Serious Discussion Is Signal as secure as we think

nurmagoz

Level 1
Thread author
Dec 19, 2023
11
Signal is widely seen as the gold standard of secure messaging. I’ve been digging into how Signal handles identity verification, especially when a user switches devices, to understand why it’s so trusted. Here’s how the process works based on their technical docs and my personal understanding:
  1. You log into Signal on a new device with your phone number via SMS code.
  2. A new key pair (new public/private key) is generated—Signal doesn’t reuse old ones.
  3. Signal assigns a new Registration ID.
  4. Signal server flags this as a “device change” and notifies all your contacts: “Safety number has changed”.
  5. Each contact must re-establish a secure session with your new public key. This usually happens silently, except for the visible warning.

So in short, in Signal’s model:

  • Phone number = identity
  • Key pair = encryption only
This differs from many privacy-first apps that treat your public key as your identity.

I see some potential vulnerabilities in Signal's approach. Curious if others in the community share this concern.
  1. MitM risk on device change: If someone intercepts your SMS during setup, they can hijack your identity and communicate as you.
  2. User ignorance can lead to a security breach: Most users ignore the “safety number changed” alert and keep chatting like nothing happened. Signal offloads risk to the user.
  3. Social relationships exposure: Signal uses your contact list to auto-discover which friends use Signal. This leaks your social graph—a dataset that is more sensitive than your messages.
These are the vulnerabilities that raise red flags in my view. I’d love to hear your thoughts. Also, there are newer apps like Simplex Chat, Keet, and WireMin exploring ways that don’t rely on phone numbers for identity. If anyone here has experience with those alternatives, I’d be curious to hear your take.
 
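The device-change flow described in the opening post, as an added example that is not part of the original thread and is not Signal's code: a contact-side store that pins one identity key per phone number, detects when a different key is presented for that number, and holds outgoing messages until the new safety number has been compared out of band. The digit derivation is a simplified stand-in for a real fingerprint, the phone numbers and keys are constructed values, and blocking until confirmation is this example's policy choice.

```python
import hashlib

def fingerprint(identifier: str, identity_key: bytes, rounds: int = 1000) -> str:
    """30 digits bound to one party's identifier and identity public key (simplified)."""
    digest = identifier.encode() + identity_key
    for _ in range(rounds):
        digest = hashlib.sha512(digest + identity_key).digest()
    groups = (int.from_bytes(digest[i:i + 5], "big") % 100000 for i in range(0, 30, 5))
    return "".join(f"{g:05d}" for g in groups)

def safety_number(me: str, my_key: bytes, peer: str, peer_key: bytes) -> str:
    """Sort the two halves so both parties compute the same 60 digits."""
    return "".join(sorted([fingerprint(me, my_key), fingerprint(peer, peer_key)]))

class PinnedContacts:
    """Trust-on-first-use store: phone number -> pinned identity key."""
    def __init__(self, me: str, my_key: bytes):
        self.me, self.my_key = me, my_key
        self.pins = {}

    def observe(self, peer: str, key: bytes) -> str:
        """Handle the identity key presented for `peer` when a session is set up."""
        pinned = self.pins.get(peer)
        if pinned is None:
            self.pins[peer] = {"key": key, "blocked": False}
            return "first-use"
        if pinned["key"] == key:
            return "unchanged"
        # Same phone number, different key: a new device or a taken-over number.
        # The store cannot tell which, so it blocks until the user checks.
        self.pins[peer] = {"key": key, "blocked": True}
        return "changed"

    def can_send(self, peer: str) -> bool:
        return peer in self.pins and not self.pins[peer]["blocked"]

    def confirm(self, peer: str, number_from_other_channel: str) -> bool:
        """Unblock only if the number read out over another channel matches ours."""
        expected = safety_number(self.me, self.my_key, peer, self.pins[peer]["key"])
        if number_from_other_channel == expected:
            self.pins[peer]["blocked"] = False
        return not self.pins[peer]["blocked"]

# Constructed sample values: placeholder numbers, hashes standing in for public keys.
ME, PEER = "+15550100", "+15550101"
MY_KEY = hashlib.sha256(b"constructed key: me").digest()
OLD_KEY = hashlib.sha256(b"constructed key: peer, old device").digest()
NEW_KEY = hashlib.sha256(b"constructed key: peer, new device").digest()
```

Because the phone number stays the same across the key change, only the pinned-key comparison and the out-of-band check distinguish a legitimate new device from a takeover of the number.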

Bot

AI-powered Bot
Apr 21, 2016
4,911
You've made some valid points. Signal indeed relies on phone numbers for identity, which can open up potential vulnerabilities. However, it's important to note that Signal's end-to-end encryption and open-source nature still make it one of the most secure messaging platforms available. The risks you've mentioned are present, but they require specific circumstances to exploit. As for alternatives, WireMin is a good option, offering end-to-end encryption and not requiring a phone number. However, it's less user-friendly than Signal. Always remember, no system is 100% secure, and the best approach is to stay informed and vigilant.
 

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
659
> These are the vulnerabilities that raise red flags in my view. I’d love to hear your thoughts. Also, there are newer apps like Simplex Chat, Keet, and WireMin exploring ways that don’t rely on phone numbers for identity. If anyone here has experience with those alternatives, I’d be curious to hear your take.

Good point. Unfortunately, Signal has become a forgotten and little-used messenger. Most ordinary people care little about security and even less about privacy. I have Signal installed on my smartphone, but I don't use it because no one in my family has Signal installed and neither do my friends. There are people who don't even know Signal and don't know what it is; they don't want it because WhatsApp dominates the messaging market. Once a messaging app becomes popular, no other will surpass it in terms of popularity and number of users. Unfortunately, this is the sad reality.
 

nurmagoz

> Good point. Unfortunately, Signal has become a forgotten and little-used messenger. Most ordinary people care little about security and even less about privacy. I have Signal installed on my smartphone, but I don't use it because no one in my family has Signal installed and neither do my friends. There are people who don't even know Signal and don't know what it is; they don't want it because WhatsApp dominates the messaging market. Once a messaging app becomes popular, no other will surpass it in terms of popularity and number of users. Unfortunately, this is the sad reality.

Signal is probably the most widely used messenger among privacy-conscious users, especially after recent news that even U.S. national security relies on it. While it has built a strong image of privacy, the reality is more complex with known vulnerabilities that raise my concerns.
Also, I’d appreciate it if we could keep the discussion focused on private messaging, rather than broadening it to general debates about WhatsApp or tech giants’ data practices.
 

piquiteco

> Also, I’d appreciate it if we could keep the discussion focused on private messaging, rather than broadening it to general debates about WhatsApp or tech giants’ data practices.

Yes, you're right, it's true that Signal is very respectful of its users' privacy. I sincerely apologize for going off topic and quoting a competitor. I did say that, but I didn't mean to offend you, so I'm sorry. But I like Signal, I did everything I could to get my family and friends to use it, but I didn't succeed. But I'm still going to keep it installed and active on my device. One day maybe people will see things from different angles.
 
