[HN Gopher] Moxie Marlinspike has a plan to reclaim our privacy
___________________________________________________________________
Author : konz
Score : 83 points
Date : 2020-10-19 10:27 UTC (12 hours ago)
web link: www.newyorker.com
___________________________________________________________________
| 3np wrote:
| I was vouching for Signal for all my friends for years, supported them with donations, and was really rooting for them. However, I regrettably can't trust in Moxie having the best intentions with Signal anymore. Lost count of the number of times this has been recycled on HN so I'm not taking the time to formulate this extremely well but:
|
| * For the longest time, requires phone number as identifier. When asked to remove this restriction, the reply is "so we can bootstrap off the phone's native contact application". But Android and iOS contacts have natively supported e-mail addresses on contacts since forever? And those could be optional? Every time the conversation has gone this far with anyone involved in Signal, silence/ghosting.
|
| * The whole PIN requirement debacle - where further amounts of metadata would be uploaded to Signal's servers (encrypted of course, with the PIN as passphrase of the key). Suddenly the app wouldn't start and users were locked out of all their Signal conversations (even reading them) without setting a PIN, no way to circumvent it. We were told this would be a strict requirement to be able to solve the above. After a lot of backlash they rolled it back after a week or so?
|
| * Hostility towards alternative implementations.
|
| * There's an open issue on GH for verified builds. Since 2015.
|
| Signal may be good today. What about tomorrow? I think the only durable and realistic solution (because let's face it, pure P2P for the mainstream is not the latter) is federation.
|
| Anyone feeling similarly should check out matrix.org. It may not be ready for the masses yet. But if we consider how we communicate in 5, 10, 20 years from now, it becomes obvious that we can't rely on a single actor as provider, regardless of how good they are today. The only way we get there is with people like the ones frequenting HN getting involved by using it, contributing, filing bugs, hosting home servers and using the clients.
| lrvick wrote:
| These are all exact reasons I have never used Signal.
|
| Additionally, I find concerning the choice to bet the farm on SGX, which has been repeatedly broken with repeated opportunities to extract the keys, at which point cracking small numeric PINs is trivial.
|
| Moxie simply promised they always patch right away and never take the keys when they have such opportunities to do so.
|
| I do believe him, today, but I don't believe he is above being threatened or coerced tomorrow or that he won't get replaced by someone that cooperates better with state powers, as happened with VK and countless others.
|
| I also took issue with Signal having central network metadata chokepoints his DCs or ISP could do timing heuristics on even if he does not.
|
| I tried to engage with Moxie about these issues but he dismissed each as things we will mostly have to accept because he feels it is not possible to create and rapidly improve a privacy focused communication tool for the masses that isn't produced and controlled by a single large company.
|
| Moxie is brilliant, and his contributions to cryptography and bringing education on privacy and end-to-end encryption to millions can't be overstated.
|
| The problem is Moxie and Signal are struggling to engineer best efforts under an assumption they treat like a law of nature: No end-to-end encrypted messaging platform can succeed without complete centralization.
|
| I operate under a different assumption: No centralized platform will ever escape censorship and control by the government it operates under.
|
| Moxie has said before he is happy to be proven wrong.
|
| I hope as Matrix and others continue to prove him wrong with his own cryptography research that he comes around and rejoins the fight for a decentralized internet with irrevocable privacy.
| tptacek wrote:
| You can't coherently be alarmed by Signal's use of SGX while at the same time endorsing systems that use no cryptography whatsoever to protect the metadata Signal uses SGX for.
| nullc wrote:
| > You can't coherently be alarmed by Signal's use of SGX while at the same time endorsing systems that use no cryptography whatsoever to protect the metadata Signal uses SGX for.
|
| You can be: It isn't difficult to argue that Signal overstates the security properties of their solution.
|
| It's not an incoherent position to say that it's more important to be conservative (or at least accurate) about the claimed properties than it is to provide epsilon more security.
|
| If it were the case that Signal claimed that this metadata had no privacy towards them (and the hosts running their systems), but when you dig into the protocol or detailed tech docs you find that they're using SGX to minimize risk -- then I think there would be nothing to fault about the addition of SGX. In that case it would be purely additive security.
