July 13, 2020

Signal Messenger: How to Successfully Resist Wiretapping Attempts

By David Balaban

Successfully Resist Wiretapping Attempts Against the backdrop of events in the US, the popularity of the Signal secure messenger has grown sharply – from 6,000 to 26,000 downloads per day. This software uses strong cryptography and end-to-end encryption. It is based on the open-source code and works with well-known cryptographic protocols (unlike proprietary MProto by […]

Successfully Resist Wiretapping Attempts

Against the backdrop of events in the US, the popularity of the Signal secure messenger has grown sharply – from 6,000 to 26,000 downloads per day. This software uses strong cryptography and end-to-end encryption. It is based on the open-source code and works with well-known cryptographic protocols (unlike proprietary MProto by Telegram).

Now and then, Signal developers are facing constant threats. Various governments, including the US government, are trying to compromise the built-in protection of the messenger and gain access to the correspondence of its users. Back in 2016, the US authorities managed to get a subpoena to delete the correspondence of one particular user, but thanks to end-to-end encryption, there was nothing to delete.

The only data that Signal can provide at the request of government services is just the minimal user data that it stores on its servers. It is:

  • Account creation data (in Unix format)
  • Date of the last time Signal was used (in Unix format)

And that is all. No contacts, group information, or profile information.

We designed Signal in such a way that personal data is stored on the client side, not ours,” the developers say. Signal uses end-to-end encryption, so developers never have access to the content of the messages people send. They are visible only to senders and the intended recipients. Signal also applies this design philosophy to the rest of the user data.

Unlike any other popular crypto messengers, Signal does not have access to contacts, social graph, group data, status information in groups, profile names, profile avatars, location data, search history, and so on. There are no trackers, ads, or analytics code in the program code. Absolutely all information is encrypted, except for the date the account was created and the date it was last used, as mentioned above.

Moxie Marlinspike, a well-known hacker, crypt anarchist and the lead program developer says: “Since we created Signal in order to completely avoid the storage of any confidential information, I can go on stage in front of thousands of people and publicly publish all my account information without revealing anything other than how long ago I have installed Signal (it was the last time I changed the phone) and the last date I used it (by the way today).

The main weakness of Signal and similar messengers is the binding to a specific phone number. For example, if an outsider joins a certain group, he can see the phone numbers of all members of this group. This technique was used by the Hong Kong police to identify the protesters in WhatsApp, Signal, and Telegram.

On the other hand, the attacker cannot get the rest of the account data even upon judicial requests.

If you ask the CEO of any other major communication platform to publicly publish his credentials from his platform, he won’t do that,” Moxie writes. “I don’t blame them – this is a kind of data that is inconvenient to share. But this raises the question of how comfortable it is to share the same data with the authorities and service providers.

Any American company is required to comply with the rules of American law and provide data at the request of the court. But in the case of Signal, it will simply have nothing to present.

In some countries, after WhatsApp leakage cases, even the military and politicians are transferred to the mandatory use of Signal and Wickr crypto messengers. For example, such rules are set for soldiers of the 82nd Airborne Division of the US Army and for communication of members of the Conservative Party in Great Britain. Today, the presence of Signal on the phone is not a sign of suspicious activity of its owner, but rather a sign of common sense.

The lack of personal data in the ownership of the company behind any messenger app is the only strategy that ensures the security of personal data. Trust in any messenger comes down to trusting the company’s engineering capabilities to develop software that will not allow the transfer of personal data and ensures that this data is stored only locally and no one else can read it.

Signal is a non-profit organization, so the software has been and will remain free and open-source. “Our mission is to increase privacy on the Internet, so we freely publish our technology and share knowledge in order to encourage other companies to use it in their own products and services,” says Moxie Marlinspike.

Today, some other messengers work using the Signal protocol. However, they have not implemented a strict refusal to collect personal information about users and continue to store contact details, conversations, photos, and other data for each account on their servers. For example, WhatsApp also uses the secure Signal protocol, but it passes the user’s social graph to the parent company Facebook. The same applies to Telegram Messenger Inc.

Of course, there are more secure and reliable instant messengers with end-to-end encryption, that do not transfer the phone number. For example, the Matrix P2P direct encrypted messaging system that uses client software such as Riot and others. But so far, these programs are not very user friendly. For example, , you need to edit the .json configuration file.

Moreover, we underestimate one more privacy problem coming from another side. None of us are immune from the fact that under pressure, we can be forced to reveal correspondence holding the phone in our hands. Anyone can play the coercive role, from a robber to border guards and police officers.

None of the popular instant messengers have protection against such an attack. So, the next step is to develop a new protection mechanism. Some experts are already working on a solution where if the user, being under pressure, could launch the messenger and show an empty account where there is no important correspondence. At the same time, the attacker will not know that he was shown only one of several accounts hidden in the messenger app.

By David Balaban

David Balaban

David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs the macsecurity.net project that presents expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.
Jeff DeVerter

Charting the Course: An Interview with Rackspace’s Jeff DeVerter on AI and Cloud Innovation

Rackspace’s Jeff DeVerter on AI & Cloud Innovation In an insightful conversation with CloudTweaks, Jeff [...]
Read more
Metasploit-Penetration-Testing-Software-Pen-Testing-Security

Leading Cloud Vulnerability Scanners

Vulnerability Scanners Cyber security vulnerabilities are a constant nuisance and it certainly doesn’t help with [...]
Read more

Exploring SaaS Directories: The Path to Optimal Software Selection

Exploring the Landscape of SaaS Directories SaaS directories are vital in today’s digital age, serving [...]
Read more
Steve Prentice

Get Smarter – The Era of Microlearning 

The Era of Microlearning Becoming employable and then staying employable requires ongoing, up to date [...]
Read more
Katrina Thompson

Why Zombie APIs are Such an Important Vulnerability

Zombie APIs APIs have a lifecycle, the same as anything else. They are born, they [...]
Read more

Lambda Cold Starts: What They Are and How to Fix Them

What Are Lambda Cold Starts? Lambda cold starts occur when AWS Lambda has to initialize [...]
Read more

SPONSORS

Interviews and Thought Leadership

AI at the Gate: Navigating the Future of Cybersecurity with SonicWall’s Bobby Cornwell

Navigating the Future of Cybersecurity In the face of the digital age’s advancements, AI’s role in cybersecurity presents both innovation and challenges. CloudTweaks welcomes a Q&A with Bobby Cornwell, Vice [...]
Read more
Daniel Barber

Q&A Daniel Barber – 2024 AI + Data Privacy Predictions

2024 AI + Data Privacy Predictions In a recent interview with CloudTweaks, Daniel Barber, Co-Founder and CEO of DataGrail, shared insightful perspectives on the evolving landscape of AI and privacy. [...]
Read more

How AI Machine Learning Is Enhancing Customer Experience Across Industries

Elevating Customer Satisfaction: AI’s Impact in Every Sector Recent years have witnessed an incredible transformational leap with regard to Artificial [...]
Read more

Exploring SaaS Directories: The Path to Optimal Software Selection

Exploring the Landscape of SaaS Directories SaaS directories are vital in today’s digital age, serving as key resources for businesses [...]
Read more

Embracing Governance to Navigate 2024’s Tech Trends

Mastering Governance Strategies for Success The start of a new year is a fitting time for goal-setting, and IT managers [...]
Read more

SPONSOR PARTNER

Explore top-tier education with exclusive savings on online courses from MIT, Oxford, and Harvard through our e-learning sponsor. Elevate your career with world-class knowledge. Start now!
© 2024 CloudTweaks. All rights reserved.