Email or username:

Password:

Forgot your password?
All posts Meredith's posts Post Back to profile
Top-level
Meredith Whittaker

@cholling @scatty_hannah @echo_pbreyer No, the app does not read your contacts. See: signal.org/blog/private-contac

3 June at 12:55 | Open on mastodon.world
3 comments | Expand all CWs
cholling

@Mer__edith @scatty_hannah @echo_pbreyer The app still has to have access to my contacts in order to generate the hashes. The *server* may not be able to read my contacts, but the *app* absolutely can. Otherwise there's no way it would be able to show me a list of my contacts that are on Signal.

3 June at 13:10 | Open on social.sdf.org
Hannah

@Mer__edith @cholling @echo_pbreyer the linked text does say: "Clients transmit the encrypted identifiers from their address book to the enclave."

That would imply the *app* does need to read contacts.

Signal, *the company* and/or server operator will not be able to get access to those, though - as long as SGX is not broken.

Also a SGX breakage would not leak *previously* submitted identifiers, except when an attacker did know of a way to attack SGX before it gets known by the general public.

3 June at 13:12 | Open on queer.party
Hannah

@Mer__edith @cholling

Don't get me wrong, I think the approach Signal takes is very reasonable and probably a reason for its success.

It is good practical/*usable* security and users who need more privacy will face a lot of hurdles in operational security most of their communication partners probably won't take on - so it usually becomes a moot point.

Large adoption base is the biggest privacy preserving factor - and Signal is doing good there *because* of its tradeoffs.

Everyone of our communication partners who do have our phone number and still use WhatsApp, etc. will give a part of our social graph to those companies, no matter how good *our* operational security is.

@Mer__edith @cholling

Don't get me wrong, I think the approach Signal takes is very reasonable and probably a reason for its success.

It is good practical/*usable* security and users who need more privacy will face a lot of hurdles in operational security most of their communication partners probably won't take on - so it usually becomes a moot point.

3 June at 13:40 | Open on queer.party
Go Up