
Perhaps I'm not hip enough but I'm pretty sure there is nothing more sophisticated than Signal.


Session -- it just doesn't have as many features.

BTW, one of Signal's weaknesses is that you MUST use a phone number with it. If you're savvy you realize this can be a Twilio number you control making your account immune from SIM hijacking. However, unless you override a bunch of defaults Signal is not immune to other attack vectors like attempting to unfurl a URL sent in a message -- which can expose your true IP address -- or generate a thumbnail of a video -- which can launch a malware attack -- which is the method of attack alleged to have been used by Saudi intelligence to hijack Jeff Bezos' phone (via an E2E encrypted WhatsApp message no less). A more sophisticated messenger system would turn off lots of "convenience" features by default and let me pick a random username and NOT make me enter a phone number or email address. People who care about security don't need a way to reset their randomly generated 128 character passwords.


> BTW, one of Signal's weaknesses is that you MUST use a phone number with it.

This isn't a weakness, it is a tradeoff. You use phone numbers (downside) but the server does not have to store any information about who is talking to who (upside). Other tools reverse this choice and don't use phone numbers but do need to maintain the communication metadata.


It's not a tradeoff, it's a weakness by design. All features you mention are 100% doable without a phone number.


Sure, and Signal is already working on usernames. Here's the kink: When you have low latency (video) calls, you can't route via Tor. When you can't route via Tor, you leak your IP to the server. When you leak your IP you're not anonymous, and when you're not anonymous, the server having the hash of your phone number isn't adding too much data to them.

When the server knows who you are, the app can use your existing contact list to discover contacts. This means unlike e.g. Telegram, Signal server doesn't store your contact list.

I e.g. constantly see people whose phone number I've already deleted appear on my Telegram contact list "X joined Telegram". Telegram knows I had the number at some point. This would never happen with Signal.


> the server having the hash of your phone number isn't adding too much data to them.

Wait how big is the hash of the phone number?

If it's enough bits (e.g., a full sha hash) then it's not that secure to hash at all. 10^10 or even 10^11 is just 10 or 100 billion. I can easily try all phone numbers until I find the one that matches the hash.

It maybe protects against attacks against lots of people, but it really doesn't protect an individual.


It's 10 bytes, so 80-bits.

You are correct that using a hash does not protect an individual from other users discovering that they can contact them with Signal, which is to be expected because that's the purpose of this feature. If you suspect that Bob, with phone number +15555551234 has Signal installed, you can verify that by... typing Bob's phone number into your contacts list and installing Signal so you can send messages to Bob.


For the purposes of entropy, you need only consider 10 valid choices for each symbol of a phone number so it's closer to 33.21 bits (10 * (log(10) / log(2))) and smaller still when discarding impossible area, trunk & subscriber numbers.


And then a bit larger again when including foreign phone numbers.


No, I'm describing the truncated hash. Signal truncates SHA1 to 10 bytes of output.

No matter if your phone number is six digits or sixteen, Signal uses 10 bytes (80 bits) of the hash.


So given that 80 bits is much bigger than 30-40 bits, if I know someone's hash I can very easily narrow down their phone number to one or sometimes two candidates.
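The entropy argument of this sub-thread, as an added example that is not from any of the commenters: hash a constructed number the way the thread describes (SHA-1 truncated to 10 bytes) and check that enumerating a small constructed prefix range identifies it uniquely, because an 80-bit output space is far larger than the roughly 33-bit input space. The exact string encoding Signal feeds to SHA-1 is an assumption here (E.164 text); the prefix +1555555 is fictional.

```python
import hashlib
import itertools
import math


def truncated_sha1(phone: str) -> bytes:
    """SHA-1 truncated to 10 bytes (80 bits), as the thread describes.
    Assumption: the hash input is the E.164 number as ASCII text."""
    return hashlib.sha1(phone.encode("ascii")).digest()[:10]


def phone_space_bits(digits: int) -> float:
    """Entropy of an all-digit number space: digits * log2(10).
    For 10 digits that is about 33.2 bits, the figure quoted above."""
    return digits * math.log2(10)


def candidates_for(target: bytes, prefix: str, digits: int) -> list:
    """Enumerate every number with `prefix` followed by `digits` decimal digits
    and return those whose truncated hash equals `target`. The work is 10**digits
    hashes (10**10 for a full 10-digit number), not 2**80: the output length of
    the hash says nothing about how many inputs there are to try."""
    matches = []
    for tail in itertools.product("0123456789", repeat=digits):
        phone = prefix + "".join(tail)
        if truncated_sha1(phone) == target:
            matches.append(phone)
    return matches


def demo():
    # Constructed example number, not a real subscriber.
    phone = "+15555551234"
    h = truncated_sha1(phone)
    # Search the 10,000 numbers sharing the constructed +1555555 prefix. An 80-bit
    # hash makes a second match vanishingly unlikely, so the set collapses to one.
    found = candidates_for(h, "+1555555", 4)
    return h, found


if __name__ == "__main__":
    digest, found = demo()
    print(digest.hex(), found, round(phone_space_bits(10), 2))
```

Scaling the last argument of candidates_for from 4 to 10 digits is the full 10^10 search the thread mentions; nothing about the hash changes.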


The point isn't hashes anonymize you, the point is you're already leaking IP in most cases, so phone number doesn't really reveal anything additional.


I'd much rather leak an ip than a phone number.


Under what threat model?


Pretty much anything I can think of. If someone gets my phone number they can bug me or identify me much more concretely/completely.

What threat model has an IP be worse to leak than a phone number?


> Here's the kink: When you have low latency (video) calls, you can't route via Tor.

Sure, but you can use VPNs. Or Orchid, which is a multi-hop VPN that routes through multiple VPN providers.

Or you can just use VoIP, which can be done via Tor, as long as you can force TCP mode.


That system a) has a paytrail, b) involves companies that can be coerced / hacked with relative ease, c) is a paid system and d) is quite a bit for the average user to handle.

Also, if you're going to stay anonymous, you need something that is extremely hard to misconfigure. I use wireguard on my Android and I've set the VPN to activate automatically, and I only allow connection via VPN, but I'd never imagine any of the apps I'm running are properly anonymized.

Also, since you're apparently working for or affiliated with VPN providers[1], you might want to be more transparent about possible vested interests.

[1] https://www.ivpn.net/privacy-guides/what-is-a-vpn


I've never hidden the fact that I've worked for IVPN and Restore Privacy. But they pay me by the word, so I gain nothing by promoting them.

I haven't actually used Orchid, because there's no Linux app. But I did buy some of their Ethereum currency. And I recall no money trail. As I recall, I converted well-mixed ~anonymous Bitcoin to plain-vanilla Ethereum, and then to Orchid's currency.

But whatever, I'm not going to defend Orchid.

Anyway, I use nested VPN chains. It's like a multihop VPN, except that each hop is a different VPN service, and each of them is leased with a different pool of well-mixed Bitcoin. I do all the Bitcoin mixing via Tor, in Whonix instances. That way, I don't need to trust any of them, only that an adversary won't manage to compromise or coerce all of them. It's the same logic as Tor uses, based on Chaum.

If you want to read more, just search "mirimir" on IVPN's and Restore Privacy's sites. There's also https://github.com/mirimir/vpnchains which is pretty over the top. And I've also played with something like that which routes VPNs via Tor.


I'm not an expert on cryptocurrency so I can't say how well you managed to anonymize the paytrail but the problem of logs and the lifetime of the chain concerns me.

When you start to chain VPN nodes you gain latency so you might as well use Tor. These days Tor has enough bandwidth to play 720p video with ease and there's less hassle. Also once you hit three nodes you won't really benefit from a longer chain so mixing VPN with Tor isn't really beneficial unless you're evading censorship of Tor.


OK, fair enough. I'm no expert on Orchid. I rather lost interest, after it became clear that it was useless to me.

You're wrong about nested VPN chains, however. Depending on geographical distribution, each VPN adds 50-100 msec rtt. And bandwidth doesn't drop that much after the first VPN.

I use both nested VPN chains and Tor to mitigate the risk of Tor circuits being compromised. The lesson of CMU's "relay early" exploit for the FBI was sobering. Given that lesson, only fools use Tor without protection.


Bad guys might rather hack different servers in different countries and use something like a chain of SSH tunneling after making sure they patched the security vulnerability they used to get in.

Add in some routing through Tor.

That would be harder to beat by a single law agency.

Particularly harder if the countries implied are not friendly towards each other.


> I e.g. constantly see people whose phone number I've already deleted appear on my Telegram contact list "X joined Telegram". Telegram knows I had the number at some point. This would never happen with Signal.

This literally happens with Signal. And it makes sense too, the message that Signal gets telling it someone is now on Signal is presumably the same one letting it know it can use encryption rather than SMS to talk to that person.


Signal is not built for anonymity. It's built for message privacy. It's a lot like PGP in that the government know who emailed whom, but they cannot read the email. That's the whole point. If you are trying to hide your phone number, Signal is not going to help you and it's not meant to.


PGP doesn't hide metadata, anonymous remailers hide metadata. Add a sufficient volume of dummy messages and all of a sudden nobody can do traffic analysis, either. Think ATM: There's a constant volume of "cells" but only some of them are actually carrying anything.

That, or blasting your message to a huge number of people, only one or a few of whom actually receive it because it's encrypted and then steganographically hidden in spam. Again, use dummy messages and there's no way to predict anything by divining the ebb and flow of spam volumes.


I've never understood the point of privacy without anonymity. Or of plausible deniability. Both depend on rather idealistic assumptions about adversaries.

https://xkcd.com/538/


The practical upshot of Signal's deniable authentication is that a Signal message isn't proof of anything. It has zero weight because everybody can make fake Signal messages apparently from somebody else to them about anything.

If Alice tells Bob a secret via Signal, this means Alice cannot be worse off than if she'd used any other means of telling Bob. Can Bob reveal the secret? Yes. Can he claim Alice told him? Yes. Can he prove it? No.

This is a sharp contrast to something like PGP where Bob can prove Alice sent the message.


I doubt that any part of law enforcement or worse parties will agree with you on the zero weight part.


That's nice. But choosing to believe nonsense won't make it true. The United States of America chose to believe that torturing people is an effective means of securing reliable intelligence. Because that's how it works in Hollywood movies, so how can reality be different? But of course the "intelligence" they obtained this way was not in fact reliable, because a person being tortured doesn't magically know the truth and you don't know if they're telling the truth, so they'll say whatever they think will make you stop hurting them, which is utterly useless.

The only way you can know if intelligence obtained is reliable is to actually test it. With systems like PGP you get proof. Did Alice send this message as Bob alleges? Yes, the message includes proof so he was telling us the truth.

With Signal all you have is Bob's word as I described.

Signal can't stop the Secret Police from torturing Bob, but they can ensure they don't have any way to know if he told them the truth. If the Secret Police were rational that's enough reason not to bother torturing Bob. But we can't make them rational, for some people just inflicting pain for no reason is their goal.


Wouldn't you need to clone their SIM or otherwise fake their number?


Nope. Signal's messages are relayed by Signal's servers over IP like anything else, your phone has no evidence this message ever came from anybody's phone, let alone that it was Alice's phone. If you use Signal Desktop it didn't come from a phone at all. Signal doesn't keep any proof that it got these messages from an "authentic" source. Either they check out as from Alice or they don't and in the latter case they clearly shouldn't be displayed at all.

The way you normally know a message is from Alice on Signal is that the message was sent using keys only you and Alice share†, and you know you didn't write the message. But a third party has no way to verify that last part. That's the entire trick (in layman's terms).

† Signal and similar systems provide a means to do out-of-band verification that the long term identity key for people you know matches. You probably don't use this with most people, but you can and it's made easy if you want to.
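The contrast drawn in the last two comments (a MAC over a key both parties share versus a PGP-style signature), as an added example that is not from any of the commenters. The signature side uses a Lamport one-time scheme purely because it fits in the standard library; that choice and the message texts are assumptions, and the property shown (only the secret-key holder can produce a valid signature) is the one the discussion turns on.

```python
import hashlib
import hmac
import secrets

# Deniable authentication: Alice and Bob share one symmetric key. The tag
# convinces Bob (who knows he did not write the message), but a third party
# cannot tell Alice's tag from one Bob computed himself with the same key.
def mac_tag(shared_key: bytes, msg: bytes) -> bytes:
    return hmac.new(shared_key, msg, hashlib.sha256).digest()

def mac_verify(shared_key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(shared_key, msg), tag)

def mac_is_deniable(shared_key: bytes, forged_msg: bytes) -> bool:
    # Bob fabricates a message "from Alice"; his tag verifies exactly as hers would.
    return mac_verify(shared_key, forged_msg, mac_tag(shared_key, forged_msg))

# Non-repudiable authentication: a signature needs Alice's private key.
# Lamport one-time signatures (assumed stand-in for PGP's signatures): the secret
# key is 256 pairs of random preimages, the public key their SHA-256 hashes.
def _bits(msg: bytes) -> list:
    d = hashlib.sha256(msg).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def lamport_sign(sk, msg: bytes) -> list:
    # Reveal one preimage per bit of the message hash. One-time: never reuse sk.
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        hashlib.sha256(sig[i]).digest() == pk[i][b] for i, b in enumerate(_bits(msg)))

def signature_is_binding(pk, alices_sig, alices_msg: bytes, forged_msg: bytes) -> bool:
    # Bob holds Alice's public key and one genuine signature. Without her secret
    # preimages he cannot make that evidence say anything she did not sign.
    return lamport_verify(pk, alices_msg, alices_sig) and not lamport_verify(pk, forged_msg, alices_sig)

if __name__ == "__main__":
    key = secrets.token_bytes(32)                      # constructed shared key
    print("MAC deniable:", mac_is_deniable(key, b"Alice never said this"))
    sk, pk = lamport_keygen()
    sig = lamport_sign(sk, b"the secret")            # constructed message
    print("Signature binding:", signature_is_binding(pk, sig, b"the secret", b"a different secret"))
```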


The vast majority of communications occur between people who are publicly known to have an association and have no need to deny the association. Some common examples:

1. Friends

2. Family members.

3. Members of a business.

If your life or freedom is on the line because of an association with someone then most systems out there are somewhat dangerous due to the weakness of the endpoints. You would want something like an airgapped computer with on or off line dead drops possibly hidden with steganography.


> You would want something like an airgapped computer with on or off line dead drops possibly hidden with steganography.

Well, "the best is the enemy of the good". That's the whole point of risk management. As a practical matter, I do the best that I can manage, or at least, be bothered with ongoingly. If I were as paranoid as you're advocating, I'd be cowering in a bunker. Also, for me there's the fact that I have little left to lose.


I believe it is both a weakness and a trade-off


Then why has nobody done it?


Beyond the (slightly behind trend) enthusiasm for blockchains Session is the same punt on contact discovery as lots of other systems that went nowhere. This works great for little secret decoder ring cliques but doesn't actually secure real people's day-to-day messages due to lack of discovery - your local butcher and the guy your sister went to college with never find out that you have the same secure messaging app, and so their messages to you aren't secured.

In contrast to your disinterest in convenience features, Session does have a bunch of things that presumably its principals felt were non-negotiable but clearly harm security. The "Open Groups" feature for example is basically "Eh, this is hard, we give up" for larger groups (500+ people). No end-to-end encryption and you're given either a moderator tool that doesn't work ("Ban" pseudonymous people who can for zero cost just create a new pseudonym) or one that's onerous ("Invite" everybody manually).


"BTW, one of Signal's weaknesses is that you MUST use a phone number with it. If you're savvy you realize this can be a Twilio number you control making your account immune from SIM hijacking."

Does Signal not ever send messages from, or otherwise use, SMS shortcodes?

I ask because no twilio number can receive an SMS shortcode (because no twilio number is classified as a "mobile" number).

Genuinely curious.


They do it once for the initial setup. But iirc, one can also get an automated call for the pin.


FTI's report (1) (the security company doing the forensics analysis) about Bezos' phone "hack" is a joke.

Not only do they not show anything, but they use misleading terms in order to confuse the reader.

We do not even know if he was hacked. Right now it is just vague accusations.

I do not care about Saudi Arabia, they are a middle-ages, totalitarian and profoundly sick country. What I care about is misinformation.

(1) https://www.documentcloud.org/documents/6668313-FTI-Report-i...


To be fair, "Signal the App" and "Signal the Protocol" are two different things. If you were talking about the latter then your statement is quite possibly correct.


Signal is all about making good cryptography usable for the general public. If you actually use the "safety numbers" to verify the identity of who you are communicating with then you have real guaranteed end to end encryption. Unfortunately not everyone does that.

People that really really need to be sure probably use something super simple like PGP after they take the time to learn how.


Why not Keybase?

https://keybase.io/


The lack of PFS is a big negative about keybase.


There's also a targeted attack that allows arbitrary keys to be linked to your keyring to DoS you.


You can set messages to expire in keybase:

https://keybase.io/blog/keybase-exploding-messages


That looks completely orthogonal to Perfect Forward Secrecy.


It's based on an ephemeral key schedule underneath. Here's the design doc: https://keybase.io/docs/chat/ephemeral


I was under the impression it's the same for Signal. Quick duckduckgo led me here: https://signal.org/blog/asynchronous-security/ The more you know!


I was just looking into keybase, and.... deleted. Thanks for the heads up.