| saagarjha wrote:
| I'm not sure that that's the only conclusion you can draw. Some systems choose to not handle that metadata, which often makes them a worse service, but they make that choice by looking at the landscape and choosing to not use SGX. The other plausible argument is that Signal uses SGX, which is better than nothing, but in selling it as more secure than it is they do more harm than good.
| JshWright wrote:
| Some people choose not to turn their servers on at all. It makes for a worse server, but it's very secure.
|
| Security is always about tradeoffs and compromises. A system that is very, very good, but not perfect and widely used is far preferable to a system that is perfect but used by no one.
| saagarjha wrote:
| Right, but in this case the choice is "should I be able to discover contacts" and some people just don't desire that feature enough.
| cwyers wrote:
| Who, though? Matrix has contact discovery, doesn't it?
| akerl_ wrote:
| What's an example of a system in this space which chooses not to handle that metadata?
| Groxx wrote:
| I don't need a phone number, nor do I need to upload my contacts' phone numbers[1], in order to use Matrix.
|
| [1]: I work around this by running Signal in a work profile with no contacts. So it's... kinda sorta optional, but in practice there are _many_ caveats and complications that make it effectively not. Certainly not when we're claiming it for average users, which is Signal's argument for using it.
| akerl_ wrote:
| I'm not a Matrix user, but it seems like Matrix does in fact handle contact metadata: https://matrix.org/faq/#what-is-an-identity-server%3F
|
| I think there's a difference between what you're saying, which seems to be that you personally don't upload your contact metadata to Matrix, and what I asked / the previous commenter was describing, which is the idea that there are messaging platforms which have decided to not support storing this kind of metadata.
|
| Notably, last I looked, Signal does allow users to opt out of SGX metadata storage, though the initial implementation didn't cleanly allow for that.
| lrvick wrote:
| Matrix lets people host their own servers and in doing so put the metadata anywhere they are comfortable.
|
| One can have metadata for sensitive internal corporate channels stay on a network they own in whatever country they want while still being able to chat with outside parties on matrix.org or other servers. Several friends host their own servers, and more recently Matrix P2P is rapidly maturing to dump the need for servers at all for many use cases.
|
| Federated systems allow people like me to choose to host a server for my own family in my own home closet rack so data shared between my family and me never leaves our network.
|
| Still others can host Matrix as a Tor hidden service where it will be very expensive to even learn who to target.
|
| If all participants are using Tor and not using identifying information like a phone number, then bulk deanonymization becomes very expensive, particularly if many small highly targeted social circles roll their own.
|
| Signal does not give users a choice but to trust one SPOF setup built under a one-size-fits-all threat model that flows all IP metadata to one place which can leak information regardless of any encryption.
|
| Put simply, you can either choose Signal and put all your metadata in one place with one US-based party that promises to use known bad hardware enclaves to protect it, or you can choose to carve off your sensitive communications to dedicated servers with whatever accountability structures make sense for your threat model.
|
| I don't want a world where one central party holds all communications metadata in one place under one legal jurisdiction with one proprietary memory isolation technology.
|
| Moxie here likes to point out that email demonstrates all the things that can go wrong with federated systems, but if the alternative is letting a single party everyone trusted at one point in the past take over a whole class of communication long term, we would all still be using AOL.
|
| Internet messaging will outlive us all, and if we advocate everyone lock up their communications with one (even benevolent) dictator, it won't end well when the next dictator is not so benevolent.
|
| See: pretty much every social network in China and Russia that is now under state control in spite of early promises of privacy by founders.
| bawolff wrote:
| There is a reason why Signal is relatively mainstream successful (by crypto product standards) and PGP wasn't. It's because it's willing to make tradeoffs in the name of usability (while still emphasizing security).
|
| A secure messenger product nobody uses helps nobody's security.
| nullc wrote:
| Many of the security design flaws in Signal have had little to no direct impact on usability.
|
| For example, for years we asked for a simple mechanism which could be used to view a user's key and mark it as identified, to prevent MITM -- even one buried in a menu for advanced users (who could at least act as canaries against widespread interception). Not only was the request turned down but usually responded to with vigorous personal attacks against the requesters.
|
| Subsequently, once a fingerprint validation method was added it was gratuitously bound to be pairwise, making it largely unusable -- e.g. post a PGP-signed Signal fingerprint that any of your contacts could use to transfer trust from an existing key. Requests for a non-pairwise version, even as just some advanced thing that grandma never sees... again, hostility.
