Whilst not the same as mentioned in TFA, I noticed in Signal that if you allow it access to your contacts it will tell you how many of your contacts are already on Signal. I understand this is useful from a usability/discoverability aspect, but from a privacy perspective I have no reason to be made aware of the fact that one of my old bosses who's number is in my phone is on Signal and neither should they know that I am on Signal for the same reasons (or lack thereof).
What's worse is there seems to be no way to opt-out of this behavior. I can deny Signal access to my contacts, thereby not knowing which of my contacts are on Signal, but that doesn't stop the other party from knowing if I am on Signal if they have given Signal access to their contacts.
It's not farfetched to consider a world where an oppressive regime may outlaw the use of something like Signal, Telegram or even WhatsApp and they'd be able to easily determine if you're using such a service through passive techniques such as these.
As far as I know, Wickr is a bit more privacy focused, but it doesn't tick the open source box for me (although the supposed source code is published[1] for public review).
Signal has spoken [1] at length about the issues of private contact discovery, and the many [2] solutions they've employed to minimize the amount of information that gets leaked. There's this intractable problem of requiring a social graph for easy discovery and for trust, and Signal's found one of the better solutions (though I'm sure we'll discover better ones yet).
Signal could allow using it without a phone number, and let people themselves choose between anonimyty, social graph and trust. Why didn't they allow it? Because they don't want anonymous users I assume.
> from a privacy perspective I have no reason to be made aware of the fact that one of my old bosses who's number is in my phone is on Signal and neither should they know that I am on Signal for the same reasons (or lack thereof).
I agree that there are some contacts that I would rather not know that I was on Signal, but, unfortunately, this is an impossible problem to solve when the goal is to create an end-to-end encrypted messaging platform where your identifier is your phone number. The server has to know when a number is not a user so the app can fall back to sending unencrypted SMS (although why Signal falls back to SMS is a mystery to me) and it also has to carry the current public key for each user so that you can be sure that you're talking to who you think you're talking to.
Put another way, even if Signal didn't advertise that, "So-and-so is on Signal, say hey!" you could still theoretically determine whether or not a given number is on signal by sending a message to that number. If it fails, you know they aren't. And if it succeeds, well, then you know they are.
>this is an impossible problem to solve when the goal is to create an end-to-end encrypted messaging platform where your identifier is your phone number
Right, the use of phone number as identifier is flawed by design, and not secure
A big part of practical security is usability. It's hard enough getting most people to adopt Signal or other encrypted messaging services. If they couldn't "just send a message to a number" it would be that much more difficult. The tradeoff seems worth it in this case.
People seem fine adding each other on Facebook without using a phone number. When I add people on LINE messenger I use their ID not their phone number. When I meet a new person and exchange some contact details, it is rarely a phone number. I would also like to talk to some people who I do not want to know my phone number. I think this tradeoff was a mistake for Signal.
You are clearly not the target audience for Signal. There of course is a space for the type of app you're describing, but saying that the tradeoff that Signal has chosen was a mistake is to misunderstand the goal there.
Do you have evidence that this is happening? Otherwise, completely FUD.
The goal I was referring to is making it easy for regular folks to use end-to-end encryption. Any real measure of security needs to be practically usable by the intended audience, and the clear and consistent intended audience for Signal is regular folks who don't have a sophisticated threat model. If any other identity scheme were used, I'd guess the number of Signal users would be an order of magnitude smaller.
This is not to say that there aren't great reasons to have more elaborate secure messaging systems that address these questions, for anyone with a different security model.
Usability? Signal prevents backups on iOS and has no solution for someone changing a device (or even restoring a device from a backup) to carry over the conversations and retain chat history and group memberships. This is because it puts security above usability.
It’s also buggy in many other ways (e.g., sending safety number change messages when nothing has changed with the device or number; contacts sending messages and asking if it was received, etc.).
Signal is quite bad on usability compared to other apps.
You can just provide a choice, whether user wants to use a phone number and a real name, or just an anonymous login, not linked to anything. Why Signal doesn't want to do this? They don't want users to be anonymous, they want real names, addresses and GPS locations I assume.
