
posted by Fnord666 on Wednesday October 31 2018, @02:26AM
from the incremental-improvements dept.

Submitted via IRC for Bytram

New Signal privacy feature removes sender ID from metadata

Plenty of messaging apps use strong encryption to make it next to impossible for law enforcement officers or other potential adversaries to read communications sent between parties. Often, however, unencrypted metadata—such as the sender, receiver, and time a message is sent—is all the sensitive data an adversary needs. Now, the Signal app is testing a new technique called "sealed sender" that's designed to minimize the metadata that's accessible to its servers.

A beta release announced Monday will send messages that remove most of the plain-text sender information from message headers. It's as if the Signal app was sending a traditional letter through the postal service that still included the "to" address but has left almost all of the "from" address blank.

Like most messaging services, Signal has relied on the "from" address in message headers to prevent the spoofing of user identities and to limit spam and other types of abuse on the platform. Sealed sender, which puts most user information inside the encrypted message, uses two new devices to get around this potential privacy risk:

  • Senders periodically retrieve short-lived sender certificates that store the sender's phone number, public key, and expiration timestamp. The certificates are included inside the encrypted envelope, along with the message contents. Once the sender certificate is decrypted, message recipients can use it to mathematically verify the validity of the sender. But because this certificate is encrypted on the sender's device and isn't decrypted until after it arrives on the receiver's device, Signal servers have no way of knowing who has sent the message.
  • Delivery tokens derived from the sender's profile key are used to prevent abuse. Before a user can transmit a message that strips the "from" address out of the header, the user must prove she has access to the delivery token. Because Signal profiles are end-to-end encrypted, valid tokens can only be created by a person or group that's already in the receiver's contacts. In the event a sender starts sending spam or other types of abuse, the receiver can simply block that person.

Users who want to receive sealed-sender messages from non-contacts can choose an optional setting that doesn't require the sender to present a delivery token. This setting opens a user up to the possibility of increased abuse, but for journalists or others who rely on Signal to communicate with strangers, the risk may be acceptable.
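The flow described above, as a constructed model (not Signal's code): the server issues a short-lived sender certificate, the sender places that certificate inside the encrypted payload so the envelope carries no "from" field, the server checks only the delivery token (or skips the check when the recipient has opted in to sealed messages from anyone), and the recipient verifies the certificate's signature and expiry only after decrypting. The server "signature" is an HMAC and the end-to-end layer is a SHA-256 keystream XOR; both are stand-ins for the real primitives, and all keys and phone numbers are made up.

```python
import hashlib, hmac, json, os, time
# Constructed model of the sealed-sender flow above, not Signal's code. Stand-ins: the server
# "signs" certificates with an HMAC (Signal uses a public-key signature); E2E is a SHA-256 XOR.
SERVER_KEY = os.urandom(32)  # server certificate-signing key (stand-in)

def issue_sender_certificate(phone, identity_key, ttl=86400, now=None):
    """Server issues a short-lived certificate binding phone number, public key, expiry."""
    cert = {"phone": phone, "key": identity_key.hex(), "expires": int(now or time.time()) + ttl}
    body = json.dumps(cert, sort_keys=True)
    return {"body": body, "sig": hmac.new(SERVER_KEY, body.encode(), "sha256").hexdigest()}

def delivery_token(profile_key):
    """Derived from the profile key that contacts share end to end; non-contacts cannot make it."""
    return hmac.new(profile_key, b"sealed-sender-delivery", "sha256").hexdigest()

def keystream_xor(secret, nonce, data):
    """Symmetric stand-in for the end-to-end cipher (same call encrypts and decrypts)."""
    out, block = bytearray(), 0
    while len(out) < len(data):
        out += hashlib.sha256(secret + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(d ^ k for d, k in zip(data, out))

def seal(sender_cert, shared_secret, recipient, token, text, now=None):
    """Sender side: certificate and message go inside the ciphertext; no 'from' field outside."""
    inner = json.dumps({"cert": sender_cert, "text": text}).encode()
    nonce = os.urandom(16)
    return {"to": recipient, "token": token, "sent_at": int(now or time.time()),
            "payload": nonce + keystream_xor(shared_secret, nonce, inner)}

def server_relay(envelope, registered_tokens, allow_non_contacts=False):
    """Server side: sees recipient, timestamp, token and ciphertext only; checks the token
    unless the recipient opted in to sealed messages from anyone."""
    expected = registered_tokens.get(envelope["to"], "")
    if not allow_non_contacts and not hmac.compare_digest(envelope["token"], expected):
        return None  # sender could not prove it holds the recipient's delivery token
    return envelope

def open_sealed(envelope, shared_secret, now=None):
    """Recipient side: decrypt, then verify the certificate's signature and expiry."""
    nonce, ct = envelope["payload"][:16], envelope["payload"][16:]
    inner = json.loads(keystream_xor(shared_secret, nonce, ct))
    body, sig = inner["cert"]["body"], inner["cert"]["sig"]
    if not hmac.compare_digest(sig, hmac.new(SERVER_KEY, body.encode(), "sha256").hexdigest()):
        raise ValueError("sender certificate was not issued by the server")
    cert = json.loads(body)
    if cert["expires"] < (now or time.time()):
        raise ValueError("sender certificate has expired")
    return cert["phone"], inner["text"]  # identity is learned only after decryption
```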

[...] Even under sealed sender, observers said, Signal will continue to see senders' IP addresses. That information, combined with recipient IDs and message times, means Signal continues to leave a wake of potentially sensitive metadata. Still, by removing the "from" information from the outside of Signal messages, the service is incrementally raising the bar.

    by All Your Lawn Are Belong To Us (6553) on Wednesday October 31 2018, @01:50PM (#755997) Journal

    And even if you homebuilt the whole thing, unless you've actually ground your own silicon and doped your own transistors, there's a chance that a manufacturer has been compromised in a way that, when you put components x, y, and z together, there is an engineered flaw in the technology that permits an exploit.

    It's distrust all the way down.

    --
    This sig for rent.