To help protect Signal users from phishing and social engineering attacks, we’ve introduced additional confirmations and educational messaging in the app to help people better detect fraudulent profiles, especially message requests from scammers posing as Signal.

More changes are on the way.

@signalapp I hope you support some kind of optional verification in Keyoxide style.

E.g. "this Signal account verified they control this Mastodon account and this website", but with better wording so people don't just set up lookalike accounts and websites, but it still works to deter impersonation.

The main reason I use Keyoxide is because I got impersonated in Wordpress.org blogs (which do not provide any kind of authentication). AFAIK the only way to prevent that in that platform is using PGP signed messages, which are cumbersome, or using plugins that require login, which are annoying.

@qgustavor @signalapp
you don't need keyoxide-style verification on Signal. that kind of verification is for public identities, meanwhile on Signal what you need is verification of channels — which you can do with safety numbers.

@Yuvalne @signalapp So you wouldn't want verification of public identities in Signal? Isn't that exactly the problem of people impersonating Signal? The two verifications don't exclude each other. Make it optional, not everyone has a public identity that needs to be verified, but for those who have, it's important.

Also, safety numbers? No one checks them. Maybe you and tech people, but never in my life did someone check others' numbers but me. Even with those numbers people apply scams every single day working around that: "hey, I got a new number! I broke my old phone!" "ok!" then some days later "I'm broke! can you send me some money?". It happens every single day! Even with security numbers!

Would an optional identity verification fix that? No. Would it improve in some cases? Yes.

@qgustavor @signalapp i think you've just demonstrated exactly why website-based verification is maybe not a good idea. something website-based requires you to first know the website.
if the two of us are talking, then my safety number changes and the new person who may be me says "hey no worries, it's still me, see my profile even says verified" and that verification points to talya.net, how do you know it's me who owns that domain? and how do you know it wasn't talya.xyz before?

@qgustavor @signalapp because if you don't trust people to check others' safety numbers, can you trust them to know they're looking at the correct website verification? or will they just see "verified" and trust it?
heck, Signal specifically doesn't do verification for you. even if you scan the safety number QR, you still need to manually toggle verification. do we really think making this controlled by the other party makes things *more* safe?