Privacy

34247 readers

1114 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS

What do you think about Session as a potential replacement for Signal? (getsession.org)

submitted 2 days ago* (last edited 2 days ago) by zdhzm2pgp@lemmy.ml to c/privacy@lemmy.ml

70 comments fedilink hide all child comments

Especially for the less tech-savvy among us?

you are viewing a single comment's thread
view the rest of the comments

[–] FauxLiving@lemmy.world 10 points 2 days ago (2 children)

easily extract metadata

That's a pretty big claim to make with zero additional information.

Since 2018, Signal has been encrypting the sender data with a key that isn't known to the server. Messages do not contain unencrypted metadata. I'm not sure how you expect the FBI to do this with the information available to the Signal servers.

[–] EngineerGaming -4 points 1 day ago (1 children)

I am pretty sure that if asked, the serverside protections can be circumvented - I think in one Github issue they even confessed that Sealed Sender is not bulletproof and is "best effort". I prefer to assume that if everything goes through a single server, and they know what and when each account does upon connecting - they can correlate the identities if they want to.

[–] FauxLiving@lemmy.world 4 points 1 day ago

I am pretty sure that if asked, the serverside protections can be circumvented

No, they literally cannot. The entire protocol is open sourced and has been audited many times over.

One of the fundamental things you assume when designing a cryptosystem is that the communication link between two parties is monitored. The server mostly exists as a tool to frustrate efforts by attackers that have network dominance (i.e. secret police in oppressive regimes) by not allowing signals intelligence to extract a social graph. All this hypothetical attacker can see is that everyone talks to a server so they can't know which two people are communicating.

The previous iteration, TextSecure, used SMS. Your cellular provider could easily know WHO you were talking to and WHEN each message was sent. So SMS was replaced with a server and the protocol was amended so that even the server has no way of gaining access to that information.

The sealed sender feature is something that the client does. It was best effort because, at the time, they still supported older clients and needed backwards compatibility. This is no longer the case.

[–] sunzu2@thebrainbin.org -5 points 2 days ago (1 children)

at role does the signal server play?

[–] FauxLiving@lemmy.world 1 points 1 day ago

at role does the signal server play?

If this is a question that you need answered then I'm ~~not~~ sure you're qualified to declare that Signal is insecure.