You can now hide you phone number, according to the blog post.
[...] Selecting “Nobody” means that if someone enters your phone number on Signal, they will not be able to message or call you, or even see that you’re on Signal. And anyone you’re chatting with on Signal will not see your phone number as part of your Profile Details page – this is true even if your number is saved in their phone’s contacts. Keep in mind that selecting “Nobody” can make it harder for people to find you on Signal.
Well, to link with recent news, do you think talking with the late Alexey Navalni over Signal would protect you from russian police? They'd still be able to see that you talked to him.
And then what's the point of the super duper encryption?
In Signal, probably no. Signal has this sealed sender functionality hiding significant amount of metadata from passive observer and active examination post-communication: https://signal.org/blog/sealed-sender/
What Russian police would be able to see, that in a given time period of certificate rotation at most X people communicated to Navalny.
Signal does not know who you correspond with. The only information they keep is the account creation timestamp, and the date that the account last connected to the Signal service.
You may have confused this information with WhatsApp which indeed keeps a lot of metadata on each user.
Signal absolutely knows who you correspond with. How could they otherwise route your chat messages?
They promise to throw this information away, which is nice but not possible to verify.
They also employ a roundabout way of encrypting this data, but as they rightly point out in their article that describes the scheme, encrypting or hashing phone numbers is not safe from a malicious attacker. The space of all possible phone numbers is so small that it could be brute forced in the blink of an eye.
You place all your trust in Signal (and Google/Apple) when you use them. That may be better than the alternatives, but it's still something we should be honest about.
That said, keep in mind that Signal and Google/Apple can also trivially backdoor your software, so unless you take specific precautions against that, the details of their middleman protection isn't terribly important.
I guess you are right. It's trust-based. For an actual obfuscation Signal would need to implement something like onion routing, right? I think Session does it.
Well, TIL. That does not refute my comment, though. Signal still does not know who you chat with. It's the cloud provider who might log the IP address of the sender. Identifying the person based on that information alone would be non-trivial if not simply impossible.
> They'd still be able to see that you talked to him.
Signal has no access to metadata, including participants in a conversation. All they know is the date of account creation and the date of the last connection.
However, if they got access to Navalni's phone, then they of course can see everything Navalni can.
Even encrypted data is not irrelevant. The frequency of messages is relevant, as is how many messages are sent how quickly, the total package size can be revealing if they arent hella padding the data, there is a lot you can learn just from the data. Total obfuscation is ideal.
If you are worried of an adversary that is using numerical analysis on the frequency of messages to somehow undermine you, I’d recommend not using a smartphone or internet connected device. And perhaps medication.
We don’t insult each other here. Take the cheap potshots to Reddit.
>Why worry about nation-state level attacks when you can simply be hit over the head with a mallet until you give up your password?
Yes, that would be the point of obfuscation, as opposed to just encryption. End to end encryption does not prevent the $5 wrench attack, obfuscation does.
If a person is a member of a terrorist network - or friends with someone who is - the fact that a warrant could force Signal to expose that link could mean that a court is then more likely to approve increased surveillance of your (non-Signal) communications because of that link.
On the other hand if you are a woman on Tinder and using Signal to communicate with matches, this doesn't expose you to the person you have just matched with adding your number to their phone book, uploading it to LinkedIn and then finding where you work (which is what you can do with a phone number).
My feeling is this is a reasonable compromise, but it is important people understand what it does and doesn't protect you from.
[...] Selecting “Nobody” means that if someone enters your phone number on Signal, they will not be able to message or call you, or even see that you’re on Signal. And anyone you’re chatting with on Signal will not see your phone number as part of your Profile Details page – this is true even if your number is saved in their phone’s contacts. Keep in mind that selecting “Nobody” can make it harder for people to find you on Signal.