Discussion:
[whispersystems] Secure?
Zach Queal
2016-02-09 00:58:24 UTC
Permalink
I simply don't understand how handing out my personal cell phone number to
every Tom, Dick, and Samantha who needs to contact me is considered
"secure." I've searched preferences and there seems to be no way to add an
alias to allow others to contact you via the alias instead of your phone
number -- or even your fingerprint. This seems entirely counterproductive,
here. I'm really interested to know how anyone could possibly praise Signal
for taking security seriously when I have to relinquish my right to keep my
phone number private to use your service?

Can anyone reasonably explain this to me? If my identity is already
verified via Twilio, why do I *need* to relinquish it to others to be able
to communicate? This is what fingerprints are for. Again, it feels entirely
counterproductive and laughably insecure. I'm opting to use horrendously
insecure applications such as Telegram and their clusterfuck of MTProto
instead of Signal because of this serious privacy issue.
Nathan of Guardian
2016-02-09 01:18:53 UTC
Permalink
Post by Zach Queal
I simply don't understand how handing out my personal cell phone number to
every Tom, Dick, and Samantha who needs to contact me is considered
"secure." I've searched preferences and there seems to be no way to add an
alias to allow others to contact you via the alias instead of your phone
number -- or even your fingerprint. This seems entirely
counterproductive,
here. I'm really interested to know how anyone could possibly praise Signal
for taking security seriously when I have to relinquish my right to keep my
phone number private to use your service?
Can anyone reasonably explain this to me? If my identity is already
verified via Twilio, why do I *need* to relinquish it to others to be able
to communicate? This is what fingerprints are for. Again, it feels entirely
counterproductive and laughably insecure. I'm opting to use horrendously
insecure applications such as Telegram and their clusterfuck of MTProto
instead of Signal because of this serious privacy issue.
I generally agree, but do want to point out that you can use a virtual
phone number with Signal, such as a Google Voice number, SkypeIn, DDIWW
or any other kind that will work with the Twilio authentication. Heck
you might even be able to use a payphone booth number, if you can find
one, as I think you just need to be able to receive calls and not SMS.
--
Nathan of Guardian
***@guardianproject.info
Alexander Kayumov
2016-02-09 01:53:31 UTC
Permalink
Boskote
2016-02-09 02:08:36 UTC
Permalink
On 8 February 2016 at 20:18, Nathan of Guardian
Post by Zach Queal
I simply don't understand how handing out my personal cell phone
number
Post by Zach Queal
to
every Tom, Dick, and Samantha who needs to contact me is considered
"secure." I've searched preferences and there seems to be no way
to add
Post by Zach Queal
an
alias to allow others to contact you via the alias instead of your
phone
Post by Zach Queal
number -- or even your fingerprint. This seems entirely
counterproductive,
here. I'm really interested to know how anyone could possibly praise
Signal
for taking security seriously when I have to relinquish my right
to keep
Post by Zach Queal
my
phone number private to use your service?
Can anyone reasonably explain this to me? If my identity is already
verified via Twilio, why do I *need* to relinquish it to others to be
able
to communicate? This is what fingerprints are for. Again, it feels
entirely
counterproductive and laughably insecure. I'm opting to use
horrendously
Post by Zach Queal
insecure applications such as Telegram and their clusterfuck of
MTProto
Post by Zach Queal
instead of Signal because of this serious privacy issue.
I generally agree, but do want to point out that you can use a virtual
phone number with Signal, such as a Google Voice number, SkypeIn, DDIWW
or any other kind that will work with the Twilio authentication. Heck
you might even be able to use a payphone booth number, if you can find
one, as I think you just need to be able to receive calls and not SMS.


Yes, the design choice to identify Signal accounts with phone numbers
has the disadvantage of making registration more inconvenient for the
anonymity-conscious users who do not want to be identified with the same
phone number that they are already using on their phone. However, this
design choice also makes registration and use more convenient for most
users, who have no problem having their Signal account identified with
the phone on which they are using Signal (it also allows contact
discovery through the semi-autonomous social graph of phone contact
lists!). As with many other design choices, OWS is prioritizing the ease
of use for the most common use cases at the expense of ease of use or
customization available to less common use cases such as those who want
a more anonymous ID. I think that it is completely fair that those of us
who are sometimes prioritizing our anonymity have to do a little extra
work to make things work the way we want them to.

And to continue with the same point being made by Nathan, getting a more
anonymous phone number is not that difficult - you can do a lot with a
vpn and a prepaid credit card. I highly recommend voip.ms, and there is
even a guide that someone has already written on exactly this
subject:https://yawnbox.com/index.php/2015/03/14/create-an-anonymous-textsecure-and-redphone-phone-number/
good luck. adelante,

Boskote
Noir
2016-02-09 15:48:33 UTC
Permalink
Hello everyone!

I want to add another point of view.

I'm fully aware that I could use any telephone number which I have
access to as an identifier for Signal. This protects me from scenarios
which Nathan from Guardian pointed out.

