out of the loop, what's the problem with signal?

Nuvalon@lemmy.ml · edit-2 23 hours ago

out of the loop, what's the problem with signal?

wildbus8979@sh.itjust.works · edit-2 20 hours ago

Second is that it runs on AWS. This isn’t a problem in the sense that it’s possible for it to still retain privacy while running on AWS. Some people don’t like it because they view the dependence on the infrastructure of an American company to be a risk to availability. They also believe that it would exacerbate a security flaw if one were found.

Let’s not pretend the hypervisor doesn’t have full access to the VMs memory and execution. The only thing protecting the Signal server is Intel SGX.

someacnt@sh.itjust.works · 19 hours ago

I don’t think Signal trusts the AWS server either, that’s the point of E2EE encryption.

wildbus8979@sh.itjust.works · 18 hours ago

I’m not claiming the contents of the messages are at risk here. You’re social graph and metadata though is another story.

pkjqpg1h@lemmy.zip · 8 hours ago

The only data they store are account creation time and last connection time.

https://signal.org/bigbrother/district-of-columbia/

wildbus8979@sh.itjust.works · edit-2 7 hours ago

The thing if someone has memory access Signal doesn’t need to store anything, transiting data is now available. For example all of your contacts when doing contact discovery. It used to be a simple hash, something for which you could build a rainbow table in a few hours, at the worst. It’s lightly better now, but still.

Don’t take it from me, take it from Moxie:

https://signal.org/blog/private-contact-discovery/

It also doesn’t really matter if the software itself can easily be tampered with in memory by the hypervisor. Like I said, they are putting a lot of trust in Intel SGX.

And let’s not even get into the digital sovereignty issues, and financing of right wing billionaires. Yes, running on AWS is an issue. It’s multiple issues even.

Count042@lemmy.ml · edit-2 35 minutes ago

I don’t take anything from someone I don’t trust that also explicitly doesn’t use warrant canaries because he says they don’t work in contradiction to every legal authority.

It’s also an issue that they run the signal server on one single AWS region.

It isn’t hard or even all that expensive to run on multiple regions.

wildbus8979@sh.itjust.works · 6 hours ago

It’s not me you need to tell this though.

pkjqpg1h@lemmy.zip · 6 hours ago

https://signal.org/blog/private-contact-discovery/

Since the enclave attests to the software that’s running remotely, and since the remote server and OS have no visibility into the enclave, the service learns nothing about the contents of the client request. It’s almost as if the client is executing the query locally on the client device.

wildbus8979@sh.itjust.works · edit-2 6 hours ago

… Providing you trust Intel SGX (and AWS for giving them access to actual SGX and not just emulating a compromised instruction set)

pkjqpg1h@lemmy.zip · 6 hours ago

Providing you trust Intel SGX (and AWS for giving them access to actual SGX and not just emulating a compromised instruction set)

😃

conspiracy begins…

wildbus8979@sh.itjust.works · 51 minutes ago

What conspiracy? CPU bugs aren’t a conspiracy, they are just a fact. Amazon’s involvement with American three letter agencies isn’t a conspiracy, it’s a fact.