Technology Preview: Signal Private Group System (signal.org)
One interesting aspect of this is that Signal gets to do this, because they have immense goodwill with the cryptographic research and engineering communities; though it's no guarantee of soundness, they have the advantage of having the feature designed, implemented, and ultimately reviewed by cryptography engineers that aren't generally/economically available to other messaging projects.
This is either a reason you love Signal (raises hand) or can't stand Signal. My take is, if you're in the latter group, that's fine; I use Slack, too.
Today, on iOS, you can't move your Signal history to a new device, and on Android you can only do so by manually making an encrypted backup file and writing down a 30-digit passcode, completely separate from the normal Android process of moving to a new device.
People keep long histories of messages, going back a decade, containing pictures and memories that aren't stored anywhere else. Message history is valuable data.
This doesn't seem like a "new cryptographic research" problem, this seems like a "well-established crypto (encrypted files) plus integration with standard device backup/migration" problem.
I really like Signal, I think they're doing things very well, and I wish I could use it without being constantly at risk of data loss. And this doesn't seem like an uncommon request, from what I've found.
Is there something I'm missing that makes this a hard problem? Or is it just a problem that nobody has prioritized?
The Signal devs don't discuss their roadmap, as is their prerogative. The result is of course that no one knows if such features are even planned, let alone worked on. Half a decade (?) of sad and frustrated forum posts and GitHub issues attest to that. I scan through them from time to time to see if there's any word.
But! There was actually a tweet from Moxie just a few weeks ago in a thread started by Matthew Green, I think, hinting that they might be working on it. It did make me a little happier. But yes, five years is a long time to wait for this feature, and we don't know for sure if or when it's coming. Me, amidst all the frustration, I am very happy for the software they are giving me almost for free (I've donated a little bit).
By the way, Josh, props to you for your patience and professionalism in the debian-devel thread about librsvg the other day.
The other sticking point is the phone number requirement. A (female) friend shared her “Signal” contact info with a professional acquaintance who doesn’t understand boundaries. After ignoring him on Signal, that led to unwanted SMS messages and even phone calls. For such a privacy-focused app, I don’t know why they are not more interested in protecting phone numbers.
I turned on the timer (1 week) for all of my conversations.
Nothing stays more than a week and I do not keep any backup.
It's not for security or privacy reasons. I feel like I don't need a full history of all my conversations with everyone from the beginning of time.
This fits better with the real-life model of having a conversation with someone. I don't record my conversations with people, so why do I need to do it in chat apps?
My Whatsapp is the same. Don't need all the massive amount of chat history...
I'm also reluctant to release it publicly because I'm worried about the support burden, because, while I've made the experience as easy as possible, it's still not a great experience considering how Signal works. I expect to see a lot of angry users who don't realize (despite documentation) that they need to download the backup to their new phone before running the Signal app for the first time. And then I expect people who lose their backup encryption key to blame me that their backups are unrecoverable.
I guess at the very least I could open source it at some point, but the setup is a pain since you need to create a Google Cloud project authorized to use the GDrive APIs.
Signal really needs this built-in. It puzzles me that it hasn't happened yet, since I built this little app in under ten hours (and I hadn't touched Android development in a good 7 years and had no experience with the GDrive APIs).
I would love that. But even with WhatsApp it never worked for me.
Last three device switches:
Windows Phone to Android: Not supported. Android to Android: something went wrong. Android to iPhone: Not supported.
Yes. Pretty much the entire security model of Signal is underpinned by this UX compromise. The way Signal works at the moment, you sign up for an account with your phone number, your device generates a secret, and that secret is used to secure all your communication. You can pass that secret around devices (as long as you have a device that has it - or just the original phone, I can’t remember). You are also responsible for making sure the people you talk to are really who they say they are. When you first add a contact, it’s up to you to make sure they’re not an imposter, and if they have to reset their account their secret changes, and you have to verify who they are again. If somebody takes over their phone number on a new device, they have to generate a new secret, and while they may succeed in impersonating the person (depending on how vigilant their contacts are), they at least won’t get access to the message history.
To allow for recovery of message history, you have to escrow the secret somewhere. If you give it to the service provider, then the security model is thrown out the window, and you just invented FB Messenger. If you give it to the user to escrow, then you’ve just kicked the can down the road, because a consumer is just as likely to lose a secret as they are their device, and the ways they may choose to store it will make the whole system less secure for essentially no UX gain.
This is an unavoidable trade-off. If you want the service provider to be able to recover your account, then they (or at least somebody in addition to you) have to have access to your secret. If you want your messages to be private, then you can’t allow a 3rd party to be able to recover your account.
If there are photos that should be kept then there are other ways to back them up. Is there valuable context in the conversation that was had around the delivery of the photo?
Are messages backed up and restorable for other messaging systems, and have you ever needed to go through a restore process to look back through a conversation?
If it's for the purposes of software project development team discussion and history needs to be kept for legal reasons then I think Signal is intentionally not aiming at that demographic.
I get that there are special moments in life but, for me, the textual conversations around them are very secondary to the moments themselves. But then, in discussions I've had with other people, my opinion seems to be the exception.
Eh? Why either or? (and why are there people who can't stand it?)
Signal forces users to use phone numbers; some people don't like this because they want to use multiple ephemeral usernames so they can be 'Joe' to friends, 'kleptoclown' to their GitHub group, 'dungeonmaster42' to their DND group, 'joesolutioner' to anyone who browses their personal website or business card, etc. That way they are not having to give out their phone number to strangers, which represents SIM-jacking and spam risks.
If you create a signal group and invite folks to it, you cannot remove members from the group (this is being worked on now) without them clicking the 'leave' button or creating an entire new group sans whoever needs to go, which causes loss of group history.
Signal cannot have multiple mobile clients, only one mobile client and a single desktop version. WhatsApp, Riot, etc. all support clients in as many spots as you can log in from.
Again -> these are focused nitpicks, but in most cases Signal is much better for upholding the promise of 'you send someone a message and you have a reasonable sense that ONLY THEY will be able to read it' compared to the likes of Line/WhatsApp/FB messenger etc.
It's OK in my books: a symptom of there being no server to step in and enforce a universal truth. You just have to understand what you're getting in exchange for the occasional inconveniences.
But the sometimes uncritical love people have for it doesn't help when it has issues.
The main categories of people I've encountered who aren't absolute Signal fans are:
* People who don't want to give out their phone number to random men.
* People who weren't impressed by Signal's security issues coming up at the same time that it was being pushed as the replacement for GPG.
I don't get why users can't be addressed by both phone numbers and a "signal id". If you opt in to using a phone number for addressing, your phone will be verified and Signal will resolve it to your signal id. If you opt out, people will need your signal id to address you and you can't use it for SMS. What are the challenges with that?
If I have a signal private group system, Signal can find out a ton about me and my associations with others using only that information. Many other messaging platforms do not need this very sensitive information from me to function. And it does not support a desktop-only app even if you give them a phone number and verify you control that number.
I am always reminded of General Hayden (former NSA chief) saying how they love PGP at the NSA because they can sniff metadata and know who talks to who; it lets them easily find who has something to hide so they can target them. Not that I have the NSA in my threat model, but I am very sensitive to unnecessary metadata being generated.
https://telegram.org/faq#q-if-someone-finds-me-by-username-m...
The problem is not which messaging app I want to use, it's which messaging app my friends are using.
That said, if I had to choose, I think Matrix has a slight edge in my books because it's a protocol rather than a silo. Even though Signal is private and open source, they are hostile towards people running their own Signal builds on company servers, and unwilling to federate with other servers.
Essentially, you run the official Signal app on the official Signal servers, or GTFO.
At the moment I share it with Google so I can share it with friends or family, which sucks.
I have been part of a group organizing protests in Beirut and I was surprised there was no clear go-to app that provided the security features we need.
We started off with WhatsApp because that's what everyone used before security became a concern. We then moved to Signal mostly to get auto-deleting messages. We then ran away to Telegram because there was no way to kick a compromised phone out of a Signal group.
We considered using Wire, which seemed to have what we needed, but the interface was a bit clunky and it did not run well on all the phones of the group... We are currently evaluating and considering Keybase.io, which seems to have all the features too, but not sure how it will handle about a hundred people in the group...
If anyone has ideas about which apps are recommended for that (or has additional useful things) please help, the main things we need are:
- Encryption E2E is nice to have but not a deal breaker.
- Possibility to kick a user from the group, deal breaker (a thug stole someone's phone in the protest once, and another time we got a message saying someone's security code changed and then they became inaccessible). Both incidents ended up OK, but there was no way to kick the person out of the group and proceed while clearing things out with Signal.
- No old history kept of the conversation. Either auto-deleting messages set to a short duration like Signal, or if not possible we can survive with an admin at home deleting old messages constantly and clearing the chat for everyone in sensitive situations (like Telegram allows).
- Free. For various reasons, some people can't buy apps no matter how cheap.
- easy to use. Most protesters are not too technical.
- possibility to display sender and group but not the content of messages in the notifications.
- having an easy way to add password to the app itself. (nice to have)
- making screenshots inconvenient to take (just nice to have).
- Not tied to phone numbers also really nice to have but not mandatory.
Our main threat is riot police and pro-government thugs taking protesters' phones and forcing people to unlock them, or running away before the phone is locked and then snooping around. Very rarely are people alone when this happens, so we almost always get a notification that X is compromised, so we clear chats and kick them out of the group before their phones are really compromised.
I don't think the government is running sophisticated deep packet inspection. I don't think our group has been infiltrated but that is always a possibility.
We are also trying to find some free device management solution to remotely track / lock and maybe wipe phones when they get taken.
Sorry for the wall of text... just thought now might be a good time to ask...
> Note that a user who has acquired a group’s GroupMasterKey and then leaves the group (or is deleted) retains the ability to collude with a malicious server to encrypt and decrypt group entries. We deem this risk acceptable for now due to the complexities in rapid and reliable rekey of the GroupMasterKey.
Does this mean that the server and a deleted user can always collude to get the deleted user readded to the group? Also, is there no provable audit trail of who added or deleted whom? Unless I'm misunderstanding, it seems like deleting a user is therefore enforced only via server trust, but please correct me if I'm wrong.
No, the members of the group would be able to see that the deleted user is back, or whatever else has happened to the list. Signal's server isn't responsible for deciding who gets the group messages, only for storing the agreed list in encrypted form. So members don't need to trust that the server did as it was told.
Certainly if you have a group where you suspect a member of colluding with the Signal server to betray the group you should probably NOT remove that member but instead take the extra trouble to explicitly form a new group (without that member obviously).
Your point that the deleted user and the server can collude to add a rando to the group seems like a bigger deal, since it would be harder to catch.
To make the same point more critically, if the members need to constantly recheck the mapping of group name to membership list (to stop server cheating), then the scheme might not be buying much.
If we replace "the signal server" with "the authentication/authorization service ("the AD service" / the organization's internal certificate authority")...?
Maybe I'm just needlessly afraid of the complexity of managing a real world certificate authority (keeping it secure, keeping it running, keeping as much as possible off line..).
People advocate for Signal because it's arguably the least offensive of the available e2e options. Also the founder for Signal has a long history of doing good work in this area.
Just like Signal.
> I'm not sure if I'd trust the Telegram founders, and their commitment to open source seems questionable to me
Meanwhile Moxie Marlinspike's opposition to free software is evident. You use the client he dictates or fuck off. There's closed source software that respects freedom more than Signal.
The only reason I use Whatsapp is because it's what all my contacts use. It's everywhere. It's the de facto standard for text communication. And I hate the app. I hate its guts.
I read that whatsapp implemented the signal protocol, does that mean anything with respect to being able to communicate with people using a different app? Because I was hoping so, but I can't find a way to see my whatsapp messages in signal.
Anyway I wish both projects the best of luck.
p.s. support for ephemeral msgs was released on the server in RC yesterday.
Another aspect is that Matrix, if you’re technical enough, lets you set up a custom server for your secret group, which is somewhat less vulnerable to centralized metadata interception (though there are holes, like centralized mobile notification relays). Admittedly, this is mostly out of scope for Signal, which focuses on security for non-technical users.
Finally, to state the obvious, for many use cases, pseudonymity is safety. Along the lines of the “$5 wrench” XKCD, in practice the single most likely way for your secure messages to be disclosed is not through some clever protocol hack, but by their being pulled at rest from some conversation participant’s device – often with their active cooperation. Similarly, Signal’s deniability feature is cool, intentionally allowing users to forge cryptographically valid messages supposedly sent to them by others. But in practice, messages are typically leaked via screenshots, with no attempt made to detect forgery in the first place.
In such an environment, the most effective defense overall is probably self-destructing messages, which Matrix... apparently doesn’t support, but will soon. (Yikes – like I said, I don’t use it.) But in cases where the people you’re talking to don’t need to know your real identity, pseudonymity is a close second. Its weakness is that people are bad at separating identities and maintaining opsec, but it’s still better than nothing. It’s strongest in cases where you’re part of a large group (say, of protesters): this greatly increases the chance that the adversary will be able to read your messages (with a mole in the group), but also means that they probably don’t care about you personally and would prefer to go after low-hanging fruit. Or even if everyone is equally protected, it increases the amount of time they have to spend going after each person, reducing the number of people they can find.
Anyway, I don’t want to be too negative. The world is certainly better off for Signal’s existence. Maybe Signal will add non-phone-number account support someday, solving two of the issues I mentioned in one blow. Maybe it won’t, but it’ll still be useful to many people, and its continuing cryptographic research will strengthen other messengers, including ones that target use cases Signal does not.
Still, I feel like there’s some dissonance. From a cryptographer’s perspective, Signal is head and shoulders above the pack; they really know what they’re doing, to an extent that practically nobody else does. But in other areas, Signal is just okay. Not bad, often better than average, but rarely outstanding. And that includes areas that impact security, like key transfer and the other things I mentioned.
https://en.wikipedia.org/wiki/Comparison_of_cross-platform_i...
You can sort the table by clicking on the column headers. The "E2EE group chat" column should be useful.
But it uses SMS to authenticate new sessions... we were a target of attack that exposed our group.
A few users had not set up two-factor authentication, so they woke to a warning from Telegram that someone was logged in to their account from across the world.
Complete agreement. I'm glad for the work going into Signal, both in development and in research.
> By the way, Josh, props to you for your patience and professionalism in the debian-devel thread about librsvg the other day.
(OT)
The other year? That conversation took place late last year. Thank you, though.
That is fair, but... I'm willing to make a backup file and handle a 30-digit passcode. I don't want to sign up using a phone number. That's crazy. :-/
https://twitter.com/moxie/status/1174047779267604480
In theory they could keep using the native contact list and just stuff Signal usernames in there; iOS does have the APIs to do that, and I'd assume Android too.
If you know that Signal needs a special backup procedure. If you don't, you've lost your data.
Also, that process applies to manual backups and recoveries, such as for device-to-device transfer from a working device. It doesn't work nearly as well for performing regular backups of a working device in case it abruptly becomes a non-working device.
There's no way to do backup/restore with Signal on iOS.
Sure supports connecting via @username only, and I’ve seen a few people switch to it for this reason alone (also the UI is a bit sleeker)
There is no way to move messages from one iOS device to another (such as a new phone). My girlfriend recently got a new iPhone and wanted to transfer our Signal message history from her old iPhone onto the new one. She said it wasn't possible, and then I spent an hour or two reading about it figuring there must be some hacky awful way to accomplish it. I couldn't find one. This has been an open issue for years [0][1].
Android has an inconvenient backup flow (that involves a randomly generated 30-digit PIN and manual transfer of a file), but that's infinitely better than the total lack of options on iOS. I do wish Android (and iOS) had a method to download all message history to decrypted plaintext (or JSON) for use with other apps. If I own my data, decrypting it should be my choice.
I regret recommending to my girlfriend that we use Signal, and won't recommend Signal to more people after this.
[0] https://github.com/signalapp/Signal-iOS/issues/2542
[1] https://whispersystems.discoursehosting.net/t/ios-backup-kee...
I dislike it too, but understand the reasoning behind spam prevention and account authentication.
You seem to be missing the point here: this isn't even about storing your data on someone else's computer with some kind of key escrow, this is about local backups not even working. Apple only recently implemented iMessage "sync", but before that (and still now), iMessage data was backed up to your Mac and accessible in your backup, without any concern about it being on some server or key escrow issues. Signal is simply missing the ability to get your own data out of the app on iOS. (And like, to really underscore how this is not a fundamental issue with Signal, their Android app does have a data export feature. They just don't think this is important enough to prioritize for some crazy reason.)
The best solution I’ve seen for this is the BIP39 mnemonics that crypto wallets use (because they face exactly the same problem - making the user the ultimate custodian of the keys). But it’s still terrible and barely usable.
You can also do the 1Password approach and have other users that you trust store all or part of your key material. But all any of the solutions mentioned in this comment do is spread the problem around a bit, not solve it.
Persistent history that lasts many times longer than the lifetime of any one device is a required feature to fully replace chat apps that have such history.
BUT I've heard a lot of people request the feature of porting messages. I didn't realize people care about this till they started telling me (I have convinced a good number of my friends to switch to Signal). So I'd say that because the market is asking for it, implement it. (I do notice that it is only iPhone users asking me about how they can do this. Might be selection bias)
BTW, you can do this! [0] I'd think the easiest thing to do (I don't know iOS or Android at all) would be to create a backup to iCloud or Drive that will hold an encrypted file. Then a function for the reverse. Since I don't do anything remotely near mobile, is this not fairly easy to implement? Encrypted backup is one of the top requested features [1] and seems one of the easiest to implement.
[0] https://github.com/signalapp
[1] https://community.signalusers.org/c/feature-requests?order=v...
Side note: the only features I want are
- Not being tied to a phone number, or a way to add a user without a phone number
- domain fronting (... thanks Amazon... )[2]
I think both are in the spirit of what Signal is trying to do and would specifically help protestors in authoritarian countries, so that they can decrypt their phones and not reveal others in the group chats. But I understand that these requests are much more difficult than asking for encrypted backup.
If a fragment of a conversation is useful, I'd store it somewhere else safe just in case (Password Manager, as a secure note).
I'm pretty stubborn about preserving my chat history; it goes back across several phone upgrades. When my dad died earlier this year, I was glad of it. I get to scroll back and see what we talked about.
If my choice was between secure comms and keeping history, I'd take keeping history. Surely many people are in the same boat. So if Signal wants to be truly ubiquitous (which increases security for all users), they really have to solve common user needs.
Since I really dislike using chat logs, and would rather not keep any (and ever since the 90s, I never have), I really like the 1-week timer on Signal.
(Not a "it works for me it should work for you", just wanted to share an anecdote :) )
Can't I build and use this if I want? It looks very open, but I haven't tried building my own client.
https://github.com/LibreSignal/LibreSignal/issues/37#issueco...
Yes, Signal's licensing complies with the letter of how we define free software. But that is irrelevant, as it violates the spirit.
Also, identity is persistent since you're using a phone number and signal attaches the name you list to that phone number with a registration passcode that must be entered intermittently to keep receiving messages.
One strong indication you have that Signal isn't logging this stuff is that they had to wait until they were able to advance the state of the art in anonymous credentials in order to implement group access control at all.
In contrast, I cannot verify this new claim that my group memberships are protected. I have to trust them.
I think you are basically saying: ‘well, they built all this crypto that is only useful if you believe they’re not logging, so I believe they’re not logging.’
Prior to doing this cryptographic work, Signal simply went without having these features at all.
You don't have to trust, you can verify. This has been proven in court: https://signal.org/bigbrother/eastern-virginia-grand-jury/
Or look at how popular "Letters of Note" is: https://twitter.com/lettersofnote
Conversation is connection.
I have all my Signal messages set to auto delete after 7 days (or less). And I'm pretty happy with how that works. If I thought people at a bar were recording every conversation they had or could overhear forever, I'd talk less freely (and go to different bars).
Not everybody wants ephemeral chat. But I suspect more people _think_ that's what they've got - but in reality do not have...
There are tiers of conversation. Letters between famously literate people or during times of war have a value proposition on an entirely different scale to group chat messages.
It's about the value that the individual assigns to the content of the conversation (this is almost arguing against my stated position). But if that conversation is never re-visited anyway, the value is the status of Schroedinger's cat.
What content that is worthy of "Letters of Note" is a) to be found in chat history? b) not already saved elsewhere due to its noteworthiness? c) going to be re-discovered by going back through hundreds or thousands of lines of conversation text on a mobile device screen? d) worth trawling back through hundreds or thousands of lines of conversation text on a mobile device screen?
Again, I'm aware that I'm an exception, but I think it's potentially natural human laziness to want to keep 'everything' in case it might be useful or valuable in a few years' time. Electronic hoarding.
I've recently set up an instance of NoteSelf to more easily track links to interesting articles and my own thoughts and ideas and various other things that I think are worthy of keeping. This is my form of targeted electronic hoarding. I'm in control of it, and it's robust enough to survive a mobile device theft, breakage, or some other kind of failure. Prior to that I wrote things down in journals, or other systems, some of which have been totally lost, but I don't find myself missing it or 'wondering what could have been'.
It feels as if the point that I'm trying to make is that mindful archiving is a better solution than to just 'keep all the things' - for me, primarily, it's the far improved wheat / chaff ratio.
Conversation is connection. Yes. But recorded conversation is just a reminder of connection, not the connection itself. I think my argument falls down when it comes to someone that's passed away, and keeping their flame alive to some extent. I don't work like that, but I wouldn't expect it of others.
Second, time helps ("we were talking about it around this time of year").
Third, you don't necessarily know how valuable the conversation is when you first have it.
And fourth, pictures and video and similar.
> It feels as if the point that I'm trying to make is that mindful archiving is a better solution than to just 'keep all the things'
I used to carefully archive every email in an appropriate folder. Now I only have one folder, "Archive", which contains all mail, and I use search to find what I'm looking for. (Search is all I used back when I had folders, too.) That requires far, far less work at the time of receiving a message.
Consider the time taken to carefully file something away, the difficulty of keeping such things organized manually, the ease of just automatically storing everything organized by time and people, and the likelihood of you successfully predicting in advance what you'll want later.
Only in retrospect. At the time, it's impossible to know. We happen to have (some of) Picasso's childhood artwork. What might it be like if we had da Vinci's and Bosch's and that of the Lascaux Caves artists?
Or look at the way Pepys' diary serves as an important source to historians for the details of daily life at that time. Or how Pompeii's graffiti gives us valuable historical insight: https://www.theatlantic.com/technology/archive/2016/03/adrie...
Destroying information now is expressing 100% confidence that nobody will have use for it later.
> It feels as if the point that I'm trying to make is that mindful archiving is a better solution than to just 'keep all the things' - for me, primarily, it's the far improved wheat / chaff ratio.
Depends on the cost of storage and retrieval, really. That was certainly true for, say, paper letters. But as the cost of storage and retrieval goes steadily down, manual archive selection becomes less and less worth it. Hoarding is only a problem IRL because it becomes expensive and unsafe. But my digital archives grow much more slowly than Moore's Law, so the cost to me of keeping all my email, photos, etc, is effectively zero. When I replace my backup drives every few years I spend about the same amount of money, and I keep having more and more space left over.
On the topic of plain text things (such as text messages) - how much data are you actually hoarding?
Let's say you type 100 words per minute for the next 40 years (and each word is 10 bytes). No sleep, no breaks, just 40 years of typing. Congratulations, you just produced 21GB of data. This fits on an SD card (<$30) or in the cheapest tier of cloud backup like Dropbox or Google Drive. You can search your 40 years of typing in well under a minute. If you remember the year you typed in, you can grep the data from that year in under a second.
I don't like the term "hoarding" for this. Hoarding has a negative connotation. Storage of plaintext is so incredibly cheap (and search so fast) that I feel the option value of retaining the text is almost always greater than the minuscule cost of storage and slower retrieval.
I don't think there are any valid analogies between storing physical items and digital items, as digital storage and search is orders of magnitude cheaper. Consider the same experiment where one writes with pen and paper for 40 years, and then wishes to search for the name "George".
Making a decision of what to keep must be more expensive and time-consuming than just keeping everything.
Are you kidding? All the time!
Most commonly by first reminiscing and then searching out the appropriate part of the message log.
I keep a journal for exactly these things
An email thread is useful and somewhat readable, and endless conversation between an individual or a group is less so.
But you're also right it would be a long con to go without these features for so long, develop state of the art cryptography to add them securely and privately, then not use that.
Store _what_ in plain text?
Right at the top of the article are some commonplace things other "chat" systems, even if they claim end-to-end encryption - store in a central database. Metadata, like the name of the group, a logo or "avatar" and then also the core fact of the group, a list of its members.
Signal's server doesn't end up knowing /any/ of those things. It doesn't need them for anything it does, so it never gets told what they are. It couldn't store them in plain text any more than it could your Signal messages.
With the proposed enhancement Signal's server would store the data so as to serialise access, but it would still be encrypted with keys the server does not have so it's meaningless to the server.
Members of each group learn a key (picked at random by the group's founding member) -- which Signal's server doesn't know -- and that key lets them decrypt the metadata about the group and encrypt new data if they e.g. decided to change the group's name, invite somebody to the group or remove someone from the group.
The part we can't _prove_ Signal is doing as a result of this work is the new use of Anonymous Credentials and Roles. Maybe Signal will actually let Alice add an entry to the members list for my group Carolines And Tiaras even though Alice isn't a member. This won't work very well, because since Alice isn't a member she can't add _correct_ entries, for example she can't add herself or a collaborator, but she can add gibberish and maybe annoy the group members.
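The comment above describes the storage model in outline: a group key picked by the founder and shared only with members, group metadata (name, avatar, member list) encrypted under that key, and a server that holds the ciphertext and serialises writes without being able to read it. The following Go program is an added illustration of that model, not Signal's code and not the construction the paper uses: it stands in AES-GCM for the encryption, a simple compare-and-swap version counter for the server-side serialisation, and constructed member names ("alice", "bob", "carol") for the sample data. The point it makes is that the server enforces ordering on opaque blobs while a client without the group key gets an authentication failure rather than plaintext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// GroupState is the metadata the comment lists: name, avatar, member list.
// (Constructed type for this illustration.)
type GroupState struct {
	Name    string   `json:"name"`
	Avatar  string   `json:"avatar"`
	Members []string `json:"members"`
}

// Server stores only the ciphertext plus a version counter used to serialise
// writes. It never holds the group key, so the blob is opaque to it.
type Server struct {
	blob    []byte
	version uint64
}

var ErrStale = errors.New("stale version: refetch and retry")

// Put is a compare-and-swap: the write lands only if the client built it from
// the version the server currently holds. Concurrent writers therefore cannot
// clobber each other's changes even though the server cannot read them.
func (s *Server) Put(expected uint64, blob []byte) (uint64, error) {
	if expected != s.version {
		return s.version, ErrStale
	}
	s.blob = append([]byte(nil), blob...)
	s.version++
	return s.version, nil
}

// Get returns the current version and a copy of the stored ciphertext.
func (s *Server) Get() (uint64, []byte) {
	return s.version, append([]byte(nil), s.blob...)
}

// newGroupKey is the founder's random key; in the comment's model it is shared
// out-of-band with members and never with the server.
func newGroupKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// sealState encrypts the metadata under the group key (AES-256-GCM, random
// 96-bit nonce prepended). Stand-in construction, assumed for this example.
func sealState(key []byte, st GroupState) ([]byte, error) {
	pt, err := json.Marshal(st)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, pt, nil), nil
}

// openState decrypts and authenticates a blob; a wrong key fails here.
func openState(key, blob []byte) (GroupState, error) {
	var st GroupState
	block, err := aes.NewCipher(key)
	if err != nil {
		return st, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return st, err
	}
	if len(blob) < gcm.NonceSize() {
		return st, errors.New("blob too short")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil {
		return st, err
	}
	return st, json.Unmarshal(pt, &st)
}

// Demo runs the flow end to end and returns: the final decrypted state,
// whether a stale write was rejected, whether the server could read the blob.
func Demo() (GroupState, bool, bool, error) {
	srv := &Server{}
	key, err := newGroupKey()
	if err != nil {
		return GroupState{}, false, false, err
	}
	// Founder creates the group and uploads the first encrypted state.
	initial := GroupState{Name: "Carolines And Tiaras", Avatar: "tiara.png",
		Members: []string{"alice", "bob"}}
	blob, err := sealState(key, initial)
	if err != nil {
		return GroupState{}, false, false, err
	}
	if _, err = srv.Put(0, blob); err != nil {
		return GroupState{}, false, false, err
	}
	// A member fetches, decrypts, adds carol, and writes back against the
	// version it read.
	v, cur := srv.Get()
	st, err := openState(key, cur)
	if err != nil {
		return GroupState{}, false, false, err
	}
	st.Members = append(st.Members, "carol")
	if blob, err = sealState(key, st); err != nil {
		return GroupState{}, false, false, err
	}
	if _, err = srv.Put(v, blob); err != nil {
		return GroupState{}, false, false, err
	}
	// Another client still holding the old version tries to write: rejected.
	staleBlob, _ := sealState(key, initial)
	_, err = srv.Put(v, staleBlob)
	staleRejected := errors.Is(err, ErrStale)
	// The server (or anyone without the group key) cannot read the blob.
	_, latest := srv.Get()
	_, err = openState(make([]byte, 32), latest)
	serverCanRead := err == nil
	final, err := openState(key, latest)
	return final, staleRejected, serverCanRead, err
}

func main() {
	st, stale, readable, err := Demo()
	fmt.Println(st, stale, readable, err)
}
```

The server's only job in this model is ordering: it accepts or refuses a write by comparing version numbers it can see, while the content of the write stays opaque. What the comment calls "meaningless to the server" is exactly the `serverCanRead == false` outcome; what it calls "serialise access" is the `ErrStale` path.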
Could they?
I am not clear that this is possible. I thought the entire point of "Alice provides a zero-knowledge proof to the server that she possesses an AuthCredential matching some particular entry" is that the server learns nothing about Alice other than her possession of a matching AuthCredential. Indeed, the paper says: "Because of the zero-knowledge property, the server has assurance that the user possesses such an auth credential without learning the UID certified by the credential, or other information that might link this use of the credential to other uses or to credential issuance."
It would be nice if someone more knowledgeable could confirm whether it is indeed possible for Signal to compromise user privacy while using this scheme. Is SheinhardtWigCo right when they write, "In contrast, I cannot verify this new claim that my group memberships are protected. I have to trust them."?
For example let's say a packet arrives from 10.20.30.40 [[ all IPs used are from 10/8 as examples I am aware that Signal probably rejects packets claiming to be from an RFC1918 network ]] which contains proof that group #1 member #4 has authorised adding a new member #8
SheinhardtWigCo believes this tells us that this identity (10.20.30.40) is a member of this group, group #1 and they suppose that Signal's server could in fact store this, and then perhaps later tell some Spooks a list of such members of group #1 and it could do this on a vast scale, so that it would be able to say for any "identity" (IP address) the list of all identities (IP addresses) which seem to be members of groups which that identity is also a member of.
Now, I don't think Spooks would find that very useful, but there you go, that's what SheinhardtWigCo thinks is a big problem here.
[ Edited to clarify early paragraph ]
Or an acknowledgement that it might have the capability to be used against you later.
Would you be happy for every word you ever said, in public or private, to be recorded and transcribed and searchable just in case it becomes an "important source to historians", or just as likely "an important source of parallel reconstruction data for $yourCountry{'nsaEquivalent'}"???
We never got a record of Pepys' bar discussions, only what he chose to record in his diary. I'm not sure we need my Signal messages stored for posterity either. Read my blog or Reddit posts, other stuff was intended and should stay private.
There's a good reason a bunch of interesting bars banned Glassholes...
What's hopeful in all this is that Signal is, slowly, catching up. Slack can roll out new features just by assigning a couple developers to it, and Signal has to coordinate new cryptographic research --- not just new cryptographic research, but research that produces something deployable at scale within the resources of a project like Signal! --- so Slack (and Wire and Keybase) are at a permanent advantage here.
But over time, Signal gets more and more usable without having to consider tradeoffs.
In some cases, an ability to have multiple independent accounts/identities (pseudonymity) would - unfortunately but practically - beat the true cryptographic security that Signal offers. I mean, personally, I'm less concerned about the platform (e.g. Wire or WhatsApp) or some government agency learning that I'm talking to my buddies on a certain schedule, than mixing up my acquaintances from different groups together, having to maintain a single identity for them all. Some people I talked with didn't know my name or phone number, and I would be uncomfortable if they did. For me, in my life I've said fewer things I wouldn't want governments to learn about than times I've used a pseudonym/throwaway account to talk to people.
This loss of user data is not advertised well enough up front, and leaves users feeling tricked. In many contexts loss of user data is an even bigger sin than weak security.
Needing to say I have a new phone just trust me largely defeats the purpose.
So you consider accounts not tied to a phone number "Slack ergonomics"? Before WhatsApp that was the default.
Which is number one reason why I'm not even considering it
"some people don't like this because they want to use multiple ephemeral usernames"
That's not my reason: I don't want people I don't know to get my phone number through other people I know and trust, but are used to share everything online. Of course that would be possible without any social application as well, though using one makes it much more natural.
Then this one from their site: "Multiple mobile devices and Android tablets are not currently supported"
Triple facepalm here: this makes it even worse than Whatsapp I use (read: am forced to use) on an old tablet. Whatsapp sucks badly just at everything (didn't I write I'm forced to use it?) but at least I can read what I write.
Downvotes welcome, though advice on secure+open alternatives that don't assume I have a smartphone (I haven't one and don't plan to) would be more informative.
Maybe this is because of the social expectation that it will work without such overhead, but I just simply can't notice how all the "countermeasures" of the phone industry (and governments, as this is a heavily regulated industry) are ignorant of the elephant in the room...
Here is a story of what happened to Doubi (SSR developer). He was very well aware of anonymity risks, and he evaded police for years on end. China literally tried to geolocate him by turning off the internet in entire cities, but to no result — he caught on to that, and started randomising his release timing, and avoiding releasing "hotfixes". So, the entire Chinese police and MSS had been looking for him for 4-5 years.
What happened? A few months before his arrest, he registered a Twitter handle with a throwaway SIM card. Those are usually sold by "grannies" in Chinese 2nd tier cities who peddle things like fake tax receipts, anonymous train tickets and such.
China either hacked Twitter, or had somebody bribed there, and they got the number. They then tracked down the granny who sold him the SIM card, and went on checking every person door to door in that small town. Then, they found him.
He got 5 years in prison, and 4 years of laogai (gulag).
This is wrong. You could always have multiple desktop clients. You can also add iPads as linked clients now. Personally, I have two desktops and an iPad linked to Signal.
WhatsApp doesn't support linked devices at all; the web client connects through your phone. Signal's linked devices function independently: you can power off your phone and they'll still work.
You are right about the mobile client, but that's not true of desktop. I have Signal installed and setup on every desktop/laptop that I use without any issue.
Here is what Doubi's online followers figured:
State security got all phone numbers used for Twitter phone verification up to May 2019 and possibly till July.
Twitter haphazardly closed the breach in complete secrecy.
The API hole explanation is excluded, as people with 100% private accounts got police visits.
People with foreign SIM cards also got into trouble. So the explanation that China compromised Twitter's SMS providers is also excluded, as it's improbable that they did it in 4+ countries.
The 2016 breach is also out of the question.
The only explanation is that they got hold of a big piece of the user DB, or, worse, they have an active infiltrator in Twitter, or Twitter voluntarily cooperated.
https://mobile.twitter.com/robert_spalding/status/1134797195...
https://amp.ft.com/content/afd44222-5c34-11e9-9dde-7aedca0a0...
Not even doubting it, just wondering if there's more of a source that's laid out (work/timeline/etc)? It's supremely interesting and should probably be more well known if it's not already.
Early accounts explored the possibility of Chinese police exploiting the SMS gateway and password reset abuse, but it has since been confirmed that even users who lived for years in the West got deanonymised, and their relatives got harassed. MSS/police having a fresh Twitter user DB is the most probable explanation at this point.
Am I missing something? Or am I misinterpreting your story? You're saying that sign-up bound to a SIM card is bad for Twitter and bad (worse) for Signal?
I like Signal and it always makes me happy to see more people showing up there, but for now certain group chats will stay on other messaging services.
I can see how this makes sense for journalists, dissidents, diplomats, criminals, corporate executives, etc., but if data is under threat of disappearance, regular people should be warned away and told to use something else for day-to-day communication.
https://support.signal.org/hc/en-us/articles/360007059752-Ba...
No dice for iOS unfortunately.
In this respect a keybase like model makes more sense to me.
This is different from whether other users are told that my security keys just changed.
I have some friends I talk to in Signal groups. I have others I talk to in Slack. In both cases, the goal is the same: communicate privately with a known group of friends.
Signal's rationale is that if we actually secure this type of conversation, we can tell people not to accept insecure conversations because they're trading something you might want (actual privacy) for... not very much.
We've been here before on the Internet, at least twice now. When I was still (barely) a teenager Tatu Ylönen invented SSH and connecting to another machine was now secure instead of hopelessly insecure. And at almost the same time a bunch of people at Netscape invented SSL (which became TLS) and made the World Wide Web secure. It only took a few years for ordinary (relatively) people to _expect_ SSH not telnet and it took a bit longer for HTTPS but in both cases we got to a place where secure was the default and expected condition.
"[Signal is] really an engine for revealing people's true preferences for messaging, which, for many people, tend to be that they want all the ergonomics of Slack a lot more than they want cryptographically sound secure messaging."
This comparison to Slack makes no sense - Signal replaces texts and makes them end-to-end encrypted. It's a straight upgrade to texting (except, apparently, on iPhone, where Apple won't let the app send plain old texts and the "drop-in replacement" quality is neutered). It requires a phone number to use, and is linked to that phone number.
Signal is right to be what it is, and if Apple got out of the way, I would insist on replacing all texts with Signal. Replacing my Slacks with Signal or my Signal messages with Slack fails to type-check.
Thomas Ptacek is a big Signal advocate, as am I, but he doesn't like to think of it as a drop-in replacement for texting, whereas I do (because that's what it is and where it shines). I move texting onto Signal whenever I can.
Not saying Keybase is better; no dog in that fight, just curious if you had considered it.
If Signal wants to be broadly successful, they have to be as good from the perspective of the broad base of users.
People do literally compare them when deciding what group messaging app to use: https://news.ycombinator.com/item?id=21746863
For people like that, end-to-end cryptographic security is at best a nice-to-have. And I'd guess that's circa 90% of people.
Signal's true value comes when lots of people are using it. I never bother with secure email, because almost nobody I know has it set up. But I use Signal for the great bulk of my texting, because most of my friends are on it. If Signal wants that to be more and more true, they have to compete with the other tools people use for group communication.