In this world, most people are not aware that they have responsibility
not only about the data of their own but also the data of others that
have been entrusted to them. With other words: It's out of my control
what someone is doing on their smartphone. I'm also aware that it's not
possible to protect the content of conversations if one side is
compromised. I'm also screwed if a targeted attack happens. But this is
not my point.

The problem is that a telephone number is still an identifier. It's an
unique number which I'm supposed to give to anyone I want to communicate
with.

If we look at the current Signal market share it's very likely that most
of my contacts are using other services like Whatsapp to communicate. We
all know that Whatsapp uploads and processes all contacts of the user.
When we make the assumption that every contact in my database also has
my number in their database we come to the conclusion that Whatsapp
still knows a very big part of my contacts. This scenario doesn't
require some kind of targeted attack. It doesn't require some
sophisticated new experimental algorithm. Whatsapp belongs to Facebook
and Facebook is a social network. And creating a network of persons to
find patterns is one of the very core functionalities of social
networks. It's almost the same with all other widespread apps like
Google services and such.

So what can I do about this at the moment? I can install Signal only
once and this installation is tied to a specific identifier. Alternating
between different identifiers would mean to swap the whole installation
including app data which is hacky, error prone and very inconvenient.
Another option is using more that one phone to separate the identifiers.
I'm actually using two phones for another reason but this is already
very inconvenient. Other options are like virtualization and such.

I hope you got my point.

So my suggestion is: Make it possible for every user to create (and
destroy) an unlimited number of aliases.

Cheers
Noir
Post by Boskote
On 8 February 2016 at 20:18, Nathan of Guardian
Post by Zach Queal
I simply don't understand how handing out my personal cell phone
number
Post by Zach Queal
to
every Tom, Dick, and Samantha who needs to contact me is considered
"secure." I've searched preferences and there seems to be no way
to add
Post by Zach Queal
an
alias to allow others to contact you via the alias instead of
your phone
Post by Zach Queal
number -- or even your fingerprint. This seems entirely
counterproductive,
here. I'm really interested to know how anyone could possibly praise
Signal
for taking security seriously when I have to relinquish my right
to keep
Post by Zach Queal
my
phone number private to use your service?
Can anyone reasonably explain this to me? If my identity is already
verified via Twilio, why do I *need* to relinquish it to others
to be
Post by Zach Queal
able
to communicate? This is what fingerprints are for. Again, it feels
entirely
counterproductive and laughably insecure. I'm opting to use
horrendously
Post by Zach Queal
insecure applications such as Telegram and their clusterfuck of
MTProto
Post by Zach Queal
instead of Signal because of this serious privacy issue.
I generally agree, but do want to point out that you can use a virtual
phone number with Signal, such as a Google Voice number, SkypeIn, DDIWW
or any other kind that will work with the Twilio authentication. Heck
you might even be able to use a payphone booth number, if you can find
one, as I think you just need to be able to receive calls and not SMS.
Yes, the design choice to identify Signal accounts with phone numbers
has the disadvantage of making registration more inconvenient for the
anonymity-conscious users who do not want to be identified with the
same phone number that they are already using on their phone. However,
this design choice also makes registration and use more convenient for
most users, who have no problem having their Signal account identified
with the phone on which they are using Signal (it also allows contact
discovery through the semi-autonomous social graph of phone contact
lists!). As with many other design choices, OWS is prioritizing the
ease of use for the most common use cases at the expense of ease of
use or customization available to less common use cases such as those
who want a more anonymous ID. I think that it is completely fair that
those of us who are sometimes prioritizing our anonymity have to do a
little extra work to make things work the way we want them to.
And to continue with the same point being made by Nathan, getting a
more anonymous phone number is not that difficult - you can do a lot
with a vpn and a prepaid credit card. I highly recommend voip.ms, and
there is even a guide that someone has already written on exactly this
subject:<https://yawnbox.com/index.php/2015/03/14/create-an-anonymous-textsecure-and-redphone-phone-number/>https://yawnbox.com/index.php/2015/03/14/create-an-anonymous-textsecure-and-redphone-phone-number/
good luck. adelante,
Boskote
Tim Harman
2016-02-09 09:09:43 UTC
Permalink
Secure != Anonymous.

You are confusing the two.
I simply don't understand how handing out my personal cell phone number to every Tom, Dick, and Samantha who needs to contact me is considered "secure." I've searched preferences and there seems to be no way to add an alias to allow others to contact you via the alias instead of your phone number -- or even your fingerprint. This seems entirely counterproductive, here. I'm really interested to know how anyone could possibly praise Signal for taking security seriously when I have to relinquish my right to keep my phone number private to use your service?
Can anyone reasonably explain this to me? If my identity is already verified via Twilio, why do I *need* to relinquish it to others to be able to communicate? This is what fingerprints are for. Again, it feels entirely counterproductive and laughably insecure. I'm opting to use horrendously insecure applications such as Telegram and their clusterfuck of MTProto instead of Signal because of this serious privacy issue.
Xavier Lebrun
2016-02-09 09:47:51 UTC
Permalink
signal textsecure protect the content of messages

signal redphone server (calls) is not open source so we are not sure what
it does

signal apps does not protects identity nor metadata. we just have to trust
about what they do.
as a cenralised service this can be counterproductive in terms of security.

