first, why do you want to replace Signal?
-
History isn't stored on the server so it can't be automatically populated on a new device. That is a feature. The alternative, storing the messages on the server or having the means for one device to clone all of its messages to another device, would be insecure.
A 30 character long password is required in order to have enough bits of entropy so that the backed up messages are actually secure.
Grandma isn't moving her data to a new PC without assistance, the person that is assisting her should be competent enough to operate Signal.
-
easily extract metadata
That's a pretty big claim to make with zero additional information.
Since 2018, Signal has been encrypting the sender data with a key that isn't known to the server. Messages do not contain unencrypted metadata. I'm not sure how you expect the FBI to do this with the information available to the Signal servers.
-
at role does the signal server play?
-
Sure, so let me export my data from another PC or phone. If they wanted you to have message history, they would. So I'll respectfully disagree.
Why can she do WhatsApp but no Signal?
It's already needing to convince people to use Signal, why also making it hard for, let's say, your grandma.
-
at role does the signal server play?
If this is a question that you need answered then I'm
notsure you're qualified to declare that Signal is insecure. -
Sure, so let me export my data from another PC or phone. If they wanted you to have message history, they would. So I’ll respectfully disagree.
-
A bigger weak point is having weak encryption like Session has. Also, you cannot obtain metadata from Signal. They've gone to great length to prevent that. Signal servers don't even know who is talking to whom.
-
I use Matrix and this is possible via several encryption keys. They just probably cba. How Matrix E2EE works
-
I am pretty sure that if asked, the serverside protections can be circumvented - I think in one Github issue they even confessed that Sealed Sender is not bulletproof and is "best effort". I prefer to assume that if everything goes through a single server, and they know what and when each account does upon connecting - they can correlate the identities if they want to.
-
I am pretty sure that if asked, the serverside protections can be circumvented
No, they literally cannot. The entire protocol is open sourced and has been audited many times over.
One of the fundamental things you assume when designing a cryptosystem is that the communication link between two parties is monitored. The server mostly exists as a tool to frustrate efforts by attackers that have network dominance (i.e. secret police in oppressive regimes) by not allowing signals intelligence to extract a social graph. All this hypothetical attacker can see is that everyone talks to a server so they can't know which two people are communicating.
The previous iteration, TextSecure, used SMS. Your cellular provider could easily know WHO you were talking to and WHEN each message was sent. So SMS was replaced with a server and the protocol was amended so that even the server has no way of gaining access to that information.
The sealed sender feature is something that the client does. It was best effort because, at the time, they still supported older clients and needed backwards compatibility. This is no longer the case.
