Hello Everyone,
This is something I’ve been thinking about in the wake of many users joining Signal, due to WhatsApp’s new privacy policy changes.
When it comes to the mobile client (in case of Android), we could verify its integrity by checking the source code & the APK’s integrity using reproducible builds (https://signal.org/blog/reproducible-android/).
When it comes to the server, it is possible that it could get compromised in many ways.
My question is, when it comes to privacy & security, does the server integrity matter if we are reasonably sure the client isn’t compromised in any way or doesn’t transmit anything that the server could access in a meaningful way.
And, this could apply to any service that has both FOSS client & server or just FOSS client.
If signal’s servers become compromised:
- The messages of already open channels stay encrypted1
- The attacker has access to the frequency at which you receive new messages (but not from whom, if they use a VPN2) thanks to Sealed Sender
- The attacker cannot know how frequently and to whom you send messages, thanks to sealed sender also (once again if you use a VPN2)
- The attacker can compromise any new communication you open, though if sealed sender is enabled for unknown senders, they can’t know who you are opening the channel to before compromising it
- You can detect any channel that is compromised by checking the safety code of all of your conversations.
- They can prevent you from receiving/sending any messages, but once again, thanks to sealed sender, they can pick which contact they block you from connecting to.
- If you have given Signal access to your address book, they might be able to get all the phone numbers that are in it3.
- In theory they can’t know the members of each groups, but with clever timing analysis of who receives messages when etc… they might be able to have an idea of who is in the same group.
- By channel I mean any conversation between 2 people. My understanding is that groups work by just you sending the same message to everyone in the group, so groups are just a special case of 1 to 1 conversations between every pair of 2 people in the group.
- If you don’t use a VPN or anything similar, they could likely just track the IP address of the sender to get an idea of who is sending the message, rendering the Sealed Sender tech much less efficient
- This is a bit tricky, because of private contact discovery, but my understanding is that if intel is compromised too, the attacker could nullify the benefits of this tech, if someone with greater knowledge of the SGX secure enclave could validate, that’d be great.
Disclaimer: I am not an expert on Signal, or secure messaging in general, this is just my understanding of the tech behind Signal.
Thanks for the explanation.
So, hypothetically speaking, can we say that it’s alright for any messaging service to have it’s server remain closed source as long as it has features similar to the following?
- Both sender & receiver use VPN
- Sealed Sender
- Private contact discovery
- Safety code of conversations
- Any other strong features Signal has
No, because if the server is closed source, it means that nobody can spin up another network, and distribute a modified version of the app that connects to said new network, which means that in that case the owner can publish updates that reduce the privacy of the app, without actually facing the risk of a fork (this is exactly what WhatsApp is doing).
The signal server code is open-source: https://github.com/signalapp/Signal-Server
But in the end it mainly depends of what your definition of “alright” is. My n°1 concern is surveillance capitalism. So my definition of “acceptable” relies a lot on the fact that the service is not run by a corporation that is into the ad business. The fact that is FLOSS, especially copyleft licences, pretty much guaranties that the app won’t be bought by an ad company (like WhatsApp was).
in that case the owner can publish updates that reduce the privacy of the app
Can you please elaborate on this?
For example, removing the encryption so that the contents of the messages can be used for ad targeting. If the server is closed source no one can fork the app and build an alternative network keeping the encryption, they would have to rebuild the whole server side from scratch. One could keep using the old version of the app, but it is likely that they will end up being booted of by the servers.
If Signal does that, it is very likely that third party clients and servers will be able to quickly pop up and keep the encryption.
All these are some hypothetical scenarios I thought about.
As far as I read, the client sends as little as possible, encrypted. So, the server can’t interpret it meaningfully. Let’s say I’ve installed the client from an apk which I know has not been compromised.
So, either the client becomes unusable, because the server tries to mess with the encryption, or the server simply doesn’t accept requests from the modified client.
Almost anyone can be socially engineered to accept a compromised app update, but that is anyways a moot point.
Why would you use a service that connects your device to a US based and likely compromised server, if there are alternatives that can be hosted locally? It doesn’t really matter if the service only sends minimal and encrypted data, because in the age of big data that is plenty to use for ML based correlation. No data shared is always better :)
I totally get that. But, it’s an uphill battle to make people you know well, to switch to a centralized alternative, let alone a decentralized/p2p/self hosted one.
Well, this is the story the Signal developers are promoting it: “even if our servers are compromised it wouldn’t matter”. But this is their framing and one that IMHO shifts your focus in the wrong direction.
Because according to all that is publicly known, it is pretty safe to assume that both servers and developers of Signal are already compromised by the CIA / NSA for years. Thus it is better to look at it from that perspective.
