Signal To Move Away From Using Phone Numbers as User IDs (zdnet.com)
Secure instant messaging app Signal launched this week a new feature called "Signal PINs" which the company says will help users migrate account data between devices. From a report: Signal says that in the long run, this new feature is the base and the first step towards moving away from using phone numbers as profile IDs. The new Signal profile PIN feature is already live and available for all Signal users. The feature can be enabled in the Signal Settings section, under Privacy, and the Signal PIN option. Once enabled, users will be asked to create a PIN code that will be associated with their account. The PIN can be anything from a four-digit number to a long alpha-numerical string.
Mine's gonna be.... (Score:2)
Re: (Score:2)
This is awesome though. I use Signal a lot - but the point is to decouple my calling and texting from a specific phone, which doesn't work if Signal ties everything to a phone number. I want to be able to send and receive calls and texts from more than one phone without the people on the other side caring about that. My identity is me, not my phone.
Re: (Score:2)
" My identity is me, not my phone."
If somebody stands behind you when entering the pin, it's your Ex-identity.
Re: (Score:2)
If somebody stands behind you when entering the pin, it's your Ex-identity.
Um, OK? Is that a real problem in your life? Did you buy from a furniture company that said "we stand behind every sale" only to find out they were being literal?
Re: Mine's gonna be.... (Score:1)
Wait, where do people not stare at you like "go away!", when you keep standing close to them or staring at the keypad they are supposed to enter their PIN into?
Do you also not bother if somebody behind you might see your phone display on public transport? (Remember, much more common outside of the US.)
Cause then it's just you, dude, and we think you are a risk and won't entrust anything private to you.
Re: (Score:2)
"Wait, where do people not stare at you like "go away!", when you keep standing close to them or staring at the keypad they are supposed to enter their PIN into?"
No, that guy way behind has a phone, with a gazillion cameras and a 100 times zoom and filming your hand, he's not texting his girlfriend.
Re: (Score:1)
Re: (Score:2)
The two things are unrelated. Don't yell at Signal for good decisions because they made bad decisions elsewhere, or they'll never learn anything. If you don't like the cloud, use a different product, one that's actually security focused. Demand your money back!
Re: (Score:2)
You aren't required to give it access to your contacts.
I agree that it would be nice to let it use your contacts without also doing the Contact discovery, but even if it does, they do a pretty good job of matching contacts without revealing them.
Your contacts aren't being uploaded! (Score:1)
They are hashed locally! Only the hashes are uploaded. Which is necessary in any case, since otherwise, who would the server send the message to? There is no way around some form of (anonymous) ID, unless you want a direct connection, which equals exposing your IP to the other side, and your connection to everyone in-between.
The only way to improve on this is to use a mix (like TOR) for direct connections. And ephemeral session IDs, if you want to stay anonymous to the other side of the communication too.
A
Re: (Score:2)
https://www.youtube.com/watch?... [youtube.com] :P
Re: (Score:2)
Glad someone got it....
Re: (Score:2)
It's a classic and a meme! :D
Signal is getting a ton of flak (Score:5, Informative)
The community is voicing their feedback here, so far without any dev response: https://community.signalusers.... [signalusers.org]
Re: (Score:3)
Re: (Score:1)
Re: (Score:2, Informative)
Signal PINs were already being used to prevent someone else from swiping your phone number's receipt privileges on Signal's message delivery service. That context makes sense because it is possible to limit the number of tries. But using them alone as an encryption key makes no sense for the reason you say. Also, why would they need to store your contact data on their servers if it is fully encrypted? Currently the way you sync this info to a desktop client is via a picture of a QR code, which, I think,
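A toy model of the contrast drawn in the comment above, between a PIN checked by a service that limits tries and a PIN used alone as an encryption key. This is an added example, not part of the thread and not Signal's code or design; the class and function names, the PBKDF2 parameters and the sample PIN are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 500  # assumption: kept low so the demo runs quickly

def key_from_pin(pin: str, salt: bytes) -> bytes:
    """Stretch a PIN into a 32-byte key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)

class GuessLimitedService:
    """Online case: the service checks the PIN and counts failed tries."""
    def __init__(self, pin: str, max_tries: int = 3):
        self._salt = os.urandom(16)
        self._key = key_from_pin(pin, self._salt)
        self.tries_left = max_tries

    def check(self, guess: str) -> bool:
        if self.tries_left <= 0:
            return False  # locked out, even for the correct PIN
        if hmac.compare_digest(key_from_pin(guess, self._salt), self._key):
            return True
        self.tries_left -= 1
        return False

def seal(pin: str, data: bytes) -> tuple[bytes, bytes]:
    """Offline case: data protected only by a PIN-derived key.
    Returns (salt, tag); the tag stands in for an authenticated ciphertext."""
    salt = os.urandom(16)
    return salt, hmac.new(key_from_pin(pin, salt), data, hashlib.sha256).digest()

def guesses_until_match(salt: bytes, tag: bytes, data: bytes) -> tuple[str, int]:
    """Count how many 4-digit candidates are tested when nothing limits tries."""
    for n in range(10_000):
        pin = f"{n:04d}"
        cand = hmac.new(key_from_pin(pin, salt), data, hashlib.sha256).digest()
        if hmac.compare_digest(cand, tag):
            return pin, n + 1
    return "", 10_000

if __name__ == "__main__":
    svc = GuessLimitedService("0420")  # constructed sample PIN
    print([svc.check(g) for g in ("0000", "0001", "0002", "0420")])
    salt, tag = seal("0420", b"contacts")  # constructed sample data
    print(guesses_until_match(salt, tag, b"contacts"))
```

The try counter is what protects a short PIN in the first case; in the second, key stretching only multiplies the cost of each of the 10,000 candidates, so a longer alphanumeric PIN is the only thing that enlarges the search.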
Re: (Score:1)
Re: (Score:1)
Moxie Marlinspike should change his name to Proxie Marlinspike
Re: (Score:1)
Does the data that is uploaded include the conversations and history themselves?
Re: (Score:1)
Re: (Score:2)
Not at this point, though, but that's a planned feature according to their blog.
Good to know and that's a real cause for concern.
Re: (Score:1)
Indeed. We need a good, end-to-end encrypted app that does not share any more info than is necessary to operate. No cloud storage of contacts, history, etc. You move phones? No easy "restore from the cloud" options. Just document the manual restoration process, and let people decide if that's within their skill-set.
Maybe I'm being naive on the technical necessities of the way this app works, but what NEED is there to store things meta-data, contacts, message history, etc. Especially on their own clou
What a hell took them so long? (Score:1)
... and why did they think phone number was a good idea to begin with?
Re: (Score:2)
Re: What a hell took them so long? (Score:2)
That's false. It asks if you'd like it to be the default, and it's clear you don't need to.
Re: (Score:2)
PIN in Messaging app? Have I heard that before? (Score:2)
Blackberry Signal PIN
cue Lawsuit in 5...4...3...2...
No thanks on storing my contacts in the cloud (Score:2)
I'd prefer not to store my contacts on Signal's servers. Doing so creates a little dossier on me that is only as secure as Signal's encryption. Even if the encryption is solid, good encryption today may not be tomorrow.
I've been ignoring the "CREATE PIN" dialog for weeks now. Hopefully this is equivalent to opting out.
Please choose another PIN (Score:2)
Enabled? (Score:1)
Re: Enabled? (Score:2)
I hadn't read their blog when it started asking me. They always had a local pin to protect the app so it seemed normal.
I'm thinking it's a bit smarmy. They made a lot of noise about having zero knowledge about users then they go on to set up a system which uploads your contact list to them, protected by a 4 digit PIN (pin is the default, how many will choose 4 digits like 0000 just to shut it up?)
Warrant canary, much?
Wire (Score:1)