It doesn’t necessarily mean that the phone number is sent with every API call.
The real authentication of who sent the message happens on the receiver’s device when they decrypt it.
In a centralized database without, this seems like it’d be trivial to get around. You’d only have to look at the client sent messages and correlate them to the receiving ones.
It’s more complex than that. The client doesn’t authenticate itself to the server. It only shows a certificate that says “I have a right to send messages to this person”. This certificate is anonymous and was initially generated by the receiver, and then sent via the encrypted session.
The server could still correlate the IP, which is much less valuable and can be hidden through VPNs or even the built-in censorship circumvention proxy.
It doesn’t necessarily mean that the phone number is sent with every API call. The real authentication of who sent the message happens on the receiver’s device when they decrypt it.
How would the signal server know who to route the message to?
They know who the receiver is. They don’t need to know who sent the message. They only have to route it to the receiver.
In a centralized database without, this seems like it’d be trivial to get around. You’d only have to look at the client sent messages and correlate them to the receiving ones.
It’s more complex than that. The client doesn’t authenticate itself to the server. It only shows a certificate that says “I have a right to send messages to this person”. This certificate is anonymous and was initially generated by the receiver, and then sent via the encrypted session.
More details here.
The server could still correlate the IP, which is much less valuable and can be hidden through VPNs or even the built-in censorship circumvention proxy.