Wow I didn’t realize that Signal is run on Amazon’s servers and that they contract with the CIA. This article has some interesting points to mitigate the privacy concerns of this real popular service: https://simplifiedprivacy.com/signal-messenger-guide-to-avoid-privacy-mistakes/
You must log in or register to comment.
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
- Don’t promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
Chat rooms
-
[Matrix/Element]Dead
much thanks to @gary_host_laptop for the logo design :)
- 0 users online
- 84 users / day
- 537 users / week
- 1.5K users / month
- 6.58K users / 6 months
- 1 subscriber
- 2.3K Posts
- 53.2K Comments
- Modlog
So… Yes, Amazon has a contract with the CIA. They have for well over a decade now. In fact, I happened to work in AWS when that program first began.
It’s called GovCloud and it’s just a physically separated, hardened version of AWS. It’s separate hardware to meet US govt requirements for handling data and the networks are not accessible from the public internet. Otherwise, it’s just standard AWS stuff. The Men in Black want to use S3 too.
Anyway, yes, the CIA (like JPL and NASA and a bunch of non-scary orgs) makes use of GovCloud. That’s not evidence that they’re spying on Signal messages. And even if they are, they wouldn’t have needed to set up a very public contract with Amazon. They’d just make a backroom deal and you and I would never hear about it. E.g. Even if signal switched to Azure is no guarantee.
Finally… If you’re in the US, it’s not the CIA you need to be worried about anyway. CIA is focused on foreign threats. The NSA is the group that spies on US citizens. And they have a massive data capture facility in Utah. They’ve got taps all over the backbone internet hardware in the USA. If anybody’s watching your signal metadata, it’s them. …and they don’t need Amazon’s help to do it.
Yup, pretty obvious. Your friends that stick to apple are the worst annoyance. Android and even Windows can be hacked a lot
Signal takes steps to reduce the amount of metadata visible, like sealed sender which makes it so that Signal doesn’t know who sent a message. Even your payment information for donations is separated from your identity so that they know you are a donor, but not how you donated.
It desn’t matter if Signal were hosted on Putin’s personal servers. Its security is in its protocol, it’s not trust based.
Thanks for the reply but please check the article:
Sealed Sender is Flawed
Signal has a flawed system called “Sealed Sender”, which encrypts the metadata of who sent the message inside the encrypted packets. However, cybersecurity researchers from the University of Colorado Boulder, Boston University, George Washington University, and U.S. Naval Academy, found that Sealed Sender could be compromised by a malicious cloud host in as few as 5 messages to reveal who is communicating with who. In this paper published by NDSS, headed by Ian Martiny, these researchers found that Signal’s “read receipts”, which lets the sender know that the receiver got the message can be used as an attack vector to analyze traffic because it sends data packets right back to the sender. Therefore, our recommendation to increase metadata protection is turn off read receipts, which can be toggled in the security settings.
Source used: Improving Signal’s Sealed Sender Ian Martiny∗, Gabriel Kaptchuk†, Adam Aviv‡, Dan Roche§, Eric Wustrow∗ ∗, {ian.martiny, ewust}@colorado.edu †Boston University, kaptchuk@bu.edu ‡George Washington University, aaviv@gwu.edu §U.S. Naval Avademy, roche@usna.edu
https://www.ndss-symposium.org/ndss-paper/improving-signals-sealed-sender/ & Paper PDF: https://www.ndss-symposium.org/wp-content/uploads/ndss2021_1C-4_24180_paper.pdf
Signal doesn’t promise anonymity. If you’re using Signal with the intent of being anonymous, well, there are better services for that. For sending E2EE messages, Signal does well; that is its purpose.
That would be true if it was implemting forward secrecy.
The problem is that signal knows exactly who you know. I would use simplex chat or session
It does use PFS. Signal’s protocol is based on the double ratchet algorithm.
If that was the case then how come the FBI subpoenaed signal for that information and didn’t get it
They did though. Individuals who are on the contact lists of on on individual can get investigated
The contact list built into your phone? Because that isn’t encrypted of course they would get it
Last time I checked signal had phone numbers in there servers.
deleted by creator
What facts are you disputing on the site?
And they do name squatting in session oxen names.
I’m on the fence, they do create content… The super energetic, breathless, bombastic, tone with no nuance that steam rolls over lots of considerations to make conclusions I don’t agree with, doesn’t sit well with me. But thats just me… so just I blocked their last account just to let bygones be bygones, but they made a new account to post this video so it showed up in my feed.
What conclusions do you disagree with?
We already discussed at length your session video, i’m not going to review your other videos. Like i said, let bygones be bygones, its just you made a new account to post the new video so my block didn’t work.
Yes Session trades forward secrecy away in return for uncensored identity. These are pros/cons of different approaches and we provide educational material on a variety of software
As long the encryption and everything else they do is as good as independant audits say they are, none of this matters, does it.
The only thing they know about any user is when the account was created, and when it was last online. That’s all they’re able to hand to law enforcement
Thanks for the reply but please check the article:
Sealed Sender is Flawed
Signal has a flawed system called “Sealed Sender”, which encrypts the metadata of who sent the message inside the encrypted packets. However, cybersecurity researchers from the University of Colorado Boulder, Boston University, George Washington University, and U.S. Naval Academy, found that Sealed Sender could be compromised by a malicious cloud host in as few as 5 messages to reveal who is communicating with who. In this paper published by NDSS, headed by Ian Martiny, these researchers found that Signal’s “read receipts”, which lets the sender know that the receiver got the message can be used as an attack vector to analyze traffic because it sends data packets right back to the sender. Therefore, our recommendation to increase metadata protection is turn off read receipts, which can be toggled in the security settings.
Source used: Improving Signal’s Sealed Sender Ian Martiny∗, Gabriel Kaptchuk†, Adam Aviv‡, Dan Roche§, Eric Wustrow∗ ∗, {ian.martiny, ewust}@colorado.edu †Boston University, kaptchuk@bu.edu ‡George Washington University, aaviv@gwu.edu §U.S. Naval Avademy, roche@usna.edu
https://www.ndss-symposium.org/ndss-paper/improving-signals-sealed-sender/ & Paper PDF: https://www.ndss-symposium.org/wp-content/uploads/ndss2021_1C-4_24180_paper.pdf
eh, its better than discord and it was hard to convince people to use signal, even as convenient as it is.
Pretty obvious contents, strange premise and even fud’ier title…
It’s not that obvious if millions of people do it. anyone can type criticism, you are not adding value
To be fair - your videos are pretty strong in the FUD department.
deleted by creator
Just use Matrix/Element or Session or Briar or Jami or Threema lol
Matrix but please do not use their identity server. Please.
No, use SimpleX.
Damn it I knew I was forgetting one
deleted by creator