
upofadown
Yeah, but Signal really didn't help them at all with that. As with most of these phone oriented encrypted messengers, Signal is pretty sloppy with identity management. It would be hard to find a better example of this than SignalGate 1.0.

* https://articles.59.ca/doku.php?id=em:sg End to End Encrypted Messaging in the News: An Editorial Usability Case Study (my article)


jeroenhd
It wasn't Signal's identity management that proved to be a problem: https://www.theguardian.com/us-news/2025/apr/06/signal-group...

When it comes to practical cryptography, nobody is doing signing parties anyway. It's all TOFU unless someone forces people's hands, and when you force people to do security you can assume they won't bother checking if the QR code they're scanning is coming from a real app or a livestream of someone else's app, they just want to get the scanning done. The whole key scan thing is probably only of any use to people keeping contact after meeting with journalists.

upofadown OP
If you blame the incorrect phone number in the Apple address book then sure, but that implies that you think that a smart phone address book should be responsible for identity management in an end to end encrypted messenger. Oh, and the telephone number to identity mapping is the responsibility of:

* Signal

* Twilio

* The phone company

That's all OK as far as it goes, but the root problem here is that a typical Signal user is made aware of none of this. Sure it's legit to take convenience over security, but it is not OK to leave this tradeoff completely unknown to the people affected.
