this post was submitted on 24 Feb 2025

17 points (61.6% liked)

Privacy

34247 readers

1028 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS

What do you think about Session as a potential replacement for Signal? (getsession.org)

submitted 2 days ago* (last edited 2 days ago) by zdhzm2pgp@lemmy.ml to c/privacy@lemmy.ml

69 comments fedilink hide all child comments

Especially for the less tech-savvy among us?

you are viewing a single comment's thread
view the rest of the comments

[–] chemicalwonka@discuss.tchncs.de 24 points 2 days ago (2 children)

first, why do you want to replace Signal?

[–] sunzu2@thebrainbin.org 1 points 2 days ago (2 children)

It is a centralized weak point that US feds can easily extract meta data from to obtain your social network etc

[–] doodledup@lemmy.world 10 points 1 day ago

A bigger weak point is having weak encryption like Session has. Also, you cannot obtain metadata from Signal. They've gone to great length to prevent that. Signal servers don't even know who is talking to whom.

[–] FauxLiving@lemmy.world 10 points 1 day ago (2 children)

easily extract metadata

That's a pretty big claim to make with zero additional information.

Since 2018, Signal has been encrypting the sender data with a key that isn't known to the server. Messages do not contain unencrypted metadata. I'm not sure how you expect the FBI to do this with the information available to the Signal servers.

[–] EngineerGaming -4 points 1 day ago (1 children)

I am pretty sure that if asked, the serverside protections can be circumvented - I think in one Github issue they even confessed that Sealed Sender is not bulletproof and is "best effort". I prefer to assume that if everything goes through a single server, and they know what and when each account does upon connecting - they can correlate the identities if they want to.

[–] FauxLiving@lemmy.world 4 points 1 day ago

I am pretty sure that if asked, the serverside protections can be circumvented

No, they literally cannot. The entire protocol is open sourced and has been audited many times over.

One of the fundamental things you assume when designing a cryptosystem is that the communication link between two parties is monitored. The server mostly exists as a tool to frustrate efforts by attackers that have network dominance (i.e. secret police in oppressive regimes) by not allowing signals intelligence to extract a social graph. All this hypothetical attacker can see is that everyone talks to a server so they can't know which two people are communicating.

The previous iteration, TextSecure, used SMS. Your cellular provider could easily know WHO you were talking to and WHEN each message was sent. So SMS was replaced with a server and the protocol was amended so that even the server has no way of gaining access to that information.

The sealed sender feature is something that the client does. It was best effort because, at the time, they still supported older clients and needed backwards compatibility. This is no longer the case.

[–] sunzu2@thebrainbin.org -5 points 1 day ago (1 children)

at role does the signal server play?

[–] FauxLiving@lemmy.world 1 points 1 day ago

at role does the signal server play?

If this is a question that you need answered then I'm ~~not~~ sure you're qualified to declare that Signal is insecure.

[–] eruchitanda@lemmy.world -5 points 1 day ago (1 children)

Because his grandma can't type a password 30 characters long just to restore her messages.

They are so smart and still make some choices that are so, so, *so dumb*. 'No history on a new PC for you, it's a ״feature״'. Seriously? c'mon.

[–] FauxLiving@lemmy.world 10 points 1 day ago (1 children)

History isn't stored on the server so it can't be automatically populated on a new device. That is a feature. The alternative, storing the messages on the server or having the means for one device to clone all of its messages to another device, would be insecure.

A 30 character long password is required in order to have enough bits of entropy so that the backed up messages are actually secure.

Grandma isn't moving her data to a new PC without assistance, the person that is assisting her should be competent enough to operate Signal.

[–] eruchitanda@lemmy.world -1 points 1 day ago (2 children)

Sure, so let me export my data from another PC or phone. If they wanted you to have message history, they would. So I'll respectfully disagree.

Why can she do WhatsApp but no Signal?

It's already needing to convince people to use Signal, why also making it hard for, let's say, your grandma.

[–] FauxLiving@lemmy.world 3 points 1 day ago

Sure, so let me export my data from another PC or phone. If they wanted you to have message history, they would. So I’ll respectfully disagree.

https://signal.miraheze.org/wiki/How_to_move_Signal_Desktop_message_history_to_another_computer_(or_during_an_OS_reinstall)

[–] Lyra_Lycan@lemmy.blahaj.zone 1 points 1 day ago

I use Matrix and this is possible via several encryption keys. They just probably cba. How Matrix E2EE works