With XMPP I can run (and audit) eveything myself. You can't do this with Signal. Some proprietary messenger that's hostile to 3rd party clients aswell as also wanting my phone number will never compete with tried and tested open source technology like XMPP. There is a reason military and government orgs use their own infrastructure.
> With XMPP I can run (and audit) eveything myself.
You're saying this in response a blog post where I basically did an over-the-weekend audit of Signal's cryptography. I don't know if you understand the irony of that.
I dislike this as well, but since the introduction of usernames, it's at least no longer required to give strangers your phone number to converse with them.
> will never compete with tried and tested open source technology like XMPP.
The converse is true: XMPP+OMEMO do not qualify as a Signal competitor. I've outlined my reasoning in the linked post.
Until the entire ecosystem uses the latest version of the protocol, encryption is always on, and there is no plaintext fallback, XMPP is a poor solution for private communications.
> There is a reason military and government orgs use their own infrastructure.
Are you insisting that XMPP is "military grade encryption"?
You can't trust the server on Signal. Anything else, especially theoretical navel-gazing about plaintext fallbacks or make-believe audits of the client half of the system is inconsequential against the simple fact: You can't trust the server on Signal.
You don't have to. Reproducible builds, audited E2E and the other technical details combine to remove the need to trust the server for anything other than availability.
Anything else is uninformed navel-gazing about the risk without understanding the subject.
But the server on signal may store who communicates with whom. The most important information of all; and they can even connect that to phone numbers, so they've basically got everbody's real names.
Neither of those have anything to do with that kind of security. The preparation process for sealed sender looks very complicated and iffy, but maybe someone has checked that the protocol is secure-- I don't see any reason for such a complicated procedure, and I see such complicated procedures as something which can only be intended to hide insecurity, but let's assume it is.
You still have connect to them and deliver this to the signal servers. They'll have your IP and will know approximately where you are physically.
There is no way to make this kind of thing secure without some kind of remailer system and without many peer-to-peer connections.
Almost all proper anonymous remailers have been shut down. What remains, Tor for example, are insecure parodies of an anonymous remailer, and this is justified to the users as being for the sake of speed, but makes the system useless for anonymity. Even Mixminion is insecure if you can observe the full network, since you can count the packets received by the clients and there aren't dummy packets.
> The preparation process for sealed sender looks very complicated and iffy, but maybe someone has checked that the protocol is secure-- I don't see any reason for such a complicated procedure, and I see such complicated procedures as something which can only be intended to hide insecurity, but let's assume it is.
I did, in fact, check it when writing TFA.
> You still have connect to them and deliver this to the signal servers. They'll have your IP and will know approximately where you are physically.
Okay, let's actually think this through.
You have millions of people using Signal. When you send a message, the message is encrypted such that only the recipient can decrypt the envelope to verify if you're even permitted to send to them. The only thing the server gets is an encrypted envelope and some 96-bit random string that tells the server where to send the envelope.
This 96-bit random string is derived from your profile key (which is also encrypted and, at minimum, rotates every time you block someone).
Let's assume Signal's server has been maximally pwned by the NSA to slurp as much data and metadata as possible in the most malicious manner logically possible. In this thought experiment, they will now log things that the server currently does not because of a government-mandated implant.
In this scenario, the NSA will learn: someone from an IP address send an encrypted envelope to an unknown recipient.
Later, they will learn that another user (and their IP address) accessed the same envelope when downloading it from the Signal server.
You might be sitting there, rubbing your hands, thinking, "Wow, we sure got them." Except that there are millions of Signal users, many whom share IP addresses over time, and you can't even be reliably sure if a given Delivery Token maps to a targeted recipient.
Furthermore, you can't reliably distinguish between 1:1 messages and group messages, due to how groups are implemented (see: zkgroup).
> There is no way to make this kind of thing secure without some kind of remailer system and without many peer-to-peer connections.
When you say "make this kind of thing secure", are you talking about hiding IP addresses and phone numbers from Signal's servers? Or are you suggesting what Signal is already doing is not possible in the first place?
Cryptography isn't magic. It is comprehensible to mortals.
Yes. So they know the IP of the sender, and of the receiver, and they know the time, and they can contact the ISP and ask them who had these IP addresses at the given time and thus determine with certainty who communicated with whom.
We used a law in the EU requiring ISPs to keep track of this. It was determined to be illegal, so many ISPs probably don't store this information anymore, but I am sure that many do, and there can be other people-- maybe someone from another country that comes to your country gets jobs at ISPs to modify their software and make it do things he wants.
I don't know about this Salt Typhoon, but as I interpret it, there was an excellent secure system, and then people built some kind of front end on top of it so they could enter their orders into it, and then somebody compromised that front end and basically started getting all the data that the government could order to be gathered. I'm thinking that's going to include who has what IP.
I agree though, the complexity is maybe okay. It doesn't sound like a super terrible protocol or that involved. I suppose the description I saw of it felt more convoluted. At the same, I felt that the complexity of the presentation was hiding something, which I think might well be true-- it might even have been this simple fact that the central server still has every opportunity to determine who sends things to whom.
Anyway, people can get IP addresses of phones, public Wifi still tells them where you were and it only takes on mistake of you connecting through your own phone for them to know certain.
This taken together means there's no security with regard to contacts if the server or the network is compromised.
There are excellent solutions to this: dummy messages and remailing. Without those no system can ensure that contact information is kept secret.