|
| The constant logic-bombed auto-expiring software that makes Signal effectively open-source-in-name-only. Etc.
|
| I think Signal is fine as an insecure messenger: Unencrypted communications protocols should have no place on the internet today. But to advance it as a _security tool_ almost certainly puts people's lives and freedom at risk.
|
| Common usage of Signal has zero security against MITM: users aren't effectively notified that the contact's keys have changed -- and given how often users lose/wipe phones perhaps that's really the best that can be done for normie-friendly software.
|
| If that's how it is, that's how it is. Some resistance against passive monitoring is still a critical upgrade. But don't call it secure: if you do, people will do and say things using it that they wouldn't otherwise.
| hackerfromthefu wrote:
| Can the downvoters please respond to the post with the reasons why they are downvoting?
| nullc wrote:
| I assume it's a defensible question of priorities.
|
| In spite of the many issues to complain about Signal, it's still a lot better than what $random_person would likely use otherwise.
|
| Do we do the most good for the world by under-representing Signal's weaknesses and overstating its security in order to maximize the people using it over choices that are worse and cheerlead its development, or do we do the most good by trying to be frank and being critical of its limitations (at least some of which are pretty nitpicky), potentially at the expense of the discussion causing people to continue using clearly worse alternatives?
|
| Personally I answer this conflict like this: Outside of a techy venue I don't go into any details about Signal's limitations -- I tell people they should use it, but don't assume it keeps them private from governments, Google, or other powerful parties.
| schoolornot wrote:
| I have some concerns around the Signal Foundation:
|
| The initial $50M in funding was a loan, not a donation, from Brian Acton to the new nonprofit Signal Technology Foundation. By the end of 2018, the loan had increased to $105,000,400, which is due to be repaid on February 28, 2068. The loan is unsecured and at 0% interest.[5]
|
| The Foundation is completely controlled by Brian Acton, who is the sole "member" of the nonprofit, with the right to appoint or remove every member of the Board of Directors. The Board consists of Acton and Marlinspike. Acton is also the President.[5]
| sk2020 wrote:
| Is there a reason to suspect Brian Acton's motives? I'm always skeptical of celebrity-hackers, but I don't know why I should be worried about Acton in particular.
| cwyers wrote:
| Why is it, whenever Signal is brought up on Hacker News, we get inundated with the people who object to the core decisions of the Signal Project? Would Signal really be better if, instead of having a secure messenger available to the masses, it spent massive amounts of time implementing the things these people want? No. I would be comfortable recommending Signal (or WhatsApp) to a nontechnical friend and communicating with them on it, with the expectation of a certain level of privacy. I spend a lot of time on Hacker News and consider myself a very technical person, and I'm not sure I trust myself to use Matrix in a forward-secure way where it's at right now. If everybody spent the time they spent complaining about Signal working on getting Matrix or whatever to a point where it was usable... well, frankly I don't think it'd be much better off than it is right now, but it seems more likely to bring about results to me than endlessly lobbying to have Moxie do _the thing he thinks cannot be freaking done right_. Right now, Signal exists and can be used securely (given certain common threat profiles) by the typical smartphone user. I'm really tired of people comparing the security that Signal offers to the security of imagined hypothetical messengers.
| dingaling wrote:
| Signal only has any userbase _due_ to advocacy; compared to the secure-enough-for-most WhatsApp which has literally billions of users and is the default choice, every user of Signal had to be convinced to install it.
|
| So I think it's unfair to bash people who criticise the project. The 'drag' they apply to wider adoption is still minuscule.
|
| Put it this way: why does Signal exist when WhatsApp is good enough? Wouldn't Mr Rosenfeld be better putting all that effort and ingenuity into a truly innovative new messenger?
| cwyers wrote:
| WhatsApp... uses the Signal Protocol. I don't understand this line of thinking at all.
| AnthonyMouse wrote:
| > why does Signal exist when WhatsApp is good enough?
|
| WhatsApp sends all your contacts to Facebook instead of the Signal Foundation, and unlike Signal, doesn't use SGX to keep Facebook from knowing what they are.
| nickff wrote:
| A great deal of human communication is dedicated to signalling high rank/superiority, or demonstrating familiarity/intimacy.[1] In the case of HN, very few people know much about Moxie, so the only useful signal they can convey is expertise. Many people come here because of their technical or product development background/interests, and the way they show expertise is by second-guessing technical, user interface, and other issues.
