←back to thread

It looks like Signal isn't as open source as you thought it was anymore

(www.androidpolice.com)
242 points raybb | 2 comments | 06 Apr 21 18:04 UTC | HN request time: 0s | source
Show context
ndiscussion ◴[06 Apr 21 18:42 UTC] No.26715675[source]
It's been like this for a while, and the project owner's attitude is pretty negative overall. I do use signal daily, but I believe it's likely compromised ala lavabit.
replies(4): >>26715714 #>>26715934 #>>26716233 #>>26718058 #
morelisp ◴[06 Apr 21 18:46 UTC] No.26715714[source]
What's in the Signal server to be compromised?
replies(2): >>26715770 #>>26716093 #
corty ◴[06 Apr 21 18:49 UTC] No.26715770[source]
List of phone numbers? Pairs of communication partners? Timing and size of messages? Metadata about transferred media? There is still a lot, sufficient for targeting a drone strike as the usual wisdom goes.
replies(3): >>26715815 #>>26716325 #>>26716566 #
1. ViViDboarder ◴[06 Apr 21 19:31 UTC] No.26716325[source]
Signal doesn’t store lists of phone governments have lists of phone numbers. Comunication partners are hidden from the server using Sealed Sender for many conversations.

The rest of this could possibly be obtained, it it wouldn’t require a patch to the server as message sizes and timestamps likely appear on disk somewhere. Though the data is encrypted, you could tell “x received a message from some party (sealed sender prevents knowing who) at y time of roughly z size”.

replies(1): >>26716606 #
2. corty ◴[06 Apr 21 19:54 UTC] No.26716606[source]
Signal still uses and verifies phone numbers, so at some point they will pass through their infrastructure. They could still save them, knowing the source code they use gives at least at hint that they don't.

Sealed sender also is based on the pinky-swear that the infrastructure distributing the sender auth certificates doesn't correlate identities and connections with the messaging infrastructure. And that the server receiving the enveloped messages doesn't log. So all based on trust based on believing the right source code is running somewhere.

When access to that source code is restricted suddenly, of course people are worried.