue about accidentally being discoverable by phone number:
https://github.com/signalapp/Signal-Android/issues/14222

This setting is not reliable, and a single failure to set it results in your phone-number-to-ACI (account ID) mapping being revealed. Once revealed, it is difficult to reset the ACI: you need to completely unregister, not just reinstall. On the Signal server, the ACI and phone number are stored literally in the same database table all the time.