Ancestors

Toot

Written by Michał "rysiek" Woźniak · 🇺🇦 on 2025-01-21 at 22:11

There's a "Signal deanonymized" thing going around:

https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117

Stay calm. Deep breaths.

👉 while this is a real consideration, the only thing the attacker gets from this is a very rough (kilometers or tens of kilometers radius) location

👉 other communication platforms that use any kind of caching CDN to deliver attachments are just as affected

👉 you almost certainly should continue to use Signal, unless you specifically know that this is a big problem for you.

#Signal #InfoSec

=> More informations about this toot | More toots from rysiek@mstdn.social

Descendants

Written by Michał "rysiek" Woźniak · 🇺🇦 on 2025-01-21 at 22:20

In other words, it's not great that this is possible, but nowhere near an immediate and present danger to anyone except a very very small group of people doing very very specific things.

If you're in that group, you'd already know you are. You'd have someone to ask about this. And you'd almost certainly be using some other tools to anonymize yourself anyway.

If that's not the case, then this is almost certainly not something to lose sleep over. Signal remains a safe choice of a secure IM. 👍

=> More informations about this toot | More toots from rysiek@mstdn.social

Written by Michał "rysiek" Woźniak · 🇺🇦 on 2025-01-21 at 22:25

If you are still worried about this, my read of it is that these things might make the attack more difficult:

👉 turn off automatic downloading of media files

This makes this attack rely on you clicking the image to download it, making it very difficult for the attacker to know when to check for the cached status of the resource.

This is important, because for each attachment the attacker can only ask this question once per the period Cloudflare caches these resources (not sure exactly).

=> More informations about this toot | More toots from rysiek@mstdn.social

Written by Michał "rysiek" Woźniak · 🇺🇦 on 2025-01-21 at 22:27

You can also:

👉 turn off push notifications – this makes the attack rely on you clicking the chat to download the image

👉 turn off read receipts – again, this makes it more difficult for the attacker to know when to ask the question they can only ask once per a specific period of time

👉 use Signal over Tor or a VPN to obscure your actual location – the attacker would get the rough location of the exit node

=> More informations about this toot | More toots from rysiek@mstdn.social

Written by Michał "rysiek" Woźniak · 🇺🇦 on 2025-01-21 at 22:33

Technical details tl;dr:

=> More informations about this toot | More toots from rysiek@mstdn.social

Written by Michał "rysiek" Woźniak · 🇺🇦 on 2025-01-21 at 22:40

I believe this technique would work against any communication app that uses any global CDN that does endpoint caching and provides the caching status in HTTP headers of the response.

=> More informations about this toot | More toots from rysiek@mstdn.social

Written by Michał "rysiek" Woźniak · 🇺🇦 on 2025-01-21 at 22:43

I'd like to hear what @signalapp has to say about all this. There is a claimed response from Signal in that gist file, but I'd like to see it come directly from Signal before I form an opinion.

=> More informations about this toot | More toots from rysiek@mstdn.social

Written by Cheerios de Bergerac on 2025-01-21 at 22:16

@rysiek If you're using a VPN, does Cloudflare still serve you content from a node you're physically closest to, or does it do it based on where your VPN is?

=> More informations about this toot | More toots from sexybenfranklin@smores.town

Written by Michał "rysiek" Woźniak · 🇺🇦 on 2025-01-21 at 22:20

@sexybenfranklin from your VPN exit point.

=> More informations about this toot | More toots from rysiek@mstdn.social

Written by Cheerios de Bergerac on 2025-01-21 at 22:24

@rysiek Thanks Michal. Obviously, this is not great, but I suspect that if your activities are sensitive enough that being placed in an area that large poses a security risk, then I really hope you're already behind a strong vpn. Hopefully Signal and Discord decide it's actually an issue they should deal with, as it sounds like Cloudflare has decided it's not theirs.

=> More informations about this toot | More toots from sexybenfranklin@smores.town

Written by Kevin Karhan :verified: on 2025-01-21 at 22:34

@rysiek *yet another reason why I think @signalapp is just a successor to #CryptoAG aka. #M'INERVA / #RUBIKON...

#CryptoLeaks 2.0 - when?

=> More informations about this toot | More toots from kkarhan@infosec.space

Written by Michał "rysiek" Woźniak · 🇺🇦 on 2025-01-21 at 22:47

@kkarhan I think spreading this kind of conspiracy crap is actively harmful to a lot of people. I'd like you to never do that again in my replies, thanks.

@signalapp

=> More informations about this toot | More toots from rysiek@mstdn.social

Written by Kevin Karhan :verified: on 2025-01-21 at 23:38

@rysiek How much do you bet it's true?

=> More informations about this toot | More toots from kkarhan@infosec.space

Written by Silent.Tom on 2025-01-22 at 07:46

@kkarhan @rysiek Do you have any proof? Any evidence?

=> More informations about this toot | More toots from twallutis@ruhr.social

Written by john r red-horse on 2025-01-22 at 05:27

@rysiek

Didn't they already give a responding statement? That's what 404Media are reporting.

@signalapp

=> More informations about this toot | More toots from jrredho@mastodon.world

Written by Frederik Braun on 2025-01-22 at 07:54

@rysiek @signalapp excellent analysis. Fully agree that this attack doesn't match the average user's threat model and great suggestion that the probe can be eliminated by disabling read notifications. I would add that this is more of a Cloudflare bug. They should fix this.

=> More informations about this toot | More toots from freddy@security.plumbing

Written by Michał "rysiek" Woźniak · 🇺🇦 on 2025-01-22 at 10:44

@freddy @signalapp I tend to agree, but I would expect Signal to push on them to fix this.

And by "fix this" I mean "stop broadcasting cache status and POP site location in HTTP response headers all the time".

=> More informations about this toot | More toots from rysiek@mstdn.social

Written by ~n on 2025-01-21 at 22:48

@rysiek Which is why my expectation until now was that they just simply don't outsource that. And if they did, that they made sure that it passes a basic laugh-test. But to use clownflare? And declare it to be out of scope because it is "up to users to hide their identity" (from a company that hard-verifies your phone number no less!) wtaf. But eh... one trust-us-pinkie-promise-company hand in hand with another pinkie-promise-company.

Very entertaining, from an outside perspective 🍿

=> More informations about this toot | More toots from nblr@chaos.social

Written by tyil on 2025-01-22 at 08:51

@rysiek@mstdn.social CDNs confirmed once more to be a liability if anything. Stop using garbage like Cloudflare, stuff like this keeps happening. It's a shame that Signal uses it and doesn't see an issue.

=> More informations about this toot | More toots from tyil@fedi.tyil.nl

Written by Genders: ♾️, 🟪⬛🟩; Soni L. on 2025-01-22 at 12:06

@rysiek this would work even without the cache status in the response.

you can infer the status from latency observations.

=> More informations about this toot | More toots from SoniEx2@chaos.social

Written by Agnieszka R. Turczyńska on 2025-01-21 at 22:40

@rysiek Thank you for this summary.

BTW, does using a trusted proxy in Signal help to mitigate this issue?

=> More informations about this toot | More toots from agturcz@circumstances.run

Written by Michał "rysiek" Woźniak · 🇺🇦 on 2025-01-21 at 22:41

@agturcz I am not sure, I don't know enough about trusted proxies.

=> More informations about this toot | More toots from rysiek@mstdn.social

Written by Agnieszka R. Turczyńska on 2025-01-21 at 23:04

@rysiek You can set a proxy to be used by Signal. I would expect that in this case the request to download the attachment from the CDN goes through the proxy. And the best the attacker will get is the IP address of the proxy.

However, I will reveal my ip to the proxy. That's why trusted.

=> More informations about this toot | More toots from agturcz@circumstances.run

Written by Michał "rysiek" Woźniak · 🇺🇦 on 2025-01-21 at 23:07

@agturcz yeah, that would make sense to me

=> More informations about this toot | More toots from rysiek@mstdn.social

Written by Kevin Karhan :verified: on 2025-01-21 at 23:42

@agturcz @rysiek Use @torproject or better yet, #XMPP+#OMEMO with an #OnionService aka. #Server on a .onion domain...

=> More informations about this toot | More toots from kkarhan@infosec.space

Written by Michał "rysiek" Woźniak · 🇺🇦 on 2025-01-22 at 00:27

@kkarhan I ran and hosted a bunch of XMPP servers a while back. It was a pain to use, and it was easy for users to make mistakes and accidentally send messages in the clear.

You are making people less safe. Last time: please stop doing this in my mentions and replies.

@agturcz @torproject

=> More informations about this toot | More toots from rysiek@mstdn.social

Written by Kevin Karhan :verified: on 2025-01-22 at 01:01

@rysiek @agturcz that's not how you fix #TechIlliteracy, especially since things changed for the better.

@monocles / #monoclesChat & @gajim / #gajim are quite easy, whereas @signalapp / #Signal demands #PII in the form of a #Phone number which is more often than not not legally obtainable without "#KYC" aka. "forced #SelfDoxxing" all whilst being an extremely #centralized, #SingleVendor & #SingleProvider solution that falls under #CloudAct and thus cannot adhere to #GDPR & #BDSG!

#THXBYE #EOD #ITsec #InfoSec #OpSec #ComSec #DigitalSnakeoil #FakeSec

=> More informations about this toot | More toots from kkarhan@infosec.space

Written by Kevin Karhan :verified: on 2025-01-22 at 01:02

@rysiek I'll give you a week to #TouchGrass and come back...

#muted

=> More informations about this toot | More toots from kkarhan@infosec.space

Written by Max L. on 2025-01-22 at 12:31

@kkarhan Sorry but no, the correct solution is to push for easy to use solutions that are at the same time private and secure. Hiding privacy and security behind a veil of "you need to know" is discrimination against people that are not able (either mentally, physically or monetarily) to gain that knowledge.

The correct move here is for @signalapp and any other service to fix this and for legislators to enact laws enforcing proper security and privacy by design.

=> More informations about this toot | More toots from max@gruene.social

Written by Kevin Karhan :verified: on 2025-01-22 at 14:11

@max

To quote you directly:

And if you go and say, "Just buy a [insert country here] [e]SIM!" and expect #TechIlliterates without a #CreditCard, #PayPal or other means of #OnlinePayment to fiddle around with some #eSIM if not having to get some #eSIMcard because they can only afford to maintain one SIM and can't spend triple-digits on a new devices then you completely missed the point!

Point is that #Signal #WontFix their setup and that was evidently clear even before @Mer__edith succeeded #MoxieMarlinspike: Their entire operation has a distinct #CryptoAG stench as it's an #unsustainable #VCmoneyBurning party!

=> More informations about this toot | More toots from kkarhan@infosec.space

Written by contrapunctus ✊🏳️‍🌈🏳️‍⚧️ on 2025-01-22 at 09:32

@rysiek @kkarhan @agturcz An awful lot of people say they've used #XMPP "a while back". But they're often unaware of the best of XMPP, and have an unfairly negative view of it.

Did you happen to try...

...#Snikket for hosting?

https://snikket.org

...apps like #Quicksy and #Prav which use phone numbers for easy onboarding, same as #Signal #WhatsApp or #Telegram?

https://quicksy.im

https://prav.app

...featureful clients like #Cheogram #MonoclesChat #Gajim #Movim etc?

=> More informations about this toot | More toots from contrapunctus@en.osm.town

Written by Michał "rysiek" Woźniak · 🇺🇦 on 2025-01-22 at 10:50

@contrapunctus @agturcz yes, I am aware of all these. I am also aware of Simplex, Briar, and a whole slew of completely decentralized IMs. And I made a long ranty talk about shortcomings of Signal that one time, got pretty popular on media.ccc.de.

And I still react badly to unnecessarily alarmist hot takes that can lead regular folks to make bad technological decisions.

=> More informations about this toot | More toots from rysiek@mstdn.social

Written by contrapunctus ✊🏳️‍🌈🏳️‍⚧️ on 2025-01-22 at 11:35

@rysiek @agturcz Then, I confess to being confused about what you mean.

Why did you find it to be "a pain to use"?

Some clients don't have end-to-end encryption enabled by default - I hope that will change some day, but I never found that to be a dealbreaker. If someone sends cleartext, me and my friends immediately ask them to enable OMEMO.

Still, no feature or convenience is worth using a centralized silo. Reddit, Twitter, and Meta are proof enough.

=> More informations about this toot | More toots from contrapunctus@en.osm.town

Written by Michał "rysiek" Woźniak · 🇺🇦 on 2025-01-22 at 11:46

@contrapunctus @agturcz first of all, please don't explain centralization to me, I was talking about it before it was cool:

https://media.ccc.de/v/30C3_-5319-en-saal_g-201312282330-technomonopolies-_rysiek

Secondly, "some clients don't support X" is a deal breaker. Because now regular folks need to track and think about whether or not their contact's server supports a safety feature they rely on.

Third, "if someone sends a cleartext…" is not anywhere near being acceptable for a communication tool like that. Sending cleartext should not be possible.

=> More informations about this toot | More toots from rysiek@mstdn.social

Written by Michał "rysiek" Woźniak · 🇺🇦 on 2025-01-22 at 11:48

@contrapunctus @agturcz I had worked with people reporting on Panama Papers, I had worked with people working with sources whose threat model included men with guns who were trained and willing to use them.

This kind of "no biggie if someone sends cleartext, we can ask them to enable OMEMO" stuff is what can get people killed. Advocating for tools like that is putting real people in real danger.

I am glad XMPP is improving, but it is simply nowhere near a Signal replacement yet.

=> More informations about this toot | More toots from rysiek@mstdn.social

Written by contrapunctus ✊🏳️‍🌈🏳️‍⚧️ on 2025-01-22 at 12:42

@rysiek @agturcz Sounds like @snikket_im is your best bet, then. All Snikket clients have OMEMO enabled by default. And this way you can actually trust the operator, i.e. yourself, and control exactly what cloud services are used (including "none").

And Signal is seemingly not the perfect solution it's being made out to be, either.

https://troet.cafe/@pixelschubsi/113808514523533577

https://troet.cafe/@pixelschubsi/113808528593247949

=> More informations about this toot | More toots from contrapunctus@en.osm.town

Written by Michał "rysiek" Woźniak · 🇺🇦 on 2025-01-22 at 14:11

@contrapunctus you seem to be ignoring what I and others are telling you about how dangerous what you're doing – promoting XMPP into a space it has no business being in in its current state – is.

I am done with this conversation.

@agturcz @snikket_im

=> More informations about this toot | More toots from rysiek@mstdn.social

Written by viq on 2025-01-22 at 12:00

@contrapunctus @rysiek @agturcz unfortunately "but which OMEMO" is a thing, and most clients use the old, less secure version, while "we don't care about those bugs, there's a new version that's much better" is used by next to no clients

https://soatok.blog/2024/08/04/against-xmppomemo/

=> More informations about this toot | More toots from viq@hackerspace.pl

Written by contrapunctus ✊🏳️‍🌈🏳️‍⚧️ on 2025-01-22 at 12:17

@viq @rysiek @agturcz Let's not post FUD? 🤷‍♀️

Here's a response to it.

https://www.moparisthebest.com/against-silos-signal/

OMEMO author Tim Henke also made this fairly civil comment on the post, which was - somewhat surprisingly - deleted by Soatok. https://www.moparisthebest.com/tim-henkes-omemo-response.txt

=> More informations about this toot | More toots from contrapunctus@en.osm.town

Written by Rowan Thorpe on 2025-01-22 at 09:24

@agturcz

...or - as suggested above - use Tor which is effectively a trustless proxy (HTTP/Socks proxying) which only reveals irrelevant exit-IPs. For example on Android under Orbot's settings (for apps to auto-tunnel traffic for) Signal is grouped under "recommended". If having problems connecting to Tor directly you can either enable connect-plugins like obfs4, Snowflake, or some other bridge, or connect to Tor over a VPN or SSH tunnel (optionally run on your own cloud VM).

=> More informations about this toot | More toots from rowanthorpe@fosstodon.org

Written by Kevin Karhan :verified: on 2025-01-21 at 23:40

@agturcz @rysiek no, because that's not how #ComSec works!

=> More informations about this toot | More toots from kkarhan@infosec.space

Written by Gaelan Steele on 2025-01-21 at 22:42

@rysiek oh yikes

you're right that it's pretty niche threat model where this matters, but wow that's a devious side channel

=> More informations about this toot | More toots from Gaelan@cathode.church

Written by Michał "rysiek" Woźniak · 🇺🇦 on 2025-01-21 at 22:46

@Gaelan devious indeed.

=> More informations about this toot | More toots from rysiek@mstdn.social

Written by stefan on 2025-01-21 at 23:47

@rysiek but why are these cloudflare cache headers even there?

=> More informations about this toot | More toots from stefan@graz.social

Written by Michał "rysiek" Woźniak · 🇺🇦 on 2025-01-22 at 00:29

@stefan because if you are a website owner and trying to debug a problem, you need them.

This could be done better though. Turn it on for debugging, turn it off afterwards, for example.

=> More informations about this toot | More toots from rysiek@mstdn.social
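What "stop broadcasting cache status and POP site location in HTTP response headers" and "turn it on for debugging, turn it off afterwards" would look like as a concrete check, as an added example that is not code from the thread, from Signal or from Cloudflare: a small header audit that flags response headers revealing edge-cache state or the serving point of presence, and a sanitizer that drops them unless a debug flag is set. `CF-Cache-Status` and `CF-Ray` are Cloudflare's real header names; the remaining names are generic CDN/proxy conventions used here as a heuristic, and the sample response is constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

Header = Tuple[str, str]

# Headers that reveal whether an object was served from an edge cache.
# CF-Cache-Status is Cloudflare's; X-Cache / X-Cache-Hits / Age are generic
# proxy conventions (Age > 0 also implies a cache hit). Matched case-insensitively.
CACHE_STATE_HEADERS = {"cf-cache-status", "x-cache", "x-cache-hits", "age"}

# Headers that reveal which point of presence (POP) served the request.
# CF-Ray is Cloudflare's request id, suffixed with a datacenter code;
# X-Served-By and Via are generic and often carry an edge node name.
POP_LOCATION_HEADERS = {"cf-ray", "x-served-by", "via"}

# Constructed sample response for an attachment fetch (not a real capture;
# the CF-Ray value is a placeholder, "XXX" stands in for a datacenter code).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Tue, 21 Jan 2025 22:11:00 GMT
Content-Type: image/jpeg
Content-Length: 12345
CF-Cache-Status: HIT
Age: 37
CF-Ray: 0000000000000000-XXX
Server: cloudflare
"""


@dataclass
class HeaderAudit:
    leaks_cache_state: List[Header] = field(default_factory=list)
    leaks_pop_location: List[Header] = field(default_factory=list)

    @property
    def clean(self) -> bool:
        return not (self.leaks_cache_state or self.leaks_pop_location)


def parse_headers(raw: str) -> List[Header]:
    """Parse an HTTP/1.1 response head (status line plus headers) into (name, value) pairs."""
    lines = raw.strip().splitlines()
    if lines and lines[0].upper().startswith("HTTP/"):
        lines = lines[1:]  # drop the status line
    headers: List[Header] = []
    for line in lines:
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return headers


def audit_headers(headers: List[Header]) -> HeaderAudit:
    """Report which headers leak cache state or POP location."""
    audit = HeaderAudit()
    for name, value in headers:
        key = name.lower()
        if key in CACHE_STATE_HEADERS:
            audit.leaks_cache_state.append((name, value))
        if key in POP_LOCATION_HEADERS:
            audit.leaks_pop_location.append((name, value))
    return audit


def sanitize_headers(headers: List[Header], debug: bool = False) -> List[Header]:
    """Drop the leaking headers; keep them only for an explicit debugging session."""
    if debug:
        return list(headers)
    drop = CACHE_STATE_HEADERS | POP_LOCATION_HEADERS
    return [(n, v) for n, v in headers if n.lower() not in drop]


if __name__ == "__main__":
    parsed = parse_headers(SAMPLE_RESPONSE)
    report = audit_headers(parsed)
    for name, value in report.leaks_cache_state:
        print(f"cache state leaked by {name}: {value}")
    for name, value in report.leaks_pop_location:
        print(f"POP location leaked by {name}: {value}")
    print("after sanitizing:", sanitize_headers(parsed))
```

Run against real traffic, the audit would be pointed at the headers a client actually receives for attachment URLs; the sanitizer models the operator-side policy of emitting these headers only while someone is debugging, rather than on every response.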

Written by ₵ⱧⱤł₴ ⱤØ₥₱ NZ6F 🇺🇸🇺🇦💪🏻 on 2025-01-22 at 00:02

@rysiek Any info if using a Signal proxy mitigates this, or is this specifically a client-level thing? Assuming the latter.

=> More informations about this toot | More toots from rombat@sfba.social

Written by Michał "rysiek" Woźniak · 🇺🇦 on 2025-01-22 at 00:31

@rombat I am not 100% sure how trusted proxies work in Signal, but basically: it's about the location that the request is seen by Cloudflare's infrastructure from.

If the proxy moves that somewhere else, it can help.

=> More informations about this toot | More toots from rysiek@mstdn.social

Written by ₵ⱧⱤł₴ ⱤØ₥₱ NZ6F 🇺🇸🇺🇦💪🏻 on 2025-01-22 at 00:39

@rysiek I think the proxy is more about bypassing places that block Signal for client-to-server connectivity, so I'm thinking it probably doesn't apply here.

=> More informations about this toot | More toots from rombat@sfba.social

Written by nerdwoman on 2025-01-22 at 03:46

@rysiek I think even just turning off details in push notifications (using name only, or none of the above) would also stop the 0-click version from succeeding. No need to kill signal push notifications entirely.

=> More informations about this toot | More toots from nerdwoman@infosec.exchange

Written by Leszek on 2025-01-21 at 22:29

@rysiek It depends.

What actually interests me is the response (or lack of it) from Signal. Seems like not much has changed over there in the last decade. Despite big words and hacker con keynotes they just want to be the new Facebook messenger.

Also there's an easier attack to get your exact egress IP address. It's good to be aware that just having Signal on your phone can reveal it (assuming notifications are enabled).

=> More informations about this toot | More toots from makdaam@chaos.social

Written by Avitus on 2025-01-21 at 22:41

@makdaam @rysiek There's nothing for them to say. It's a problem with CloudFlare, so CloudFlare needs to fix it.

=> More informations about this toot | More toots from Avitus@ioc.exchange

Written by Michał "rysiek" Woźniak · 🇺🇦 on 2025-01-21 at 22:46

@Avitus I disagree. Taking this approach to an extreme would be to say that e2e-encrypted IMs should not exist at all, as this should be handled by the underlying network.

It isn't though, so we need them.

There is a valid privacy issue here, albeit not as huge as the sensational framing of "Signal deanonymized" might suggest. And there are ways for Signal to try to mitigate that.

@makdaam

=> More informations about this toot | More toots from rysiek@mstdn.social

Written by Leszek on 2025-01-21 at 22:52

@Avitus CloudFlare doesn't mention any guarantees of anonymity of the audience.

Someone made a decision to use their services with all the implications of using it. So either nobody at Signal cares about exposing endpoint IPs (which I believe to be the actual stance - but like @rysiek said let's see if they respond) or they care and didn't check it when using CFlare as a dependency.

Either way it's the integrator's responsibility to check if the chosen components fit the purpose.

=> More informations about this toot | More toots from makdaam@chaos.social

Written by Avitus on 2025-01-22 at 00:28

@makdaam @rysiek CloudFlare already fixed the issue and Signal provided a statement to 404 Media: https://www.404media.co/cloudflare-issue-can-leak-chat-app-users-broad-location/

=> More informations about this toot | More toots from Avitus@ioc.exchange

Written by Michał "rysiek" Woźniak · 🇺🇦 on 2025-01-22 at 00:38

@Avitus @makdaam Cloudflare fixed an issue that allowed the researcher to more easily target individual datacenters.

Signal's statement is behind a loginwall.

=> More informations about this toot | More toots from rysiek@mstdn.social

Written by Cassandra Granade 🏳️‍⚧️ on 2025-01-22 at 02:52

@rysiek @Avitus @makdaam IIRC, 404 uses a loginwall to prevent AI scraping, for the most part. Anyway, Signal's alleged statement from the article:

=> View attached media | View attached media

=> More informations about this toot | More toots from xgranade@wandering.shop

Written by Michał "rysiek" Woźniak · 🇺🇦 on 2025-01-22 at 10:33

@xgranade @Avitus @makdaam that's the statement from the gist. I'd like a statement directly from Signal somewhere.

=> More informations about this toot | More toots from rysiek@mstdn.social

Written by Cassandra Granade 🏳️‍⚧️ on 2025-01-22 at 10:43

@rysiek @Avitus @makdaam Of course agreed. Was only meaning that that's the quote 404 went with.

=> More informations about this toot | More toots from xgranade@wandering.shop

Written by INIT_6 on 2025-01-21 at 22:49

@rysiek

I've already used it to track down a person threatening the life of a child.

:ablobcatrainbow:

=> More informations about this toot | More toots from INIT6@infosec.exchange

Written by Osma A on 2025-01-22 at 05:36

If you're in that group, you'd already know you are.

Or, you know, you're tasked to presidential lifeguard duty, or Israeli specops, or French nuclear sub crew...

(those who know, know what that's a reference to)

@rysiek

=> More informations about this toot | More toots from osma@mas.to

Written by Michał "rysiek" Woźniak · 🇺🇦 on 2025-01-22 at 10:40

@osma nah, those guys don't use Signal. They're all on Telegram and broadcasting their location (and layout of their military base) on Strava. :blobcatderpy:

=> More informations about this toot | More toots from rysiek@mstdn.social

Original URL
gemini://mastogem.picasoft.net/thread/113868633913227233

This content has been proxied by September (ba2dc).