200

out of the loop, what's the problem with signal? (lemmy.ml)

submitted 2 days ago* (last edited 2 days ago) by Nuvalon@lemmy.ml to c/privacy@lemmy.ml

164 comments fedilink hide all child comments

i've just seen a comment in a post, in this very community, saying people trust signal because of missinformation (from what i could undertand).

if this is true, then i have a few questions:

-what menssaging app should i use for secure communications? i need an app that balances simplicity and security.

-how to explain it to my friends who use signal because i recomended?

-what this means for other apps in general?

you are viewing a single comment's thread
view the rest of the comments

[+] wildbus8979@sh.itjust.works -16 points 2 days ago* (last edited 2 days ago)

Second is that it runs on AWS. This isn't a problem in the sense that it's possible for it to still retain privacy while running on AWS. Some people don't like it because they view the dependence on the infrastructure of an American company to be a risk to availability. They also believe that it would exacerbate a security flaw if one were found.

Let's not pretend the hypervisor doesn't have full access to the VMs memory and execution. The only thing protecting the Signal server is Intel SGX.

[-] someacnt@sh.itjust.works 52 points 2 days ago

I don't think Signal trusts the AWS server either, that's the point of E2EE encryption.

[-] wildbus8979@sh.itjust.works 5 points 2 days ago

I'm not claiming the contents of the messages are at risk here. You're social graph and metadata though is another story.

[-] pkjqpg1h@lemmy.zip 9 points 2 days ago

The only data they store are account creation time and last connection time.

https://signal.org/bigbrother/district-of-columbia/

[-] wildbus8979@sh.itjust.works -2 points 2 days ago* (last edited 2 days ago)

Well no, they store more data than this. They store your contacts as well, that's how they can do contact discovery. There's a hashing and linked list mechanism for it. It's better now. But it used to be a simple hash, something for which you could build a rainbow table in a few hours, at the worst.

It also.foesnt really matter if the software itself can easily be tampered with in memory by the hypervisor. Like I said, they are putting a lot of trust in Intel SGX. And thus the data doesn't need to be stored for issues to arise.

[-] pkjqpg1h@lemmy.zip 8 points 2 days ago

https://signal.org/blog/private-contact-discovery/

Since the enclave attests to the software that’s running remotely, and since the remote server and OS have no visibility into the enclave, the service learns nothing about the contents of the client request. It’s almost as if the client is executing the query locally on the client device.

[-] wildbus8979@sh.itjust.works -3 points 2 days ago* (last edited 2 days ago)

... Providing you trust Intel SGX.

[-] pkjqpg1h@lemmy.zip 1 points 2 days ago

Providing you trust Intel SGX (and AWS for giving them access to actual SGX and not just emulating a compromised instruction set)

😃

conspiracy begins...

[-] wildbus8979@sh.itjust.works 2 points 1 day ago

What conspiracy? CPU bugs aren't a conspiracy, they are just a fact. Amazon's involvement with American three letter agencies isn't a conspiracy, it's a fact.

[-] Ontimp@feddit.org 6 points 1 day ago* (last edited 1 day ago)

Yea but if you worry about CPU bugs there is no such thing as trust, no matter who owns the infrastructure. Any software can have critical bugs and any system that can be accessed remotely can be compromised. Personally I'd trust the people at Signal that they have made a reasonable architecture section to balance availability and privacy

[-] Count042@lemmy.ml 1 points 2 days ago* (last edited 1 day ago)

I don't take anything from someone I don't trust that also explicitly doesn't use warrant canaries because he says they don't work in contradiction to every legal authority.

It's also an issue that they run the signal server on one single AWS region.

It isn't hard or even all that expensive to run on multiple regions.

[-] wildbus8979@sh.itjust.works -2 points 2 days ago

It's not me you need to tell this though.

this post was submitted on 20 Mar 2026

200 points (90.3% liked)

Privacy

47356 readers

669 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 6 years ago

MODERATORS