Signal is The Most Secure Chat App
Periodically someone will put out a dramatic statement that Signal has been hacked or that Signal is insecure. So far, every single time this has happened, it has reflected a gross lack of understanding of Signal and of the vulnerability being discussed.
Most often someone makes the statement that XYZ stole their Signal messages and therefore Signal is insecure. This is a fundamental misunderstanding which I will try to clear up.
Back in the old days people broke cryptography in a process called cryptanalysis. First it was with pen and paper, and later it was with machines like Alan Turing's Bombe breaking the Enigma. (Peter Thiel once showed me his authentic WWII Enigma machine, but that's a story for another day.)
Now, with modern standard crypto algorithms which are open source and heavily tested by the community, breaking crypto is rare. I'm sure there are a variety of government organizations with some cool cryptanalysis capabilities, but in general, most attackers aren't attacking the crypto itself. What they attack are the endpoints, meaning they go after the data either before it is encrypted, or after it has been decrypted on the other side. More on this later.
I haven't talked to him in many years, but I knew Moxie Marlinspike, the creator of Signal. He was a bit sketchy, a bit of an anarchist type and activist, but brilliant at cryptography. This was one of his core motivations behind creating Signal. He wanted to be sure that his communications, and those of other like-minded people, couldn't be snooped on. Often, when trying to evade snooping, it's beneficial for there to be "cover traffic", or the ability to mix in your traffic with that of other users so that there is a lot of noise that is difficult to sort. This is why you would make a large-scale app used by millions, rather than something one-off that only you and the person you are talking to use.
Additionally, if you have an app like this with many users, for your own protection you need to be sure that you do not have access to the data, because if you do, you can be compelled to reveal it or potentially have some responsibility over it. (E.g., Telegram's recent arrest.)
It is for these reasons that I believe Moxie has significant incentive to make an app that not only is hard for others to snoop on, but that he himself can't snoop on, including metadata, which is valuable for surveillance. No backdoors, so to speak.
SIGNAL'S DESIGN & STRENGTHS
Now let's discuss Signal's design and strengths a little bit.
End-to-End Encryption:
- Signal uses the Signal Protocol, an end-to-end encryption (E2EE) framework, to secure messages, calls, and media. This encryption ensures that only the sender and recipient can access the content, even if intercepted during transmission.
Open-Source Transparency:
- In the tradition of open cryptography algorithms, Signal's codebase is open source, meaning it can be independently audited by security experts to verify its security claims. Open-source development builds trust and allows the community to identify and fix vulnerabilities quickly.
Minimal Metadata Collection:
- Signal retains almost no metadata about users or their communications. The only data Signal keeps is the phone number used for registration and the last connection timestamp.
- This policy is further bolstered by features like Sealed Sender, which hides metadata about who is sending a message.
No Advertisements or Tracking:
- Signal is run by a nonprofit organization (Signal Foundation) and funded through donations, eliminating any incentives to monetize user data.
- Unlike many competitors, Signal does not track users or use analytics tools that could compromise privacy.
Forward Secrecy:
- Messages in Signal are encrypted with unique session keys that are discarded after each conversation.
- This prevents an attacker from decrypting past communications even if a user's encryption keys are compromised in the future.
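The forward-secrecy property described above can be seen in a small key chain. This is an added example, not Signal's code and not part of the original post: it is a simplified sketch modeled on the symmetric-key ratchet in the published Double Ratchet specification (HMAC-SHA256 with constant inputs), and the class, function names and starting secret are constructed for illustration.

```python
import hashlib
import hmac


def ratchet_step(chain_key: bytes) -> tuple[bytes, bytes]:
    """Advance the chain once and return (next_chain_key, message_key)."""
    # Distinct constant inputs keep the two outputs independent of each other.
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


class SendingChain:
    """Keeps only the current chain key; every earlier key is overwritten."""

    def __init__(self, initial_chain_key: bytes):
        self._chain_key = initial_chain_key

    def next_message_key(self) -> bytes:
        self._chain_key, message_key = ratchet_step(self._chain_key)
        return message_key  # used for one message, then discarded by the caller

    def leak_state(self) -> bytes:
        """Everything a device compromise at this moment would reveal."""
        return self._chain_key


def keys_reachable_from(chain_key: bytes, steps: int) -> set[bytes]:
    """Message keys computable by running the chain forward from a leaked key."""
    keys = set()
    for _ in range(steps):
        chain_key, message_key = ratchet_step(chain_key)
        keys.add(message_key)
    return keys


def demo() -> dict:
    # Constructed starting secret; a real session gets it from the key agreement.
    chain = SendingChain(hashlib.sha256(b"constructed shared secret").digest())
    past = [chain.next_message_key() for _ in range(3)]    # messages 1-3
    leaked = chain.leak_state()                            # compromise happens here
    later = [chain.next_message_key() for _ in range(2)]   # messages 4-5
    reachable = keys_reachable_from(leaked, 1000)
    return {
        "past_keys_recovered": sum(k in reachable for k in past),
        "later_keys_recovered": sum(k in reachable for k in later),
    }


if __name__ == "__main__":
    print(demo())
```

Recovering the keys for messages 1-3 from the leaked state would require inverting HMAC-SHA256. The later keys are recoverable here only because the sketch leaves out the Diffie-Hellman ratchet, which in the Double Ratchet mixes fresh key material into the chain.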
Advanced Features for Privacy:
- Disappearing Messages: Messages can self-destruct after a specified period.
- Screen Security: Prevents others from taking screenshots of conversations.
- Registration Lock: Protects accounts from unauthorized re-registration.
Independent of Big Tech:
- Signal is not owned by a large corporation, reducing risks of data sharing with advertisers or governments.
In short, the purpose of Signal is to provide privacy between User A at Endpoint A and User B at Endpoint B. If the traffic is intercepted between the two endpoints, it cannot be read.
WHAT SIGNAL IS NOT
Signal is not an isolated data storage protection mechanism. While Signal messages are stored encrypted on your phone, your general phone user account has access to them. This means that if someone takes your phone while it's unlocked, or guesses / forces you to give up your pin, face, or unlock mechanism, they can read your messages. This is normal and reasonable, not a vulnerability in Signal. It's up to you to implement proper OPSEC.
Signal is not an anonymization system. It protects your messages from being read in transit, not your traffic from being correlated to your phone. Signal's main key is your phone number. If you don't use a burner phone and practice good OPSEC, then you cannot expect to be anonymous. For example:
- If your phone number is registered with the cell company to your name, you aren't anonymous.
- If your burner phone is sitting in your house or car most of the time, you aren't anonymous.
- If your burner phone is sitting next to your real phone, you aren't anonymous.
- If you don't disable media auto-download in Signal, you aren't anonymous.
- If the person you are talking to doesn't practice good OPSEC, you likely aren't anonymous.
If you need to be anonymous (if you are a journalist or activist, for example), there are OPSEC steps and approaches to do so, but Signal is not that. You can combine those activities with Signal and gain privacy as well as anonymity, but Signal does not pretend to offer anonymity; that's not its stated purpose.
If I have access to your device, be that virtual or physical, I will get your data. This doesn't just apply to your phone running Signal, but to any device running any app. Even if you have FDE and a TPM, eventually, given enough time, I will get your data. It is paramount and incumbent upon you to protect access to your device. If you fail to do this, it is not Signal's fault.
In early 2024 Tucker Carlson alleged that Signal isn't secure and that the NSA spied on his chats. Tucker is well known to be in communication with overseas intelligence targets including Vladimir Putin. If this occurred, it occurred in one of two ways:
1.) The USG procured a FISA warrant or something similar, got access to Tucker's phone, and then simply monitored his messages before they were sent, and after they were received. Section 702 of FISA allows the collection of intelligence between US persons and individuals overseas.
2.) The USG hacked the phones of foreign persons who Tucker was in contact with, and monitored the messages before they were sent and after they were received. (I think this is more likely than 1. I suspect he was talking to targets rather than being a target himself.)
What very likely didn't happen is that the USG captured the Signal traffic in transit between the two phones and decrypted it. What also likely didn't happen is that the USG exploited a bug or backdoor in the Signal app to steal the messages, for all the reasons I listed above. Additionally, they didn't have to. All they had to do was get access to one of the two phones, which is fairly trivial. Why waste the time and expense on an elaborate exploit?
THE MOST RECENT "SIGNAL IS HACKED" ATTENTION SEEKING
A few days ago this article came out:
And I'm seeing people, yet again, talk about how Signal is hacked, isn't secure, or isn't private. And again, this is wrong.
Caching content providers have been tracking user location data via a variety of methods for at least 20 years, probably starting with Akamai. This data is available for sale for whatever you want to use it for. Data centers that cache resources such as images for quicker internet retrieval can sometimes be enumerated to identify which one cached the resource. Whatever data center is closest to you is likely the one your content will come from, providing a somewhat fuzzy correlation to your likely physical location.
But remember, Signal isn't an anonymization app. This vulnerability doesn't exploit anything within Signal or its protocol. If you were using a VPN, or you had automatic downloads turned off, this likely wouldn't affect you at all.
I first did an attack similar to this in 2003. I was helping an organization with an intrusion where the attacker was pulling data off their systems. I created a Word document with a juicy name and included an image in the document that loaded off a public web server whose logs I had access to. The attacker downloaded the document, opened it, the image loaded from the internet, and I had the attacker's real IP address.
This article is actually hinting at a major privacy issue that has existed in cached content providers for decades, but they threw Signal and Discord in to generate buzz and attention. Let's focus on the real problem.
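The defender's side of that decoy-document technique is a log search: find fetches of the embedded image that did not come from the organization's own networks. This is an added example, not part of the original post; the image path, the addresses (documentation ranges) and the log lines are constructed, and the log format is assumed to be the common Combined Log Format.

```python
import ipaddress
import re

# Combined Log Format: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)


def beacon_hits(log_lines, beacon_path, own_networks):
    """Return fetches of beacon_path that came from outside own_networks."""
    nets = [ipaddress.ip_network(n) for n in own_networks]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        # Ignore unparsable lines and requests for anything but the decoy image.
        if not m or m["path"].split("?", 1)[0] != beacon_path:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # client field is a hostname or malformed
        if any(ip in n for n in nets):
            continue  # the organization's own preview or test fetch
        hits.append({"ip": str(ip), "time": m["time"], "agent": m["agent"]})
    return hits


# Constructed sample log; /img/q3-logo.png is a hypothetical decoy image path.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2024:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.1.4.7 - - [12/Mar/2024:09:20:41 +0000] "GET /img/q3-logo.png HTTP/1.1" 200 843 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [13/Mar/2024:02:47:19 +0000] "GET /img/q3-logo.png HTTP/1.1" 200 843 "-" "Microsoft Office"',
    '198.51.100.23 - - [13/Mar/2024:03:01:55 +0000] "GET /img/other.png HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in beacon_hits(SAMPLE_LOG, "/img/q3-logo.png", ["10.0.0.0/8"]):
        print(hit)
```

The address in a hit is whatever host made the request, so a fetch routed through a VPN or proxy shows that exit point instead.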
It's irresponsible and a disservice done by the media, hackers looking for attention, and security professionals to push this type of hysteria around something they don't understand. Half the time I suspect they have an agenda to scare people into not using Signal to make it easier to spy on them, or to sell their own, likely less effective, competing product.
WRAPPING IT UP
I have looked at many privacy-based communications apps over the years, including reverse engineering them and finding vulnerabilities, both open source and proprietary. As far as I am aware, there is no better and more secure option than Signal.
Please, really dig in to vulnerabilities like this before you amplify them and freak people out, or ask someone who is a credible expert to look into it.
Thanks for reading,
A.