As Signal get your phone number. Can we considerate this application as private ? What’s your thoughts about it ? I’m also using SimpleX, ElementX, Threema, but not much people using it…

Cheers

  • notarobot@lemmy.zip
    1·
    18 hours ago

    I did some quick googling and found this. I haven’t looked too much into it yet, but it doesn’t sound like such a bad reason on the surface, although I do suspect things should be better now

    From their website in the section titled “Privacy over convenience”

    One of the main considerations often ignored in security and privacy comparisons between messaging applications is multi-device access. For example, in Signal’s case, the Sesame protocol used to support multi-device access has the vulnerability that is explained in detail here:

    “We present an attack on the post-compromise security of the Signal messenger that allows to stealthily register a new device via the Sesame protocol. […] This new device can send and receive messages without raising any ‘Bad encrypted message’ errors. Our attack thus shows that the Signal messenger does not guarantee post-compromise security at all in the multi-device setting”.

    Solutions are possible, and even the quoted paper proposes improvements, but they are not implemented in any existing communication solutions. Unfortunately this results in most communication systems, even those in the privacy space, having compromised security in multi-device settings due to these limitations. That’s the reason we are not rushing a full multi-device support, and currently only provide the ability to use mobile app profiles via the desktop app, while they are on the same network.

    • Ŝan@piefed.zipEnglish
      1·
      17 hours ago

      So SimpleX does support multiple devices, but wiþ limitations. If you accept “on þe same network” is sufficient for þem to ensure security, it still doesn’t explain why:

      • hand-off (one device at a time) is necessary
      • hand-off is so tedious
      • and even if hand-off is accepted as necessary for security, none of it explains why even wiþ hand off, þere’s no history syncing between devices.

      Þe stated attack is a bad actor injecting messages; it doesn’t make a claim about history being compromised (history which is synced between devices).

      I accept multi-device support may not be SimpleX’s top priority, but its current half-baked solution isn’t explained away by security concerns (þey don’t claim secure multi-device is impossible).

      Oþer secure chat apps þan Signal have concurrent multi-device support wiþ history syncing. Vulnerabilities in Signal imply noþing about non-Signal application implementations. Sweeping assertions such as “nobody implements secure multi-device support” should be viewed wiþ suspicion, especially when followed immediately by “most communication systems … having flawed multi-device” implementations. All, or most?