| ▲ | heavyset_go 5 hours ago |
| This is one of the reasons it's crucial that the next set of secure messaging systems does away with tying real phone numbers to accounts. One phone gets compromised and the whole network is identified with their phone numbers. |
|
| ▲ | saguntum 3 hours ago | parent | next [-] |
| I haven't tried it, but Signal supports not sharing your phone number/just communicating with usernames: https://signal.org/blog/phone-number-privacy-usernames/ You still need to use your phone number to sign up, though. |
| |
| ▲ | jack1243star 2 hours ago | parent [-] | | > You still need to use your phone number to sign up, though. Which defeats the whole point. What if the FBI politely asks Signal about a phone number? | | |
| ▲ | Grisu_FTP an hour ago | parent | next [-] | | I might be misremembering or mixing memories but i remember something about them only storing the hash of the number. So the FBI cant ask what phone number is tied to an account, but if a specific phone number was tied to the specific account? (As in, Signal gets the number, runs it through their hash algorythm and compares that hash to the saved one) But my memory is very very bad, so like i said, i might be wrong | |
| ▲ | electromech an hour ago | parent | prev [-] | | They publicly publish these requests. You can see how little information is provided — just a phone number and two unix timestamps IIRC.
https://signal.org/bigbrother/ |
|
|
|
| ▲ | 1vuio0pswjnm7 3 hours ago | parent | prev | next [-] |
| If the Signal Messaging LLC is compromised, then "updates", e.g., spyware, can be remotely installed on every Signal user's computer, assuming every Signal user allows "automatic updates". I don't think Signal has a setting to turn off updates Not only does one have to worry about other Signal users being compromised, one also has to worry about a third party being compromised: the Signal Messaaging LLC |
| |
|
| ▲ | longitudinal93 5 hours ago | parent | prev | next [-] |
| Hiding your phone number is a setting now. Has been for well over a year. |
| |
| ▲ | heavyset_go 4 hours ago | parent | next [-] | | You can't sign up without one, and it being an option means people who are in danger won't do it. Also, if someone's phone is confiscated, and you're in their Signal chats and their address book, it doesn't matter if you're hiding your number on Signal. It's better to just not require such identifying information at all. | | |
| ▲ | godelski 2 hours ago | parent [-] | | That's true for any system where you have contacts linked. Same thing happens when you have names and avatars. If you don't want to link your contacts... don't link your contacts... But this doesn't have the result that the GP claimed. The whole network doesn't unravel because in big groups like these one number doesn't have all the other contacts in their system. For people that need it: | Settings
|- Chat
| |- Share Contacts with iOS/Android <--- (Turn off)
|- Privacy
| |- Phone Number
| | |- Who Can See My Number
| | | |- Everybody
| | | |- Nobody <----
| | |- Who Can Find Me By Number
| | | |- Everybody
| | | |- Nobody <----
| |- App Security
| | |- Hide Screen in App Switcher <---- Turn on
| | |- Screen Lock <---- Turn on
| |- Advanced
| | |- Always Relay Calls <-----
If you are extra concerned, turn on disappearing messages. This is highly suggested for any group chats like the ones being discussed. You should also disable read receipts and typing indicators.Some of these settings are already set btw | | |
| ▲ | Quothling 29 minutes ago | parent [-] | | I would imagine that the issue that people have here isn't so much that you can hide from other users, but whether or not you can hide your information from the company behind Signal. I'd assume that if you can't hide from the company, then you can't hide from the US government. We know that you can extract messages from a compromised phone because they aren't encrypted at rest. Which I guess would mean that even if you have disappearing messages and similar, your messages could proably still be extracted from a group chat with a comprimised user in it. If we go full tinfoil, then do you really trust Apple and Google to keep your Signal keys on your device safe from the US government? It's probably not that bad, but I do know that we're having some serious discussions on Signal here in Europe because it's not necessarily the secure platform we used to think it was. Then again, our main issue is probably that we don't have a secure phone platform with a way to securely certify applications (speaking from a national safety, not personal privacy point of view). |
|
| |
| ▲ | webdoodle 4 hours ago | parent | prev [-] | | Can you easily sign up without a phone number though? | | |
|
|
| ▲ | whateveracct 2 hours ago | parent | prev | next [-] |
| Physical keys are the real path. Sign every message with your Yubikey. |
|
| ▲ | MDWolinski 4 hours ago | parent | prev | next [-] |
| Zangi does this. No idea on their overall security posture compared to Signal, however. |
|
| ▲ | trollbridge 5 hours ago | parent | prev | next [-] |
| Gee, like any of competing systems like Session. |
| |
|
| ▲ | inetknght 5 hours ago | parent | prev [-] |
| If only we knew this would happen when these products were launched... Oh wait, we did. |
