How does the app called Signal work, and how much anonymity does it provide?
Signal is widely regarded as most secure. That includes the EFF score card, Edward Snowden, and Bruce Schneier among others. Additional validation comes from Facebook, WhatsApp,
and Google Allo which use the same encryption. Be careful though, Allo and Facebook messenger don’t enable encryption by default. The safest thing to do is use a app that uses encryption by default, which signal does.
First, let’s separate two properties. Anonymity does NOT equal confidentiality. Confidentiality protects the contents of your communication from third party prying eyes, usually using end to end encryption. Anonymity is the property of preventing a third party from inferring or observing you communicating with the other person. These are VERY different properties, and you can have either without the other.
Second, Signal IS a secure protocol. It uses end to end encryption and your personal keys are created when you first use the app on your device. Your keys are NOT shared with some remote central server. And if that remote server were to be compromised, your content would be safe (indeed, your content would have already been deleted off your device by the app according to your specified parameters). There is NO known weakening of the encryption algorithms, and no major tech company in the US has been known to acquiesce to demands made by the US government for encryption backdoors. In fact, if you learn about encryption, you’ll understand that building backdoors into an encryption algorithm needs to be done at the algorithmic level, not on a per-use basis. Signal (and apps that implement it, including WhatsApp) use reasonably strong 256-bit keys on the latest encryption standards (hashing and asymmetric encryption based on elliptic curves).
So what does that mean? That means Signal is very secure for confidentiality purposes. It has been studied by multiple research groups and analyzed both formally and as a software system. If you communicate using Signal and set reasonable expiration/deletion parameters on your messaging sessions, you can be reasonably sure that those messages are unrecoverable and not prone to third parties’ prying eyes. Signal allows one party on the session to specify or change how soon messages disappear from all parties devices. So I can be sure that my messages are indeed gone from the other user’s device, even if they don’t actively delete it. If they change the parameter, e.g. to 1 day from my 30 mins, it notifies me so I am aware (and can change it back if I so choose). So unless the other person (people) take screenshots, your messages are reasonably secure.
However, it is NOT necessarily anonymous. Anonymity requires significant deployment of techniques, either a variant of Chaum Mixes or Dining Cryptographers for reasonably strong anonymity. And such algorithms are generally quite expensive (in terms of redundant messages and communication delays) to deploy, and prone to bugs that make them susceptible to traffic analysis attacks. Tor is the most popular anonymous communication service, and it has been attacked countless times over the years, many times successfully.
In summary: if you want confidential messages that disappear, Signal is a very good platform, and is quite popular with lawyers and security professionals who require confidentiality of messages. If you want anonymity, however, you have very few choices available, and it’s basically Tor or nothing. Even then, you need to understand Tor is likely compromised and your identity can and will likely be leaked over time.
PS: if you create a truly secure platform, it WILL be used for purposes and by groups that you disagree with or even hate. Terrorist groups are fairly inventive (and some are quite savvy) when it comes to technology. So the fact that a terrorist group has used a particular secure communication platform is not a scandal, but more like an unwelcome endorsement of sorts.
Telegram is not encrypted by default. Most users aren’t likely to bother to enable “secret chat” so ISPs or anyone that can get in the middle of the network connection (called the man in the middle attack) could read messages by default. Only with Secret chat enabled is telegram more secure, even then the security of signal is likely to be better. Rolling your own encryption is dangerous and only when you have respected third parties audit your code can you start to have confidence in how secure it is.
Security isn't easy to get right, in fact it's amazingly easy to get wrong. I don't know much about telegram, but Whisper systems has an excellent reputation, excellent people, and a open and transparent setup that encourages others to help improve their code.
Picture Source Wikipedia
Thanks for Reading
0 Comments