← Back to context

Comment by hobobaggins

2 years ago

Signal's vaunted double-ratchet encrypted groups have a severe weakness in the key exchange where the server can add itself as a participant.

Granted, this is pretty hard to solve when participants come online and offline at different times without having a trusted and always-online entity to handle the list of the current members (in the signal model, it's the server), but signal's still definitely not a silver bullet, even if people treat it like it is.

But if Signal gets pwned or captured, it can easily add itself into any group, or even add and remove instantly.

8 comments

hobobaggins

Reply
NotPractical  2 years ago

Wouldn't the group members at least be notified that someone joined the group? And the server would only have access to messages sent after that notification, right?

ianburrell  2 years ago

Do you evidence of that? Are you sure you aren’t confusing Signal and Matrix, which had that big? We would have heard about Signal after the Matrix bug if it also had it.

  • hobobaggins  2 years ago

    It's not really a bug. It's a design decision.

    There's no clear solution for it from an encryption perspective without a big tradeoffs (like requiring all participants to be online at the same time).

    Besides, the larger the group, the more likely that one of the nodes has been compromised anyway. Everything's a tradeoff -- don't depend on the security of a single solution if you're really trying to keep a secret; defense in depth.

    • ianburrell  2 years ago

      You haven’t shown that this flaw is in Signal in addition to Matrix.

      I heard about Matrix having that exact flaw, and if Signal had the same flaw, it would be big news. I remember Signal saying that they are not vulnerable.

    • wkat4242  2 years ago

      > There's no clear solution for it from an encryption perspective without a big tradeoffs (like requiring all participants to be online at the same time).

      I wonder if that's why Telegram's secret chats do in fact require users to be online at the same time for key exchange. I've used it before and I had to wait a while for the other party to come online.