Right now there are a lot of new eyes on Signal, and not all of them are familiar with secure messaging and its nuances. Which means there’s misinfo flying around that might drive people away from Signal and private communications. 1/

One piece of misinfo we need to address is the claim that there are ‘vulnerabilities’ in Signal. This isn’t accurate. Reporting on a Pentagon advisory memo appears to be at the heart of the misunderstanding: npr.org/2025/03/25/nx-s1-53398. The memo used the term ‘vulnerability’ in relation to Signal—but it had nothing to do with Signal’s core tech. It was warning against phishing scams targeting Signal users. 2/

Phishing isn’t new, and it’s not a flaw in our encryption or any of Signal’s underlying technology. Phishing attacks are a constant threat for popular apps and websites. 3/

In order to help protect people from falling victim to sophisticated phishing attacks, Signal introduced new user flows and in-app warnings. This work has been completed for some time and is unrelated to any current events. If you’re interested in learning more, this WIRED article from February 19th (over a month ago) goes into more detail:
wired.com/story/russia-signal- 4/

WIRED · A Signal Update Fends Off a Phishing Technique Used in Russian Espionage, by Andy Greenberg

@signalapp
The technical level of security of Signal is irrelevant. Even using its vulnerability as an argument against it for secure government communications is merely a red herring, since the main issue is not the security breach, but the Trump administration skirting government accountability and effectively creating an unaccountable shadow government outside the normal intelligence community.

@Threadbane @signalapp exactly, the security of a tool is only as strong as its connections. It takes only ONE idiot to screw up the security of ANYTHING.

@JamesTDG @Threadbane @signalapp “signal, the choice of the next nazi generation”… 🤣 So much fucking around the world and the US ended fucking herself. I pity the level of both: electors and elected, dems and reps. It’s long since your democracy died, you are just realizing it now.

@pomubieng @JamesTDG @Threadbane @signalapp they were also concerned about the end points (personal cell phones) being vulnerable.

For example, shoulder surfing of the guy on a plane in Russia. Compare that to using a secure facility.

@Threadbane @signalapp yep, and accidentally invite a journalist. Which wouldn’t have happened if a tool designed for secure military communications had been used. There would be no journalist to add, because he wouldn’t have the security clearance. And most probably there would be an approval workflow (e.g. 4-eyes principle) if someone is being added to a high-security communication.

@disco3000

@Threadbane @signalapp

And that's why you do not want shadow-IT in your company (not sure if it was in this case, but looks like a pretty good example for me).

Still, trusting Signal's encryption itself is a good decision.

@dexternemrod@troet.cafe @disco3000@climatejustice.social @Threadbane@newsie.social @signalapp@mastodon.world Trusting Signal's encryption was actually a bad decision here, as it was too good - messages on these topics are expected to become public record after some time, and Signal definitely isn't designed for that, but the exact opposite - it's designed to prevent centralized recording of messages.

@divVerent

@disco3000 @signalapp @Threadbane

I get your point and agree on a level that impacts the society and regulation. From a technical standpoint, I still think it was a good decision (the crypto works).

@divVerent @dexternemrod @disco3000 @signalapp @Threadbane

Signal was used as messages can be deleted .... Which in itself is illegal...

So many things wrong on so many levels

But onward to the next demonstration of incompetence.

@disco3000 @Threadbane @signalapp that tool would also be created with federal and presidential records acts in mind. Add those to the felony charges for transmission of national defense information, and every official involved should go to jail for several years.

@enno @Threadbane @signalapp we all agree to that. But I guess we also agree, that convicted multiple felon Trump should also wear orange and sit in a federal prison. So I guess those GOPs are currently „above the law“ at least as it currently seems. 🫤

@Threadbane @signalapp I think the technical level of security in Signal is relevant to the people using Signal for non-classified conversations which seems to be who they're addressing here.

@Threadbane
Military comms are designed to only allow personnel that are pre-vetted. You can't accidentally invite an outsider. The hardware is also secure.

These people have security comms people that travel with them to set up access to secure comms.

The other thing is Signal is not allowed on official phones and can't be downloaded.

This was on personal mobiles, which are insecure and likely targeted and compromised by foreign intelligence.

It doesn't matter the encryption if Russia has a keylogger and screen capture software installed on the phone.

One of the party had just gone through Russian customs and would have had to hand their phone over and likely had software put on their phone.

China has also been in the US mobile system. So another way to put software on their phones.

Authoritarian countries have routinely used spyware to surveil journalists, lawyers, political dissidents, and human rights activists.
en.m.wikipedia.org/wiki/Pegasu

This is not the fault of Signal, but the underlying operating system of the phone. Particularly when up against adversaries with State level resources to target individuals.

@signalapp

en.m.wikipedia.org · Pegasus (spyware) - Wikipedia

@signalapp Can't listen to audio right now, and Gemini can't find any articles that explain "user flows" and "warnings" in this context. Looking forward to tech blog posts. 🖖😊

@fallbackerik @signalapp a user flow is just a string of interfaces you have to interact with. think of buying something in an online store, you go through the store page, your shopping cart, checkout, processing and then order confirmation. that's a user flow.
how signal implements those and warnings is beyond me, we're still on sms for phishing attacks

@signalapp Yeah, can't really call "idiot added Jeff Goldberg to the group chat because he confused him for Jeff Goldblum" a sophisticated phishing attack

@signalapp I am joking. Although... The best jokes carry a kernel of truth.

@signalapp This is an example of how Signal should improve its vulnerability disclosure.

cf. the OWASP guide: cheatsheetseries.owasp.org/che

Even if this is a UX improvement here, there should be a place summarizing the identified problem and its impact, the vulnerable versions, the patched versions, the patch, etc.

Well-made vulnerability disclosure improves confidence in the software because it shows maturity on the matter. It also avoids opportunistic attackers looking at the git log to identify and exploit bugs with fixes that aren't released yet.

cheatsheetseries.owasp.org · Vulnerability Disclosure - OWASP Cheat Sheet Series

@signalapp This Wired article is paywalled. Care to provide an archived copy, or write your own explainer?

@signalapp How did those phishing attacks work?