<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[This is a good thread.]]></title><description><![CDATA[<p class="quote-inline">RE: <a href="https://mastodon.world/@signalapp/116478659183004819" rel="nofollow noopener"><span>https://</span><span>mastodon.world/@signalapp/1164</span><span>78659183004819</span></a></p><p>This is a good thread. I like how carefully they take responsibility for where they could have done better, and at the same time very clearly state what isn't a problem with Signal.</p>]]></description><link>https://forum.fedi.dk/topic/89a461a2-75ec-4f0a-a4c2-025f0fb290c6/this-is-a-good-thread.</link><generator>RSS for Node</generator><lastBuildDate>Wed, 15 Jul 2026 21:51:15 GMT</lastBuildDate><atom:link href="https://forum.fedi.dk/topic/89a461a2-75ec-4f0a-a4c2-025f0fb290c6.rss" rel="self" type="application/rss+xml"/><pubDate>Mon, 27 Apr 2026 21:51:45 GMT</pubDate><ttl>60</ttl><item><title><![CDATA[Reply to This is a good thread. on Tue, 07 Jul 2026 22:53:38 GMT]]></title><description><![CDATA[<p><span><a href="/user/pelle%40veganism.social">@<span>pelle</span></a></span> <span><a href="/user/david_chisnall%40infosec.exchange">@<span>david_chisnall</span></a></span> <span><a href="/user/xgranade%40wandering.shop">@<span>xgranade</span></a></span> </p><p>i'm genuinely surprised that an organisation (signal) that is normally so alert and aware of such issues is making this error</p><p>is it a case of an overly powerful product owner pushing this past dissenting voices?</p><p>if so then the president/ceo of <span><a href="/user/signalapp%40mastodon.world">@<span>signalapp</span></a></span> needs to hear from us</p>]]></description><link>https://forum.fedi.dk/post/https://mathstodon.xyz/users/rzeta0/statuses/116881150334330177</link><guid isPermaLink="true">https://forum.fedi.dk/post/https://mathstodon.xyz/users/rzeta0/statuses/116881150334330177</guid><dc:creator><![CDATA[rzeta0@mathstodon.xyz]]></dc:creator><pubDate>Tue, 07 Jul 2026 22:53:38 GMT</pubDate></item><item><title><![CDATA[Reply to This is a good thread. on Tue, 07 Jul 2026 16:41:55 GMT]]></title><description><![CDATA[<p><span><a href="/user/pelle%40veganism.social" rel="nofollow noopener">@<span>pelle</span></a></span> <span><a href="/user/xgranade%40wandering.shop" rel="nofollow noopener">@<span>xgranade</span></a></span> </p><p>Signal has a weird blind spot for security usability. A year or so ago I wrote down a list of half a dozen simple things they could do to improve it. And none of these were particularly difficult things but they’ve never been a priority.</p>]]></description><link>https://forum.fedi.dk/post/https://infosec.exchange/users/david_chisnall/statuses/116879688714485392</link><guid isPermaLink="true">https://forum.fedi.dk/post/https://infosec.exchange/users/david_chisnall/statuses/116879688714485392</guid><dc:creator><![CDATA[david_chisnall@infosec.exchange]]></dc:creator><pubDate>Tue, 07 Jul 2026 16:41:55 GMT</pubDate></item><item><title><![CDATA[Reply to This is a good thread. on Tue, 07 Jul 2026 15:48:00 GMT]]></title><description><![CDATA[<p><span><a href="/user/david_chisnall%40infosec.exchange">@<span>david_chisnall</span></a></span> <span><a href="/user/xgranade%40wandering.shop">@<span>xgranade</span></a></span><br /><a href="https://veganism.social/tags/signal" rel="tag">#<span>signal</span></a> has now decided to use official release notifications that look almost indistiguishable from a regular chat, just to train users even harder to fall for phishing attacks. <img src="https://forum.fedi.dk/assets/plugins/nodebb-plugin-emoji/emoji/android/1f611.png?v=7979fdcf9c7" class="not-responsive emoji emoji-android emoji--expressionless" style="height:23px;width:auto;vertical-align:middle" title="😑" alt="😑" /></p>]]></description><link>https://forum.fedi.dk/post/https://veganism.social/users/pelle/statuses/116879476687818409</link><guid isPermaLink="true">https://forum.fedi.dk/post/https://veganism.social/users/pelle/statuses/116879476687818409</guid><dc:creator><![CDATA[pelle@veganism.social]]></dc:creator><pubDate>Tue, 07 Jul 2026 15:48:00 GMT</pubDate></item><item><title><![CDATA[Reply to This is a good thread. on Wed, 29 Apr 2026 01:52:45 GMT]]></title><description><![CDATA[<p><span><a href="/user/pelle%40veganism.social">@<span>pelle</span></a></span> <span><a href="/user/david_chisnall%40infosec.exchange">@<span>david_chisnall</span></a></span> <span><a href="/user/xgranade%40wandering.shop">@<span>xgranade</span></a></span> The prompt appears less over time. I get it once per month.