Oh, just the metadata. The content is end-to-end encrypted on your phone!
I'm sure OWS would encrypt the metadata in the same way if they could,
but then the server wouldn't know who to send the message to :)
Boskote
On 22 January 2016 at 00:40, <***@tuta.io> wrote:
Boskote,
Thanks for the message. When you say, "someone with either of these
accesses would probably also be able to see every Signal message you
send", do you mean the meta data, or the content, too?
Thanks,
anonday
22. Jan 2016 05:19 by ***@riseup.net:
anonday,
There was a similar thread on this list a couple months ago, and
this post from Brad was an informative overview of the situation
surrounding contact discovery:
https://lists.riseup.net/www/arc/whispersystems/2015-12/msg00000.html
I found the following sentence to be most relevant in terms of
the security issues posed by the contact discovery process: "If
the server is indeed successful in not storing, logging, leaking
the protocol messages used to (transiently) calculate contact
intersection, and the channel from phone to server isn't
compromised, then the contact list from a particular phone is
not leaked directly - but the list (obfuscated by the hash) does
get sent over the wire so those 'ifs' matter in tough environments."
In other words, if someone has access to either the signal
server, or the channel from the phone to the server, then they
could in theory get access to your contact list as a result of
the contact discovery process. This sounds bad, however it is
worth keeping in mind that someone with either of these accesses
would probably also be able to see every Signal message you
send, which unavoidably reveals the subset of your contact list
that you communicate with through Signal over the period of time
that they have access. Assuming the adversary has long term
access, they would have all of your Signal contacts. In that
case, the contact discovery process would only be meaningfully
revealing the members of your contact list that are not using
Signal. Assuming you are communicating with these people using
regular calls or text messages, then this metadata would be much
more widely revealed/recorded by the telecommunications and
intelligence institutions.
The conclusions I draw from this are that the contact discovery
process makes contact list info more vulnerable than it would be
otherwise in the two following situations:
1) When an adversary would only have temporary access to the
signal server or the channel between the phone and the server,
and can therefore intercept contact discovery info but not very
many signal communications.
2) When a phone's contact list contains members that are not
being communicated with using that phone (either through Signal
or through less secure means).
I find this analysis relevant for more clearly evaluating the
privacy side of the trade-off between privacy and the benefits
of contact discovery (as outlined at the beginning of the blog
post <https://whispersystems.org/blog/contact-discovery/>).
adelante,
Boskote
On 21 January 2016 at 12:56, Jani Monoses <***@gmail.com> wrote:
"For TextSecure, however, we've grown beyond the size where
that remains practical, so the only thing we can do is write
the server such that it doesn't store the transmitted
contact information, inform the user, and give them the
choice of opting out."
This suggests that hashing is used. It is not secure, but
the secure protocols were (and probably still are) at the
time of writing prohibitively inefficient.
Check out this recent thread for more info:
https://moderncrypto.org/mail-archive/messaging/2015/001827.html
On Thu, Jan 21, 2016 at 7:49 PM, <***@tuta.io> wrote:
Also, in the Signal Wiki, it says: In order to determine
which contacts are also Signal users, cryptographic hashes
<https://en.wikipedia.org/wiki/Cryptographic_hash_function>
of the user's contact numbers are periodically
transmitted to the server.[41]
Source [41] links to your link, Jani. However, that blog
post does not say that Signal uses hashes, only that
hashing is a solution that doesn't work. Is this an
error in the Wiki?
source:
https://en.wikipedia.org/wiki/Signal_%28software%29#Servers
21. Jan 2016 17:32 by ***@tuta.io:
Jani,
Thanks for the link. It touches on the hashing
issue. However, it doesn't explain what Signal's
process is for contact discovery. Is there an
explanation somewhere?
21. Jan 2016 17:02 by ***@gmail.com:
On Thu, Jan 21, 2016 at 6:56 PM, <***@tuta.io> wrote:
What information about my contacts does the
Signal server collect? Here's my
understanding of the process: I create an
account with my number, which is stored as a
hash on the Signal server. A friend installs
Signal, and the Signal network scans his
contact list, encrypting it first. His
contacts' numbers are hashed and checked
against the server to find any matches. The
server sees my number hash in the server and
in his contact list, so I'm added to his
Signal contacts. Therefore, at no point does
the Signal server store anything but phone #
hashes.
Is this accurate? If not, would you please
explain or direct me to an explanation? I
was discussing this with someone, and they
warned me that if numbers are being hashed
in the server, they're easily crackable. He
said that modern GPUs can calculate up to
200 million hashes per second which means
they could have a complete hashtable of all
possible phone numbers in seconds.
https://whispersystems.org/blog/contact-discovery/
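Added illustration, not part of the thread or of any Signal code: it shows why a hash of a phone number hides little from whoever sees the token, since the space of possible inputs is small enough to enumerate. SHA-256, the `+1555010` block and the three contacts are constructed assumptions (the thread does not say which hash is used); the 200 million hashes per second figure is the one quoted above.

```python
import hashlib

GPU_RATE = 200_000_000  # hashes per second, the figure quoted in the thread


def token(number: str) -> str:
    """Contact-discovery token for a number (SHA-256 is an assumed stand-in)."""
    return hashlib.sha256(number.encode("ascii")).hexdigest()


def enumeration_seconds(free_digits: int, rate: int = GPU_RATE) -> float:
    """Seconds needed to hash every number with `free_digits` variable digits."""
    return 10 ** free_digits / rate


def build_table(prefix: str, free_digits: int) -> dict:
    """Map token -> number for every number under `prefix`."""
    table = {}
    for i in range(10 ** free_digits):
        number = f"{prefix}{i:0{free_digits}d}"
        table[token(number)] = number
    return table


def resolve(tokens: list, table: dict) -> list:
    """Look each observed token up; None means the number is outside the table."""
    return [table.get(t) for t in tokens]


# Constructed sample: a 10,000-number block and a three-entry contact list.
PREFIX = "+1555010"
CONTACTS = ["+15550100042", "+15550109999", "+15550201234"]
UPLOADED = [token(n) for n in CONTACTS]  # what would cross the wire

if __name__ == "__main__":
    table = build_table(PREFIX, 4)
    # The two contacts inside the block are recovered; the third is not.
    print(resolve(UPLOADED, table))
    # Full 10-digit subscriber space at the quoted hash rate.
    print(f"10 digits at {GPU_RATE:,} H/s: {enumeration_seconds(10):.0f} s")
```

Salting does not change the picture when the salt must be shared by every client, which is why the thread's discussion turns on the server not storing or logging the tokens rather than on the hash itself.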