There's a "Signal deanonymized" thing going around:
https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117
Stay calm. Deep breaths.
👉 while this is a real consideration, the only thing the attacker gets from this is a very rough (kilometers or tens of kilometers radius) location
👉 other communication platforms that use any kind of caching CDN to deliver attachments are just as affected
👉 you almost certainly should continue to use Signal, unless you specifically know that this is a big problem for you.
#Signal #InfoSec
=> More information about this toot | More toots from rysiek@mstdn.social
In other words, it's not great that this is possible, but nowhere near an immediate and present danger to anyone except a very very small group of people doing very very specific things.
If you're in that group, you'd already know you are. You'd have someone to ask about this. And you'd almost certainly be using some other tools to anonymize yourself anyway.
If that's not the case, then this is almost certainly not something to lose sleep over. Signal remains a safe choice of a secure IM. 👍
=> More information about this toot | More toots from rysiek@mstdn.social
If you are still worried about this, my read of it is that these things might make the attack more difficult:
👉 turn off automatic downloading of media files
This makes this attack rely on you clicking the image to download it, making it very difficult for the attacker to know when to check for the cached status of the resource.
This is important, because for each attachment the attacker can only ask this question once per the period Cloudflare caches these resources (not sure exactly).
=> More information about this toot | More toots from rysiek@mstdn.social
You can also:
👉 turn off push notifications – this makes the attack rely on you clicking the chat to download the image
👉 turn off read receipts – again, this makes it more difficult for the attacker to know when to ask the question they can only ask once per specific period of time
👉 use Signal over Tor or a VPN to obscure your actual location – the attacker would get the rough location of the exit node
=> More information about this toot | More toots from rysiek@mstdn.social
Technical details tl;dr:
=> More information about this toot | More toots from rysiek@mstdn.social
@rysiek Thank you for this summary.
BTW, does using a trusted proxy in Signal help to mitigate this issue?
=> More information about this toot | More toots from agturcz@circumstances.run
@agturcz I am not sure, I don't know enough about trusted proxies.
=> More information about this toot | More toots from rysiek@mstdn.social
@rysiek You can set a proxy to be used by Signal. I would expect that in this case the request to download the attachment from the CDN goes through the proxy. And the best the attacker will get is the IP address of the proxy.
However, I will reveal my IP to the proxy. That's why trusted.
=> More information about this toot | More toots from agturcz@circumstances.run
@agturcz @rysiek Use @torproject or better yet, #XMPP+#OMEMO with an #OnionService aka. #Server on a .onion domain...
=> More information about this toot | More toots from kkarhan@infosec.space
@kkarhan I ran and hosted a bunch of XMPP servers a while back. It was a pain to use, and it was easy for users to make mistakes and accidentally send messages in the clear.
You are making people less safe. Last time: please stop doing this in my mentions and replies.
@agturcz @torproject
=> More information about this toot | More toots from rysiek@mstdn.social
@rysiek @kkarhan @agturcz An awful lot of people say they've used #XMPP "a while back". But they're often unaware of the best of XMPP, and have an unfairly negative view of it.
Did you happen to try...
...#Snikket for hosting?
https://snikket.org
...apps like #Quicksy and #Prav which use phone numbers for easy onboarding, same as #Signal #WhatsApp or #Telegram?
https://quicksy.im
https://prav.app
...featureful clients like #Cheogram #MonoclesChat #Gajim #Movim etc?
=> More information about this toot | More toots from contrapunctus@en.osm.town
@contrapunctus @agturcz yes, I am aware of all these. I am also aware of Simplex, Briar, and a whole slew of completely decentralized IMs. And I made a long ranty talk about the shortcomings of Signal that one time, which got pretty popular on media.ccc.de.
And I still react badly to unnecessarily alarmist hot takes that can lead regular folks to make bad technological decisions.
=> More information about this toot | More toots from rysiek@mstdn.social
@rysiek @agturcz Then, I confess to being confused about what you mean.
Why did you find it to be "a pain to use"?
Some clients don't have end-to-end encryption enabled by default - I hope that will change some day, but I never found that to be a dealbreaker. If someone sends cleartext, me and my friends immediately ask them to enable OMEMO.
Still, no feature or convenience is worth using a centralized silo. Reddit, Twitter, and Meta are proof enough.
=> More information about this toot | More toots from contrapunctus@en.osm.town
@contrapunctus @agturcz first of all, please don't explain centralization to me, I was talking about it before it was cool:
https://media.ccc.de/v/30C3_-5319-en-saal_g-201312282330-technomonopolies-_rysiek
Secondly, "some clients don't support X" is a deal breaker. Because now regular folks need to track and think about whether or not their contact's server supports a safety feature they rely on.
Third, "if someone sends a cleartext…" is not anywhere near being acceptable for a communication tool like that. Sending cleartext should not be possible.
=> More information about this toot | More toots from rysiek@mstdn.social
@contrapunctus @agturcz I had worked with people reporting on Panama Papers, I had worked with people working with sources whose threat model included men with guns who were trained and willing to use them.
This kind of "no biggie if someone sends cleartext, we can ask them to enable OMEMO" stuff is what can get people killed. Advocating for tools like that is putting real people in real danger.
I am glad XMPP is improving, but it is simply nowhere near a Signal replacement yet.
=> More information about this toot | More toots from rysiek@mstdn.social
@rysiek @agturcz Sounds like @snikket_im is your best bet, then. All Snikket clients have OMEMO enabled by default. And this way you can actually trust the operator, i.e. yourself, and control exactly what cloud services are used (including "none").
And Signal is seemingly not the perfect solution it's being made out to be, either.
https://troet.cafe/@pixelschubsi/113808514523533577
https://troet.cafe/@pixelschubsi/113808528593247949
=> More information about this toot | More toots from contrapunctus@en.osm.town
@contrapunctus you seem to be ignoring what I and others are telling you about how dangerous what you're doing – promoting XMPP into a space it has no business being in in its current state – is.
I am done with this conversation.
@agturcz @snikket_im
=> More information about this toot | More toots from rysiek@mstdn.social
@rysiek @contrapunctus @agturcz yes, this! I gave up on XMPP for this exact reason. The chain of
is simply ridiculous. I have used XMPP when we had nothing better. Now we have. Time to move on.
=> More information about this toot | More toots from claudius@darmstadt.social