I wouldn't say it's an impossible problem. It's fairly simple, in my mind.
If someone tries to send me a message on Signal it should go into purgatory. On my end, I should be able to see who is trying to send me the message (yes, including their phone number, given that is how Signal has decided to uniquely identify users) and I should be able to see what their public key is. Then I should be able to either accept that message, which would essentially make my presence on Signal known to the other party, or choose to first verify that the public key matches that of the other party via the existing "in-person" verification method.
Alternatively, I can leave the message in purgatory where a message from someone I don't trust belongs and eventually times out. Not only do I never see the contents of the message, but the sender of the message will also never know if I am on Signal.
> If it fails, you know they aren't. And if it succeeds, well, then you know they are.
This problem is solved in an interesting way by Keybase Chat, in which messages sent to non-existing accounts are "delivered", and can then be read if that account is created later on. It requires re-keying of the message by the sender, so it's not exactly a "fire and forget" solution, but it's pretty neat anyway.
This is like saying you want people to know you use PGP or encryption implying that those who use such tech have something to hide. I see no problem in anyone knowing that I use Signal. If anything it communicates that I'm serious about privacy and security.
> I noticed in Signal that if you allow it access to your contacts it will tell you how many of your contacts are already on Signal
I specifically did not let Signal access my contacts, but some of my contacts contact me on Signal.
Those people that did upload those contacts and being notified that I'm on Signal.
I don't like it.
Its moderately creepy when Google or Facebook do it, but when a service that is advertising itself as the antithesis to those and being privacy conscious I am really disappointed.
We are not really supposed to talk ill of the holy Signal here on HN, and we usually get severely trounced if we do. But of course you are absolutely right - this has been one gaping hole in Signal privacy since forever.
Another thing Signal likes to do is to broadcast the fact every time you shift it to a new device. I have seen enough changing round from a couple of correspondents to deduce a pattern in their hardware habits.
A third stunt it likes is to make it non-obvious what actually happens when you set up groups. One friend did, believing it to be just a personal way of organising contacts, thereby of course immediately exposing parts of his contact list to the rest of us and vice versa.
Also terrible user experience (like using heavily license restricted software). I no longer use the thing.
> Another thing Signal likes to do is to broadcast the fact every time you shift it to a new device. I have seen enough changing round from a couple of correspondents to deduce a pattern in their hardware habits.
This is a security feature to ensure you're talking to the same person. Phone numbers are terrifyingly easy to port to another account.
Yes, I know it's supposed to be a security feature. Not one that works weel, but perhaps it does somewhat enhance security. Alas, Signal forgets to mention that it does so at a cost to privacy.
It stops being a security feature when Signal keeps sending such messages when nothing has changed (and because Signal has bugs), prompting users to ignore these messages forever.
This feature leaks metadata.
It's just an implementation detail, I'm sure the devs are not happy about it and probably are researching other ways to provide cross-device experience.
> from a privacy perspective I have no reason to be made aware of the fact that one of my old bosses who's number is in my phone is on Signal and neither should they know that I am on Signal for the same reasons (or lack thereof).
Your goal is to set up little fun secret decoder ring groups each silo'd with a handful of people so you can pretend to be spies or whatever. For this goal it's important that each silo you set up doesn't know about the others. Signal just wants to end-to-end encrypt all the messages sent between all phones. These goals conflict, and, frankly I think your goal is stupid and should lose.
People use Signal in the first place because they want something more secure and privacy focused than the alternatives. It's not reasonable to mock them for having higher expectations of privacy and security than you do. Its the whole point of the product.
People who actually want "secure and privacy focused" text messages would want their messages to or from their boss to be "secure and privacy focused" too. Whereas people who just want to create yet another little clique don't want that. They'd rather most messages remained unencrypted, insecure, not privacy focused at all, so long as they can underscore how cool they are by creating an "in" group of people with secure messages.
The _whole point of the product_ - to repeat your phrase - is to secure _all_ the messages rather than repeat the mistake of tools like PGP that never get there.
