Signal says 1,900 users’ phone numbers exposed by Twilio breach – TechCrunch - Privacy Community
At least one user had their Signal number re-registered by an attacker.

I tried finding the GitHub issue that asks for Signal to stop relying on phone numbers. I can’t find it. Do you [whoever is reading this] know where the issue is at?

GitHub Issues are only for bug reports; the Username feature is tracked here: https://community.signalusers.org/t/usernames-in-signal/9157

Now you can request “enhancements” too in the issue section. See https://github.com/LemmyNet/lemmy-ui/issues

That’s… nice, but I’m talking about how Signal handles GitHub issues.

My bad, I thought enhancement requests were widespread all around GitHub, because I didn’t check how Signal handles issues there.

@kvjxq@beehaw.org

It’s abominable that Signal still requires a phone number.

How else are they going to track you?

No, seriously. Even if the messages are encrypted, the metadata including your account info and the account info of everyone you talk to are not. In a lot of these cases, they don’t have to have the actual contents of the messages to have a pretty clear picture of what you might be talking about!

With a phone number that’s almost certainly registered to your real identity, it makes it trivial to track what you as a person are doing even without breaking the encryption! An encrypted messenger that requires anything related to your real identity to get an account is security theatre.

For example: if you suddenly start messaging back and forth with an account, and that account happens to have the same phone number as the one on the business card and website of an out of state abortion clinic worker, and your own phone number’s area code just so happens to fall in a state that banned abortions after Roe v Wade got trashed, it juuuust might imply a few things about you. They can’t definitively prove what the messages were, but if your state criminalizes any and all attempts to get an abortion anywhere, it’s probably enough to get a warrant against you.

What viable user-friendly (i.e. no account creation required) options are there? I just want my messages between friends and family to not be mined by greedy corporations.

https://element.io/get-started

Doesn’t require phone or email. It’s encrypted, and they are continuously improving their system to fix some lack of encrypted content/metadata.

Matrix is pretty good.

poVoq

The problem is not the account, but the mandatory phone number verification.

XMPP with the Android Conversations or BlabberIM client works pretty well as an alternative and uses the same high quality encryption as Signal.

The problem is not the account, but the mandatory phone number verification

Yes, it is. At least from the perspective of normal users.

The reason for WhatsApp (or Telegram or iMessage) becoming as big as it is was the convenience (later the network effect, of course, too) of just entering your phone number and then it just works™. No server selection, no password to remember, totally hassle free—that is the argument I get to hear very often.

And honestly, I have no idea how we could provide a similar convenience that is foolproof and secure and private.

poVoq

I was referring to the “no account creation required” and given how other online services seem to be doing fine with accounts I don’t think it is as big of a hurdle as you make it seem.

Of course automatic discovery of accounts based on phone numbers is a different topic, but there are also plenty of people who hate that feature (Telegram has a special feature to not allow that even).

@SNFi@beehaw.org

Tell people to just use element.io; you don’t need to select any server, it uses matrix.org by default.

That is your only problem? (password requirement can’t be a problem…)

When a friend wants to talk to me, I just reply to their SMS (simple phone text message) to get element.io and add me with my username, and done, they are in already.

Session is a pretty good one in my opinion. Also Matrix has some privacy related concerns with the amount of metadata being shared on every home server.

noodlejetski

Luckily, from the warrants they’ve received in the past we know that they don’t store metadata, and the only information about the requested numbers that they’ve been able to provide to the court were the date of registering an account and the last time they were online, both in Unix epoch format: https://signal.org/bigbrother/

You have to keep the bigger context in mind here. Even if Signal only tracks your phone number, it can be easily correlated with other data that’s associated with you that’s aggregated from your online footprint.

poVoq

This only tells us what they do by default and without gag-order. They could still be forced to log specific users and are barred from telling us by legal request.

Furthermore, it is known from Telegram disclosures that the FBI has been approaching staff from messenger companies with the offer of quite a lot of money to act as moles inside these companies.

As long as Signal is a centralized service with servers in the US, neither problem can be solved and that makes Signal inherently unsafe to use.

What you wrote is simply wrong.

Signal encrypts metadata to the best of their capacity. On the contrary, Matrix, XMPP, Telegram, WhatsApp don’t (unless something changed since last year).

For example, on my Matrix server I could read the IP, username and time of each message.

https://signal.org/blog/sealed-sender/

Dessalines

This is what they tell you. Since Signal isn’t self-hostable or federated, you can’t verify that.