texsecure and redphone are supposed to be federation enabled
but there is no efforts to develop this federated aspect

based on that decided if it is ok for you or not.

at signals is to be compared with whatsapp or Facebook messenger or viber.
not with xmpp + tor (chatsecure, conversations, xabber, freelab messenger)
Post by Tim Harman
Secure != Anonymous.
You are confusing the two.
I simply don't understand how handing out my personal cell phone number to
every Tom, Dick, and Samantha who needs to contact me is considered
"secure." I've searched preferences and there seems to be no way to add an
alias to allow others to contact you via the alias instead of your phone
number -- or even your fingerprint. This seems entirely counterproductive,
here. I'm really interested to know how anyone could possibly praise Signal
for taking security seriously when I have to relinquish my right to keep my
phone number private to use your service?
Can anyone reasonably explain this to me? If my identity is already
verified via Twilio, why do I *need* to relinquish it to others to be able
to communicate? This is what fingerprints are for. Again, it feels entirely
counterproductive and laughably insecure. I'm opting to use horrendously
insecure applications such as Telegram and their clusterfuck of MTProto
instead of Signal because of this serious privacy issue.
Sam Lanning
2016-02-09 18:22:59 UTC
Permalink
On 9 Feb 2016 5:51 p.m., "TiagoTiago" <
It is not possible to study the crypto used by the redphone part of
client to verify it shouldn't be possible to eavesdrop?

It is possible yes. We can verify redphone / signal calls are secure by
only inspecting the client code.
And btw, is anything sent between the client and the server (in either
direction) sent in plain-text (using vulnerable crypt, which is almost the
same thing)?

Anything that is not encrypted e2e between devices (e.g. message metadata,
contact discovery etc...) is encrypted between the server and the phone. So
only someone who has compromised the server can eavesdrop.

Sam.
Post by Xavier Lebrun
signal textsecure protect the content of messages
signal redphone server (calls) is not open source so we are not sure
what it does
Post by Xavier Lebrun
signal apps does not protects identity nor metadata. we just have to
trust about what they do.
Post by Xavier Lebrun
as a cenralised service this can be counterproductive in terms of security.
texsecure and redphone are supposed to be federation enabled
but there is no efforts to develop this federated aspect
based on that decided if it is ok for you or not.
at signals is to be compared with whatsapp or Facebook messenger or viber.
not with xmpp + tor (chatsecure, conversations, xabber, freelab messenger)
Post by Tim Harman
Secure != Anonymous.
You are confusing the two.
Post by Zach Queal
I simply don't understand how handing out my personal cell phone
number to every Tom, Dick, and Samantha who needs to contact me is
considered "secure." I've searched preferences and there seems to be no way
to add an alias to allow others to contact you via the alias instead of
your phone number -- or even your fingerprint. This seems entirely
counterproductive, here. I'm really interested to know how anyone could
possibly praise Signal for taking security seriously when I have to
relinquish my right to keep my phone number private to use your service?
Post by Xavier Lebrun
Post by Tim Harman
Post by Zach Queal
Can anyone reasonably explain this to me? If my identity is already
verified via Twilio, why do I *need* to relinquish it to others to be able
to communicate? This is what fingerprints are for. Again, it feels entirely
counterproductive and laughably insecure. I'm opting to use horrendously
insecure applications such as Telegram and their clusterfuck of MTProto
instead of Signal because of this serious privacy issue.
Sam Lanning
2016-02-09 20:32:38 UTC
Permalink
At least that is my understanding... I would be very surprised if that were
not the case, but feel free, anyone, to correct me if I am mistaken.