The problem could be solved like this; you generate an UUID and your friend generates UUID. Then you both exchange the UUID. You should do it within an hour. When both UUIDs are entered into the opposite parties you become friends. Now your friend knows you as G435-… and your wife knows you as B64J-…. No one can add you as friend with these used UUIDs. This will solve the privacy problem, mostly.
Signal could allow both options: register with a phone number or with completely anonymous logins. I think they just don't want anonymous users, visits from FBI etc. Also, it is not very profitable to sell ads to anonymous users.
You have to have a secure channel to exchange phone numbers too. The code could be communicated simply using a QR code. Other messengers already work this way and it works well.
Using Google to deliver notifications to Android phones achieves Do Not Stand Out, an important property that it would be an "epic fail" not to offer.
If you insist, you can install a version of Signal that doesn't use this service, whereupon you will stand out, or more specifically your notifications will stand out from everything else.
1 point by RichardHeart 44 minutes ago | parent | edit | delete [-] | on: Telegram 0-day vulnerability that can be used to d...
"TELEGRAM'S REPLY ZDNet has reached out to Telegram for comment earlier today, and the company has looked into the issue reported by Hong Kong protesters.
"We have safeguards in place to prevent importing too many contacts - exactly to prevent the scenario," a Telegram spokesperson said.
"In fact, our data shows that the bot displayed on the screenshots got banned from further imports after two seconds - and only managed to successfully import 85 contacts (not 10,000)," it said. "Once you get banned from importing contacts, you can only add up to 5 new numbers per day. The rest of the contacts you add will look like they're not using Telegram - even if they are."
However, this ban limit can be bypassed. A determined threat actor like the Chinese state can easily employ multiple bots to exploit this issue, instead of just one, and they'll eventually import the entire phone number sequence they want to cover."
Telegram says they block massive contacts imports, says that particular bot was able to add only 85 contacts and then throttled to 5 new contacts per day.
My questions is how do they distinguish legitimate imports? I have 2K phone numbers in my address book. Would it take a year for me to be able to message my friends on telegram?
I assume there are some limits on number of uploaded contacts (probably on order of thousands) but they can be bypassed by creating thousands of accounts each with different contact list. One SIM card here in Russia costs as low as several dollars, and probably cheaper if bought wholesale, so it is not very expensive.
Also, here is a quote from an article in Russian [1], where it is claimed that there is a software to de-anonymize Telegram users:
> A phone number used by [Telegram] account @silovikicat was discovered using a program titled "Insider-Telegram" developed by the "Center of research of legitimacy and political protest". The head of the "Center" Eugene Venediktov explains: "Currently the database contains over 10 million of numbers. We just go through all possible numbers and check whether they are registered in Telegram: for example, we take all numbers starting with a prefix +7911 and check them. You automatically see all contacts from you address book in your Telegram, don't you? We just have a very "fat" address book with phones of all users from our country."
> When a phone number provided by Eugene is added into an address book, Telegram automatically matches it with account @silovikicat («Siloviks' cat»).
The widespread usage of Telegram in a situation as sensitive as the Hong Kong protests is a failure on behalf of the security industry in educating the public.
Even WhatsApp is miles better, but in reality it should be a no-brainer for the relevant people to use Signal or perhaps Threema/Wire. What a shame that charlatans have successfully marketed themselves to the top of this segment with a distinctly inferior product.
charlatans? You mean like when Facebook claims they have implemented the signal protocol but then scan your messages for keywords in order to disable encryption for governments? There is no way for you to check my claim nor Facebook's as it's closed source.
Same goes for threema which will shortly be required by Swiss law to comply with Büpf as they will reach a size requiring it. It's closed source, we can't check what they are doing. Their external security audit was a long time ago.
At least with telegram if I install the android version off fdroid it is compiled from source and I can verify that.
I can gets users to switch to telegram, I can't get them to switch to signal. There is a trade-off but I would argue telegram over whatsapp anytime.
I don't think Signal supports very large groups well (hundreds of users or more). Or things like announcement channels where tens of thousands can subscribe, but only a handful of accounts can post. Sounds to me like they have a superior product.
