Hello Everyone,

This is something I’ve been thinking about in the wake of many users joining Signal, due to WhatsApp’s new privacy policy changes.

When it comes to the mobile client (in case of Android), we could verify its integrity by checking the source code & the APK’s integrity using reproducible builds (https://signal.org/blog/reproducible-android/).

When it comes to the server, it is possible that it could get compromised in many ways.

My question is, when it comes to privacy & security, does the server integrity matter if we are reasonably sure the client isn’t compromised in any way or doesn’t transmit anything that the server could access in a meaningful way.

And, this could apply to any service that has both FOSS client & server or just FOSS client.

    • Rugged RaccoonOP
      link
      fedilink
      arrow-up
      2
      ·
      4 years ago

      But, we could install a version of signal client that’s not compromised, which sends as little as possible, encrypted. So, a compromised server could deny the requests, because the client was modified or it couldn’t work with the encrypted content the way it expected. This would automatically raise red flags, because the app doesn’t work anymore. Has something like this happened?

      And for the deploying modified versions to targeted devices. I know it’s possible through orders or compromised server, but has it happened? If so, any sources regarding that.

      • DessalinesA
        link
        fedilink
        arrow-up
        4
        ·
        4 years ago

        That really doesn’t matter, because a compromised server could get hoard a lot of info even assuming the message content is secure. I forget what video it was, but it was emphasizing linkability, what the western security orgs care about more than content, is linking your accounts to create a digital footprint.

        Signal has everyone’s phone number (its mandatory), and connections between accounts (timestamped messages with sender and recipient info). You can pretty much link a phone number to your identity, your name and address, credit cards, so a compromised signal server is a centralized place with everyone’s social connections, message activity, names, and addresses.

        • Rugged RaccoonOP
          link
          fedilink
          arrow-up
          2
          arrow-down
          1
          ·
          edit-2
          4 years ago

          But, signal has the concept of sealed sender (https://signal.org/blog/sealed-sender/), where signal doesn’t know who is sending the messages.

          This is when the government asked for data from Signal, “The only Signal user data we have, and the only data the US government obtained as a result, was the date of account creation and the date of last use – not user messages, groups, contacts, profile information, or anything else.” (https://signal.org/blog/looking-back-as-the-world-moves-forward/)

          With my phone number, they could tie it to other services, but not with the contacts in Signal itself.

          This is something related to how groups are secured - https://signal.org/blog/signal-private-group-system/

          • DessalinesA
            link
            fedilink
            arrow-up
            2
            ·
            edit-2
            4 years ago

            The source for that stuff is “trust me” since:

            • The signal server isn’t made to be self-hostable, nor do we have a way to verify their server code is the code that’s running, on the only instance you can sign up to.
            • Its hosted in the US, so we must assume the worst there. Lots of places to log form login posts that connect a phone number to their internal ids, and phone numbers are mandatory for logins.

            I’m not sure why people let signal off the hook with a few press releases. If someone were to say, “Hey I’m making a secure messaging service! You must give me your phone number, and its run by a US company, hosted in one of the few countries where its illegal for us to tell you if our server is compromised.”, not many of us would take it seriously.

                • Rugged RaccoonOP
                  link
                  fedilink
                  arrow-up
                  2
                  ·
                  4 years ago

                  Yeah, wondering why Signal isn’t federated yet. Is it because they can’t ensure that the federated servers confirm to the same standards or something?

              • Rugged RaccoonOP
                link
                fedilink
                arrow-up
                2
                ·
                edit-2
                4 years ago

                In that sense, then any messaging service, with an open client that has the same features as Signal & a server that’s either closed or open but compromised, should be ok, right? because the client doesn’t trust the server and ensures that it doesn’t send anything that can be interpreted by the server. The server either has no choice but to work with such a client or doesn’t.

                From your earlier reply, I understand that a closed server can’t be forked or can do this & that with the data sent, but at the same time, the Signal team has a tight lid on its ecosystem well. I don’t see anyone self-hosting Signal server or running a custom client, at least the people I know don’t.

                Note: Here, I’m assuming that I’ve manually installed a version of the open client that I know isn’t tampered with & has a solid implementation, not directly from any store.

          • federico3
            link
            fedilink
            arrow-up
            2
            arrow-down
            1
            ·
            4 years ago

            Sealed sender does nothing against timing correlation. It’s really trivial correlate traffic over TCP connections and find out which pairs of IP addresses are communicating with each other.

            Unsurprisingly, it’s ineffective against users that exchange messages very rarely and effective with users texting every day.

            Signal does nothing to mitigate this problem.