Sam.
On 9 Feb 2016 7:02 p.m., "TiagoTiago" <
That's a little less concerning, thanx.
Post by Sam Lanning
On 9 Feb 2016 5:51 p.m., "TiagoTiago" <
It is not possible to study the crypto used by the redphone part of
client to verify it shouldn't be possible to eavesdrop?
It is possible yes. We can verify redphone / signal calls are secure by
only inspecting the client code.
And btw, is anything sent between the client and the server (in either
direction) sent in plain-text (or using vulnerable crypto, which is almost
the same thing)?
Anything that is not encrypted e2e between devices (e.g. message
metadata, contact discovery etc...) is encrypted between the server and the
phone. So only someone who has compromised the server can eavesdrop.
Sam.
Post by Xavier Lebrun
signal textsecure protect the content of messages
signal redphone server (calls) is not open source so we are not sure
what it does
Post by Xavier Lebrun
signal apps does not protects identity nor metadata. we just have to
trust about what they do.
Post by Xavier Lebrun
as a cenralised service this can be counterproductive in terms of
security.
Post by Xavier Lebrun
texsecure and redphone are supposed to be federation enabled
but there is no efforts to develop this federated aspect
based on that decided if it is ok for you or not.
at signals is to be compared with whatsapp or Facebook messenger or
viber.
Post by Xavier Lebrun
not with xmpp + tor (chatsecure, conversations, xabber, freelab
messenger)
Post by Xavier Lebrun
Post by Tim Harman
Secure != Anonymous.
You are confusing the two.
Post by Zach Queal
I simply don't understand how handing out my personal cell phone
number to every Tom, Dick, and Samantha who needs to contact me is
considered "secure." I've searched preferences and there seems to be no way
to add an alias to allow others to contact you via the alias instead of
your phone number -- or even your fingerprint. This seems entirely
counterproductive, here. I'm really interested to know how anyone could
possibly praise Signal for taking security seriously when I have to
relinquish my right to keep my phone number private to use your service?
Post by Xavier Lebrun
Post by Tim Harman
Post by Zach Queal
Can anyone reasonably explain this to me? If my identity is already
verified via Twilio, why do I *need* to relinquish it to others to be able
to communicate? This is what fingerprints are for. Again, it feels entirely
counterproductive and laughably insecure. I'm opting to use horrendously
insecure applications such as Telegram and their clusterfuck of MTProto
instead of Signal because of this serious privacy issue.
Nathan of Guardian
2016-02-09 14:22:42 UTC
Permalink
Post by Tim Harman
Secure != Anonymous.
You are confusing the two.
Not wanting to hand out your actual mobile number tied to your mobile
operator, real name identity, banking info and phone IMEI is not about
being anonymous. It is about protecting what should be considered
sensitive information. Somehow the humble mobile phone number has become
the globally unique identifier we are all assigned, and is the primary
mechanism for tracking someone on the planet.

It is true that for people who are already using WhatsApp, Viber,
iMessage or plain old text messaging, this is not an issue. They are
used to this idea, and it has created truly seamless and powerful user
experiences. Instant, free global messaging and calling is empowering.

However for anyone who even dabbles in being outspoken publicly
(activist, journalist, organizer, politician, popular personality) it is
a big problem. Having your mobile phone number be your public identifier
can lead to at the least prank calls and spam, and at worse death
threats and targeted mobile malware attacks. Simply by having your phone
number appear on someone else's phone who is arrested or detained or
even just appear on a controversial website or press release, puts you
on a short list of who to target next. This is not hypothetical. I have
seen things you wouldn't believe... If this isn't your world, then count
yourself lucky, but please don't categorize this as "anonymity".

Still, I love Signal, and use it as great solution for opportunistic /
serendipitous encryption with people I have never communicated with
before, or people I would be comfortable sharing my phone number with
like family, close friends and colleagues. Everytime i type in a new
number to text and the secure icon pops up is a total joy. It is the
best solution to ensure the *contents* of what you write and say is kept
confidential. Nothing more, nothing less.

+n
--
Nathan of Guardian
***@guardianproject.info
Tim Harman
2016-02-09 17:43:58 UTC
Permalink
My statement was simply trying to say "Signal does not make ANY attempt
to hide/mask your identity, only the content of your messages" - The
exact statement you make towards the end of your comments.

If you wish to be pedantic then yes, "hide/mask your identity/dissociate
you from your mobile number" doesn't match the definition of Anonymous.
There are ways to do this (as has been discussed many times), but that
is left as an exercise for the user.

Tim
Post by Nathan of Guardian
Post by Tim Harman
Secure != Anonymous.
You are confusing the two.
Not wanting to hand out your actual mobile number tied to your mobile
operator, real name identity, banking info and phone IMEI is not about
being anonymous. It is about protecting what should be considered
sensitive information. Somehow the humble mobile phone number has become
the globally unique identifier we are all assigned, and is the primary
mechanism for tracking someone on the planet.
It is true that for people who are already using WhatsApp, Viber,
iMessage or plain old text messaging, this is not an issue. They are
used to this idea, and it has created truly seamless and powerful user
experiences. Instant, free global messaging and calling is empowering.
However for anyone who even dabbles in being outspoken publicly
(activist, journalist, organizer, politician, popular personality) it is
a big problem. Having your mobile phone number be your public identifier
can lead to at the least prank calls and spam, and at worse death
threats and targeted mobile malware attacks. Simply by having your phone
number appear on someone else's phone who is arrested or detained or
even just appear on a controversial website or press release, puts you
on a short list of who to target next. This is not hypothetical. I have
seen things you wouldn't believe... If this isn't your world, then count
yourself lucky, but please don't categorize this as "anonymity".
Still, I love Signal, and use it as great solution for opportunistic /
serendipitous encryption with people I have never communicated with
before, or people I would be comfortable sharing my phone number with
like family, close friends and colleagues. Everytime i type in a new
number to text and the secure icon pops up is a total joy. It is the
best solution to ensure the *contents* of what you write and say is kept
confidential. Nothing more, nothing less.
+n
Xavier Lebrun
2016-02-09 17:45:10 UTC
Permalink
answer is simple

if you want im with encription with no phone numer
you have to go for standard xmpp... or fork signal