WhatsApp does secure group messages with end to end encryption, but what good is encryption in a public protests group where everyone can see your phone number?
It could be argued you already had the phone number of your victim.
If mobile numbers in your country are in the 2________ range, how feasible is it to add millions of phone numbers to your contact list to find out the number of someone? I think this is nonsensical.
>If mobile numbers in your country are in the 2________ range, how feasible is it to add millions of phone numbers to your contact list to find out the number of someone? I think this is nonsensical.
If you're a state actor probably pretty easy. Get a couple thousand rooted remote controllable android devices (which you probably already have for other projects) and have them automatically add 10k phones numbers each. Then have them join public telegraph lists and check for matches. Now you have gone through 10 million phone numbers. Run it in a loop 10 times and you have 100 million. Might take a few days to setup and run.
I don't see why this is infeasible in any way to do if you have a moderate budget (ie: state actor).
edit: And if your target is in your jurisdiction then you probably have a good mapping of names to phone numbers already.
All this to get an app to make "do any of my contacts also use signal" requests? You could probably just figure out what endpoint the mobile client calls and imitate them yourself to avoid all the overhead of setting up the mobile devices. If you have to register to make the request, just provision a bunch of VOIP numbers and go to town.
Point being, if "who is using signal" is a question you want answered, it's far more trivial than having to acquire actual devices. Your oppressive regime could go from zero to black bag list in an afternoon.
The impact is specifically related to Hong Kong, where the protesters are using telegram to coordinate, and where, according to the bug report, the telephone number range is limited.
There's apparently at least one private company that gathered a database of account-to-number correlations precisely by adding over ten million numbers to Telegram's address books. Here's an article in Russian where one account is deanonymised: https://meduza.io/feature/2019/08/10/kto-takoy-tovarisch-may...
Dunno if this is patched by Telegram in any way now. However, I don't see why it would be difficult for a program to add numbers to the contact list incrementally. To my knowledge, computers so far were pretty good at incrementing numbers. And if the contact list length is limited, the question is just how many phone numbers a company can buy.
The way cellphone telephones work, is by registering to a cell. so all they have to do is look what phones were in vicinity of cell towers in place where they protest.
Right, the key trick here is that Telegram is easily used as an Oracle.
Telegram has essentially agreed to tell you whether any phone number is correct, so you can just guess all the phone numbers. Never allow this unless the thing an adversary has to guess is both _completely random_ and from a _very large keyspace_ (128-bits is where you can start to feel safe). If you find you're cornered into doing this (e.g. typical email + password login) aggressively rate limit it, so the adversary has to work harder/ longer to take advantage and maybe they'll give up.
Phone numbers are neither random nor from a large key space, it's maybe 10^12 worldwide or something? Much too small.
they say that they managed to add 0.1 million people at once. If you're after a group of people and getting only one of them is enough, the limits look pretty feasible to me, even more possible especially in small communities.
This appears to be a similar attack vector, to the one which might have been used for scamming Swiss Revolut customers, by determining legitimate users via the phone number range, in order to deliver fraudulent SMS messages.
I live in $civilized_country and have gotten one unsolicited phone call ever. It was from an Indian, so either it was a scam or someone who doesn't adhere to telemarketing blocklists.
What's worse is there seems to be no way to opt-out of this behavior. I can deny Signal access to my contacts, thereby not knowing which of my contacts are on Signal, but that doesn't stop the other party from knowing if I am on Signal if they have given Signal access to their contacts.
It's not farfetched to consider a world where an oppressive regime may outlaw the use of something like Signal, Telegram or even WhatsApp and they'd be able to easily determine if you're using such a service through passive techniques such as these.
As far as I know, Wickr is a bit more privacy focused, but it doesn't tick the open source box for me (although the supposed source code is published[1] for public review).
[1] https://github.com/WickrInc/wickr-crypto-c
[1] https://signal.org/blog/private-contact-discovery/ [2] https://signal.org/blog/contact-discovery/
But the issue in the parent post is about leaking information to the people you have in your contact list.