As far as I understand this is a client-side implementation. So it’s verifiable.

They probably do it to prevent spam/abuse. It is supposed to be a better WhatsApp after all, not a completely federated software. So it gotta be somewhat user friendly.

@Democracy@lemmy.ml

What? It’s easier for spammers/scammers to enumerate phone numbers (because they follow a specific pattern) than usernames or random IDs.

Probably referring to that it’s harder for scammers to create scam accounts because they need to verify the phone number is actually theirs before the account can send messages. IMO, still not worth requiring a phone number for the 90% of legitimate users.

There are websites online that offer 10 minute phone numbers.

Not sure if Signal does this, but most websites will automatically look up the phone number registration, see that it’s from one of those companies, and reject it.

@Democracy@lemmy.ml

There are these services still around.

https://sms24.me/en/messages/Signal

You’ll notice most numbers aren’t from the US. The ability to detect VoIP numbers only applies to NA.

poVoq

The original argument is that Signal does not want to create a social graph of user accounts on their server and rather rely on the already existing one of the users’ phone book.

But that is very narrow thinking and ultimately counterproductive as others have pointed out here already.

WiνΛlem OrtΛνíz

Someone was talking about Session in another post, the open source app that uses Signal code, but without the need to register a phone number.

Can someone recommend it? Has it been audited? Because when it comes to cryptography, even if it’s supposedly the same code as Signal, it still needs to be independently audited to be trusted.

Session runs on the cryptocurrency-backed Loki network.

Ok, didn’t know that. I will have so much catching up to do with documentation one of these days… The onion routing seemed cool but I barely read anything on it yet.
I hope it’s not some bullshit whitepaper just to add value to a blockchain/token.

Dhadelis

I prefer XMPP. Probably the best solution available.

You can care about privacy, or you can ask for a phone number during sign up. Those things are mutually exclusive.

Don’t use Signal if you care about privacy.

Don’t let perfection be the enemy of good. All my friends and family use Signal, it was a multi-year effort to pull that off. Signal will roll out usernames faster than the tide will turn, so let’s take our wins and learn to be better.

@ree@lemmy.ml

Yeah.

I can almost exclusively chat with my social circle with Signal now, been using it for 8-9 years.

I’ve tried XMPP, Matrix and some others. Signal is the only one that stuck, it’s not perfect but it’s fucking fine from my perspective.

@SNFi@beehaw.org

Well, I force my social circle to use element.io (matrix.org) or they are not going to be able to talk to me. I don’t need to talk to anyone, but they need to talk to me to ask me to help with their stuff, so they are joining element.io. I never used Signal because asking for a phone number or making it closed source while claiming it is to stop spammers sound like stupid requirements or arguments.

I don’t get any spam on matrix.org and on channels we have bots to review and block spammers.

Also, I don’t like how Signal discards F-Droid and forces us to use Google either. I think they also use Google Push notifications.

Element had a lot of issues last time I tested it: push notification issues, convoluted UI, E2E encryption disabled by default, slow server.

I had my own server for a while for my SO and I and we often missed each other’s messages, plus the client was draining my phone battery.

I love the bridging capacity of Matrix, I would like to spend an evening setting that up in order to aggregate all those messaging apps but I’m afraid it’s not worth it.

All messages are encrypted by default unless on public channels. Speed is something they are going to improve now.

I don’t have any other issue.

Yeah, they’re improving quite a lot, it’s great to read. Do they encrypt metadata now?

@SNFi@beehaw.org

I have checked right now and it seems they are still debating the implementation…

I hope they will implement it soon. 😥

I’ve missed that. It’s great :)

Hope they solve it soon.

And yes, Signal is far from perfect and Moxie’s views on some key points such as centralization are not mine. Still, it’s solid software.

This is my argument for Telegram. Its clients are open source and it has good Linux support. And unlike Signal it’s actually nice to use. (non-tech people usually dislike using Signal, but the feedback from Telegram is very positive)

Except e2ee isn’t on by default on Telegram.

That’s why I prefer Matrix. But it’s hard to convince people to use Matrix so Telegram it is.

Ight, imma delete Signal

Dhadelis

Who thought that requiring a phone number and relying on third party services would reduce users’ privacy /s

Amicese

People seriously still use Signal? lmao

Amicese

Uh oh. I somehow blocked Dessalines and I can’t unblock them cuz they’re an admin.

