SIGNAL: MYTHS AND REALITY OF SECURITY. WHY IT'S NOT THE SAFEST MESSENGER.
//Finally, I got around to this "secure" messenger :)
-- Genesis of Signal --
Launched in 2014 on the initiative of Moxie Marlinspike and WhatsApp co-founder Brian Acton, Signal emerged from the desire to provide users with a platform for encrypted and secure communications. The project, conceived by Marlinspike and Michael Callas, led to the creation of an application that uses the end-to-end encryption protocol developed by the non-profit Signal Foundation. Signal gained popularity when Edward Snowden recommended it as a reliable means for confidential communication in 2013.
-- Inside Signal --
Signal employs the TextSecure protocol with the Double Ratchet algorithm to ensure the exchange of encrypted messages between parties based on a shared secret key. The system generates new keys for each message, making it impossible to calculate previous keys from subsequent ones, and uses Diffie-Hellman public values for additional security.
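The key derivation described above, as an added sketch in Python (not Signal's code and not part of the original post). The 0x01/0x02 HMAC inputs follow the recommendation in the published Double Ratchet specification; the function names, the HKDF info label and the sample keys are constructed for illustration, and the Diffie-Hellman outputs are stand-in byte strings rather than real X25519 results.

```python
import hashlib
import hmac

def kdf_ck(chain_key):
    """Symmetric ratchet step: (next_chain_key, message_key) from one chain key."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key

def hkdf_sha256(salt, ikm, info, length):
    """HKDF (RFC 5869) extract-then-expand, built on the standard library."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def kdf_rk(root_key, dh_output):
    """DH ratchet step: mix a DH output into the root key -> (new_root, new_chain)."""
    out = hkdf_sha256(root_key, dh_output, b"example-double-ratchet", 64)
    return out[:32], out[32:]

def message_keys(chain_key, count):
    """Advance the chain `count` times; return (final_chain_key, [message keys])."""
    keys = []
    for _ in range(count):
        chain_key, mk = kdf_ck(chain_key)
        keys.append(mk)
    return chain_key, keys

# Constructed sample values (not real key material).
ROOT_KEY = bytes(range(32))
DH_OUTPUT_1 = hashlib.sha256(b"constructed DH output #1").digest()
DH_OUTPUT_2 = hashlib.sha256(b"constructed DH output #2").digest()

def demo():
    root, chain = kdf_rk(ROOT_KEY, DH_OUTPUT_1)
    state_after_2, first_two = message_keys(chain, 2)
    # A copy of the chain key taken after message 2 yields message key 3 ...
    _, leaked_view = message_keys(state_after_2, 1)
    _, honest_three = message_keys(chain, 3)
    follows_forward = leaked_view[0] == honest_three[2]
    # ... but the next chain needs the root key plus a fresh DH output.
    _, healed_chain = kdf_rk(root, DH_OUTPUT_2)
    _, healed_keys = message_keys(healed_chain, 1)
    return first_two, leaked_view, follows_forward, healed_keys

if __name__ == "__main__": print("leaked chain key follows forward:", demo()[2])
```

Recovering message keys 1 and 2 from the leaked chain key would require inverting HMAC-SHA256, which is the one-way property the paragraph refers to.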
-- On Vulnerability Issues --
Despite the high level of encryption, vulnerabilities have been discovered. The use of UFED devices allowed the extraction of phone numbers and photographs from Signal contacts (https://habr.com/ru/news/t/533188). In January 2023, two vulnerabilities were identified in the desktop clients for Windows and Mac (CVE-2023-24068 and CVE-2023-24069), allowing local modification of attachments in conversations. There were also issues with the "Disappearing Messages" feature and other vulnerabilities that allowed the forging of URLs or remote code execution on victims' devices. All listed methods apply LOCALLY only.
-- Scandals and Problems with Law Enforcement --
Signal became the target of an attack by the company FinFisher, and in 2021 the FBI's ability to access encrypted messages through vulnerabilities in iPhones became known. Following an FBI data leak, Signal began collecting IP addresses of senders as part of a compromise with law enforcement. Signal uses Amazon Web Services for hosting and seeks ways to encrypt IP addresses and other metadata to protect against traffic analysis. The vulnerability lay in how Signal processed file attachments (https://www.kaspersky.com/blog/finspy-commercial-spyware/27606).
-- Privacy Policy and Sponsorship --
Signal's privacy policy involves collaboration with third parties to provide services and the possibility of data transfer to legal authorities upon official request. There are claims about Signal's funding by the CIA through "Radio Free Asia" and the Open Technology Fund, although Moxie Marlinspike asserts that funding ceased in 2023.
Signal continues to fix identified vulnerabilities, but the existence of unknown issues raises questions about the security and confidentiality of communications through this messenger.
-
Author: Isa Dagestani
https://linktr.ee/isa_dagestani