The developers of Signal are currently doing a user survey:
I told them that I really like the app but also that I would like:
a) Signal on @fdroidorg
b) a proper desktop client
c) no data stored in "secure enclaves"
Maybe you'd like to tell them, too?
I think that one of the biggest issues with #SecureEnclave|s is being forced to use them, @waterbear.
If they were optional, I would feel less uncomfortable using them. However, the current situation creates a compliance issue when using #Signal in a business environment in the EU, as the highest EU court has ruled that US servers cannot be considered #SafeHabour|s anymore
Think their use isnt as secure as signal suggests either. SGX isnt a secure enclave. Its using root-of-trust signing. If I'm not getting confused all Intel CPUs have keys that can do SGX attestations. If you keep one from getting updated, while watching for and examining any updates they get, may find a way in.
Alternatively just try hard to attack one, maybe an older, less secure design. Or an employee leaks the keys.
Signal is relying on this to increase security of the encryption on this metadata. Its running on servers they don't control
They pretty much forced people into setting this up (couldnt use the app otherwise)without explaining properly what was going on
The app offered a keypad - where users were highly likely to set up a weak pin
Theres a whole load of SGX exploits been developed
Before it was "We have no data, so you don't need to trust us".
Now it is "We have your data, but we are smart nerds and will manage to protect it."
I think that it is not ideal, but changing it means that Signal would need to store the entire contact-graph of the network, which is much worse from my POV. I think they want to go there which is why they are doing the SGX-thing.
The only motivation I can think of for moving contact lists server side would be to make moving from one phone to another easier, but that's not required to implement easy migration.
But not having this decreases usability even further. You wouldn't only need to discover all of your contact's usernames, but also need to rediscover them when you lose your phone. All these things are solvable, but I just don't see it happening.
The things I asked for are very straightforward and don't require coimplicated changes of the status quo.
@__h2__ @fdroidorg Signal protocol over XMPP sounds great to me. When people lose their phone, they can recover the XMPP usernames of the people they talk to the same way they would recover their address book (which for me is backups)
I do hear you about discoverability though. Usernames require two parts so it's clear which server should get the traffic. People accepted that paradigm for email though.
Do you know of any mobile apps that make e2ee XMPP easy?
I wrote a proposal some years ago to add phone-number bases client-side discovery, but the authors were not interested ;-)
@__h2__ @fdroidorg I read through your proposal and my concern is that it would allow a guess-and-check way to obtain a person's contact list. Just query a user with all possible phone numbers. This is bad in that I can't control if anyone ever puts my JID and phone/email in their contact list and this feature is the link that allows randos to query this info.
If I were an advertiser, or Facebook or whomever, I'd absolutely use this to suck up contact lists.
All permissions are explained here:
Apart from localization and calendar, they are all used by major features of the app (camera for quickly snapping and sending pictures, contacts for contacts, microphone and camera for calls, storage for saving media sent and phone/sms to use signal to send standard sms, not just using data).
It works perfectly fine when most of them are deactivated, nothing forces you to activate them.
@__h2__ Second all of that. But i get a security warning on the survey site and my browser won't open it?
@__h2__ I completed that one, too! Didn't think of #3, but I asked for 1 and 2 as well. Especially when it comes to the accessibility of the desktop app. Currently, it's pretty horrible.
I am merely asking for them to not change their threat model by storing my data and to support fully free platforms better.
In fact, not using phone numbers is what they are currently planning, I think, and which has led them to store data in the SGX.
Right now the contact list in Signal is stored client side, because the identifier is the phone number and that is stored in your address book. Signal servers don't know who I know or who I am in groups with.
If identifiers are separate, they are not stored in the address book and for any type of usability will be stored server-side. This reverses the trust model.
Whether this data is stored in SGX or not is another matter. Nation-scale adversaries will have access to SGX.
I would prefer decentral, but apparently "like WhatsApp" is the main criterium right now. So I would at least like this service to store as little data as possible.
Server run by the main developers of the project It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!