moddedBear

Re: Signal

Idiomdrottning made a post commenting on an article that suggested how to use the encrypted chat app Signal without giving out your phone number (something that's just not possible).

gemini://idiomdrottning.org/signal

In the post a few claims were made about Signal that I hadn't heard before. I like checking out private encrypted chat apps and I'm pretty familiar with most of the popular ones, so I decided to dig a little deeper.

Signal is a proprietary chat app that ties accounts to phone numbers.

Simple correction. The Signal clients and server are open source and licensed under the GPLv3/AGPLv3.

https://github.com/signalapp

Signal leaks your phone number to everyone you talk to...

This is true but, since Signal uses phone numbers as identification, is about as silly as saying you leak your phone number to people you call or send SMS to.

...if you want to quit using it, everyone who had you on there can no longer text you

This is what first caught my attention. It sounds a bit wild at first but it makes perfect sense why this might be a concern.

Signal on Android has the option to become your default SMS app. If you enable that then Signal will behave in much the same way that iMessage does on iPhones. It'll check the phone number of anyone you message to see if they have Signal. If they do, it'll send a Signal message, and if not, it'll fall back to insecure SMS.

The trouble comes when you uninstall the app and some of your contacts are using Signal as their SMS app. They might try to send you a message, their device will try to send it using Signal instead of SMS since it doesn't immediately know you uninstalled the app, and you'll never get the message.

There are a couple of ways around this. If you plan to stop using Signal you can easily delete your account and that should disassociate your phone number from Signal. Signal also has delivery receipts, so if your contact is paying attention they might see that their Signal messages aren't reaching you and can try resending via SMS.

I've learned from one of my contacts that Signal does deregister accounts after some period of inactivity, so at least if you do run into this problem it will only be temporary. All this considered I don't see this as a big concern.

...if, when you get a new phone number, you get the used phone number of someone who used to have signal, you’re SOL.

This seems like a more legitimate concern from what I've been able to find.

Signal sends you an SMS verification code when you try to register, so I'd hope it would be smart enough to realize you really do own the new phone number if you give it the right code.

But that counts on you wanting to set up Signal soon after getting the new phone number. If that's not the case you probably could end up not receiving SMS messages you otherwise would have if you're unlucky. This smells like an oversight and is a good reason among several others why Signal should consider removing its SMS features (which thankfully are off by default).

Signal also has this setting called "registration lock" which will "require your Signal PIN to register your phone number with Signal again". Does that really mean if you get a new number and your old one gets recycled, the poor sucker to get it will be unable to register with Signal or remove their phone number from it?

I did some digging around in Signal support pages and it looks like registration locks expire after 7 days of inactivity. So worst case scenario, you could go up to that long not being able to register for Signal.
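
A simplified model of the two timers discussed above, added here as an illustration (it is not Signal's code and not part of the original post). The 7-day registration lock expiry comes from the post; the inactivity cutoff `deregister_after_days`, the 30-day sample value, and all names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

LOCK_EXPIRY_DAYS = 7  # from the post: registration lock expires after 7 days of inactivity


@dataclass
class Registration:
    """Server-side record for one phone number (simplified, hypothetical model)."""
    last_active_day: int        # last day the previous owner's client connected
    registration_lock: bool     # previous owner enabled the PIN lock
    deregister_after_days: int  # ASSUMPTION: inactivity cutoff, not stated in the post


def choose_transport(reg: Optional[Registration], today: int) -> str:
    """What a sender using Signal as their SMS app would pick for this number."""
    if reg is None:
        return "sms"
    if today - reg.last_active_day >= reg.deregister_after_days:
        return "sms"   # stale account has been deregistered
    return "signal"    # number still looks registered, so SMS is never attempted


def can_reregister(reg: Optional[Registration], today: int, knows_pin: bool) -> bool:
    """Can someone who passed SMS verification take over the number today?"""
    if reg is None or not reg.registration_lock or knows_pin:
        return True
    return today - reg.last_active_day >= LOCK_EXPIRY_DAYS


def recycled_number_timeline(reg: Registration, days: int) -> list[tuple[int, str, bool]]:
    """Per day: transport a sender picks, and whether the new owner can register."""
    start = reg.last_active_day
    return [(d, choose_transport(reg, d), can_reregister(reg, d, knows_pin=False))
            for d in range(start, start + days + 1)]


def first_day(timeline, predicate) -> Optional[int]:
    """First day in the timeline for which predicate(transport, can_register) holds."""
    return next((d for d, transport, ok in timeline if predicate(transport, ok)), None)


# Constructed scenario: the old owner last used Signal on day 0 with the lock on,
# never deleted the account, and the carrier then reassigns the number.
old = Registration(last_active_day=0, registration_lock=True, deregister_after_days=30)
timeline = recycled_number_timeline(old, 35)
LOCK_CLEARS = first_day(timeline, lambda t, ok: ok)          # new owner can register
SMS_RESUMES = first_day(timeline, lambda t, ok: t == "sms")  # senders fall back to SMS
```

In this model the new owner is locked out of registering for the first 7 days, while a new owner who never installs Signal keeps missing messages from Signal-as-SMS senders until the assumed inactivity cutoff passes.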

Again, Signal does deregister inactive accounts but I can't find anything suggesting they periodically reverify ownership of a phone number. Here's the worst case scenario I can think of.

Maybe unlikely, but it's still worthy criticism.

“How To Not Give Out Your Phone Number When Using Signal: Don’t Use Signal”

Great advice. There are plenty of solid private messaging apps I can recommend for people who aren't willing to give out their phone number, like Briar or Session (which actually started out as a Signal fork).

My thoughts on Signal

Signal is a good encrypted private messenger for personal contacts, but it isn't for people looking for anonymity. Everyone has people they're comfortable giving their phone number to and people they're not. Signal is great for talking with people in that first group. For that second group you'll need some other app.

I do wish Signal did away with its SMS features. It adds needless complexity, plus managing end-to-end encrypted messages and insecure SMS with the same app is bad security practice.

My grandma managed to set up Signal and contact me on it without anyone explaining it to her, which if you knew her then you'd know how much of a real technical achievement that was. That's an absolute win for privacy. Granted she did it accidentally because she thought Signal was replacing Facebook Messenger, but a win is a win.

Signal has flaws but none that overshadow its ease of setup and use. You can't take that for granted when choosing an encrypted messaging app.

- moddedBear / 2022-07-07
