zlacker

[return to "Signal app downloads spike as US protesters seek message encryption"]
1. AnonC+ul 2020-06-05 06:17:12
>>pera+(OP)
The biggest drawback with Signal for protesters is that it exposes the user's phone number to everyone else in groups (just like WhatsApp does). There is no way to even hide the fact that you have an account on Signal. I can add phone numbers by enumeration into my contacts and Signal will show who among my contacts is on it. If the authorities don't use tactics like they did in Hong Kong, the protesters may be safe from being spied on (or worse).
◧◩
2. hjek+7m 2020-06-05 06:25:10
>>AnonC+ul
Signal is not only used by protesters[0][1], so discovering that a phone number is connected to a Signal account by no means implies that the phone is used by a protester.

[0]: https://www.militarytimes.com/flashpoints/2020/01/23/deploye...

[1]: https://www.theguardian.com/politics/2019/dec/17/tories-swit...

◧◩◪
3. unicor+Mt 2020-06-05 07:56:37
>>hjek+7m
That doesn't change the fact that all phone numbers are visible to all group members. All it takes is one rogue participant to reveal the identities of all members. If that actor has access to triangulation data they now have identity, location history, words and possibly images/video.
◧◩◪◨
4. m12k+0w 2020-06-05 08:21:50
>>unicor+Mt
Yeah, it's optimized for communication between trusted parties (e.g. Snowden and a journalist) - as such the focus is on verifying the identity of the other person, not hiding it. It'd be cool if they figured out a group chat setting that was optimized for groups like protesters trying to coordinate - show your identity only to users you are directly connected with/have verified/whitelisted, but hide your identity from everyone else.
◧◩◪◨⬒
5. cyphar+yJ 2020-06-05 10:41:02
>>m12k+0w
Except the whole point of OTR-like messaging was that you can communicate with someone who you can't be entirely sure you trust in perpetuity (that's why messages in Signal and similar systems don't have non-repudiation -- neither party can prove to a third party that a message really was sent by the other party). Now, obviously the metadata worry is separate to how the message cryptography is implemented but it does seem odd to have a threat model which is somewhat confused on this question.
◧◩◪◨⬒⬓
6. nix23+fW 2020-06-05 12:48:20
>>cyphar+yJ
But with Signal you can verify that person; it's like the opposite of OTR.

https://signal.org/blog/safety-number-updates/
