Forums
New posts
Search forums
News
Security News
Technology News
Giveaways
Giveaways, Promotions and Contests
Discounts & Deals
Reviews
Users Reviews
Video Reviews
Support
Windows Malware Removal Help & Support
Inactive Support Threads
Mac Malware Removal Help & Support
Mobile Malware Removal Help & Support
Blog
Log in
Register
What's new
Search
Search titles only
By:
Search titles only
By:
Reply to thread
Menu
Install the app
Install
JavaScript is disabled. For a better experience, please enable JavaScript in your browser before proceeding.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an
alternative browser
.
Forums
Software
General Apps
Messaging and video calls
Is Signal as secure as we think
Message
<blockquote data-quote="nurmagoz" data-source="post: 1123624" data-attributes="member: 106634"><p>Signal is widely seen as the gold standard of secure messaging. I’ve been digging into how Signal handles identity verification, especially when a user switches devices, to understand why it’s so trusted. Here’s how the process works based on their technical docs and my personal understanding:</p><ol> <li data-xf-list-type="ol">You log into Signal on a new device with your phone number via SMS code</li> <li data-xf-list-type="ol">A new key pair (new public/private key) is generated—Signal doesn’t reuse old ones</li> <li data-xf-list-type="ol">Signal assigns a new Registration ID</li> <li data-xf-list-type="ol">Signal server flags this as a “device change” and notifies all your contacts: “Safety number has changed"</li> <li data-xf-list-type="ol">Each contact must re-establish a secure session with your new public key. This usually happens silently, except for the visible warning</li> </ol><h3><span style="font-size: 15px">So in short, in Signal’s model: </span></h3> <ul> <li data-xf-list-type="ul">Phone number = identity</li> <li data-xf-list-type="ul">Key pair = encryption only</li> </ul><p>This differs from many privacy-first apps that treat your public key as your identity. </p><p></p><p><span style="font-size: 15px"><strong>I see some potential vulnerabilities in Signal's approach. Curious if others in the community share this concern.</strong></span></p><ol> <li data-xf-list-type="ol">MitM risk on device change: If someone intercepts your SMS during setup, they can hijack your identity and communicate as you.</li> <li data-xf-list-type="ol">User ignorance can lead to security breach: Most users ignore the “safety number changed” alert and keep chatting like nothing happened. Signal offloads risk to the user.</li> <li data-xf-list-type="ol">Social relationships exposure: Signal uses your contact list to auto-discover which friends use Signal. This leaks your social graph—a dataset that is more sensitive than your messages.</li> </ol><p>These are the vulnerabilities that raise red flags in my view. I’d love to hear your thoughts. Also, there are newer apps like Simplex Chat, Keet, and WireMin exploring ways that don’t rely on phone numbers for identity. If anyone here has experience with those alternatives, I’d be curious to hear your take.</p></blockquote><p></p>
[QUOTE="nurmagoz, post: 1123624, member: 106634"] Signal is widely seen as the gold standard of secure messaging. I’ve been digging into how Signal handles identity verification, especially when a user switches devices, to understand why it’s so trusted. Here’s how the process works based on their technical docs and my personal understanding: [LIST=1] [*]You log into Signal on a new device with your phone number via SMS code [*]A new key pair (new public/private key) is generated—Signal doesn’t reuse old ones [*]Signal assigns a new Registration ID [*]Signal server flags this as a “device change” and notifies all your contacts: “Safety number has changed" [*]Each contact must re-establish a secure session with your new public key. This usually happens silently, except for the visible warning [/LIST] [HEADING=2][SIZE=4]So in short, in Signal’s model: [/SIZE][/HEADING] [LIST] [*]Phone number = identity [*]Key pair = encryption only [/LIST] This differs from many privacy-first apps that treat your public key as your identity. [SIZE=4][B]I see some potential vulnerabilities in Signal's approach. Curious if others in the community share this concern.[/B][/SIZE] [LIST=1] [*]MitM risk on device change: If someone intercepts your SMS during setup, they can hijack your identity and communicate as you. [*]User ignorance can lead to security breach: Most users ignore the “safety number changed” alert and keep chatting like nothing happened. Signal offloads risk to the user. [*]Social relationships exposure: Signal uses your contact list to auto-discover which friends use Signal. This leaks your social graph—a dataset that is more sensitive than your messages. [/LIST] These are the vulnerabilities that raise red flags in my view. I’d love to hear your thoughts. Also, there are newer apps like Simplex Chat, Keet, and WireMin exploring ways that don’t rely on phone numbers for identity. If anyone here has experience with those alternatives, I’d be curious to hear your take. [/QUOTE]
Insert quotes…
Verification
Post reply
Top
