It costs around $50 million every year to ensure Signal is robust and available all over the world for anyone whenever they need it.

And as a nonprofit, that money comes from all of you; the people who believe that we all deserve a place to speak freely.

https://signal.org/donate/

Donate to Signal Private Messenger

Your donation helps pay for the development, servers, and bandwidth of an app used by millions around the world for private and instantaneous communication. Please make a donation today.

Signal Messenger

And if you want to know more about the economic reality behind running high availability, actually innovative tech…

https://signal.org/blog/signal-is-expensive/

Privacy is Priceless, but Signal is Expensive

Signal is the world’s most widely used truly private messaging app, and our cryptographic technologies provide extra layers of privacy beyond the Signal app itself. Since launching in 2013, the Signal Protocol—our end-to-end encryption technology—has become the de facto standard for private commu...

Signal Messenger

@signalapp If possible, wouldn't it be cheaper and as secure for the Signal Foundation to be on the receiving end of the account verification SMS? The new #signal user:

  1. Installs the Signal app
  2. Creates a new account by providing their phone number and desired username
  3. The app encrypts number & username from step 2 and shows it together with a short declaration, e.g.:
     "I hereby open a Signal account. My hash is: gdhduehdbyrifhhdywuhdjcisncuqihdusjhdywofpaljwkduejgdhd"
  4. The user copies the text via copy button into the SMS app and sends it to the Signal Foundation phone number provided in the app
  5. The Signal Foundation server decrypts the text, checks whether the phone number of the SMS sender matches the number provided in the hash. If the check succeeded, the app unlocks the account for the username provided in the encrypted text and links the phone number to the username.
  6. Perhaps, step 3 and 4 can be automated in a way that the Signal app creates an SMS draft that the new Signal user just has to send out after double checking.
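
The verification flow proposed in the post above, as an added sketch that is not part of the thread and not Signal's code. It assumes RSA-OAEP from Node's built-in crypto module for the "encrypts" step, a sender number reported by a trusted SMS gateway, and a freshness timestamp against replay; `buildSms`, `verifySms`, `normalize` and `serverKeys` are hypothetical names, and any phone numbers used with it are constructed.

```javascript
// Added sketch of the inbound-SMS check proposed above; not Signal's code.
const nodeCrypto = require('node:crypto');

const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const PREFIX = 'I hereby open a Signal account. My hash is: ';
const MAX_AGE_MS = 10 * 60 * 1000; // assumed freshness window against replay

// Hypothetical server key pair; the app would ship only the public half.
const serverKeys = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Reduce a number to "+digits" so formatting differences do not cause mismatches.
function normalize(number) {
  const digits = String(number).replace(/[^\d]/g, '');
  return digits ? '+' + digits : '';
}

// App side: encrypt number and username to the server key, build the SMS text.
function buildSms(phone, username, publicKey, now = Date.now()) {
  const claim = JSON.stringify({ phone: normalize(phone), username, ts: now });
  const blob = nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, Buffer.from(claim));
  return PREFIX + blob.toString('base64');
}

// Server side: decrypt, then compare the claimed number with the sender
// number reported by the SMS gateway (trusted here by assumption).
function verifySms(senderNumber, body, privateKey, now = Date.now()) {
  if (!body.startsWith(PREFIX)) return { ok: false, reason: 'format' };
  let claim;
  try {
    const blob = Buffer.from(body.slice(PREFIX.length), 'base64');
    claim = JSON.parse(nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, blob).toString());
  } catch {
    return { ok: false, reason: 'undecryptable' };
  }
  if (Math.abs(now - claim.ts) > MAX_AGE_MS) return { ok: false, reason: 'stale' };
  if (normalize(senderNumber) !== claim.phone) return { ok: false, reason: 'sender-mismatch' };
  return { ok: true, username: claim.username };
}
```

A 2048-bit RSA ciphertext is 256 bytes, or 344 base64 characters, so the declaration spans several concatenated SMS segments rather than one 160-character message.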

    @duxsco @signalapp Wouldn't it be much cheaper and just as secure to not have SMS or phone number as a requirement at all?

    SMS confirmations would be insecure, actually, because SMS is susceptible to MITM attacks. And I didn't even mention hijacking such as SIM swapping or phishing.

    What's worse is that Signal relies on Twilio, a company that has already been breached numerous times, to send out SMSes, that come to about $6 million/year, which is mindbogglingly insane and a waste of money.

    Even more so, because by sending an SMS, you directly expose your actual phone number, compared to a hash that Signal stores on their servers, so anyone breaching Twilio could read the phone numbers, or if Signal gets compelled by law enforcement, and if they collect the SMSes themselves, law enforcement could also find the phone numbers.

    @alextecplayz @signalapp People moaned about the reliance of Signal on SMS already often enough for the Signal Foundation to be aware of people being displeased. I didn't see any point in adding to that. Considering that there will be no move away from SMS, at least, in the foreseeable future I wanted to just suggest an alternative approach to the current SMS based account verification that potentially doesn't incur these huge costs. I didn't make a statement on the level of security SMS provides. This has already been covered in the past, and there have been incidents with SMS verification and the use of SMS TANs without Signal Foundation seeing the need to improve user onboarding. No point going through this again and again.
    @duxsco Still, the rest of the SMS concerns I raised are valid. MITM attacks, SIM hijacking or phishing, Twilio being compromised etc, it may actually worsen privacy if people had to confirm their accounts via SMS.
    @alextecplayz You talk about security which has been chewed on over and over. I just want to provide a constructive suggestion for cost reduction. You don't need to tell me that SMS is s**t. I know that. Signal Foundation will not change that, at least, in the foreseeable future. You could switch over to Threema, but you will most likely have fewer contacts there.
    @alextecplayz @signalapp With my approach, there wouldn't be a need for Twilio's services. The Signal Foundation just receives SMS.

    @duxsco Yes, they'd receive the SMS, which means they'd also receive the user's ACTUAL phone number, unlike the encrypted hash Signal stores on their servers currently.

    Which means, that if Signal gets compromised or subpoenaed by law enforcement, they would have to share both the hashed phone number AND the plaintext phone number, which would allow law enforcement or a nefarious third-party to directly create graphs that would identify specific users by matching the phone numbers to the hashes.

    This is very dangerous, so it's not a good idea at all. Unless they decide to drop the phone number requirement altogether, they cannot switch their SMS approach without creating massive privacy issues for the user base.

    @alextecplayz Signal already has your phone number with the current approach. I joined this thread to make user onboarding cheaper and not more secure. The Thread started with Signal pointing out costs.

    @duxsco Signal already has a user's encrypted phone number, but they can't decrypt it. Your proposed approach hands Signal both the encrypted number and the plaintext number. Which, for Signal, just can't work from a privacy perspective.

    They can reduce cost by de-centralizing Signal, and allowing it to federate. That and cutting compensation for employees, especially executives.

    @alextecplayz With the involvement of Twilio, the phone number is already exposed with the current approach.
    @duxsco Yes, it's exposed to Twilio specifically, but not Signal. So even if Twilio were to be breached, they couldn't match the phone numbers to accounts - not as easily as if Signal would receive SMSes directly.
    @alextecplayz As soon as I type in my phone number in the app for onboarding and click on "submit", it's exposed in my eyes to Signal: data at rest vs. data in transit
    @alextecplayz IMHO, the only way my phone number is not exposed is the number not being part of the equation. Mullvad does the right thing and doesn't collect data if not absolutely necessary:
    https://mullvad.net/en/help/no-logging-data-policy
    No-logging of user activity policy

    We do not keep activity logs of any kind. Learn more about what this means and why we choose to operate this way.

    Mullvad VPN
    @alextecplayz IMHO, Signal just isn't an app for anonymous communication, possibly confidential communication, but definitely not anonymous communication.
    @duxsco ...Signal is used everywhere by whistleblowers and journalists, at every major news outlet worldwide, that and SecureDrop for file sharing. It is supposed to be both confidential and anonymous, where needed. Thankfully usernames do help in this regard, but we'd cycle back to "Wouldn't it be great if Signal didn't require a phone number?"

    @alextecplayz I hope nobody puts their life on the line by expecting that Signal ensures anonymity. I have the same hope for VPNs. They don't grant anonymity.

    Wouldn't it be great if Signal didn't require a phone number?

    I don't answer rhetorical questions. And, as I said, my initial post was about cost reduction.

    @alextecplayz @duxsco @signalapp yeah...i wonder why that isn't an option,,,but i guess it's cos they're tryna…idk limit spam or something?

    a direct consequence of this is that users in Nigeria can't sign up because Twilio (or whoever) refuses to send SMSes to them: https://github.com/signalapp/Signal-Android/issues/13573

    and of course, spending almost 50% of infra costs on SMSes is just…like nah cmon

    I wish they had a phone-number-if-you-want-to-be-reached-easily option but they probably don't because of the social graph

    Issues Registering with a Nigeria IP Address or Mobile Number · Issue #13573 · signalapp/Signal-Android

    [x ] I have searched open and closed issues for duplicates [x ] I am submitting a bug report for existing functionality that does not work as intended I have read https://github.com/signalapp/Signa...

    GitHub
    @fumnanya Their rationale recently was precisely to limit spam by limiting this to phone number registration. Still, it's helpful to check their history, back when Signal was SMS-based TextSecure app. (https://www.reddit.com/r/signal/comments/vipot3/why_require_phone_number_to_sign_up/)
    @fumnanya @alextecplayz @signalapp Spam could be mitigated in one way or the other via the hash I suggested.
    @fumnanya @alextecplayz @duxsco @signalapp The phone number requirement does nothing to prevent spam. It actually makes it easier for more spam accounts to be created than real users, because real users have to pay a lot for a phone number, but scammers can easily buy VoIP phone numbers in bulk using shell companies that they set up to pretend to be real businesses.
    @signalapp I always make sure I have a badge next to my profile pic in Signal, it’s an important project and I do my best to support it!
    @signalapp I will continue to donate until I can't use Signal.
    And depending on the vote on Chat Control tomorrow, we'll see how long that is

    @signalapp done!
    Thank you warmheartedly for your hard work ❤️

    #Signal

    @signalapp If only we could have decentralized network, where community of each node pays only for its own local expenses... oh wait...
    So use a decentralized network like Matrix? then realize how much slower development is because not all clients support all features. Decentralized Signal would be great, but I understand why they opt to keep it centralized. This is coming from someone who likes Matrix, sees its flaws and still can't recommend it to friends/family - aside from major security issues.
    @signalapp
    Btw., how is Signal financed? For a non-profit there is surprisingly little (actually no) easily accessible information about your finances on your website. Maybe I am wrong and things are different in the USA, but from non-profits I am used to easily find their activities and finance reports. And this seems to me quite legitimately important, since the main thing I've learned about the "free" apps from Silicon Valley is that you have to check the business model in order to assess roughly if you are going to pay with your data or not.
    @ditol @signalapp
    You can find information about nonprofit orgs on ProPublica's nonprofit explorer:
    https://projects.propublica.org/nonprofits/organizations/824506840
    Signal Technology Foundation - Nonprofit Explorer

    Since 2013, the IRS has released data culled from millions of nonprofit tax filings. Use this database to find organizations and see details like their executive compensation, revenue and expenses, as well as download tax filings going back as far as 2001.

    ProPublica

    @Orca
    Thank you. At least someone does the job for Signal.

    @signalapp

    @signalapp Thank you for your work! It's a great app and definitely worth a donation.
    @signalapp Still centralized, still has a phone number as a requirement, cannot federate. No wonder it costs $50 million 🙁
    Use Matrix if you want federation. If you want ease of use and best in class privacy, use Signal.

    @signalapp

    Please post in summer not before Christmas. There are 200 organizations that remember to share a donation post in December.

    @signalapp I would not say "deserve", but I would say we have the "right to". And I appreciate that #Signal allows people to exercise this right.

    #privacy #encryption #foss #opensource

    Please make it a decentralized service. The way it is now is like Twitter versus Bluesky. Same stuff in a new package.

    Allow developers to create a Signal compatible app, allow people to setup their own Signal instance.

    Otherwise, you will just stay Whatsapp #2. All the eggs in one basket. One app, One instance.

    @FransVeldman @signalapp For that #matrix might be the answer. I'm using matrix more and more. But I convinced many people to start using signal in the past, and I won't make them change messenger again, but for myself, I'm moving more and more towards matrix.
    Exactly the same here. I even run my own Matrix instance. But I’m also hesitant to ask my friends to change messenger again.

    @signalapp I use Signal to talk to almost every meaningful person in my life. It’s a fantastic piece of technology, run by a truly badass and altruistic organisation, and I think we are incredibly lucky to have such easy access to it.

    Thank you for all your work. I have been donating monthly for 3 years, inviting others to join, and will continue to do so.

    @signalapp oh? You mean the Mobilecoin crypto scam isn't pulling in enough on its own?

    @signalapp For *anyone*? I thought it still required having a compatible smartphone and a phone number.

    Or have things changed? I mean, if I can now register with and try Signal without these, I'll give it a try.

    @signalapp I need Signal but it is not available to me. This is because of the phone number requirement. I'm not the only person that's unable to use Signal due to the phone number requirement. I'd love to donate to Signal because I agree with the cause & I hear endless good things about it, but I also don't want to donate for something I can't use.

    Also, SMS verification is insecure, see SIM swap attack. It also does not help that SMS is plaintext, so anyone listening can see when you've made a Signal account.

    SIM swap scam - Wikipedia

    @jackemled there are at least two ways around the phone number requirement for registration.

    1. buy a prepaid Sim card which you only use for the registration and destroy afterwards.

    2. during registration select "landline" and have Signal call you for the registration code if you have access to a landline phone.

    Either way the phone number is not required anymore after initial account setup, including when transferring the account to a different device or using it on the desktop.

    @fedops How do you sign in then? What if I lose control of a phone number? Can the same phone number create an account twice?

    @jackemled the number is only used for the initial creation. Your identifier is a locally-generated ID. See: https://signal.org/blog/phone-number-privacy-usernames/

    I'm on my 4th phone number since signing up for Signal.

    As to your last question, I'm not sure but assume not.

    Keep your phone number private with Signal usernames

    Signal’s mission and sole focus is private communication. For years, Signal has kept your messages private, your profile information (like your name and profile photo) private, your contacts private, and your groups private – among much else. Now we’re taking that one step further, by making your...

    Signal Messenger
    @fedops Oh ok. Is there anything at all that a phone number might be used for after that? Unfortunately I need two Signal accounts if I'm going to have one at all.

    @jackemled the number can (but doesn't have to) be used to exchange contact information with your partners. So no, it is not necessary afterwards.

    If you need two accounts you will most likely need to use two different Sim cards or landline numbers, although you could certainly try to reuse the first for the second. Like I said, I don't know if it'll work. You will also not be able to use both identities on the same phone AFAIK.

    @fedops Android lets you install the same app twice, so I could just log in with two copies of the app.
    @jackemled how that? I'm assuming with the work/home profiles?
    @fedops Yeah
    @jackemled ok. I'm on an ungoogled phone so that doesn't work for me, but maybe for the OP.