These are very different issues. And it looks like signal hasn't considered the second aspect and the implications.
I agree that there are some contacts that I would rather not know that I was on Signal, but, unfortunately, this is an impossible problem to solve when the goal is to create an end-to-end encrypted messaging platform where your identifier is your phone number. The server has to know when a number is not a user so the app can fall back to sending unencrypted SMS (although why Signal falls back to SMS is a mystery to me) and it also has to carry the current public key for each user so that you can be sure that you're talking to who you think you're talking to.
Put another way, even if Signal didn't advertise that, "So-and-so is on Signal, say hey!" you could still theoretically determine whether or not a given number is on signal by sending a message to that number. If it fails, you know they aren't. And if it succeeds, well, then you know they are.
Right, the use of phone number as identifier is flawed by design, and not secure
The goal I was referring to is making it easy for regular folks to use end-to-end encryption. Any real measure of security needs to be practically usable by the intended audience, and the clear and consistent intended audience for Signal is regular folks who don't have a sophisticated threat model. If any other identity scheme were used, I'd guess the number of Signal users would be an order of magnitude smaller.
This is not to say that there aren't great reasons to have more elaborate secure messaging systems that address these questions, for anyone with a different security model.
It’s also buggy in many other ways (e.g., sending safety number change messages when nothing has changed with the device or number; contacts sending messages and asking if it was received, etc.).
Signal is quite bad on usability compared to other apps.
If someone tries to send me a message on Signal it should go into purgatory. On my end, I should be able to see who is trying to send me the message (yes, including their phone number, given that is how Signal has decided to uniquely identify users) and I should be able to see what their public key is. Then I should be able to either accept that message, which would essentially make my presence on Signal known to the other party, or choose to first verify that the public key matches that of the other party via the existing "in-person" verification method.
Alternatively, I can leave the message in purgatory where a message from someone I don't trust belongs and eventually times out. Not only do I never see the contents of the message, but the sender of the message will also never know if I am on Signal.
This problem is solved in an interesting way by Keybase Chat, in which messages sent to non-existing accounts are "delivered", and can then be read if that account is created later on. It requires re-keying of the message by the sender, so it's not exactly a "fire and forget" solution, but it's pretty neat anyway.
I specifically did not let Signal access my contacts, but some of my contacts contact me on Signal.
Those people that did upload those contacts and being notified that I'm on Signal.
I don't like it.
Its moderately creepy when Google or Facebook do it, but when a service that is advertising itself as the antithesis to those and being privacy conscious I am really disappointed.
Another thing Signal likes to do is to broadcast the fact every time you shift it to a new device. I have seen enough changing round from a couple of correspondents to deduce a pattern in their hardware habits.
A third stunt it likes is to make it non-obvious what actually happens when you set up groups. One friend did, believing it to be just a personal way of organising contacts, thereby of course immediately exposing parts of his contact list to the rest of us and vice versa.
Also terrible user experience (like using heavily license restricted software). I no longer use the thing.
This is a security feature to ensure you're talking to the same person. Phone numbers are terrifyingly easy to port to another account.
Which is precisely why they should never be used as an identifier.
Your goal is to set up little fun secret decoder ring groups each silo'd with a handful of people so you can pretend to be spies or whatever. For this goal it's important that each silo you set up doesn't know about the others. Signal just wants to end-to-end encrypt all the messages sent between all phones. These goals conflict, and, frankly I think your goal is stupid and should lose.
The _whole point of the product_ - to repeat your phrase - is to secure _all_ the messages rather than repeat the mistake of tools like PGP that never get there.
EDIT: This proposal also suffers from a bootstrapping problem. You have to already have a secure channel to communicate the ids.
If you insist, you can install a version of Signal that doesn't use this service, whereupon you will stand out, or more specifically your notifications will stand out from everything else.
"TELEGRAM'S REPLY ZDNet has reached out to Telegram for comment earlier today, and the company has looked into the issue reported by Hong Kong protesters. "We have safeguards in place to prevent importing too many contacts - exactly to prevent the scenario," a Telegram spokesperson said.