</p>]]></description><link>https://forum.fedi.dk/post/https://ioc.exchange/users/Avitus/statuses/116485492901341096</link><guid isPermaLink="true">https://forum.fedi.dk/post/https://ioc.exchange/users/Avitus/statuses/116485492901341096</guid><dc:creator><![CDATA[avitus@ioc.exchange]]></dc:creator><pubDate>Wed, 29 Apr 2026 01:52:45 GMT</pubDate></item><item><title><![CDATA[Reply to This is a good thread. on Tue, 28 Apr 2026 14:04:10 GMT]]></title><description><![CDATA[<p><span><a href="/user/david_chisnall%40infosec.exchange">@<span>david_chisnall</span></a></span> <span><a href="/user/xgranade%40wandering.shop">@<span>xgranade</span></a></span><br />yea, i guess it's a trade-off, but repeated nagging pop-ups asking for your PIN unrelated to any user action within the app is perhaps not the best way of to teach users to never give out the PIN.</p>]]></description><link>https://forum.fedi.dk/post/https://veganism.social/users/pelle/statuses/116482706669377615</link><guid isPermaLink="true">https://forum.fedi.dk/post/https://veganism.social/users/pelle/statuses/116482706669377615</guid><dc:creator><![CDATA[pelle@veganism.social]]></dc:creator><pubDate>Tue, 28 Apr 2026 14:04:10 GMT</pubDate></item><item><title><![CDATA[Reply to This is a good thread. on Tue, 28 Apr 2026 13:03:06 GMT]]></title><description><![CDATA[<p><span><a href="/user/pelle%40veganism.social" rel="nofollow noopener">@<span>pelle</span></a></span> <span><a href="/user/xgranade%40wandering.shop" rel="nofollow noopener">@<span>xgranade</span></a></span> </p><blockquote><p>whatever <a href="https://infosec.exchange/tags/signal" rel="tag">#<span>signal</span></a>'s reasons are for badgering users for a <a href="https://infosec.exchange/tags/PIN" rel="tag">#<span>PIN</span></a>, it's clearly a design choice they made, because other secure messengers don't do this.</p></blockquote><p>The choice is either:</p><ul><li>Periodically ask people to enter their PIN, or</li><li>Deal with people complaining that they forgot their PIN and are locked out (or, ideally not possible):</li><li>Provide an insecure way of recovering an account after you are locked out.</li></ul><p>The PIN entry UI looks nothing like an incoming message.</p>]]></description><link>https://forum.fedi.dk/post/https://infosec.exchange/users/david_chisnall/statuses/116482466576356379</link><guid isPermaLink="true">https://forum.fedi.dk/post/https://infosec.exchange/users/david_chisnall/statuses/116482466576356379</guid><dc:creator><![CDATA[david_chisnall@infosec.exchange]]></dc:creator><pubDate>Tue, 28 Apr 2026 13:03:06 GMT</pubDate></item><item><title><![CDATA[Reply to This is a good thread. on Tue, 28 Apr 2026 12:30:29 GMT]]></title><description><![CDATA[<p><span><a href="/user/david_chisnall%40infosec.exchange">@<span>david_chisnall</span></a></span> <span><a href="/user/xgranade%40wandering.shop">@<span>xgranade</span></a></span><br />whatever <a href="https://veganism.social/tags/signal" rel="tag">#<span>signal</span></a>'s reasons are for badgering users for a <a href="https://veganism.social/tags/PIN" rel="tag">#<span>PIN</span></a>, it's clearly a design choice they made, because other secure messengers don't do this.</p><p>and clearly this design choice has some harmful consequences, which i don't think it's fair of them to just <a href="https://veganism.social/tags/victimblame" rel="tag">#<span>victimblame</span></a> away.</p>]]></description><link>https://forum.fedi.dk/post/https://veganism.social/users/pelle/statuses/116482338323179344</link><guid isPermaLink="true">https://forum.fedi.dk/post/https://veganism.social/users/pelle/statuses/116482338323179344</guid><dc:creator><![CDATA[pelle@veganism.social]]></dc:creator><pubDate>Tue, 28 Apr 2026 12:30:29 GMT</pubDate></item><item><title><![CDATA[Reply to This is a good thread. on Tue, 28 Apr 2026 12:04:10 GMT]]></title><description><![CDATA[<p><span><a href="/user/pelle%40veganism.social" rel="nofollow noopener">@<span>pelle</span></a></span> <span><a href="/user/xgranade%40wandering.shop" rel="nofollow noopener">@<span>xgranade</span></a></span> </p><p>Without the phone number, you'd still need a mechanism for authenticating new devices, which would be a password or a PIN.  With the phone number, the first step is there for you and the PIN is defence in depth, without it you still have the same problem.