There's a "Signal deanonymized" thing going around:
https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117
Stay calm. Deep breaths.
👉 while this is a real consideration, the only thing the attacker gets from this is a very rough (kilometers or tens of kilometers radius) location
👉 other communication platforms that use any kind of caching CDN to deliver attachments are just as affected
👉 you almost certainly should continue to use Signal, unless you specifically know that this is a big problem for you.
[#]Signal #InfoSec
=> More informations about this toot | More toots from rysiek@mstdn.social
In other words, it's not great that this is possible, but nowhere near an immediate and present danger to anyone except a very very small group of people doing very very specific things.
If you're in that group, you'd already known you are. You'd have someone to ask about this. And you'd almost certainly be using some other tools to anonymize yourself anyway.
If that's not the case, then this is almost certainly not something to lose sleep over. Signal remains a safe choice of a secure IM. 👍
=> More informations about this toot | More toots from rysiek@mstdn.social
If you are still worried about this, my read of it is that these things might make the attack more difficult:
👉 turn off automatic downloading of media files
This makes this attack rely on you clicking the image to download it, making it very difficult for the attacker to know when to check for the cached status of the resource.
This is important, because for each attachment the attacker can only ask this question once per the period Cloudflare caches these resources (not sure exactly).
=> More informations about this toot | More toots from rysiek@mstdn.social
You can also:
👉 turn off push notifications – this makes the attack rely on you clicking the chat to download the image
👉 turn off read receipts – again, this makes it more difficult for the attacker to know when to ask the question they can only ask once per a specific period of time
👉 use Signal over Tor or a VPN to obscure your actual location – the attacker would get the rough location of the exit node
=> More informations about this toot | More toots from rysiek@mstdn.social
Technical details tl;dr:
=> More informations about this toot | More toots from rysiek@mstdn.social
@rysiek Thank you for this summary.
BTW, does using a trusted proxy in Signal help to mitigate this issue?
=> More informations about this toot | More toots from agturcz@circumstances.run
@agturcz I am not sure, I don't know enough about trusted proxies.
=> More informations about this toot | More toots from rysiek@mstdn.social
@rysiek You can set a proxy to be used by Signal. I would expect that in this case request to download the attachment from CDN goes through the proxy. And the best the attacker will get is the ip address of the proxy.
However, I will reveal my ip to the proxy. That's why trusted.
=> More informations about this toot | More toots from agturcz@circumstances.run
@agturcz
...or - as suggested above - use Tor which is effectively a trustless proxy (HTTP/Socks proxying) which only reveals irrelevant exit-IPs. For example on Android under Orbot's settings (for apps to auto-tunnel traffic for) Signal is grouped under "recommended". If having problems connecting to Tor directly you can either enable connect-plugins like obfs4, Snowflake, or some other bridge, or connect to Tor over a VPN or SSH tunnel (optionally run on your own cloud VM).
=> More informations about this toot | More toots from rowanthorpe@fosstodon.org
text/geminiThis content has been proxied by September (ba2dc).