"In fact, our data shows that the bot displayed on the screenshots got banned from further imports after two seconds - and only managed to successfully import 85 contacts (not 10,000)," it said. "Once you get banned from importing contacts, you can only add up to 5 new numbers per day. The rest of the contacts you add will look like they're not using Telegram - even if they are."
However, this ban limit can be bypassed. A determined threat actor like the Chinese state can easily employ multiple bots to exploit this issue, instead of just one, and they'll eventually import the entire phone number sequence they want to cover."
My questions is how do they distinguish legitimate imports? I have 2K phone numbers in my address book. Would it take a year for me to be able to message my friends on telegram?
Also, here is a quote from an article in Russian [1], where it is claimed that there is a software to de-anonymize Telegram users:
> A phone number used by [Telegram] account @silovikicat was discovered using a program titled "Insider-Telegram" developed by the "Center of research of legitimacy and political protest". The head of the "Center" Eugene Venediktov explains: "Currently the database contains over 10 million of numbers. We just go through all possible numbers and check whether they are registered in Telegram: for example, we take all numbers starting with a prefix +7911 and check them. You automatically see all contacts from you address book in your Telegram, don't you? We just have a very "fat" address book with phones of all users from our country."
> When a phone number provided by Eugene is added into an address book, Telegram automatically matches it with account @silovikicat («Siloviks' cat»).
[1] https://meduza.io/feature/2019/08/10/kto-takoy-tovarisch-may...
Even WhatsApp is miles better, but in reality it should be a no-brainer for the relevant people to use Signal or perhaps Threema/Wire. What a shame that charlatans have successfully marketed themselves to the top of this segment with a distinctly inferior product.
Same goes for threema which will shortly be required by Swiss law to comply with Büpf as they will reach a size requiring it. It's closed source, we can't check what they are doing. Their external security audit was a long time ago.
At least with telegram if I install the android version off fdroid it is compiled from source and I can verify that.
I can gets users to switch to telegram, I can't get them to switch to signal. There is a trade-off but I would argue telegram over whatsapp anytime.
Groups in Telegram are not encrypted. And now its shown that it also reveals phone numbers, and this is not a feature.
Whatsapp shows phone numbers by default, so it wouldn't be a criticism of whatsapp.
Edit: Nvm, I remembered that telegram isn't e2e by default
If mobile numbers in your country are in the 2________ range, how feasible is it to add millions of phone numbers to your contact list to find out the number of someone? I think this is nonsensical.
If you're a state actor probably pretty easy. Get a couple thousand rooted remote controllable android devices (which you probably already have for other projects) and have them automatically add 10k phones numbers each. Then have them join public telegraph lists and check for matches. Now you have gone through 10 million phone numbers. Run it in a loop 10 times and you have 100 million. Might take a few days to setup and run.
I don't see why this is infeasible in any way to do if you have a moderate budget (ie: state actor).
edit: And if your target is in your jurisdiction then you probably have a good mapping of names to phone numbers already.
Point being, if "who is using signal" is a question you want answered, it's far more trivial than having to acquire actual devices. Your oppressive regime could go from zero to black bag list in an afternoon.
Dunno if this is patched by Telegram in any way now. However, I don't see why it would be difficult for a program to add numbers to the contact list incrementally. To my knowledge, computers so far were pretty good at incrementing numbers. And if the contact list length is limited, the question is just how many phone numbers a company can buy.
But you have no correlation between it and Telegram user. This bug is about this correlation.
Telegram has essentially agreed to tell you whether any phone number is correct, so you can just guess all the phone numbers. Never allow this unless the thing an adversary has to guess is both _completely random_ and from a _very large keyspace_ (128-bits is where you can start to feel safe). If you find you're cornered into doing this (e.g. typical email + password login) aggressively rate limit it, so the adversary has to work harder/ longer to take advantage and maybe they'll give up.
Phone numbers are neither random nor from a large key space, it's maybe 10^12 worldwide or something? Much too small.
https://www.reddit.com/r/Revolut/comments/cu07cv/revolut_sca...
Do not blame USA's inadequacies on human nature.