But Signal offers optional features so that it does not know the former; nor the latter (usernames, etc.) Re: former - as discussed there's sealed sender (iirc been quite some time since they released it), but also depending on how you mean it - situation may be less scary for you even if not using sealed sender.
> so they've basically got everbody's real names.
Based on the above as well as on the fact that having phone number does not by itself == real name PII / identity - claiming "so they've basically got everbody's real names" is not just overly dramatic but also patently false and disingenuous. :( I'm sure you did not mean to dissuade people, but c'mon. Generalising in such a way and then adding hyperbole does not help, imho.
Yeah, of course you have to ask the phone company, but if you need to use Signal as opposed, then you are already assuming an adversary that does more than just snoop on the public Wifi he offers.
Such an adversary can ask the phone company whose phone number a certain phone number is, and they will tell him.
> but if you need to use Signal as opposed, then you are already assuming an adversary that does more than just snoop on the public Wifi he offers.
No, not necessarily. In fact I'd claim that we should all use Signal so that usage of Signal would not imply any kind of user profile (would not rconstitute any kind of meaningful signal where one could infer what kind of user they are).
I do believe that there's a spectrum of users with a corresponding spectrum of appropriate threat models.
If my own threat model (that I felt I had to adopt) was particularly gnarly, I would (1) use Signal sandboxed / in a VM, tunnelling all traffic through Tor (e.g. Tor listens on socket exposed to VM so that there's no easy way to work around tunnel), and/or (2) if particularly gnarly - would set up pre-shared one time pads with counterparties where possible, and use them to authenticate further, perhaps encrypt further (maybe just encrypting a session key, to save most of OTP) - essentially definitely not deem Signal enough by itself.
Signal correctly focuses on privacy, not on anonymity. The wider your set of claims as to what kinds of properties (from the set of: privacy, anonymity, censorship-circumvention, etc.) you provide, the higher the probability you're going to screw up with one of these, I'd say. Better to combine several tools where possible if your needs require it.
> Are you insisting that XMPP is "military grade encryption"?
I don't think that's the fair implication there, and I'd also hope you'd pull out "military grade" as a red herring, as meaningless marketing speak and ignore it instead of trying to trap someone using it. (unless it was a primary point they made, critical to their position, clearly not the case here)
Sure, if self hosting is the most important criteria for you, you can't really beat XMPP. Same goes for a richer ecosystem of 3rd party clients.
But those two are completely unrelated to security. I mean a self hosted solution can be secure, but it's weird to say that Signal can't compete with XMPP on security because it's not self hostable.
> but it's weird to say that Signal can't compete with XMPP on security because it's not self hostable.
No it's not. If I could conditionally control if your messages are delivered, and when. Even if I can't see the contents, that's a huge security vulnerability!
You can't control when "someones" messages are delivered, only when "all" messages are delivered. I.E Signal servers control general availability, not selective availability.
Moving to a self-hosted service most likely introduces more risk at this point assuming you can keep the service and all related infrastructure up to date and monitored 24/7/365
> You can't control when "someones" messages are delivered, only when "all" messages are delivered. I.E Signal servers control general availability, not selective availability.
this is the first I've heard this, got a source to prove this is actually true?
> Moving to a self-hosted service most likely introduces more risk at this point assuming you can keep the service and all related infrastructure up to date and monitored 24/7/365
That's not how threat models work, it's not 'more' risk. It's additional work. The risk is the same, signal has to do it, or 'you' have to do it. The risk and level of effort is the same. The only thing that changes is the direct responsibile party. Depending on configuration, it might reduce the risk if you can lower the number of parties you have to trust. I.e. I can verify my servers are up to date, but I have to just trust me bro, that signal's servers are always up to date.
> Without authenticating, hand the encrypted envelope to the service along with the recipient’s delivery token.
I'm probably going to need to read the white paper to actually understand this, because currently I'm confused as to how this doesn't result in knowing the destination. Surely I can reverse the delivery token if I'm in control of the servers?
Signal's server doesn't know who sent the message, since that information was Sealed.
Signal's server does know where to deliver the message to, based on a 96-bit random value generated client-side by the recipient (the delivery token). But it cannot know which user has which delivery token. To understand that, you need to look at the zero-knowledge credentials section of the code.
They could randomly drop messages sent to a specific targeted user's delivery token and block messages sent to that targeted user, but they have no way of knowing which user they're targeting. (Also, the client could just enroll a new one if this ever happened and Signal was somehow court-ordered to block delivery to a specific delivery token.)
>That's not how threat models work, it's not 'more' risk. It's additional work.
The "most likely" part does a lot of carrying here, and you made my point. The additional work self-hosting is not trivial in this space. Assuming you can either personally dedicate a LOT of time, or personally pay staff people to keep up vs a dedicated team working on this means that the threat model is inverted now.
I self-host a number of services, I'm very pro self hosting. I'm _VERY_ aware there is always a trade off between "I want this to work", "I don't have time to fix this regularly because I have a Job and Family and hopefully other hobbies besides self-hosting a service" and "I need to constantly update and apply changes that sometimes do not gracefully fall into automation or introduce breaking changes".
Now consider that communication is one service and add on self-hosting other services, and the additional updates and knowledge to support it.
Outside of the small group of people that dedicate themselves to hosting and managing their services, which excludes most USERS (its in the name) the threat model is indeed inverted.
