I remember a time when visiting a website that opens a javacript dialog box asking for your name so the message “hi <name entered>” could be displayed was baulked at.

Why does signal want a phone number to register? Is there a better alternative?

  • Jason2357@lemmy.ca
    link
    fedilink
    arrow-up
    1
    ·
    2 days ago

    That a timing attack could be successful is not a given. It’s a possibility, yes, but there is very likely sufficient mixing happening to make that unrealistic or unreliable. An individual doesn’t create much traffic, and thousands are using the server constantly. Calling it a honeypot or claiming the phone number and device is are available is a stretch.

    Timing attacks can work in tor when you are lucky enough to own both the entrance and exit node for an individual because very few people will be using both, and web traffic from an individual is relatively heavy and constant to allow for correlation.

    • poVoq@slrpnk.net
      link
      fedilink
      arrow-up
      1
      ·
      2 days ago

      A timing attack is extremely realistic when you control one of the end devices which is a common scenario if a person gets arrested or their device compromised. This way you can then identify who the contacts are and with the phone number you can easily get the real name and movement patterns.

      This is like the ideal setup for law inforcement, and it is well documented that honeypot “encrypted” messengers have been set up for similar purposes before. Signal was probably not explicitly set up for that, but the FBI for sure has an internal informant that could run those timing attacts.

      • Jason2357@lemmy.ca
        link
        fedilink
        arrow-up
        1
        ·
        12 hours ago

        You are talking out of your ass. First, a timing attack requires numbers to correlate - reasonable numbers of people using a node or server and a LOT of packets going back and forth. Neither are true for a Signal server. Second, they don’t get the phone numbers if contacts are using only their username (with phone number sharing disabled). Your criticisms are over the top and not at all nuanced to the degree of protection of metadata that was built into signal. If it was as bad as you imply, a whole heck of a lot of the most respected security researchers would have to be complete idiots.

        • poVoq@slrpnk.net
          link
          fedilink
          arrow-up
          1
          ·
          3 hours ago

          Lol, confidently saying stuff you obviously have no idea about and just believing Signal’s “trust me bro” nonsense. Have fun using that honeypot.

          (Those “security researchers” you are referring to have no access to the Signal infrastructure and usually only look at the cryptographic algorithms used by Signal, which are indeed good and used by other systems as well these days).