Signal provides:

- Excellent protection against third-party interception of communications (wiretapping).

- Limited protection against compromised (hacked) or lost devices.

- No protection against certain common usage mistakes (accidentally including a reporter in your large group war planning chat).

If you look at the systems that are supposed to be used for classified communications, the underlying cryptography isn’t particularly different from Signal (the AES cipher can be used to protect classified material). That’s not what failed here.

The difference is that systems like Signal are designed to *facilitate* communication with anyone. Classified systems are designed to *limit* communication to authorized recipients.

Both are sensible for their respective - very different - purposes.

@mattblaze

Infodump follows aimed at nobody in particular:

AES is the symmetric cipher; Signal uses ECC (on Curve25519 and derivatives, so X25519 and Ed25519) for the DR protocol, and ML-KEM as the KEM for the initial key exchange.

ECC is not quantum-safe: you can recover a private key from the public key and decrypt communication if you have a quantum computer. The protection from using a PQC (post-quantum) KEM for the initial key exchange is limited.

Additionally, Signal has a specific threat model, which can make using it insecure for a lot of use cases. For one, it is not anonymous. This means that it does not protect your identity, it only protects your messages. AKA it is fine for chatting with trusted parties, but dangerous for chatting with untrusted parties.
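
The post above names the two key-agreement primitives Signal combines at session setup (X25519 and ML-KEM) and states that the post-quantum KEM only covers the initial exchange. The following is an added illustration of that hybrid construction, written for this page; it is not Signal's code and not the PQXDH specification. It assumes Go 1.24 or later for the standard-library `crypto/mlkem` and `crypto/hkdf` packages, and the HKDF label `kdfInfo` and the message/prekey struct names are invented for the example. The design point it shows: both shared secrets are fed into one KDF, so the session key stays unpredictable as long as either the X25519 or the ML-KEM secret holds, which is what makes the classical part's lack of quantum resistance tolerable for that one exchange.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hypothetical HKDF label for this example; real protocols use their own info strings.
const kdfInfo = "example-hybrid-x25519-mlkem768-v1"

// ResponderPrekeys is what the responder (Bob) publishes in advance:
// a classical X25519 prekey and a post-quantum ML-KEM-768 encapsulation key.
type ResponderPrekeys struct {
	X25519Pub []byte
	KEMPub    []byte
}

// InitiatorMessage is what the initiator (Alice) attaches to her first message.
type InitiatorMessage struct {
	EphX25519Pub  []byte
	KEMCiphertext []byte
}

// deriveSessionKey concatenates both raw secrets and runs HKDF over them.
// An attacker who recovers only the X25519 secret (e.g. by a quantum attack
// on the public key) is still missing 32 bytes of ML-KEM secret from the IKM.
func deriveSessionKey(dh, kem []byte) ([]byte, error) {
	if len(dh) != 32 || len(kem) != mlkem.SharedKeySize {
		return nil, errors.New("unexpected secret length")
	}
	ikm := append(append([]byte{}, dh...), kem...)
	return hkdf.Key(sha256.New, ikm, nil, kdfInfo, 32)
}

// initiate is Alice's side: fresh X25519 ephemeral key plus a KEM
// encapsulation against Bob's published ML-KEM key.
func initiate(pre ResponderPrekeys) ([]byte, InitiatorMessage, error) {
	curve := ecdh.X25519()
	bobPub, err := curve.NewPublicKey(pre.X25519Pub)
	if err != nil {
		return nil, InitiatorMessage{}, err
	}
	eph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, InitiatorMessage{}, err
	}
	dh, err := eph.ECDH(bobPub)
	if err != nil {
		return nil, InitiatorMessage{}, err
	}
	ek, err := mlkem.NewEncapsulationKey768(pre.KEMPub)
	if err != nil {
		return nil, InitiatorMessage{}, err
	}
	kemSecret, ct := ek.Encapsulate()
	key, err := deriveSessionKey(dh, kemSecret)
	if err != nil {
		return nil, InitiatorMessage{}, err
	}
	return key, InitiatorMessage{EphX25519Pub: eph.PublicKey().Bytes(), KEMCiphertext: ct}, nil
}

// respond is Bob's side: X25519 with Alice's ephemeral key, decapsulation of
// the KEM ciphertext, then the same KDF.
func respond(xPriv *ecdh.PrivateKey, dk *mlkem.DecapsulationKey768, msg InitiatorMessage) ([]byte, error) {
	alicePub, err := ecdh.X25519().NewPublicKey(msg.EphX25519Pub)
	if err != nil {
		return nil, err
	}
	dh, err := xPriv.ECDH(alicePub)
	if err != nil {
		return nil, err
	}
	kemSecret, err := dk.Decapsulate(msg.KEMCiphertext)
	if err != nil {
		return nil, err
	}
	return deriveSessionKey(dh, kemSecret)
}

// RunHybridHandshake runs both parties in-process and returns each side's key.
func RunHybridHandshake() (aliceKey, bobKey []byte, err error) {
	xPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, nil, err
	}
	pre := ResponderPrekeys{X25519Pub: xPriv.PublicKey().Bytes(), KEMPub: dk.EncapsulationKey().Bytes()}
	aliceKey, msg, err := initiate(pre)
	if err != nil {
		return nil, nil, err
	}
	bobKey, err = respond(xPriv, dk, msg)
	return aliceKey, bobKey, err
}

func main() {
	a, b, err := RunHybridHandshake()
	if err != nil {
		panic(err)
	}
	fmt.Printf("session keys match: %v (%d bytes)\n", bytes.Equal(a, b), len(a))
}
```

Note that this only covers the one-time setup the post refers to: the ongoing Double Ratchet, which this example does not implement, keeps re-running classical X25519, which is why the post-quantum protection is limited to that initial exchange.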

@ity thank you for the cryptography lesson. I am new to all this stuff.
(Edit: Yes I googled the name after. I still think it's okay to infodump about cryptography even to someone that knows more cryptography than me.)
@ity you’re clearly the expert here. Probably too advanced for me to be able to follow.

@mattblaze I am starting to feel like I said something wrong here?

If there's any mistakes in what I said feel free to correct me, I am always eager to learn ^^

@ity

Matt Blaze is a well-known academic security expert, so he's poking fun at being lectured on systems he understands very well lol

@void_turtle If what I said came off as lecturing then apologies as that was not my intention, I was more so infodumping to any interested readers (since this is public social media)

@ity Additional context you might be missing: he was commenting specifically on this breaking news story wherein top-level US government people accidentally added a journalist to their Signal loop planning military strikes, so the quantum safety (or lack thereof) of Signal and the lack of anonymity is pretty irrelevant to this specific issue. Your post might have come off as lecture-y for this reason.

https://www.theatlantic.com/politics/archive/2025/03/trump-administration-accidentally-texted-me-its-war-plans/682151/

The Trump Administration Accidentally Texted Me Its War Plans

U.S. national-security leaders included me in a group chat about upcoming military strikes in Yemen. I didn’t think it could be real. Then the bombs started falling.

The Atlantic

@void_turtle Ah, yeah, I was missing that context completely :(

I don't keep up with US news anymore, it's too depressing

@ity @void_turtle
What an absolutely hilarious way of learning who @mattblaze is 🤣