To help protect Signal users from phishing and social engineering attacks, we’ve introduced additional confirmations and educational messaging in the app to help people better detect fraudulent profiles, especially message requests from scammers posing as Signal.

More changes are on the way.

@signalapp I think honestly the official Signal chat was the slippery slope here.
If it weren't for this chat, you could simply say that there will never be a Signal chat with Signal and every chat with Signal on the app is phishing.
@signalapp there were so many opportunities to implement the functionality of the official Signal chat into the app and not make it look like a chat.
For example there could have been a "new features page" with a banner at the top of the screen that opens it when there is a new feature and can be manually opened via the menu.
And it doesn't even make sense to implement it in a chat if you think about it, because there is no way to respond to the messages.

@farshidhakimy @signalapp

This is excellent design and security advice - I hope Signal adapts the app.

@farshidhakimy @signalapp Can confirm that. My grandma is on #Signal, #WhatsApp and #Telegram and she was confused on all of them when the app itself sent updates as texts and needed our help. 😭
@signalapp I hope you call it the Klöckner-Update.
@signalapp
"Update made because of the politicians - thank you for your work"

@signalapp

Nobody is XMPP, so we can't very well expect anyone to impersonate them. Yet another advantage of the XMPP protocol.

Everyone is glowing until proven innocent!

@Walruths @signalapp someone could still call themselves XMPP-Support or Server-Support or whatever. Of course we know that there is no such thing, but we wouldn't fall for Signal phishing attacks either.

@marco @signalapp

"Health Xmppector"

come right in!

@Walruths @signalapp Don't underestimate the normal user :D
@signalapp Avoid getting spam messages entirely by setting "Who can find me by phone number" to "Nobody". It's under settings > privacy > phone number.

@signalapp I hope you support some kind of optional verification in Keyoxide style.

E.g. "this Signal account verified they control this Mastodon account and this website", but with better wording so people don't just set up lookalike accounts and websites, but it still works to deter impersonation.

The main reason I use Keyoxide is because I got impersonated in Wordpress.org blogs (which do not provide any kind of authentication). AFAIK the only way to prevent that in that platform is using PGP signed messages, which are cumbersome, or using plugins that require login, which are annoying.

@qgustavor @signalapp
you don't need keyoxide-style verification on Signal. that kind of verification is for public identities, meanwhile on Signal what you need is verification of channels — which you can do with safety numbers.

@Yuvalne @signalapp So you wouldn't want verification of public identities in Signal? Isn't that exactly the problem of people impersonating Signal? The two verifications don't exclude each other. Make it optional, not everyone has a public identity that needs to be verified, but for those who have, it's important.

Also, safety numbers? No one checks them. Maybe you and tech people, but never in my life did someone check others' numbers but me. Even with those numbers people apply scams every single day working around that: "hey, I got a new number! i broke my old phone!" "ok!" then some days later "I'm broke! can you send me some money?". It happens every single day! Even with security numbers!

Would an optional identity verification fix that? No. Would it improve in some cases? Yes.

@qgustavor @signalapp I think you've just demonstrated exactly why website-based verification is maybe not a good idea. Something website-based requires you to first know the website.
If the two of us are talking, then my safety number changes and the new person who may be me says "hey no worries, it's still me, see my profile even says verified" and that verification points to talya.net, how do you know it's me who owns that domain? And how do you know it wasn't talya.xyz before?
@qgustavor @signalapp Because if you don't trust people to check others' safety numbers, can you trust them to know they're looking at the correct website verification? Or will they just see "verified" and trust it?
Heck, Signal specifically doesn't do verification for you. Even if you scan the safety number QR, you still need to manually toggle verification. Do we really think making this controlled by the other party makes things *more* safe?
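The key-change scenario argued over above, written out as an added example (not code from Signal, libsignal or anyone in this thread). The fingerprint routine is a simplified reconstruction of the libsignal scheme (version bytes, identity key and stable identifier hashed through 5200 rounds of SHA-512, then 30 bytes mapped to 30 decimal digits per side, halves sorted and concatenated) and is not guaranteed to match a real client digit for digit; the class and function names, the 32-byte placeholder keys and the phone-number-style identifiers are all constructed for the illustration. What it shows is the property the discussion hinges on: the safety number is a function of both identity keys, so a re-registered peer produces a different number, and the "verified" flag is something only the local user can set and is cleared on a key change no matter what the peer says in the message.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict

# Simplified reconstruction of a libsignal-style fingerprint (assumption:
# version || identity key || stable id, 5200 SHA-512 rounds chaining the key
# back in, 30 bytes -> 30 digits). Illustrative only; not bit-exact Signal code.
FINGERPRINT_VERSION = b"\x00\x00"
ITERATIONS = 5200


def half_fingerprint(identity_key: bytes, stable_id: bytes) -> str:
    """Thirty decimal digits derived from one party's identity key."""
    h = hashlib.sha512(FINGERPRINT_VERSION + identity_key + stable_id).digest()
    for _ in range(ITERATIONS - 1):
        h = hashlib.sha512(h + identity_key).digest()
    digits = []
    for i in range(0, 30, 5):               # six 5-byte chunks -> six 5-digit groups
        chunk = int.from_bytes(h[i:i + 5], "big")
        digits.append(f"{chunk % 100000:05d}")
    return "".join(digits)


def safety_number(my_key: bytes, my_id: bytes, their_key: bytes, their_id: bytes) -> str:
    """Sixty digits; halves are sorted so both parties compute the same string."""
    halves = sorted([half_fingerprint(my_key, my_id), half_fingerprint(their_key, their_id)])
    return "".join(halves)


@dataclass
class Contact:
    stable_id: bytes
    identity_key: bytes
    verified: bool = False   # set only by the local user, never by the peer


class ContactStore:
    """Tracks peers' identity keys and the local user's own verification decisions."""

    def __init__(self, my_id: bytes, my_key: bytes):
        self.my_id = my_id
        self.my_key = my_key
        self.contacts: Dict[bytes, Contact] = {}

    def record_identity(self, stable_id: bytes, identity_key: bytes) -> str:
        """Store a peer's key; returns 'new', 'unchanged' or 'changed'.

        A changed key means a changed safety number. Whatever the peer claims
        ("it's still me"), the earlier verification no longer applies.
        """
        c = self.contacts.get(stable_id)
        if c is None:
            self.contacts[stable_id] = Contact(stable_id, identity_key)
            return "new"
        if c.identity_key == identity_key:
            return "unchanged"
        c.identity_key = identity_key
        c.verified = False
        return "changed"

    def safety_number_for(self, stable_id: bytes) -> str:
        c = self.contacts[stable_id]
        return safety_number(self.my_key, self.my_id, c.identity_key, c.stable_id)

    def mark_verified(self, stable_id: bytes, digits_from_trusted_channel: str) -> bool:
        """The local user compares digits obtained out of band (in person, QR scan)
        with the computed number; nothing inside a message can flip this flag."""
        if digits_from_trusted_channel != self.safety_number_for(stable_id):
            return False
        self.contacts[stable_id].verified = True
        return True


def demo() -> dict:
    """Verify a peer, then let the peer re-register with a fresh identity key."""
    alice_id, alice_key = b"+15550001", b"A" * 32       # constructed values
    bob_id, bob_old, bob_new = b"+15550002", b"B" * 32, b"C" * 32
    alice = ContactStore(alice_id, alice_key)
    alice.record_identity(bob_id, bob_old)
    old_number = alice.safety_number_for(bob_id)
    verified_ok = alice.mark_verified(bob_id, old_number)
    # Bob's side must compute the identical string for the comparison to work.
    bob = ContactStore(bob_id, bob_old)
    bob.record_identity(alice_id, alice_key)
    symmetric = bob.safety_number_for(alice_id) == old_number
    # "Hey, new phone!" - a new key shows up for the same identifier.
    status = alice.record_identity(bob_id, bob_new)
    new_number = alice.safety_number_for(bob_id)
    return {
        "verified_ok": verified_ok,
        "symmetric": symmetric,
        "status": status,
        "still_verified": alice.contacts[bob_id].verified,
        "numbers_differ": old_number != new_number,
        "old_number": old_number,
    }


if __name__ == "__main__":
    print(demo())
```

The point of `mark_verified` taking the digits as a parameter is that the comparison input comes from a channel the peer does not control; a "verified" badge supplied by the peer's own profile, as proposed above, would be the equivalent of letting the peer call `mark_verified` on your behalf.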
@signalapp next step - enable `Settings → Account → Registration Lock` by default. Without it you don't own your signal account and all of this "safety" and "privacy" talk is pointless.
@signalapp So now the app is also disability-accessible for the political elite in Germany, thanks Signal ❤️

@signalapp
Please add the option to change someone’s profile picture even when they’re not in your contacts or are hiding their phone number. So like the nickname feature but for the profile picture.

Alternatively the option to link a signal contact to a contact in your phone contacts. Without needing to use phone numbers that is.

@signalapp The new "Name not verified" is a bit strange in a group chat for personal notes that I only use for myself and have been for months. Could you remove it from those?
@signalapp Scammers on Signal?? No! Not possible! Signal requires a phone number to sign up, which is absolutely impossible for scammers to get!!!
@signalapp So, you go into "some of our users are really that incredibly stupid" mode mainly because some German politicians are really that incredibly stupid.
I am so embarrassed by this and deeply sorry for the loss of the trust you guys gained in media and press, based on the "hurr di durr" behaviour of those ... humans.
@signalapp Making Signal safe for wine queens (Weinköniginnen). 👍
@signalapp can I turn it off?
@ryanc @signalapp … doubtful
@domi @signalapp I know. But I can still whine. I've been using Signal since it was TextSecure...
@ryanc @signalapp Maybe use @mollyim as client instead?
@signalapp What does that feature do? Sorry, I am a bit confused.

@blackwolf It's a way to prevent, or at least limit, the possibility of people getting scammed through phishing attacks. A warning of sorts, and a good reminder, I think

@daisy @signalapp Hmm, I see. Still a bit confused about when that will show.
Luckily I am quite resistant to phishing, as I had my fair share of anti-phishing / takedown work that I did for a few years.
@signalapp please make sure that German translation is included.
@signalapp Go to settings & then click on "nobody can see my no." & "nobody can find me by no."
Go to settings & then click on "no msg from unknown number" (block unknown).
Be safe 😎
@signalapp lol what the fuck is this dumbass shit
@chava @signalapp Ask Julia Klöckner (President of the Federal Parliament) and the other MPs who were phished by Russian "Signal Support" teams
@signalapp next you need to address your most embarrassing own goal: the PIN reminder.