So for example, reproducible builds are nice in theory, but since they more or less prevent there to be actual widely used 3rd party builds and alternative distribution channels, it is trivial for Signal (in cooperation with Google) to secretly put a modified version on specific phones. Their official argument is that it is better to have a single point of failure (The Signal developers), then multiple 3rd parties that could get compromised. But IMHO since it can be assumed that they are already compromised to some extend, then I personally would rather trust a 3rd party with compiling and distributing the app.
There is also no way to know if the code that runs on the Signal servers is the same that they published and so far there seem to be no alternative Signal based servers, thus some of the arguments mentioned in this thread that the Signal Foundation can’t lock you is again only (and only maybe) true in theory.
But I agree that it is unlikely that Signal will ever be sold to an ad company if that is your main concern. However my main concern is that journalists and wistlebowers etc. should have secure communication channels and be able to communicate hidden in a mass of normal users and without specialized technical knowledge necessary. Looking at it from that perspective, Signal raises multiple red-flags which is especially concerning since it is marketed and recommended especially to this vulnerable group of users.
But, we could install a version of signal client that’s not compromised, which sends as little as possible, encrypted. So, a compromised server could deny the requests, because the client was modified or it couldn’t work with the encrypted content the way it expected. This would automatically raise red flags, because the app doesn’t work anymore. Has something like this happened?
And for the deploying modified versions to targeted devices. I know it’s possible through orders or compromised server, but has it happened? If so, any sources regarding that.
That really doesn’t matter, because a compromised server could get hoard a lot of info even assuming the message content is secure. I forget what video it was, but it was emphasizing linkability, what the western security orgs care about more than content, is linking your accounts to create a digital footprint.
Signal has everyone’s phone number (its mandatory), and connections between accounts (timestamped messages with sender and recipient info). You can pretty much link a phone number to your identity, your name and address, credit cards, so a compromised signal server is a centralized place with everyone’s social connections, message activity, names, and addresses.
But, signal has the concept of sealed sender (https://signal.org/blog/sealed-sender/), where signal doesn’t know who is sending the messages.
This is when the government asked for data from Signal, “The only Signal user data we have, and the only data the US government obtained as a result, was the date of account creation and the date of last use – not user messages, groups, contacts, profile information, or anything else.” (https://signal.org/blog/looking-back-as-the-world-moves-forward/)
With my phone number, they could tie it to other services, but not with the contacts in Signal itself.
This is something related to how groups are secured - https://signal.org/blog/signal-private-group-system/
Sealed sender does nothing against timing correlation. It’s really trivial correlate traffic over TCP connections and find out which pairs of IP addresses are communicating with each other.
Unsurprisingly, it’s ineffective against users that exchange messages very rarely and effective with users texting every day.
Signal does nothing to mitigate this problem.
The source for that stuff is “trust me” since:
- The signal server isn’t made to be self-hostable, nor do we have a way to verify their server code is the code that’s running, on the only instance you can sign up to.
- Its hosted in the US, so we must assume the worst there. Lots of places to log form login posts that connect a phone number to their internal ids, and phone numbers are mandatory for logins.
I’m not sure why people let signal off the hook with a few press releases. If someone were to say, “Hey I’m making a secure messaging service! You must give me your phone number, and its run by a US company, hosted in one of the few countries where its illegal for us to tell you if our server is compromised.”, not many of us would take it seriously.
The source for that stuff is “trust me” since
Not for Sealed Sender and Private groups, because that’s mainly implemented client side. Pretty much all of the privacy features of Signal come from Client side encryption and deletion of metadata, so you don’t have to trust the server, because it never has access to the decrypted content and metadata since it’s never even sent to it.
That is what I would call a “cargo cult” feature ;)
Since Signal is in full control of the server infrastructure they can easily correlate based on timing who the sender is.
Edit: This, like a lot of the features of Signal are nice in theory and would be great in a fully federated and self-hostable ecosystem, but as it stands they are pretty much a smoke screen.
Yeah, wondering why Signal isn’t federated yet. Is it because they can’t ensure that the federated servers confirm to the same standards or something?
In that sense, then any messaging service, with an open client that has the same features as Signal & a server that’s either closed or open but compromised, should be ok, right? because the client doesn’t trust the server and ensures that it doesn’t send anything that can be interpreted by the server. The server either has no choice but to work with such a client or doesn’t.
From your earlier reply, I understand that a closed server can’t be forked or can do this & that with the data sent, but at the same time, the Signal team has a tight lid on its ecosystem well. I don’t see anyone self-hosting Signal server or running a custom client, at least the people I know don’t.
Note: Here, I’m assuming that I’ve manually installed a version of the open client that I know isn’t tampered with & has a solid implementation, not directly from any store.
The fact that their tech is FLOSS means that if someone wants to build a messaging service that has the same privacy features as Signal, they can without starting from scratch.
I don’t see anyone self-hosting Signal server
If they suddenly announce that Signal is bought by Facebook (it can’t really happen because it’s a non-profit), there will be other organisations that will start their own Signal based services.
We wouldn’t know.