this is not actual signal philosophy
Post by Nathan of Guardian
Post by Tim Harman
Secure != Anonymous.
You are confusing the two.
Not wanting to hand out your actual mobile number tied to your mobile
operator, real name identity, banking info and phone IMEI is not about
being anonymous. It is about protecting what should be considered
sensitive information. Somehow the humble mobile phone number has become
the globally unique identifier we are all assigned, and is the primary
mechanism for tracking someone on the planet.
It is true that for people who are already using WhatsApp, Viber,
iMessage or plain old text messaging, this is not an issue. They are
used to this idea, and it has created truly seamless and powerful user
experiences. Instant, free global messaging and calling is empowering.
However for anyone who even dabbles in being outspoken publicly
(activist, journalist, organizer, politician, popular personality) it is
a big problem. Having your mobile phone number be your public identifier
can lead to at the least prank calls and spam, and at worse death
threats and targeted mobile malware attacks. Simply by having your phone
number appear on someone else's phone who is arrested or detained or
even just appear on a controversial website or press release, puts you
on a short list of who to target next. This is not hypothetical. I have
seen things you wouldn't believe... If this isn't your world, then count
yourself lucky, but please don't categorize this as "anonymity".
Still, I love Signal, and use it as great solution for opportunistic /
serendipitous encryption with people I have never communicated with
before, or people I would be comfortable sharing my phone number with
like family, close friends and colleagues. Everytime i type in a new
number to text and the secure icon pops up is a total joy. It is the
best solution to ensure the *contents* of what you write and say is kept
confidential. Nothing more, nothing less.
+n
--
Nathan of Guardian
Boskote
2016-02-10 22:42:05 UTC
Permalink
Hello Noir,

I have been thinking about your proposal for multiple aliases and why
you think it is important. I agree with most of what you are saying,
though I don't think that phone numbers as identifiers (as opposed to
aliases) is precisely the problem. If I understand correctly, the change
in the Signal client that would provide the functionality you seek
(without changing the current phone number ID system) is to allow
multiple phone numbers to be registered through a single client. In this
case, "deleting" the IDs would be accomplished through the same options
that are currently available for unregistering a number from the
servers. Even though I think it is a good idea, and involves less
changes than there would be from switching away from phone number IDs, I
also think it still introduces the kind of complexity into the app that
OWS seems pretty committed to avoiding.

So is there another way to provide the functionality using the current
Signal client? You mention three options that do not work well:
reinstallation, multiple phones, or virtualization (I'm not sure how
this last one would work). Of these three, I think multiple phones is
most reasonable. I can see how carrying two phones is tricky (I have
also had to do it in the past!), but it wouldn't always be necessary. If
the "secondary" phone number were a voip number, the regular calls and
texts could be forwarded to the primary phone. Then the secondary
installation of Signal could be done on any phone (borrowed from a
friend who does not want to use Signal, for example) and then synced to
Signal Desktop on a computer you use regularly. From what I have read
about Signal Desktop, it seems as though it should then be possible to
uninstall Signal on the borrowed phone and keep using it on the desktop
but I haven't tested it yet so I'm not sure (can anyone confirm this?).
To provide further parallel Signal account usage, it should be easy on
most computers to have Chrome running alongside Chromium, and each could
have an installation of Signal Desktop running on a different number.

I didn't think of it before, but there is actually a better option for
parallel usage on a phone! Starting with lollipop, user accounts are a
default feature of Android, and each user account has completely
independent apps installed. Each user account could have its own Signal,
each one registered with a different number. The major downside to this
would be a lack of notifications on whichever account(s) are not
currently active. As far as I know there is no way to do cross user
account notifications in Android (and I can imagine good reasons why
this should not be possible). Though if the messages coming through on
the non-primary Signal account are not urgent, then it could be feasible
to periodically check the other accounts to see if any messages have
arrived. Combined with the voip forwarding and Signal Desktop options
above, this setup could be useful for a lot of situations. For example,
it becomes possible to have different Signal numbers affiliated with
pseudonyms for use in situations where you do not want to be connected
to a phone number that is already very integrated with other aspects of
your identity (as Nathan described).

Finally, another permutation that I'm not able to test, but I'm curious
to find out how it will work: does anyone know if Signal Desktop will
run on Chrome in Android? Or iOS for that matter? I'm pretty sure this
is not what OWS intends with Signal Desktop, so I wouldn't be surprised
it does not work well or at all, but for anyone who really needs two
Signal numbers running on the same phone, it could be worth testing.
adelante,

