submitted 8 months ago by ooli@lemmy.world to c/privacy@lemmy.world
[-] jet@hackertalks.com 23 points 8 months ago* (last edited 8 months ago)

Unless Signal demonstrates they can't link usernames to phone numbers, I call BS.

Privacy by policy is great, but it's not zero knowledge. Since they designed the system to ultimately identify people to phone numbers, there will always be the potential they are logging all the username phone numbers hash lookup tables.

[-] Stitch0815@feddit.de 15 points 8 months ago

It's good to always be sceptical, however I have been using and following Signal for years and so far they have not given me a reason to mistrust them. You should read their answers when some judge with 0 digital competence tries to subpoena some chat protocol.

[-] LWD@lemm.ee 8 points 8 months ago

It would be big news if Signal failed to disclose a little-known caveat, let alone directly lie.

The functionality has been tested for at least a year, right? And the client side code is open source. They aren't hiding anything. The Molly fork has already implemented the same functionality.

[-] jet@hackertalks.com -1 points 8 months ago* (last edited 8 months ago)

Don't get me wrong. I like the Signal Foundation. They do great work. I'm just hesitant to claim that usernames are an anonymous way to talk to people on the internet.

If your model of Signal is just "I can communicate encrypted with people I already know and who know me", everything's fine. Nothing about the server compromises that. But when you introduce "can I talk to people anonymously", the model doesn't support that, because the server has the capability to deanonymize.

If nothing else, somebody could simply brute force all the phone numbers, until their named contact shows up.

I just did some minor testing. Right now, if you have a username that you want to post on the internet, like embarrassing_contact.01, like for political dissidents organizing, alternative lifestyle organization, disclosing sensitive information, etc.: if you already have the contact on your phone, but you try to send a message to the username, Signal will tell you, oh, it's the same person, you already have this contact. So right there is a proof of concept of deanonymizing people.
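
Added illustration, not part of any comment in this thread and not Signal's code: the sketch below shows why a hash of a phone number is only as private as whoever can enumerate or key it, which is the concern raised above about hash lookup tables and brute forcing. The number, prefix, key and hash rate are constructed assumptions; the thread does not describe how Signal's server actually hashes anything.

```python
import hashlib
import hmac

def digest(number: str) -> str:
    """Plain, unsalted SHA-256 of a phone number string."""
    return hashlib.sha256(number.encode()).hexdigest()

def keyed_digest(number: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret that only the server holds."""
    return hmac.new(key, number.encode(), hashlib.sha256).hexdigest()

def recover(target: str, prefix: str, suffix_digits: int, hash_fn=digest):
    """Hash every number of the form prefix + suffix; return the match or None."""
    for n in range(10 ** suffix_digits):
        candidate = f"{prefix}{n:0{suffix_digits}d}"
        if hmac.compare_digest(hash_fn(candidate), target):
            return candidate
    return None

def exhaust_hours(total_digits: int, hashes_per_second: float) -> float:
    """Hours needed to hash every number with `total_digits` free digits."""
    return 10 ** total_digits / hashes_per_second / 3600

# Constructed sample data (555 numbers are reserved for fiction).
NUMBER = "+15555550142"
PREFIX = "+1555555"                      # known part; 4 digits left unknown
SERVER_KEY = b"constructed-demo-key"     # assumption: a server-side secret

if __name__ == "__main__":
    # 1. Unsalted hash: anyone holding the digest recovers the number.
    print(recover(digest(NUMBER), PREFIX, 4))

    # 2. Keyed hash: an outsider without the key finds nothing...
    stored = keyed_digest(NUMBER, SERVER_KEY)
    print(recover(stored, PREFIX, 4))

    # 3. ...but the key holder can still link digest to number, so the
    #    protection rests on the operator's policy, not on the math.
    print(recover(stored, PREFIX, 4, lambda c: keyed_digest(c, SERVER_KEY)))

    # 4. Ten free digits at an assumed 1e6 hashes/second: under 3 hours.
    print(round(exhaust_hours(10, 1e6), 2))
```

The design takeaway for anyone storing identifiers this way: hashing a low-entropy value does not anonymize it, and keying the hash only narrows who can reverse it to the key holder.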

[-] RayJW@sh.itjust.works 2 points 8 months ago

If that is your threat model you can put your phone number privacy to no one. Then I can't see you use Signal even if I have your contact with your phone number saved and adding you with your username won't show you as my phone contact with the same phone number.

[-] jet@hackertalks.com 2 points 8 months ago

That's good feedback, I wasn't aware it existed. Thank you

[-] viking@infosec.pub 14 points 8 months ago

The article states that they are only saving a hashed copy of the currently set username, if any. While they might in theory keep more than that on hand, their policy has always been to minimize accessible data, and they have responded in kind whenever subpoenaed, which is at least very strong evidence.

The code is also fully open source for both server and client, so you could independently validate it yourself.

[-] MeanEYE@lemmy.world 2 points 8 months ago

Are you sure the code for the server is open source? I thought only the client was.

[-] viking@infosec.pub 11 points 8 months ago

https://github.com/signalapp/Signal-Server

Everything is completely open under AGPL 3.0, really neat.

[-] kenbw2@lemmy.world 9 points 8 months ago

Worth pointing out that a git repo doesn't mean that's what they're running on the server

I'm not saying don't trust Signal, but it's worth remembering that you are trusting them

[-] dwraf_of_ignorance@programming.dev 2 points 8 months ago

I think you are confused between Telegram and Signal.

[-] owatnext@lemmy.world 22 points 8 months ago

Still a bit miffed they removed SMS/MMS support.

[-] Dnn@lemmy.world 10 points 8 months ago

While I hate the dominance of WhatsApp in Europe, at least we hardly use SMS anymore. What's up with that in the US?

[-] ThirdWorldOrder@lemm.ee 9 points 8 months ago

Why is it that WhatsApp is so big in Europe? My dad is European but lives in Mexico. Only way to get through to him when he’s in Mexico seems to be through WhatsApp.

In the USA, I think the majority of people that use WhatsApp just use it for international purposes even though there is no rate difference sending a text via SMS.

[-] Dnn@lemmy.world 8 points 8 months ago* (last edited 8 months ago)

Well, it's big pretty much everywhere except for the US and China. It was the right app at the right time and due to its huge user base it's virtually impossible to get people to ditch it - even when it was bought by an evil tech giant.

It does have good and useful features though. SMS doesn't even allow group chats - that alone renders it utterly useless (I'm just ignoring it being clear text without any kind of security or privacy - those seem to be too abstract concepts for most people anyway).

[-] AA5B@lemmy.world 4 points 8 months ago

Laziness.

Every phone supports SMS. It’s not all that long ago that people had feature phones, but they also supported SMS. We went through things like Facebook Messenger, but only for Facebook users, AOL Instant Messenger but only for AOL victims. Every texting/chat app has its followers but none have become dominant enough to unseat SMS.

I don’t care what texting app I use, and SMS has sufficient features (although RCS would be better). However I care most about contacting everyone I may want to, using one texting app. That’s SMS, no contest.

Or maybe credit the dominance of Apple. I use iMessages and most people I chat with do as well. However it seamlessly integrates with SMS so I still get all my contacts in one place.

[-] sic_semper_tyrannis@feddit.ch 3 points 8 months ago* (last edited 8 months ago)

SMS was a huge factor for getting my wife on a degoogled OS.

[-] corsicanguppy@lemmy.ca 4 points 8 months ago

My phone is set up as a tablet. It has a number but cannot send/receive SMS or calls.

It's so great.

But I guess Signal's number-elitism isn't for me, still. K. I'll be cryin' into my $14 phone bills.

[-] LWD@lemm.ee 1 points 8 months ago

If you have a phone bill, you must have a phone number, right? Surely you can receive a single verification SMS without making a permanent dent in that phone bill.

this post was submitted on 06 Mar 2024
127 points (98.5% liked)
