Jump to content

Talk:Signal (software)

Page contents not supported in other languages.
From Wikipedia, the free encyclopedia

This is the current revision of this page, as edited by Spookyaki (talk | contribs) at 18:31, 18 December 2024 (Assessment: banner shell, Computing, Human rights (Low) (Rater)). The present address (URL) is a permanent link to this version.

(diff) ← Previous revision | Latest revision (diff) | Newer revision → (diff)

contact discovery clarification

[edit]

Contact discovery says (emphasis mine) «Signal's developers announced that they were working on a way for the Signal client applications to "efficiently and scalably determine whether the contacts in their address book are Signal users without revealing the contacts in their address book to the Signal service."» but this support page says "The Signal service does not have any knowledge of your contacts. Data is all owned by your phone." Meonkeys (talk) 18:08, 1 October 2024 (UTC)[reply]

The technique described there was deployed, so the page should be updated, but it's not quite as straight forward as the protections around message content. The fundamental principle of Signal's private contact discovery is "do it in SGX", and while strictly better than what they were doing before, it's only as secure as the SGX hardware and libraries, which in practice has been "not very." It does mean that an attacker would have to have the skills and resources to not only break into Signal's servers, but also deploy an attack on SGX, which is non-negligible, but it's not even remotely close to the security of the cryptography protecting message contents. The hard part is now finding a reputable source describing this reality, without under- or over-selling it. Tga (talk) 17:31, 7 October 2024 (UTC)[reply]