Comment by viktorcode 16 hours ago
So far the biggest weakness of Signal is identification via a phone number. It's not only hackers who can spoof the numbers, but an authoritarian governments too may take ownership of a number at any moment.
Addressing future threats is good, but priorities should be different.
This is different though. PP is saying that you require a phone number to sign up, and phone numbers are being used to match your account to your user name.
"As a new default, your phone number will no longer be visible to everyone in Signal."
https://support.signal.org/hc/en-us/articles/6712070553754-P...
"Signal does not send your phone number to anyone unless you have enabled that others can see it and then you send them a message or make a call to them."
https://support.signal.org/hc/en-us/articles/360007061452-Do...
Neither of these are the issue, the issue is the required association of a phone number with a Signal account. You cannot register a Signal account without a phone number.
It's something you'd want to avoid if your life, liberty or well-being are at risk if you're de-anonymized.
Agreed as far as governments tracking Signal sign-ups. For a long time though user names were not even supported between Signal users.
Many other secure IM software managed to work without phone numbers and they are also metadata resistant. Signal should start doing things that way.
In many countries your SIM card is tied to you, which is a huge deal-breaker.
Yup, in Poland, a mobile phone number (pre-paid or not, it doesn't matter) is tied to a PESEL number [1] at the time of purchase. The official justification, as usual, was combating crime, but the end result is a tighter grip on citizens' privacy by the government while spammers and others continue their business as usual.
Its a difficult problem because you, ideally, want to curb spam. Requiring phone numbers is a somewhat easy and somewhat reliable way to do that.
If no one knows your user ID besides you and the people you share it with, why would spam be a big issue? If it's a random string, I don't know how anyone could get it, unless you share it publicly or with someone untrustworthy who shares it publicly. And even if it's a username users choose, as long as there's no directory it still shouldn't be a big problem.
That is - even if someone makes 1000 bot Signal accounts, what can they really do with that if they don't have a good way of enumerating other Signal users?
Replace "user ID" with "email address". Pretty much the same thing. But spam is a huge problem with email.
> if they don't have a good way of enumerating other Signal users?
Btw, if you don't accept message requests from spammers they have no indication of if you have an account or not. Try sending a message to a friend who you haven't added on signal. You can just see you sent the message but not if it was received or rejected or anything. Not until they click accept
If it's a sufficiently long random string, that shouldn't be possible, right? Admittedly not an amazing user experience to have to share a random string to your friends, but many Signal-like apps do this.
Great point that requiring a friend request beforehand kind of eliminates the issue too. I assume the Signal developers do have a good reason for thinking requiring phone numbers reduces abuse, but I'm having trouble understanding it.
You can't brute force it if the ID is large enough. E.g. if it's a 256 bit ID, sending 10^18 brute force messages per second it would still take 10^41 years until you hit a real user (assuming 6 billion users).
Good luck brute force guessing an Ed25519 keys (32 bytes).
Honestly there are so many better options than phone numbers available. If you're already using QR-codes to transmit user ids, you might as well use something that is transferable and user generated.
Bots join group chats to scrape user lists to spam. It's also desirable for users to be able to find their contacts already on Signal with phone numbers.
You don't need phonenumbers to deal with spam, just set the "allow messages only from contacts/friends" and a way to add new contacts when needed (via username, email, or even a phone number). It used to work without issues with protocols like MSN messenger, aim, icq etc.
> identification via a phone number.
> an authoritarian governments too may take ownership of a number at any moment.
Don't get me wrong, Signal has issues and we should be critical and hold them to high standards. BUT *they are only E2EE and low metadata Messenger that my grandma can use.* That's a big fucking deal. If we want secure communication to be common place we need to make sure it's usable. Sure, there's more secure and more private services, but none that my grandma could use.
I very much think signal should shift focus to privacy as they've got the security side pretty well handled (as this blog illustrates). But also these comments at the top of any signal thread feel a bit out of touch. Maybe I'm reading too much into it but there's a lot of people who confidently act like this compromises security or places harm on a user. The existence of a registered signal account means very little, especially as you note numbers can be spoofed. You need more than a number to hijack an account and hijacking only reveals messages moving forward while telling the compromised user they're compromised.
So can we focus on bigger issues? Can we critique while still recommending? I have no problem saying I have issues with signal and wish they did more while acknowledging that it is strongly my preferred means of contact and I try to convince others to talk to me that way. These things are not at odds. I've gone so far as donating to them several times because I use the service so much
Imagine being someone who would downvote this without a comment.
Is it:
"I disagree but am not literate enough to state why"
Or is it:
"This person is right, but I don't want people to know it (insert motive here), so I will try to make their comment invisible"
Either way they're cowards, and you are correct. Signal is the best intersection of genuine security and ease-of-use I've seen.
My points are positive now but the variance has been huge. I'm surprised how often a comment like mine swings or gets entirely downvoted without a reply. I do not know if it is zealots, bots, or people just feel like the issue is "so obvious" that it needs no addressing. But I'm not sure how that's different than the first item.
It is also crazy to see how on HN of all places there's still a lot of confusion between the difference of privacy and security. People are saying phone numbers are a security issue. That's flat out wrong. It is a privacy issue.
Having run some family through the Signal onboarding process lately I'm actually kind of disappointed though: the CAPTCHA requirements are a big turn off, and it was relatively difficult to get them to see "look I'm on Signal!" In their existing contacts.
To wit: phone numbers have to stay. That's how I even get people to use it with me, and that's enormously valuable.
But also: there really needs to be a way I can use my own account to vouch for a new user and skip that CAPTCHA (maybe there is? What happens if I do an in app invite?)
Yeah the onboarding process isn't the best but... is CAPTCHA requirements really that big of a deal? Where on the internet can you go where you don't face these? Maybe my grandma can't handle that, but my already retired parents can (and that's a pretty low bar if you know them). For my grandma, yeah, I'll set it up. For my parents and anyone under 70 I think CAPATCHA is not too high of a bar.
I think your threshold is too high. How high off the floor is a CAPATCHA? Because it looks like a bar rolling on the ground to me. You can trip over it but it is almost trivial to get over.
In case anyone is not aware:
https://news.ycombinator.com/item?id=39444500 Keep your phone number private with Signal usernames (2024-02-20, 1422 points, 890 comments)