|
| As a result of this combination of constraint and desire, we get a bunch of comments where HNers talk about how they'd make Signal (as well as every other product) better/more useful.
|
| [1] From Deborah Tannen's works
| cwyers wrote:
| Huh. I did not expect a serious and insightful answer to my entirely rhetorical question. Thank you!
| saagarjha wrote:
| I think this is an uncharitable view, and while it might be true in some cases it is certainly not always the case. Many times the people who point out issues with Signal do it not because they think they want to show off, but because they honestly are frustrated that no product seems to meet their needs and Signal has specific issues that matter to them. I honestly believe "Signal is stupid for relying on phone numbers and SGX" is really just "I don't trust these things, they have a track history of having issues, I would really like to use this service and am sad that you chose to do this". Hacker News is often not very good at conveying what it is trying to say, but I remain optimistic that it's more than an intellect-measuring contest.
| est31 wrote:
| I remember the outrage quite well when Facebook started spamming ads to the phone numbers of people who were forced to give Facebook phone numbers for "security" purposes and were promised to never be shown ads on those numbers. Or when Jack Dorsey's Twitter account was hacked because of SMS 2FA.
|
| Last, phone numbers are general identifiers used in the search boxes of various data collection tools. Maybe you can search by the Threema ID as well, but that requires the tool to be a tiny bit more sophisticated, and that means the people who like to invade privacy are a bit more frustrated.
|
| That isn't "smartness signalling" or whatever, that's a real concern.
| eeZah7Ux wrote:
| > signalling high rank/superiority
|
| Please leave this social darwinism propaganda out of HN.
| stefantalpalaru wrote:
| This guy was very active during a weird campaign to bury information detrimental to WhatsApp that would have affected a US operation in Turkey (the one meant to replace Erdogan with Gulen - a friendlier theocrat).
|
| https://www.cyberscoop.com/whatsapp-backdoor-guardian-open-l...
|
| http://technosociology.org/?page_id=1687
| olah_1 wrote:
| Signal's recent (not even yet out for many) implementation of mention-only notifications has reinvigorated my investment in them.
|
| I am a bit more confident now that usernames will eventually come.
|
| But the fact that it's so slow to change is quite ironic, considering that the whole point is "the ecosystem is moving". Well apparently it moves like molasses.
| StavrosK wrote:
| What are mention-only notifications?
| neonate wrote:
| https://archive.is/nARhl
| maxerickson wrote:
| Could Signal use phone number pairs to robustly implement a "make me visible to" discovery method?
|
| It could certainly implement contact matching based on number pairs instead of just numbers, but I haven't reasoned through whether it could robustly (and efficiently, I suppose) keep other parties from enumerating the number pairs.
| bilal4hmed wrote:
| Other than Matrix, what are some other alternatives or upcomers in the messaging field I should try?
|
| Matrix still has a high burden of me setting up my own server and maintaining it. Until their P2P solution is released, they have their own metadata problem.
| olah_1 wrote:
| These are all worth keeping tabs on.
|
| Ethereum: https://status.im/
|
| Loki: https://getsession.org/
|
| Gun: https://iris.to/
|
| IPFS: https://berty.tech/
| est31 wrote:
| In addition to what the siblings said, Threema. Doesn't require phone numbers, is end-to-end encrypted like Signal.
|
| https://threema.ch/
|
| Also they announced that they will open source their client.
| elevation wrote:
| It's frustrating to see Signal's reputation undermined in technical circles by the shortsighted zeitgeist.
|
| Signal's constitutional emphasis on usability supports user demographics that no other security product can attract. My elderly relatives use Signal now instead of Skype. This drew in other family members who just wanted to video chat with grandma and grandpa. Matrix will never win markets like this.
|
| When tech nerds nitpick Signal's implementation, they ignore that the unfederated nature of Signal limits the damage these decisions can cause. Thanks to Signal's security posture, global protection from weak ciphers, buffer overflows, and even SGX, is just one software update away. This even protects you from faults in your contact's clients! Like the key agility that makes the Axolotl Ratchet so superior to GPG, update agility makes Signal infinitely superior to every existing or proposed federated network.