Boskote
Post by Noir
Hello everyone!
I want to add another point of view.
I'm fully aware that I could use any telephone number which I have
access to as an identifier for Signal. This protects me from scenarios
which Nathan from Guardian pointed out.
Post by Noir
In this world, most people are not aware that they have responsibility
not only about the data of their own but also the data of others that
have been entrusted to them. With other words: It's out of my control
what someone is doing on their smartphone. I'm also aware that it's not
possible to protect the content of conversations if one side is
compromised. I'm also screwed if a targeted attack happens. But this is
not my point.
Post by Noir
The problem is that a telephone number is still an identifier. It's an
unique number which I'm supposed to give to anyone I want to communicate
with.
Post by Noir
If we look at the current Signal market share it's very likely that
most of my contacts are using other services like Whatsapp to
communicate. We all know that Whatsapp uploads and processes all
contacts of the user. When we make the assumption that every contact in
my database also has my number in their database we come to the
conclusion that Whatsapp still knows a very big part of my contacts.
This scenario doesn't require some kind of targeted attack. It doesn't
require some sophisticated new experimental algorithm. Whatsapp belongs
to Facebook and Facebook is a social network. And creating a network of
persons to find patterns is one of the very core functionalities of
social networks. It's almost the same with all other widespread apps
like Google services and such.
Post by Noir
So what can I do about this at the moment? I can install Signal only
once and this installation is tied to a specific identifier. Alternating
between different identifiers would mean to swap the whole installation
including app data which is hacky, error prone and very inconvenient.
Another option is using more that one phone to separate the identifiers.
I'm actually using two phones for another reason but this is already
very inconvenient. Other options are like virtualization and such.
Post by Noir
I hope you got my point.
So my suggestion is: Make it possible for every user to create (and
destroy) an unlimited number of aliases.
Post by Noir
Cheers
Noir
On 8 February 2016 at 20:18, Nathan of Guardian
Post by Nathan of Guardian
Post by Zach Queal
I simply don't understand how handing out my personal cell phone number
to
every Tom, Dick, and Samantha who needs to contact me is considered
"secure." I've searched preferences and there seems to be no way to add
an
alias to allow others to contact you via the alias instead of your
phone
Post by Noir
Post by Nathan of Guardian
Post by Zach Queal
number -- or even your fingerprint. This seems entirely
counterproductive,
here. I'm really interested to know how anyone could possibly praise
Signal
for taking security seriously when I have to relinquish my right to
keep
Post by Noir
Post by Nathan of Guardian
Post by Zach Queal
my
phone number private to use your service?
Can anyone reasonably explain this to me? If my identity is already
verified via Twilio, why do I *need* to relinquish it to others to be
able
to communicate? This is what fingerprints are for. Again, it feels
entirely
counterproductive and laughably insecure. I'm opting to use
horrendously
Post by Noir
Post by Nathan of Guardian
Post by Zach Queal
insecure applications such as Telegram and their clusterfuck of MTProto
instead of Signal because of this serious privacy issue.
I generally agree, but do want to point out that you can use a virtual
phone number with Signal, such as a Google Voice number, SkypeIn, DDIWW
or any other kind that will work with the Twilio authentication. Heck
you might even be able to use a payphone booth number, if you can find
one, as I think you just need to be able to receive calls and not SMS.
Yes, the design choice to identify Signal accounts with phone numbers
has the disadvantage of making registration more inconvenient for the
anonymity-conscious users who do not want to be identified with the same
phone number that they are already using on their phone. However, this
design choice also makes registration and use more convenient for most
users, who have no problem having their Signal account identified with
the phone on which they are using Signal (it also allows contact
discovery through the semi-autonomous social graph of phone contact
lists!). As with many other design choices, OWS is prioritizing the ease
of use for the most common use cases at the expense of ease of use or
customization available to less common use cases such as those who want
a more anonymous ID. I think that it is completely fair that those of us
who are sometimes prioritizing our anonymity have to do a little extra
work to make things work the way we want them to.
Post by Noir
And to continue with the same point being made by Nathan, getting a
more anonymous phone number is not that difficult - you can do a lot
with a vpn and a prepaid credit card. I highly recommend voip.ms, and
there is even a guide that someone has already written on exactly this
subject:https://yawnbox.com/index.php/2015/03/14/create-an-anonymous-textsecure-and-redphone-phone-number/
good luck. adelante,
Post by Noir
Boskote
"Ahmad Youssef" (via whispersystems Mailing List)
2016-02-11 14:03:08 UTC
Permalink
Hello Boskote,

