Privacy

31854 readers

152 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

Chat rooms

[Matrix/Element]Dead
Discord

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS

What happens when Signal server gets compromised ? (lemmy.ml)

submitted 3 years ago* (last edited 3 years ago) by javik@lemmy.ml to c/privacy@lemmy.ml

4 comments fedilink hide all child comments

Hello Everyone,

This is something I've been thinking about in the wake of many users joining Signal, due to WhatsApp's new privacy policy changes.

When it comes to the mobile client (in case of Android), we could verify its integrity by checking the source code & the APK's integrity using reproducible builds (https://signal.org/blog/reproducible-android/).

When it comes to the server, it is possible that it could get compromised in many ways.

My question is, when it comes to privacy & security, does the server integrity matter if we are reasonably sure the client isn't compromised in any way or doesn't transmit anything that the server could access in a meaningful way.

And, this could apply to any service that has both FOSS client & server or just FOSS client.

you are viewing a single comment's thread
view the rest of the comments

[–] javik@lemmy.ml 0 points 3 years ago* (last edited 3 years ago) (1 children)

But, signal has the concept of sealed sender (https://signal.org/blog/sealed-sender/), where signal doesn't know who is sending the messages.

This is when the government asked for data from Signal, "The only Signal user data we have, and the only data the US government obtained as a result, was the date of account creation and the date of last use – not user messages, groups, contacts, profile information, or anything else." (https://signal.org/blog/looking-back-as-the-world-moves-forward/)

With my phone number, they could tie it to other services, but not with the contacts in Signal itself.

This is something related to how groups are secured - https://signal.org/blog/signal-private-group-system/

[–] federico3@lemmy.ml 1 points 3 years ago

Sealed sender does nothing against timing correlation. It's really trivial correlate traffic over TCP connections and find out which pairs of IP addresses are communicating with each other.

Unsurprisingly, it's ineffective against users that exchange messages very rarely and effective with users texting every day.

Signal does nothing to mitigate this problem.