Valid Signal privacy issues shrugged off while patches quietly rolled out(403forbiddenblog.blogspot.com) |
Valid Signal privacy issues shrugged off while patches quietly rolled out(403forbiddenblog.blogspot.com) |
~~
hi there! signal did not start silently rolling out patches because there is nothing here to patch. friday’s releases were part of our regular cadence of shipping features and improvements to the apps.
by design, SNs don't change when doing a signal device transfer or when making a linked device change, because the key material doesn't change. we explained this several times and even added to our support article/FAQ. no behavior here has changed.
This doesn't appear to be anything of the kind. Signal has implemented a migration system so that people can move to a new phone without changing the safety number.
Then a bunch of references to the promises Signal makes about re-verifying if the safety number changes. Since the safety number doesn't change, none of those actually apply.
I think this is probably a sensible default for many people engaging in casual conversations.
However, this notification should probably be configurable. That way you can be notified when communicating with high risk individuals.
It is like copying your PGP private keys from one device to another. The associated public keys are still in your correspondents key stores, certified or not. Nothing changes for them and there is no reason for them to know what you have done.
There is nothing here for Signal to do. Their issue is is the one that everyone who creates an encrypted E2EE messenger faces. There is no good analogy for cryptographic identities. So it is hard to produce a good conceptual model that the user can use to understand what they should expect and how they should react.
Third false alarm in college - no one left dorm.
Third false alarm working overseas (required we wake up etc) everyone turned off buzzers.
The author apparently expects the safety number to change in order to alert the person on the other end that there "might be a hostage situation," evidently not realizing that the attacker could just, well, use the unlocked phone right in front of them.
So from that point of view it would be legitimate to argue that I might want to get notified if one of my contacts transfers his account. I can then double check : “Did you just transfer your signal account to a new device or was that an attacker?”
That might only be interesting for high-risk users though and could impair the UX. Why not make it optional?
There are many cases where an attacker can access a device for a short time and/or without the owner realizing that the phone was tampered with.
and the concepts and UX research surrounding Safety Numbers (what they are, how they're represented, and how we found they bring the most utility to the platform) in these 2016 & 2017 blog posts:
https://signal.org/blog/safety-number-updates/ https://signal.org/blog/verified-safety-number-updates/
The main function of safety numbers is to theoretically prevent mass mitm of Signal.
- Accept that you misunderstood and have mostly wasted your time by pursuing unnecessary research. Refocus on new vuln research.
- Become indignant and accuse the developers of being uncooperative and conspiratorial by refusing to validate your research. Double down on publicizing your original research.
Which response is correct hinges on whether the developers are justified in denying the vulnerability. As a reader, I was prepared to have the second response but after reading the article I feel the first - this was a waste of everyone's time.
The end of end-to-end is the two messaging devices. That is all and in almost every case, it’s enough.
Same answer. They don’t control the input, they just keep it safe once it’s in transit.
It makes sense to attack and work on problems that are actually happening and are solvable within some level of aspiration.
I’m not sure how things work on either mobile OS. Perhaps there can be more clear language and notifications on if everything is being passed to the virtual keyboard developer or not.
Unless you mean Apple, Google, and other Android manufacturers themselves. That’s beyond the scope of any E2E stuff.
I don't see how this is a problem at all. This was actually a feature that many Signal users wanted to use - they didn't want to re-verify safety numbers every time that they had to reinstall Signal or switch to a new phone.
> We don't want anyone to get hurt by way of trusting privacy guarantees which may be more conditional than they appear from the docs!
> If Bob notices the chat safety number with Alice has changed and then Alice sends a bunch of suspect-sounding messages or asks to meet in person and Bob has never met Alice in person before, for example, Bob should be wary. After Alice for example is forced to provide device passcode or unlock their device with their fingerprint or face, Alice's device could be cloned over to a new device by way of quick transfer functionality without Alice's consent, and the messages could be coming from the cloned device rather than Alice's actual device.
