Comment by notepad0x90 5 days ago

8 replies

Keep in mind that with secure messaging, if the other side gets compromised, your chats with them are compromised. This seems obvious, but with Signal groups of a large size, they're effectively public groups. Signal insists on using your phone number too, refusing user IDs or anything that will make analysis hard.

Don't use Signal for organizing anything of this sort; I promise you'll regret it. I've heard people having better luck with Briar, but there might be others too. I only know that Signal and WhatsApp are what you want to avoid, unless your concern is strictly cryptographic attacks on your chat's network traffic and nothing more.

indigo945 5 days ago

> Signal insists on using your phone number too, refusing user ids or anything that will make analysis hard.

That is no longer true, you can use user IDs now.

For the other problem, you can enable self-deleting messages in group chats, limiting the damage when a chat does become compromised. Of course, this doesn't stop any persistent threat, such as law enforcement (is that even the right term anymore?) getting access to an unlocked phone.

  • notepad0x90 4 days ago

    It doesn't mean much if it isn't the default; even then, people who got it prior to that use phone numbers. You can protect yourself, maybe, but not other people in the group. But it's good they're doing this now.

zahlman 5 days ago

No cryptography will protect a group that allows a traitor to join. The fundamental problem is vetting, and you really just can't do that remotely.

  • notepad0x90 4 days ago

    Not a traitor, but a compromised user. Given enough targets, one of them will have their device compromised. Of course the FBI has access to things more powerful than Pegasus, I'm sure (just guessing).

  • copirate 4 days ago

    It can protect the identity of the members, though.

    • zahlman 4 days ago

      Apparently, one member of the group uploaded a personal photo as an avatar.

      I've also heard of side-channel attacks on Signal that could allow for profiling a user's location, which with the FBI's resources could presumably eventually result in identification.

      • copirate 4 days ago

        Sure, I was not talking about Signal. Something like Bitmessage[1] can.

        [1] https://en.wikipedia.org/wiki/Bitmessage

        • octoberfranklin 4 days ago

          Bitmessage is/was awesome, but it fundamentally doesn't scale.

          Every user has to attempt decryption of every message sent by any sender. Later they cobbled on some kind of hokey sharding mechanism to try to work around this, but it was theoretically unmotivated and an implementation minefield (very easy for implementation mistakes in the sharding mechanism to leak communication patterns to an observer).

          Bitmessage would be great if we had something like Schnorr signatures (sum of (messages signed with different keys) = (sum of messages) signed with (sum of keys)) that could tell you if any of the sum of a bunch of messages was encrypted to your secret key. Then you could bisection-search the mempool.
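The scaling problem octoberfranklin describes, as an added example that is not part of the thread and not Bitmessage's real wire format: a toy broadcast pool where every message is sealed to one recipient key, so each client can only discover its own messages by trial-unsealing every message with its key (the `seal`/`try_unseal`/`simulate` helpers and the encrypt-then-MAC construction are constructed for this illustration).

```python
import hashlib
import hmac
import os
import random

# Constructed toy model: a shared pool of sealed messages, no addressing.
# A client learns whether a message is for it only by attempting to unseal it,
# so total work is (number of users) x (number of messages).
TAG_LEN = 32
NONCE_LEN = 16


def seal(recipient_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a one-block keystream; plaintext <= 32 bytes."""
    assert len(plaintext) <= 32
    nonce = os.urandom(NONCE_LEN)
    keystream = hashlib.sha256(recipient_key + nonce).digest()
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream))
    tag = hmac.new(recipient_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def try_unseal(key: bytes, blob: bytes):
    """Return the plaintext if the blob was sealed to `key`, else None."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time tag check
        return None
    keystream = hashlib.sha256(key + nonce).digest()
    return bytes(c ^ k for c, k in zip(ct, keystream))


def simulate(n_users: int, n_messages: int, seed: int = 0):
    """Every user trial-unseals every message; returns (attempts, delivered)."""
    rng = random.Random(seed)
    keys = [rng.randbytes(32) for _ in range(n_users)]
    pool = []
    for i in range(n_messages):
        recipient = rng.randrange(n_users)  # each message has one real recipient
        pool.append(seal(keys[recipient], f"msg {i}".encode()))
    attempts = delivered = 0
    for key in keys:
        for blob in pool:
            attempts += 1
            if try_unseal(key, blob) is not None:
                delivered += 1
    return attempts, delivered


if __name__ == "__main__":
    print(simulate(20, 50))  # (1000, 50): 20 x 50 unseal attempts for 50 messages
```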