I genuinely do not understand people who have deep fried opinions about Signal needing a goddamn phone number in 2025.

Many privacy nerds were outraged when you needed to give out a phone number to other people in order to talk with them. I was one of those nerds. They fixed that with the usernames rollout.

As a mobile phone app, Signal uses your phone number to bootstrap your enrollment into the protocol. This is literally the path of least resistance as an SMS replacement app, for most users.

If you want to know whether Signal can obtain enough metadata to target users that have enrolled, the answer is complicated.

The way profiles are encrypted, and how sealed sender works, makes any targeting seem infeasible. (Your profile key rotates, at minimum, when you block someone.)

Signal currently does not have IP addresses, etc. stored. If this changes in the future, it will not be retroactive. If you're worried about that, Molly boasts Tor support. Maybe that's fine. I haven't audited Molly, and won't.

The people who tut-tut over the phone number requirement never articulate anything resembling a coherent threat model.

They also are quick to recommend alternatives with inferior cryptography.

Some days I just want to grab them by the shoulders and scream "SHUT THE FUCK UP YOU ARE HURTING PEOPLE" directly into their ears.

"But if my threat model is Mossad, Signal could be forced to-"

No. Stop it. Your threat model isn't fucking Mossad--who could probably pwn half of the entire XMPP ecosystem with a single libxml2 zero-day. (Also maybe Matrix?)

"But my self-hosting"

Irrelevant.

"But jurisdiction"

You think Swiss privacy law will stop the CIA from doing another Crypto AG?

They probably have 10-20 of those floating around already. Private "no log" VPNs are an attractive target for that.

Want to know more about Signal's cryptography?

https://soatok.blog/2025/02/18/reviewing-the-cryptography-used-by-signal/

None of the alternatives people recommend even come close to the standard they set.


Some people seem to misunderstand this thread as an invitation to evangelize XMPP or Matrix in my mentions.

That isn't an invitation at all.

I will instead invite you to fuck off into the sun.

Just a heads-up: I'm muting this thread because my notifications are untenable.

EDIT: When I wrote this, 10 hours ago, it was the endless "fave/boost" notification sound that was problematic, not replies.

I've unmuted this thread because I'm done working for the day.

Wow, some chucklefucks are quick to declare victory without a battle even taking place.

@soatok the one legit issue I’ve seen is needing a phone to sign up (even if you intend to use desktop) locks out people without smartphones.
@TindrasGrove I never said Signal was perfect. These issues are annoying and need to be fixed.

@soatok oh, no doubt!

Just agreeing that your reply guys are not great at finding actual issues.

@TindrasGrove @soatok yeah for me it's not so much about "but phone number can be tied to me" as "i don't want to OWN a phone number". I'm so close to smartphone+data only sim as a daily driver. Phone numbers literally exist so that people i haven't allowlisted can contact me, and that's the single feature i DON'T want from a phone, in 2025. Signal, whatsapp (god i wish i could get off that without losing my whole fam) and stupid 2fa that won't let me use email are the only blockers left :/
@soatok
If you don't want a fight, don't pick one, asshole
@soatok I hear the sun is a great place to store encrypted data
@arch Very high entropy (thermal).
@soatok unable to bring myself to exploit the population to bring in the billions needed to build a rocket to fuck off into the sun, please advise 
@OctaviaConAmore Heh. The alternative is "don't evangelize here".
@soatok that...seems much easier and more reasonable than building a fully functioning spacecraft  

@soatok

I do want to know more about how signal solves (or doesn't) a specific problem, and i'm not sure your blog answers that. (At least i don't remember that it does)

Specifically, what happens between 'private contact discovery' and sealed sender taking effect? Afaik, the envelope protects only after keys have been exchanged, but requesting keys would expose the social graph to a compromised signal-server instance. Do you know more or is this just not protected, only 'live' metadata?

@newhinton So, I'm going to set aside IP addresses, because they're not currently being logged.

> [Specifically,] what happens between 'private contact discovery' and sealed sender taking effect?

See https://soatok.blog/signal-crypto-review-2025-part-8/#addendum-2025-02-19 for what I wrote in February, but to summarize here:

  • The server sees a 96-bit delivery token, which it can map to a recipient.
  • The server doesn't see any metadata about the sender, only the recipient.
  • The recipient can force-rotate their delivery token every time they block a user.

I didn't look at private contact discovery at all. I generally don't like relying on secure enclaves for security properties.

That said, assuming that component is secure, what you end up learning is the Encrypted Profile data (which includes the delivery token). The potential for abuse here is very small.
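To make the three bullets above concrete, here is a toy model of that metadata boundary. This is an added illustration, not Signal's code: the pairwise key exchange and the encrypted-profile lookup are collapsed into an out-of-band `share_with` call, the "delivery token" is 12 random bytes (96 bits, as above), and the sealing cipher is a stand-in (HMAC-SHA256 keystream with an HMAC tag) for the real AEAD. What it shows is exactly what a fully compromised relay gets to log per delivery (token and recipient, nothing about the sender), and that rotating the token on block invalidates the copy the blocked peer still holds.

```python
"""Toy model of a sealed-sender relay. Added example; not Signal's code.
Assumptions (not from the thread): pairwise keys are shared out of band,
the cipher is an HMAC-based stand-in for a real AEAD."""
import hashlib
import hmac
import secrets

TOKEN_BYTES = 12  # 96-bit delivery token, per the summary above


def _keystream(key, nonce, length):
    # PRF in counter mode; a stand-in for a real stream cipher/AEAD.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def open_sealed(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Server:
    """The relay. Its whole state is the token -> recipient map plus mailboxes;
    `log` is what an attacker who owns the server learns per delivery."""

    def __init__(self):
        self.tokens = {}
        self.mailboxes = {}
        self.log = []

    def register_token(self, recipient, token):
        # Rotation: drop any earlier token for this recipient.
        self.tokens = {t: r for t, r in self.tokens.items() if r != recipient}
        self.tokens[token] = recipient
        self.mailboxes.setdefault(recipient, [])

    def deliver(self, token, sealed_blob):
        recipient = self.tokens.get(token)
        if recipient is None:
            return False  # stale or unknown token: nothing to route to
        self.log.append({"token": token.hex(), "recipient": recipient,
                         "blob_len": len(sealed_blob)})
        self.mailboxes[recipient].append(sealed_blob)
        return True


class User:
    def __init__(self, name, server):
        self.name, self.server = name, server
        self.pairwise_keys = {}  # peer name -> shared key (out of band in this model)
        self.rotate_token()

    def rotate_token(self):
        self.token = secrets.token_bytes(TOKEN_BYTES)
        self.server.register_token(self.name, self.token)

    def share_with(self, peer):
        """Stand-in for key agreement + reading the encrypted profile:
        the peer learns our current delivery token and a shared key."""
        key = secrets.token_bytes(32)
        self.pairwise_keys[peer.name] = key
        peer.pairwise_keys[self.name] = key
        return self.token

    def send(self, peer_name, peer_token, text):
        # Sender identity travels INSIDE the sealed blob, never in the clear.
        inner = self.name.encode() + b"\x00" + text.encode()
        return self.server.deliver(peer_token, seal(self.pairwise_keys[peer_name], inner))

    def receive(self):
        out = []
        for blob in self.server.mailboxes[self.name]:
            for key in self.pairwise_keys.values():
                try:
                    sender, text = open_sealed(key, blob).split(b"\x00", 1)
                except ValueError:
                    continue  # not from this peer; try the next key
                out.append((sender.decode(), text.decode()))
                break
        self.server.mailboxes[self.name].clear()
        return out

    def block(self, peer_name):
        self.pairwise_keys.pop(peer_name, None)
        self.rotate_token()  # the blocked peer's copy of the token is now dead


def demo():
    server = Server()
    alice, bob = User("alice", server), User("bob", server)
    bob_token = bob.share_with(alice)
    alice.send("bob", bob_token, "hi")
    server_view = server.log[-1]        # what the compromised relay saw
    got = bob.receive()                 # what bob decrypts
    bob.block("alice")                  # forces token rotation
    after_block = alice.send("bob", bob_token, "hi again")  # stale token
    return server_view, got, after_block
```

Run `demo()`: the relay's log entry for the first message names `bob` and a token, with no field for the sender; Bob decrypts `("alice", "hi")`; and after Bob blocks Alice the token she holds no longer routes anywhere, so the second `send` returns `False`. The model deliberately omits the initial key fetch that the question asks about, which is the one step where the server does see which account is being looked up.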


@soatok
Ahh, so *technically* there is no protection from (partial) social graph discovery, assuming *full* compromise of the entirety of signal's infrastructure. But only for newly initiated conversations, and ONLY for the initial exchange of keys between peers.

And assuming you know which user is behind a given IP address.

(You didn't specifically mention it, but I guess requesting a peer's initial key is anonymous (besides the IP).)

1/2

@newhinton My understanding is that Signal users communicate with the Signal server to deliver messages to each other, not peer-to-peer.

@soatok ah yeah, i meant peer A requesting the initial key of peer B.

It would be known to the server that peer A's IP requested peer B's initial key (not its IP), which is technically a relationship between IP A and peer B. But see my followup comment for my assessment.

@soatok
So there are two attacks one could try:

1. Take over the entirety of signal to get a tenuous relationship between two peers on the level of: "they *might* have communicated"
2. Exhaust publicly available initial keys, which amounts to a DoS attack and does not pose a security issue at all.

And if you are worried about 1., you're probably better off not using networks at all.

Okay, thanks for your answers, that roughly confirms my understanding of how chat initiation works.

Thanks! 2/2

@soatok that was a fun read. Thanks for taking the time to inspect and write it up.

@soatok Urgh, Telegram’s the worst. Unfortunately I have to use it for one specific purpose, because reasons.

Is there any comparison of Signal with Threema?

I have been using Threema for longer than Signal exists, and I like it. The UI is really good, in particular the visualisation of the trust relationship with the other (unknown / known contact / checked public key => 🔴 / 🟡 🟡 / 🟢 🟢 🟢). I keep hearing Threema’s cryptography is rather good, but a comparison could be interesting.

@soatok it's conspiracy-theory thinking at its core. the goal isn't to improve security, it's to feel smarter than everyone else while feeding one's paranoia

@matildalove @soatok Part of the challenge is that very few people actually get placed into the situations where they can genuinely appreciate security-oriented design features. In other words, there are a lot of posers that want to roleplay as security experts.

Another is that it's really easy to think your shit is secure, when in fact you haven't put enough thought and effort and testing and monitoring to really support that belief.

Also the gatekeeping culture surrounding cryptography is absolutely insane. It is *by far* my least favorite community to try to interact with, by a long shot.

I mean, when a certain prominent Haskeller tried to reinvent a message authentication code, I took the time to actually develop an attack to break it. He didn't understand what I had done as an attack, at first, but he came around and migrated to HMAC. In the end, that story was a success.

On the other hand, if you do actually do something that is genuinely interesting or useful, everybody will tell you to stop doing cryptography, without actually clearly articulating an issue with your idea.

@leon_p_smith @matildalove

> Another is that it's really easy to think your shit is secure, when in fact you haven't put enough thought and effort and testing and monitoring to really support that belief.

I run into this a lot.

Me, onboarding a client as I audit their code: "So what are your areas of highest concern?"

Them: "None at all. My thing is perfectly secure!"

Sigh.

> Also the gatekeeping culture surrounding cryptography is absolutely insane. It is by far my least favorite community to try to interact with, by a long shot.

I won't defend it (and none of the cryptography people I hang with perpetuate it), but there's a good reason it exists: A lot of overconfident amateurs have soured the well over the past 60 or so years.

@matildalove @soatok And keeping the current state...
@heiglandreas @soatok oh of course. that way you don't have to do any more work or worry about anything! hooray for the status quo!
@matildalove @soatok Does this extend to other areas too? As someone in security I sometimes feel weird for dismissing tool generated reports and advocating for compatibility in matters where PII is not of concern

@soatok My threat model is:

  • Overzealous border guards
  • Physical penetration of my home
  • Devices being stolen
  • Corporations sucking up my data

At no point does the thought of nation states cross my mind, because if they're looking in my direction I can assume I'm already pwned and should go live in the woods.

@soatok
A centralized service can go down, federated one cannot. So I still prefer self-hostable solutions over Signal, as they also have reliable cryptography.
@soatok
Btw, in case of restricting access to all foreign IPs in Russia (unlikely, but anyway), a federated network would be fragmented, but it would not be inaccessible at all.
@soatok
Sorry if you already answered such counter-arguments about centralization of Signal million times, I'm okay with reading a blog post if you have one, just send a link

@darkcat09

> A centralized service can go down, federated one cannot.

Tell that to the pawb.social outages.

> So I still prefer self-hostable solutions over Signal, as they also have reliable cryptography.

No, they fucking don't.


@soatok

I mean, in a federated network you can just switch to a backup account on another server.
Or choose an instance in a specific country in case of strict censorship.

> they don't

Yep, I read these posts. Matrix already switched to vodozemac which had security audits (not taking into account that most clients are unusable…)

@darkcat09 @soatok btw friendly reminder that emoji reactions in XMPP/Matrix are for some reason unencrypted. Lol

Imagine getting jailed in Russia for extremist rainbow or trans flag reaction to some message 

@yura
That's why you prefer DeltaChat? :)

@soatok

Btw, @soatok, Delta uses a Rust implementation of safe subset of OpenPGP

@yura

@darkcat09 @yura To that I offer the Delta devs a heartfelt "good luck".
Hmm. Looks like I'm blocked by @soatok or his server  

@darkcat09
Yeah, I'm definitely not shown at all at furry.engineer  

@soatok @darkcat09
@yura @soatok @darkcat09 looks like whole udongein.xyz are blocked. I am not surprised, tbh.

@darkcat09 @soatok I suspect this doesn't work the way you think it does. Several high profile instances like snowdin.town have gone offline before, and without importing your full post history to another server (which is an imperfect solution in and of itself and some instances might disable as doing that can crash the instance), it's incredibly hard to get all that historical data and reference it in conversation, not to mention the sheer inconvenience and service disruption is not enjoyable to any end user forced to deal with it.

@darkcat09 @soatok when we start talking about security and encryption in a federated manner, I'd wager a guess that if the host instance goes down, getting your historical data as a user on another instance gets much harder, if not realistically and practically unfeasible. However, I'm not a security researcher and I'm not a developer, so there might be ways to deal with them that I'm simply not aware of.

@senhara
I'm talking not only about ActivityPub fediverse, there are networks that don't tie an account to a specific server, but instead use a Decentralized ID (e.g. ATProto) / Nomadic Identity (Nostr). We hope to get it in AP too

@soatok

@darkcat09 @soatok I still don't think this would work with any encrypted messaging app, or even in something like AP. If a server suddenly goes dark, how are you supposed to get information local to that server or shared with only one other server or client? It still has the same issue, as far as I can tell, even if the veneer is fancier.

I can imagine an architecture where only the clients know information would work better for a Decentralized ID... But in this case, who is the authoritative server about Decentralized IDs?

@soatok

I think a lot of people fail to understand how much harder it is to secure a federated system. The Signal servers are a very high-value target for harvesting metadata but in something like XMPP you are either on a large server (which sees a lot more metadata than Signal ever sees and may be harvesting it) or you're on a small one (and so have a tiny anonymity set and just knowing that you send traffic to that server leaks a lot). And compromising one of the servers involved leaks a lot. Unless you're running your own instance and talking only to people on that instance, some metadata goes to random other servers in unknown jurisdictions with varying privacy policies. If you are running your own server for everyone you know then there's no need for an active attack: just seeing who makes TLS connections to that server gives more information than a full compromise of the Signal servers would.

The threat model I worry a little bit about is Signal or Google being forced to push out malicious updates to the client. I'd love for them to integrate reproducible builds and code transparency into their system.

The threat I worry far more about is the Signal Foundation running out of money. It costs something on the order of $1/user/year to operate Signal (WhatsApp was making a tidy profit charging that much, Signal seems to have slightly higher costs). The network needs to grow to be useful but needs to grow the number of donors in parallel to be sustainable. The main advantage of a federated or distributed system, to me, is the lack of a single point of financial failure.

@david_chisnall @soatok
> Signal or Google being forced to push out malicious updates to the client

Especially since Google has been working *hard* to enable that threat model.

It used to be that apps were end-to-end signed by the developer, and the devices would refuse updates signed by the wrong key.
Then Google offered a "convenience" feature where they held the signing key.
Which is now mandatory. Google can, at any point in time, just decide to ship an update to any app.

@henryk @david_chisnall This is great and all, but it won't just break Signal.

It'll break all the other mobile apps, too.

@henryk @david_chisnall @soatok They can also force push an update, even when you have automatic updates disabled (as I found out the last time I looked, the way app installs and updates work in Android is that the Google Play app or site tells Google you want to do it, then Google sends a message to your phone telling it to do the install or update).
@cesarb @henryk @david_chisnall This is not a Signal-specific issue, but a smartphone-general issue.

@cesarb Yes, since the very first Android, the "vending" app works via Google pushing the install command. *But* previously code on the device would independently (in a way that you could at least theoretically audit when using a custom ROM) verify that the signature comes from the same key as the existing package, where the security of the key lies with the developer.

This check is still there, but the key is now exclusively handled by Google, forcefully inserting Google into the trust chain.

@soatok @david_chisnall I don't think people are failing to grasp how that is hard.

I think the thing that often gets missed here is the context in which it is being discussed, which is an alternative to SMS and not a generalized messaging system. In which it is a really good and secure one.

But aye, lots of the security complaints about Signal are bollocks.

@soatok would self-hosting and not requiring phone numbers be nice? Yes. Are those features worth it to sacrifice any security over? No

If there existed something that had those features with the security of signal that would be better, but no such thing exists. And given the state of the world I'll take the security

@deetwenty @soatok

I completely agree. I recommend Signal because the alternatives are worse. That doesn’t mean I’m happy with Signal. There’s a lot I’d like them to improve. But improving Signal is a lot easier than building something new and making everyone switch or getting one of the other alternatives to the same end goal.

@soatok yes, this. So much this. It is infuriating and exhausting.