Thank you and all others for their informative replies.
Post by Boskote
From what I have read
about Signal Desktop, it seems as though it should then be possible to
uninstall Signal on the borrowed phone and keep using it on the desktop
but I haven't tested it yet so I'm not sure (can anyone confirm this?).
AFAIK, no.
https://lists.riseup.net/www/arc/whispersystems/2016-01/msg00225.html
Post by Boskote
Hello Noir,
I have been thinking about your proposal for multiple aliases and why
you think it is important. I agree with most of what you are saying,
though I don't think that phone numbers as identifiers (as opposed to
aliases) is precisely the problem. If I understand correctly, the change
in the Signal client that would provide the functionality you seek
(without changing the current phone number ID system) is to allow
multiple phone numbers to be registered through a single client. In this
case, "deleting" the IDs would be accomplished through the same options
that are currently available for unregistering a number from the
servers. Even though I think it is a good idea, and involves less
changes than there would be from switching away from phone number IDs, I
also think it still introduces the kind of complexity into the app that
OWS seems pretty committed to avoiding.
So is there another way to provide the functionality using the current
reinstallation, multiple phones, or virtualization (I'm not sure how
this last one would work). Of these three, I think multiple phones is
most reasonable. I can see how carrying two phones is tricky (I have
also had to do it in the past!), but it wouldn't always be necessary. If
the "secondary" phone number were a voip number, the regular calls and
texts could be forwarded to the primary phone. Then the secondary
installation of Signal could be done on any phone (borrowed from a
friend who does not want to use Signal, for example) and then synced to
Signal Desktop on a computer you use regularly. From what I have read
about Signal Desktop, it seems as though it should then be possible to
uninstall Signal on the borrowed phone and keep using it on the desktop
but I haven't tested it yet so I'm not sure (can anyone confirm this?).
To provide further parallel Signal account usage, it should be easy on
most computers to have Chrome running alongside Chromium, and each could
have an installation of Signal Desktop running on a different number.
I didn't think of it before, but there is actually a better option for
parallel usage on a phone! Starting with lollipop, user accounts are a
default feature of Android, and each user account has completely
independent apps installed. Each user account could have its own Signal,
each one registered with a different number. The major downside to this
would be a lack of notifications on whichever account(s) are not
currently active. As far as I know there is no way to do cross user
account notifications in Android (and I can imagine good reasons why
this should not be possible). Though if the messages coming through on
the non-primary Signal account are not urgent, then it could be feasible
to periodically check the other accounts to see if any messages have
arrived. Combined with the voip forwarding and Signal Desktop options
above, this setup could be useful for a lot of situations. For example,
it becomes possible to have different Signal numbers affiliated with
pseudonyms for use in situations where you do not want to be connected
to a phone number that is already very integrated with other aspects of
your identity (as Nathan described).
Finally, another permutation that I'm not able to test, but I'm curious
to find out how it will work: does anyone know if Signal Desktop will
run on Chrome in Android? Or iOS for that matter? I'm pretty sure this
is not what OWS intends with Signal Desktop, so I wouldn't be surprised
it does not work well or at all, but for anyone who really needs two
Signal numbers running on the same phone, it could be worth testing.
adelante,
Boskote
Post by Noir
Hello everyone!
I want to add another point of view.
I'm fully aware that I could use any telephone number which I have
access to as an identifier for Signal. This protects me from scenarios
which Nathan from Guardian pointed out.
Post by Noir
In this world, most people are not aware that they have responsibility
not only about the data of their own but also the data of others that
have been entrusted to them. With other words: It's out of my control
what someone is doing on their smartphone. I'm also aware that it's not
possible to protect the content of conversations if one side is
compromised. I'm also screwed if a targeted attack happens. But this is
not my point.
Post by Noir
The problem is that a telephone number is still an identifier. It's an
unique number which I'm supposed to give to anyone I want to communicate
with.
Post by Noir
If we look at the current Signal market share it's very likely that
most of my contacts are using other services like Whatsapp to
communicate. We all know that Whatsapp uploads and processes all
contacts of the user. When we make the assumption that every contact in
my database also has my number in their database we come to the
conclusion that Whatsapp still knows a very big part of my contacts.
This scenario doesn't require some kind of targeted attack. It doesn't
require some sophisticated new experimental algorithm. Whatsapp belongs
to Facebook and Facebook is a social network. And creating a network of
persons to find patterns is one of the very core functionalities of
social networks. It's almost the same with all other widespread apps
like Google services and such.
Post by Noir
So what can I do about this at the moment? I can install Signal only
once and this installation is tied to a specific identifier. Alternating
between different identifiers would mean to swap the whole installation
including app data which is hacky, error prone and very inconvenient.
Another option is using more that one phone to separate the identifiers.
I'm actually using two phones for another reason but this is already
very inconvenient. Other options are like virtualization and such.
Post by Noir
I hope you got my point.
So my suggestion is: Make it possible for every user to create (and
destroy) an unlimited number of aliases.
Post by Noir
Cheers
Noir
On 8 February 2016 at 20:18, Nathan of Guardian
Post by Nathan of Guardian
Post by Zach Queal
I simply don't understand how handing out my personal cell phone number
to
every Tom, Dick, and Samantha who needs to contact me is considered
"secure." I've searched preferences and there seems to be no way to add
an
alias to allow others to contact you via the alias instead of your
phone
Post by Noir
Post by Nathan of Guardian
Post by Zach Queal
number -- or even your fingerprint. This seems entirely
counterproductive,
here. I'm really interested to know how anyone could possibly praise
Signal
for taking security seriously when I have to relinquish my right to
keep
Post by Noir
Post by Nathan of Guardian
Post by Zach Queal
my
phone number private to use your service?
Can anyone reasonably explain this to me? If my identity is already
verified via Twilio, why do I *need* to relinquish it to others to be
able
to communicate? This is what fingerprints are for. Again, it feels
entirely
counterproductive and laughably insecure. I'm opting to use
horrendously
Post by Noir
Post by Nathan of Guardian
Post by Zach Queal
insecure applications such as Telegram and their clusterfuck of MTProto
instead of Signal because of this serious privacy issue.
I generally agree, but do want to point out that you can use a virtual
phone number with Signal, such as a Google Voice number, SkypeIn, DDIWW
or any other kind that will work with the Twilio authentication. Heck
you might even be able to use a payphone booth number, if you can find
one, as I think you just need to be able to receive calls and not SMS.
Yes, the design choice to identify Signal accounts with phone numbers
has the disadvantage of making registration more inconvenient for the
anonymity-conscious users who do not want to be identified with the same
phone number that they are already using on their phone. However, this
design choice also makes registration and use more convenient for most
users, who have no problem having their Signal account identified with
the phone on which they are using Signal (it also allows contact
discovery through the semi-autonomous social graph of phone contact
lists!). As with many other design choices, OWS is prioritizing the ease
of use for the most common use cases at the expense of ease of use or
customization available to less common use cases such as those who want
a more anonymous ID. I think that it is completely fair that those of us
who are sometimes prioritizing our anonymity have to do a little extra
work to make things work the way we want them to.
Post by Noir
And to continue with the same point being made by Nathan, getting a
more anonymous phone number is not that difficult - you can do a lot
with a vpn and a prepaid credit card. I highly recommend voip.ms, and
there is even a guide that someone has already written on exactly this
subject:https://yawnbox.com/index.php/2015/03/14/create-an-anonymous-textsecure-and-redphone-phone-number/
good luck. adelante,
Post by Noir
Boskote
--
/Regards/,
/Ahmad/
Stephan Klötzli
2016-02-11 14:59:01 UTC
Permalink
Hi,