|
| The Signal group has an uncompromising commitment to user privacy and a poignant security philosophy. Signal has no competition in its usability class, making hypothetical protections from other products worse than useless for user cohorts who will probably switch back to Skype or SMS. Signal's detractors do a terrible disservice to the people they dissuade from using it.
| ryukafalz wrote:
| > When tech nerds nitpick Signal's implementation, they ignore that the unfederated nature of Signal limits the damage these decisions can cause.
|
| It limits the damage that some decisions can cause, but exacerbates others. Signal only allows the first-party client to connect to its network; if the developers were legally compelled to add a backdoor into that client, users would have few options.
|
| Its security depends on a single company being perpetually trustworthy, free of influence, and supported. Having used many chat platforms that have been shut down/acquired/etc in the past, that's not a bet I'm willing to take.
|
| I'd also contest the idea that Matrix can never have a client as usable as Signal, but I'll agree that there isn't one yet.
| StavrosK wrote:
| Compile your own client binary and use that?
| novok wrote:
| Signal is OSS and you can start your own fork & network if you want to.
|
| App publishing platforms not having a good binary signature verification system is the orthogonal issue that you're bringing up, that would in many ways apply to Matrix for most users too. Most will never bother to sideload it.
| p1necone wrote:
| > Signal is OSS and you can start your own fork & network if you want to.
|
| You can't though, what use is your own fork when nobody uses it?
| upofadown wrote:
| > Like the key agility that makes the Axolotl Ratchet so superior to GPG,
|
| I am not sure how you can usefully compare a thing originally intended to secure email to a thing intended to secure IM.
|
| The ratchet only provides forward secrecy anyway. My take on that is that it is a pointless thing for something like email and pointless in practice for most IM applications. Most IM users keep their old messages and practically all email users keep their old messages...
|
| There is nothing particularly wrong with Signal. Some of the criticism might be a reaction to the constant promotion of it over all other things, even when (as in this case) the things are fundamentally different.
| nullc wrote:
| > update agility makes Signal infinitely superior to every existing or proposed federated network.
|
| Translation: Signal's ability to forcefully change the software and protocol out for users without any consent (much less informed consent) renders it functionally immune to any criticism or review because any aspect of the protocol could be changed ('improved') at a moment's notice.
|
| I think Signal is a fine insecure messenger. If you mistake it for a cryptographic security product you are making a significant mistake. The fact that it uses cryptographic techniques internally just means that it isn't grossly incompetently constructed, but that doesn't make it achieve any particularly strong notion of security against any particular attack model.
|
| I strongly recommend people use it (at least on devices which are already compromised by mystery meat binary updates that could be remotely backdoored at any time)... just don't think it's going to provide you with substantial security against active attackers (much less state level attackers or from Signal themselves).
| na85 wrote:
| > Translation: Signal's ability to forcefully change the software and protocol out for users without any consent (much less informed consent) renders it functionally immune to any criticism or review because any aspect of the protocol could be changed ('improved') at a moment's notice.
|
| What percentage of users, globally, do you suppose are qualified to make informed consent on arbitrary patches to $secure_messenger of your choosing?
| nullc wrote:
| Informed consent for a drug doesn't mean that you personally understand molecular biology. It usually means that you've received and understand factual information about the tradeoffs from hopefully neutral parties who are acting in your best interest and can weigh those considerations based on your own priorities and preferences. And that you can make the choice you make free of coercion, or otherwise it isn't consent at all.
|
| Signal's software management practices make the system largely opaque even to experts, and what review does happen comes at a significant lag. This is evidenced by the substantial number of times that Signal has had to back-pedal on a change after substantial backlash. Even where it isn't opaque, there is no consent: the software stops running if you don't accept all changes, and seldom are changes introduced as optional features (default-on or otherwise).
| walrus01 wrote:
| My primary concern about Signal and usability is the insistence on using phone numbers to identify a person as a user ID.
|
| Anything that relies on SS7/PSTN working correctly is a very bad design choice in my opinion.
|
| Giving out your phone number to possibly untrusted contacts is also a bad decision because it opens up opportunities for scams, spam and social-engineering attempted hijacks of accounts (SIM swap attacks etc).
| fidelramos wrote:
| Signal is moving to allow users to register without a phone number. The infamous PIN was a necessary step to achieve that and other features, such as proper group management, which has just been released.
___________________________________________________________________
(page generated 2020-10-19 23:00 UTC)