this post was submitted on 14 Jan 2021
But, we could install a version of the Signal client that's not compromised, which sends as little as possible, encrypted. So, a compromised server could deny the requests, because the client was modified or it couldn't work with the encrypted content the way it expected. This would automatically raise red flags, because the app doesn't work anymore. Has something like this happened?
And as for deploying modified versions to targeted devices: I know it's possible through orders or a compromised server, but has it happened? If so, any sources regarding that?
That really doesn't matter, because a compromised server could hoard a lot of info even assuming the message content is secure. I forget what video it was, but it was emphasizing linkability: what the western security orgs care about, more than content, is linking your accounts to create a digital footprint.
Signal has everyone's phone number (it's mandatory), and connections between accounts (timestamped messages with sender and recipient info). You can pretty much link a phone number to your identity, your name and address, credit cards, so a compromised Signal server is a centralized place with everyone's social connections, message activity, names, and addresses.
But Signal has the concept of sealed sender (https://signal.org/blog/sealed-sender/), where Signal doesn't know who is sending the messages.
This is when the government asked for data from Signal, "The only Signal user data we have, and the only data the US government obtained as a result, was the date of account creation and the date of last use – not user messages, groups, contacts, profile information, or anything else." (https://signal.org/blog/looking-back-as-the-world-moves-forward/)
With my phone number, they could tie it to other services, but not with the contacts in Signal itself.
This is something related to how groups are secured - https://signal.org/blog/signal-private-group-system/
Sealed sender does nothing against timing correlation. It's really trivial to correlate traffic over TCP connections and find out which pairs of IP addresses are communicating with each other.
Unsurprisingly, it's ineffective against users that exchange messages very rarely and effective with users texting every day.
Signal does nothing to mitigate this problem.