
agnos.is Forums


Signal is not the place for top secret communications, but it might be the right choice for you – a cybersecurity expert on what to look for in a secure messaging app

103 Posts 56 Posters 494 Views
  • K [email protected]

    I personally use carrier pigeons with Caesar cipher. I know I can't out-tech Google, so I will go medieval.

    R This user is from outside of this forum
    [email protected]
    wrote on last edited by
    #54

    You can do better than Caesar cipher

    1 Reply Last reply
    0
    • florencia@lemmy.blahaj.zoneF [email protected]

      at least not when using a public instance - they could fork the project to keep decryptable records on gov servers where the official gov instance would run

      All the people in the chat were high enough that the government for free provided them with secure rooms in their homes so everything would be done through government hardware and encryption programs.

      [email protected]
      wrote on last edited by
      #55

      They were probably out golfing at the time

      1 Reply Last reply
      0
      • D [email protected]

        Anyone who uses Facebook Messenger as their only messaging app will need to text or call me. Fuck that. I do, however, use WhatsApp and Discord for work and uni group chats. If or when that's no longer the case, people who only use those will need to text me, too.

        [email protected]
        wrote on last edited by
        #56

        The big problem is that the telecoms still charge by the minute to call a landline, so most businesses have a Facebook page and use Messenger as their primary form of contact.

        I’m literally going to a vet now and they had Messenger, WhatsApp or Telegram as their contact method.

        1 Reply Last reply
        0
        • G [email protected]

          One use case could be mass protests, where you have a lot of people congregated in a small area. An increasingly popular strategy among governments these days is to just shut down the entire internet in an agitated region. Bluetooth could keep information flowing as people move in and out of range.

          [email protected]
          wrote on last edited by
          #57

          Ah yeah that's a pretty good use case

          1 Reply Last reply
          0
          • danhab99@programming.devD [email protected]

            Signal recently implemented "usernames" instead of phone numbers

            [email protected]
            wrote on last edited by
            #58

            Much better.

            1 Reply Last reply
            0
            • zorsith@lemmy.blahaj.zoneZ [email protected]

              There's nothing to know; Facebook is Facebook, and nobody trusts Facebook for data security. WhatsApp is not, nor will it ever be, true end-to-end encryption, when Facebook owns the locks and keys.

              [email protected]
              wrote on last edited by
              #59

              Also WhatsApp logs a bunch of metadata (who you contact, how often, profile pic, etc)

              1 Reply Last reply
              0
              • G [email protected]

                Pretty sure they still store the phone number you sign up with, though - the usernames are just for sharing your contact with other people.

                Most people's phone numbers are easily linked to their identity. Which means the government knows who's using Signal.

                Usernames are definitely an improvement, but there are fundamental limitations in Signal's design.

                [email protected]
                wrote on last edited by
                #60

                Then I'd delete my old phone number account and start fresh... not exactly the best option, but all things considered you might have to.

                1 Reply Last reply
                0
                • E [email protected]

                  Signal is the place for top secret communications, but not for government business (at least not when using a public instance - they could fork the project to keep decryptable records on gov servers where the official gov instance would run).

                  [email protected]
                  wrote on last edited by
                  #61

                  The protections for classified information are not just about information security. They are about physical and operational security as well. That's why a SCIF has a "two locks" policy, and requires things like 4" steel doors.

                  E 1 Reply Last reply
                  0
                  • socsa@piefed.social
                    [email protected]
                    wrote on last edited by
                    #62

                    It also just gets blocked by autocratic firewalls. Deltachat is clutch because it can theoretically run on top of any email host so it's way more difficult to block.

                    povoq@slrpnk.netP 1 Reply Last reply
                    0
                    • danhab99@programming.devD [email protected]

                      Signal recently implemented "usernames" instead of phone numbers

                      Guest
                      wrote on last edited by
                      #63

                      But still, to use it, you need a phone number, which in many countries can only be purchased with a passport. That's the main rule. If privacy is really needed, personal identification should be excluded so that it's basically impossible to determine who owns the account.

                      1 Reply Last reply
                      0
                      • C [email protected]

                        I can't imagine any messenger is private if you invite random people into a group chat 🤦‍♂️

                        [email protected]
                        wrote on last edited by
                        #64

                        The actual military grade (XMPP-based) messengers implement security labels, meaning messages are tagged with the required security clearance and if you invite random people to a chat they can't see the messages.