</p>]]></description><link>https://forum.fedi.dk/post/https://infosec.exchange/users/david_chisnall/statuses/116482234785310252</link><guid isPermaLink="true">https://forum.fedi.dk/post/https://infosec.exchange/users/david_chisnall/statuses/116482234785310252</guid><dc:creator><![CDATA[david_chisnall@infosec.exchange]]></dc:creator><pubDate>Tue, 28 Apr 2026 12:04:10 GMT</pubDate></item><item><title><![CDATA[Reply to This is a good thread. on Tue, 28 Apr 2026 11:12:54 GMT]]></title><description><![CDATA[<p><span><a href="/user/david_chisnall%40infosec.exchange">@<span>david_chisnall</span></a></span> <span><a href="/user/xgranade%40wandering.shop">@<span>xgranade</span></a></span><br />yes, exactly: <a href="https://veganism.social/tags/PIN" rel="tag">#<span>PIN</span></a> is needed to reaqcuire your account — using your <a href="https://veganism.social/tags/phonenumber" rel="tag">#<span>phonenumber</span></a>! — because without PIN, <a href="https://veganism.social/tags/signal" rel="tag">#<span>signal</span></a> account data would be vulnerable to <a href="https://veganism.social/tags/SIMswapattack" rel="tag">#<span>SIMswapattack</span></a>, right?</p>]]></description><link>https://forum.fedi.dk/post/https://veganism.social/users/pelle/statuses/116482033197325434</link><guid isPermaLink="true">https://forum.fedi.dk/post/https://veganism.social/users/pelle/statuses/116482033197325434</guid><dc:creator><![CDATA[pelle@veganism.social]]></dc:creator><pubDate>Tue, 28 Apr 2026 11:12:54 GMT</pubDate></item><item><title><![CDATA[Reply to This is a good thread. on Tue, 28 Apr 2026 09:12:08 GMT]]></title><description><![CDATA[<p><span><a href="/user/pelle%40veganism.social" rel="nofollow noopener">@<span>pelle</span></a></span> <span><a href="/user/xgranade%40wandering.shop" rel="nofollow noopener">@<span>xgranade</span></a></span> </p><blockquote><p>they've been training users to fall for re-register <a href="https://infosec.exchange/tags/scams" rel="tag">#<span>scams</span></a> by constantly prompting users to re-enter your <a href="https://infosec.exchange/tags/PIN" rel="tag">#<span>PIN</span></a> (and the PIN is only necessary because phone numbers are used for sign-up).</p></blockquote><p>No, the PIN is required to reacquire the account if you lose all connected devices.  If they used any other unique identifier as the account handle, the PINs would still be required.</p>]]></description><link>https://forum.fedi.dk/post/https://infosec.exchange/users/david_chisnall/statuses/116481558329497157</link><guid isPermaLink="true">https://forum.fedi.dk/post/https://infosec.exchange/users/david_chisnall/statuses/116481558329497157</guid><dc:creator><![CDATA[david_chisnall@infosec.exchange]]></dc:creator><pubDate>Tue, 28 Apr 2026 09:12:08 GMT</pubDate></item><item><title><![CDATA[Reply to This is a good thread. on Tue, 28 Apr 2026 08:55:18 GMT]]></title><description><![CDATA[<p><span><a href="/user/xgranade%40wandering.shop">@<span>xgranade</span></a></span><br />it kinda is an issue with <a href="https://veganism.social/tags/signal" rel="tag">#<span>signal</span></a> tho.</p><p>they've been training users to fall for re-register <a href="https://veganism.social/tags/scams" rel="tag">#<span>scams</span></a> by constantly prompting users to re-enter your <a href="https://veganism.social/tags/PIN" rel="tag">#<span>PIN</span></a> (and the PIN is only necessary because phone numbers are used for sign-up).</p><p><a href="https://veganism.social/tags/signal" rel="tag">#<span>signal</span></a> are good at <a href="https://veganism.social/tags/victimblaming" rel="tag">#<span>victimblaming</span></a> whenever there's a security incident.</p>]]></description><link>https://forum.fedi.dk/post/https://veganism.social/users/pelle/statuses/116481492164809362</link><guid isPermaLink="true">https://forum.fedi.dk/post/https://veganism.social/users/pelle/statuses/116481492164809362</guid><dc:creator><![CDATA[pelle@veganism.social]]></dc:creator><pubDate>Tue, 28 Apr 2026 08:55:18 GMT</pubDate></item><item><title><![CDATA[Reply to This is a good thread. on Mon, 27 Apr 2026 21:55:03 GMT]]></title><description><![CDATA[<p>Like, it's both very true that a phishing attack against Signal users isn't a vulnerability with Signal, and that given the high value of Signal accounts, they can and should do more to proactively resist phishing attacks. They don't let either one of those truths overshadow the other, and good on 'em.</p>]]></description><link>https://forum.fedi.dk/post/https://wandering.shop/users/xgranade/statuses/116478895960746288</link><guid isPermaLink="true">https://forum.fedi.dk/post/https://wandering.shop/users/xgranade/statuses/116478895960746288</guid><dc:creator><![CDATA[xgranade@wandering.shop]]></dc:creator><pubDate>Mon, 27 Apr 2026 21:55:03 GMT</pubDate></item></channel></rss>