Respectfully, this doesn't make any sense. Signal provides security from device to device, it doesn't stop someone from pointing a gun to your head and looking at your messages or pretending to be you after stealing your phone. If someone has the physical possession of your phone necessary to perform a device transfer, then you're already screwed. The idea that a safety number change would alert the person on the other end that you're being held hostage is outlandish and is completely divorced from any normal use of Signal.
I could ask you for your device under the pretense of making a phone call and then secretly transfer your account to my device. I could then secretly read your chats from my device and no one would be aware of it - until you check the amount of active sessions in settings.
If you can’t secure your physical phone, all digital security is moot.
But in general, if the migration is done securely then migrating the key material seems fine too. By cutting down on benign cases where something changes, this makes the safety number change warning something that warrants more attention.
Signal used to silently fail if you changed device. I guess not much has changed.
Um, not that I know of. A quick check, though, the QR code is a bunch of binary data, so I dove into the source code: https://github.com/signalapp/libsignal-client/blob/4446b648f...
> very amused that the author censored part of the QR code, but not the human readable text below it containing the exact same data
So what is it now, does it contain the phone numbers or not? Am I allowed to be 'very amused' at you for also not knowing what's in the QR code? :-)
Any phone numbers are censored in the screenshots, only the safety number is not. But the QR code doesn't contain the phone number, as you just saw in the source code (assuming I correctly identified the relevant part, I just looked for uses of qr codes, found getScannableFingerprint and followed the trail through libsignal from there).
Strictly speaking, though, the QR is not the same as the text below: the safety number below doesn't appear to include a version number (same file, lines 14-16). But that's just a technicality.
Either way, I was also amused as my understanding was also that the QR code is the same as the 'safety number' shown below. What confuses me is that the author knows what a CVE is and knows all the right channels to do responsible disclosure, but is apparently confounded by the situation that no key change is shown when they key didn't change. I am rather happy that you can keep your key material: I'd go insane if I had to reverify everyone who adds a new device legitimately (try Wire if you want that experience), I'd certainly stop doing it for any but the most stable and important of contacts. I'd also somehow need to establish a second encrypted channel to exchange the new key material because I don't meet most people in real life these days.
Edit: Signal’s blog refers to it as a hash[1]. It’s apparently essentially just a hash of the contact’s public key, so rotating that causes the hash change.
and yours*. They're concatenated with deterministic sorting such that they are the same on both devices.
Which is a big pain because that means I can't simply tell everyone my public key, I have to explain that half the number is their own key and that they can ignore the non-matching part, which is dangerous advice... it could have been so simple but moxie is moxie
It was renamed from "fingerprint" because to those unfamiliar with cryptography, "fingerprints" are things used when a crime has been committed. There was a study out some years ago that illustrated that most of the crypto jargon in use is not helpful in conveying mental models to laypeople.
The thing this proposed change would protect against is, if an attacker gets access to a participant's unlocked phone, and then transfers their Signal account, it will notify the other participants.
But an attacker can just as easily retain access to the original phone and send and receive messages with it - either physically, or by installing malware (a RAT or something) and remotely accessing the phone.
And when you move devices, because of the way the Signal ratchet works (I think), the original device doesn't get access to send or receive messages. So a device move is detectable if the original phone is returned.
At least "fingerprint" directly maps to the idea of an aspect of something that relates to the identity of someone.
I dunno, could you call this a "serial number"? The root problem here is that our culture does not have the idea of a cryptographic identity in the first place.
Vetting personnel isn’t necessary, nor is it sufficient, to protect information.
Protecting more than just the information, is a different argument.
If we’re talking about securing personal information that has a physical footprint of a cell phone, vetting personnel is irrelevant. Never let your phone leave your person, on pain of death, so to speak.
If we’re talking about securing a building, vetting personnel is just an extension of physical security, anyways.
All of those checkboxes will ultimately reduce to being an extension of physical security.
The temporary access threat model is a common criticism that people use, but it is largely incoherent. Once you are making human judgements like "enough time to transfer a signal account but not enough time to install a rootkit" things quickly break down into meaninglessness.
If you leave cryptographic keys lying around unprotected they should be assumed to be compromised.
This is what you originally responded to. I paraphrased it. The "heavy lifting" meme that you've employed is rarely more than a shallow dismissal. Be better.