                        1 Reply Last reply
                        0
                        • socsa@piefed.socialS [email protected]

                          It also just gets blocked by autocratic firewalls. Deltachat is clutch because it can theoretically run on top of any email host so it's way more difficult to block.

                          [email protected]
                          wrote on last edited by
                          #65

                          You can easily redirect XMPP to port 443, which is not blocked by most firewalls. If you have problems with firewalls or public wifis, your XMPP server is misconfigured.

                          socsa@piefed.socialS 1 Reply Last reply
                          0
                          • 9 [email protected]

                            Seeing as RCS with encryption based on the MLS standard hasn't been deployed yet, can you show exactly what metadata is leaking?

                            [email protected]
                            wrote on last edited by
                            #66

                            Well, instead of leaking metadata to Signal, AWS, Cloudflare and your ISP, like Signal does, RCS only leaks it to your ISP /s

                            1 Reply Last reply
                            0
                            • E [email protected]

                              Anything that logs all the communication.

                              Govs have their own apps, email servers, various other web-based tools to exchange data, etc. Usually also gov hardware (i.e. can't use/access such gov apps on non-gov phones).

                              It's not "what's better" it's what is mandated/required/the law.

                              Much like when you get a regular average job you have to use whatever is permitted - company email is the usual, can't just deal with company data over your private email account where the company has no oversight.

                              [email protected]
                              wrote on last edited by
                              #67

                              I didn’t mean for transparency or compliance with disclosure. I meant more secure for classified level communications.

                              1 Reply Last reply
                              0
                              • florencia@lemmy.blahaj.zoneF [email protected]
                                This post did not contain any content.
                                [email protected]
                                wrote on last edited by
                                #68

                                Wherever Signal is mentioned, I shall mention SimpleX-Chat.

                                Zero user ID needed to use. No phone numbers and no username.

                                SimpleX-Chat!!!

                                J M swelter_spark@reddthat.comS D L 5 Replies Last reply
                                0
                                • socsa@piefed.socialS [email protected]

                                  The protections for classified information are not just about information security. They are about physical and operational security as well. That's why a SCIF has a "two locks" policy, and requires things like 4" steel doors.

                                  [email protected]
                                  wrote on last edited by
                                  #69

                                  You are right.

                                  They are also about data security, so nobody can just erase, modify, or destroy/lose data. And all that applies to data handling as well.

                                  1 Reply Last reply
                                  0
                                  • G [email protected]

                                    One use case could be mass protests, where you have a lot of people congregated in a small area. An increasingly popular strategy among governments these days is to just shut down the entire internet in an agitated region. Bluetooth could keep information flowing as people move in and out of range.

                                    [email protected]
                                    wrote on last edited by
                                    #70

                                    I'll have to give this a look. Since going to music festivals where I couldn't text my friends, I've wanted a decentralized ad hoc network message app. Using PGP, all messages bounce through all devices within local device network range, but you can only read the ones you have private keys for.

                                    1 Reply Last reply
                                    0
                                    • florencia@lemmy.blahaj.zoneF [email protected]
                                      This post did not contain any content.
                                      [email protected]
                                      wrote on last edited by
                                      #71

                                      The exact reason why it's bad for top secret communications is why individuals should use it or something like it. That is government auditability.

                                      1 Reply Last reply
                                      0
                                      • S [email protected]

                                        SimpleX is decentralized, requires no phone number, based on Signal code. Screws up invitations via FB/Messenger though.

                                        [email protected]
                                        wrote on last edited by
                                        #72

                                        Salute, fellow SimpleX enjoyer 🗿

                                        1 Reply Last reply
                                        0
                                        • S [email protected]

                                          Regarding the trick of an adversary gaining access by emailing or SMS'ing a QR code for adding another device...

                                          Why does the new device not demand the PIN before being added?

                                          [email protected]
                                          wrote on last edited by
                                          #73

                                          It does, I tried it. Though, that may have been an addition since the attacks started.

                                          Though, in that specific case - Russian agents conducting espionage via targeted individuals - it's very likely they surveil their targets long enough to catch their device PIN before they nab the phone and return it. In the end, there is very little recourse to defend against this type of Evil Maid attack. Signal is really better at protecting against mass surveillance, but for individuals directly targeted by state espionage? You would need serious opsec, using air-gapped computers kept in safes or guarded by humans 24x7 and other crazy stuff. They have rules about what can be physically done with devices containing top secret information for a good reason.

                                          S 1 Reply Last reply
                                          0