SoylentNews is people
SoylentNews
Submitted via IRC for Bytram
New Signal privacy feature removes sender ID from metadata
Plenty of messaging apps use strong encryption to make it next to impossible for law enforcement officers or other potential adversaries to read communications sent between parties. Often, however, unencrypted metadata—such as the sender, receiver, and time a message is sent—is all the sensitive data an adversary needs. Now, the Signal app is testing a new technique called "sealed sender" that's designed to minimize the metadata that's accessible to its servers.
A beta release announced Monday will send messages that remove most of the plain-text sender information from message headers. It's as if the Signal app was sending a traditional letter through the postal service that still included the "to" address but has left almost all of the "from" address blank.
Like most messaging services, Signal has relied on the "from" address in message headers to prevent the spoofing of user identities and to limit spam and other types of abuse on the platform. Sealed sender, which puts most user information inside the encrypted message, uses two new devices to get around this potential privacy risk:
- Senders periodically retrieve short-lived sender certificates that store the sender's phone number, public key, and expiration timestamp. The certificates are included inside the encrypted envelope, along with the message contents. Once the sender certificate is decrypted, message recipients can use it to mathematically verify the validity of the sender. But because this certificate is encrypted on the receiver's device and isn't decrypted until after it arrives on the receiver's device, Signal servers have no way of knowing who has sent the message.
- Delivery tokens derived from the sender's profile key are used to prevent abuse. Before a user can transmit a message that strips the "from" address out of the header, the user must prove she has access to the delivery token. Because Signal profiles are end-to-end encrypted, valid tokens can only be created by a person or group that's already in the receiver's contacts. In the event a sender starts sending spam or other types of abuse, the receiver can simply block that person.
Users who want to receive sealed-sender messages from non-contacts can choose an optional setting that doesn't require the sender to present a delivery token. This setting opens a user up to the possibility of increased abuse, but for journalists or others who rely on Signal to communicate with strangers, the risk may be acceptable.
[...] Even under the sealed sender, observers said, Signal will continue to map sender's IP addresses. That information, combined with recipient IDs and message times, means the Signal continues to leave a wake of potentially sensitive metadata. Still, by removing the "from" information from the outside of Signal messages, the service is incrementally raising the bar.
(Score: 2) by All Your Lawn Are Belong To Us on Wednesday October 31 2018, @01:53PM (2 children)
If I'm the NSA, then I start putting together a plan to spam hell out of Signal users. Make the service so uncomfortable to use that nobody wants to use it.
Removal of metadata = removal of trackability = increased potential for bad actors to act anonymously against the network as well. Or, as summary says, leave trails of potentially sensitive metadata that are stored *somewhere* and are thus reachable with a warrant (or warrantless these days).
This sig for rent.
(Score: 2) by ngarrang on Thursday November 01 2018, @12:58PM (1 child)
You didn't read the link, did you?
You have to be in someone's contacts list for the new sealed feature to work. Only those recipients that have specifically chosen to accept anonymous sealed senders could be spammed. I suppose the NSA could spam a bunch of journalists.
(Score: 2) by All Your Lawn Are Belong To Us on Thursday November 01 2018, @04:05PM
I certainly did. Including the part quoted in the last line of the summary above that said:
Which means Signal gets a National Security Letter [wikipedia.org] wanting track of all I.P. addresses sending messages at times X, Y, and Z and/or sent to IP blahblahblah, plus an absolute nondisclosure so it doesn't pop up on their 'requests' page.
If you're talking about the ability to spam the sevice out of business... I don't think they have to break the new metadata-less version or worry about who's enabled it or not. All they have to do is make the service inconvenient and unusable generally to make it unprofitable to operate, no matter the status of the service. AND if you don't think NSA can break Signal if it wants to..... well then you don't. Me, I'd bet on NSA if they want to launch electronic warfare on any single provider, whether that is active action or passive monitoring (or active monitoring come to that). And make it seem like they're not. Sucks, but that's what I think can happen whether it does or not. Finally, they can fight an "install this on your server" order all they want.... I'd be very surprised if the government can't compel that to happen under do-it-or-be-shut-down-or-locked-up-in-gaol-or-freeze-your-assets order.
This sig for rent.