I've been following this conversation cosely, and I have to admit I
don't quite get it.

The phone number is a fine way of automatically finding and connecting
Alice and Bob as long as their respective #s are in each other's
contacts. This is the most common use case and ensures
noob-friendliness, no problem with that.

If, however, Bob's # isn't in Alice's contacts, they can not currently
communicate using Signal. The solution is either
(a) Bob gives Alice his # (current behaviour) or
(b) Bob gives Alice the Signal alias he wishes her to use (preferred
behaviour).
In either case, automatic discovery as in my second sentence is broken.
In the second case, Bob's privacy is safer, but we run into a problem
I've encountered in e.g. Telegram: multiple users with the same alias
(i.e. broken search). This is solved by only allowing aliases to be
registered once. While I don't think they're strictly necessary and add
some complexity, screen names could then be used to get rid of the
resulting jake_29438's ugliness.

Manual discovery should happen through the same search box that's used
to find people in the local contacts ('+' in top-right). The request is
only sent out after the user hits the enter key (no "polling" after
every character), automatically rate-limiting this mechanism and
providing privacy to all other users (you have to specifically search
for one person and don't get endless lists of (so-far) matching aliases
after every keystroke like in Telegram).

I honestly do not see the supposed user-facing complexity that has kept
this from being implemented (if it's more of a resource shortage, my bad).

As long as Signal can only be used in combination with a phone number, I
do not believe it can be marketed as any more privacy-conscious than the
plethora of "private" messengers out there. Such as it is, Signal is a
nice maths exercise and UI/X study, not a tool for the democratization
of power. It is not (yet) an addition to the freedom fighter's toolkit.

With that, I can only thank all of you who developed it this far. Your
work is deeply appreciated.

Steve
Noir
2016-02-11 16:27:01 UTC
Permalink
Hi Stephan!
Post by Stephan Klötzli
(b) Bob gives Alice the Signal alias he wishes her to use (preferred
behaviour).
In either case, automatic discovery as in my second sentence is broken.
In the second case, Bob's privacy is safer, but we run into a problem
I've encountered in e.g. Telegram: multiple users with the same alias
(i.e. broken search). This is solved by only allowing aliases to be
registered once. While I don't think they're strictly necessary and add
some complexity, screen names could then be used to get rid of the
resulting jake_29438's ugliness.
I would not let the user chose the alias at all. An alphanumeric string
like you can see
in YouTube URLs would be sufficient and there would be no problem with
collisions
(frustration with name choosing) or manipulations (similar looking
aliases for example).
Post by Stephan Klötzli
Manual discovery should happen through the same search box that's used
to find people in the local contacts ('+' in top-right). The request is
only sent out after the user hits the enter key (no "polling" after
every character), automatically rate-limiting this mechanism and
providing privacy to all other users (you have to specifically search
for one person and don't get endless lists of (so-far) matching aliases
after every keystroke like in Telegram).
A user could just add a friendly name paired with the alias to the phone
contacts and
let Signal do the matching work. This would reduce the number of changes
required.
On the other hand the Signal alias is pretty useless in the contact list
since there
should be no usable information for other apps than Signal. This would
mean that
there must be an decoupled internal Signal contact list. However in In
my opinion
there's no need for an alias search function. The scan of a QR code or
manual input
of the alias should be sufficient and would require less changes on the
server side.

Cheers
Noir

Loading...