Privacy

33992 readers

2072 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS

[email protected]

What do you think about Session as a potential replacement for Signal? (getsession.org)

submitted 2 days ago* (last edited 2 days ago) by [email protected] to c/[email protected]

55 comments fedilink hide all child comments

Especially for the less tech-savvy among us?

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] -1 points 2 days ago (2 children)

It is a centralized weak point that US feds can easily extract meta data from to obtain your social network etc

[–] doodledup 10 points 2 days ago

A bigger weak point is having weak encryption like Session has. Also, you cannot obtain metadata from Signal. They've gone to great length to prevent that. Signal servers don't even know who is talking to whom.

[–] FauxLiving 10 points 2 days ago (2 children)

easily extract metadata

That's a pretty big claim to make with zero additional information.

Since 2018, Signal has been encrypting the sender data with a key that isn't known to the server. Messages do not contain unencrypted metadata. I'm not sure how you expect the FBI to do this with the information available to the Signal servers.

[–] [email protected] -4 points 1 day ago (1 children)

I am pretty sure that if asked, the serverside protections can be circumvented - I think in one Github issue they even confessed that Sealed Sender is not bulletproof and is "best effort". I prefer to assume that if everything goes through a single server, and they know what and when each account does upon connecting - they can correlate the identities if they want to.

[–] FauxLiving 4 points 1 day ago

I am pretty sure that if asked, the serverside protections can be circumvented

No, they literally cannot. The entire protocol is open sourced and has been audited many times over.

One of the fundamental things you assume when designing a cryptosystem is that the communication link between two parties is monitored. The server mostly exists as a tool to frustrate efforts by attackers that have network dominance (i.e. secret police in oppressive regimes) by not allowing signals intelligence to extract a social graph. All this hypothetical attacker can see is that everyone talks to a server so they can't know which two people are communicating.

The previous iteration, TextSecure, used SMS. Your cellular provider could easily know WHO you were talking to and WHEN each message was sent. So SMS was replaced with a server and the protocol was amended so that even the server has no way of gaining access to that information.

The sealed sender feature is something that the client does. It was best effort because, at the time, they still supported older clients and needed backwards compatibility. This is no longer the case.

[–] [email protected] -5 points 2 days ago (1 children)

at role does the signal server play?

[–] FauxLiving 1 points 2 days ago

at role does the signal server play?

If this is a question that you need answered then I'm ~~not~~ sure you're qualified to declare that Signal is insecure.