Comment by borski
2 years ago
But it’s irrelevant, as the chats are end to end encrypted regardless. So sure, they’d know you had a Signal account, but not the contents thereof.
2 years ago
But it’s irrelevant, as the chats are end to end encrypted regardless. So sure, they’d know you had a Signal account, but not the contents thereof.
Well, to link with recent news, do you think talking with the late Alexey Navalni over Signal would protect you from russian police? They'd still be able to see that you talked to him.
And then what's the point of the super duper encryption?
In Signal, probably no. Signal has this sealed sender functionality hiding significant amount of metadata from passive observer and active examination post-communication: https://signal.org/blog/sealed-sender/
What Russian police would be able to see, that in a given time period of certificate rotation at most X people communicated to Navalny.
Signal does not know who you correspond with. The only information they keep is the account creation timestamp, and the date that the account last connected to the Signal service.
You may have confused this information with WhatsApp which indeed keeps a lot of metadata on each user.
Signal absolutely knows who you correspond with. How could they otherwise route your chat messages?
They promise to throw this information away, which is nice but not possible to verify.
They also employ a roundabout way of encrypting this data, but as they rightly point out in their article that describes the scheme, encrypting or hashing phone numbers is not safe from a malicious attacker. The space of all possible phone numbers is so small that it could be brute forced in the blink of an eye.
You place all your trust in Signal (and Google/Apple) when you use them. That may be better than the alternatives, but it's still something we should be honest about.
That said, keep in mind that Signal and Google/Apple can also trivially backdoor your software, so unless you take specific precautions against that, the details of their middleman protection isn't terribly important.
1 reply →
https://news.ycombinator.com/item?id=39414322
2 replies →
> They'd still be able to see that you talked to him.
Signal has no access to metadata, including participants in a conversation. All they know is the date of account creation and the date of the last connection.
However, if they got access to Navalni's phone, then they of course can see everything Navalni can.
> However, if they got access to Navalni's phone, then they of course can see everything Navalni can.
Aha :)
Do you people also want the relevant xkcd? The one about the wrench...
That is not true. That is now how Signal works.
Unsure why the downvotes, but I assume it’s from this misunderstanding of the Signal protocol.
Even encrypted data is not irrelevant. The frequency of messages is relevant, as is how many messages are sent how quickly, the total package size can be revealing if they arent hella padding the data, there is a lot you can learn just from the data. Total obfuscation is ideal.
If you are worried of an adversary that is using numerical analysis on the frequency of messages to somehow undermine you, I’d recommend not using a smartphone or internet connected device. And perhaps medication.
Good to hear that you have nothing to hide, comrade.
2 replies →
It's not irrelevant, but the exposure is reduced.
If a person is a member of a terrorist network - or friends with someone who is - the fact that a warrant could force Signal to expose that link could mean that a court is then more likely to approve increased surveillance of your (non-Signal) communications because of that link.
On the other hand if you are a woman on Tinder and using Signal to communicate with matches, this doesn't expose you to the person you have just matched with adding your number to their phone book, uploading it to LinkedIn and then finding where you work (which is what you can do with a phone number).
My feeling is this is a reasonable compromise, but it is important people understand what it does and doesn't protect you from.