
Signal

Right now there are a lot of new eyes on Signal, and not all of them are familiar with secure messaging and its nuances. Which means there’s misinfo flying around that might drive people away from Signal and private communications. 1/

One piece of misinfo we need to address is the claim that there are ‘vulnerabilities’ in Signal. This isn’t accurate. Reporting on a Pentagon advisory memo appears to be at the heart of the misunderstanding: npr.org/2025/03/25/nx-s1-53398. The memo used the term ‘vulnerability’ in relation to Signal—but it had nothing to do with Signal’s core tech. It was warning against phishing scams targeting Signal users. 2/

Phishing isn’t new, and it’s not a flaw in our encryption or any of Signal’s underlying technology. Phishing attacks are a constant threat for popular apps and websites. 3/

In order to help protect people from falling victim to sophisticated phishing attacks, Signal introduced new user flows and in-app warnings. This work has been completed for some time and is unrelated to any current events. If you’re interested in learning more, this WIRED article from February 19th (over a month ago) goes into more detail:
wired.com/story/russia-signal- 4/

WIRED · A Signal Update Fends Off a Phishing Technique Used in Russian Espionage, by Andy Greenberg

@signalapp
The technical level of security of Signal is irrelevant. Even using its vulnerability as an argument against it for secure government communications is merely a red herring, since the main issue is not the security breach, but the Trump administration skirting government accountability and effectively creating an unaccountable shadow government outside the normal intelligence community.

@Threadbane @signalapp exactly, the security of a tool is only as strong as its connections. It takes only ONE idiot to screw up the security of ANYTHING.

@JamesTDG @Threadbane @signalapp “signal, the choice of the next nazi generation”… 🤣 So much fucking around the world and the US ended fucking herself. I pity the level of both: electors and elected, dems and reps. It’s long since your democracy died, you are just realizing it now.

@pomubieng @JamesTDG @Threadbane @signalapp they were also concerned about the end points (personal cell phones) being vulnerable.

For example, shoulder surfing of the guy on a plane in Russia. Compare that to using a secure facility

@Threadbane @signalapp yep, and accidentally invite a journalist. Which wouldn’t have happened if a tool designed for secure military communications had been used. There would be no journalist to add, because he wouldn’t have the security clearance. And most probably there would be an approval workflow (e.g. 4-eyes principle) if someone is being added to a high security communication.

@disco3000

@Threadbane @signalapp

And that's why you do not want shadow-IT in your company (not sure if it was in this case, but looks like a pretty good example for me).

Still, trusting Signal's encryption itself is a good decision.

@dexternemrod@troet.cafe @disco3000@climatejustice.social @Threadbane@newsie.social @signalapp@mastodon.world Trusting Signal's encryption was actually a bad decision here, as it was too good - messages on these topics are expected to become public record after some time, and Signal definitely isn't designed for that, but the exact opposite - it's designed to prevent centralized recording of messages.

@divVerent

@disco3000 @signalapp @Threadbane

I get your point and agree on a level that impacts the society and regulation. From a technical standpoint, I still think it was a good decision (the crypto works).

@divVerent @dexternemrod @disco3000 @signalapp @Threadbane

Signal was used as messages can be deleted .... Which in itself is illegal...

So many things wrong on so many levels

But onward to the next demonstration of incompetence

@disco3000 @Threadbane @signalapp that tool would also be created with federal and presidential records acts in mind. Add those to the felony charges for transmission of national defense information, and every official involved should go to jail for several years.

@enno @Threadbane @signalapp we all agree to that. But I guess we also agree, that convicted multiple felon Trump should also wear orange and sit in a federal prison. So I guess those GOPs are currently „above the law“ at least as it currently seems. 🫤

@Threadbane @signalapp I think the technical level of security in Signal is relevant to the people using Signal for non-classified conversations which seems to be who they're addressing here.

@Threadbane
Military comms are designed to only allow personnel that are pre-vetted. You can't accidentally invite an outsider. The hardware is also secure.

These people have security comms people that travel with them to set up access to secure comms.

The other thing is Signal is not allowed on official phones and can't be downloaded.

This was on personal mobiles, which are insecure and likely targeted and compromised by foreign intelligence.

The encryption doesn't matter if Russia has a keylogger and screen capture software installed on the phone.

One of the party had just gone through Russian customs and would have had to hand their phone over and likely had software put on their phone.

China has also been in the US mobile system. So another way to put software on their phones.

Authoritarian countries routinely use spyware to surveil journalists, lawyers, political dissidents, and human rights activists
en.m.wikipedia.org/wiki/Pegasu

This is not the fault of Signal, but the underlying operating system of the phone. Particularly when up against adversaries with State level resources to target individuals.

@signalapp

en.m.wikipedia.org · Pegasus (spyware) - Wikipedia

@signalapp Can't listen to audio right now, and Gemini can't find any articles that explain "user flows" and "warnings" in this context. Looking forward to tech blog posts. 🖖😊

@fallbackerik @signalapp a user flow is just a string of interfaces you have to interact with. think of buying something in an online store, you go through the store page, your shopping cart, checkout, processing and then order confirmation. that's a user flow.
how signal implements those and warnings is beyond me, we're still on sms for phishing attacks

@signalapp Yeah, can't really call "idiot added Jeff Goldberg to the group chat because he confused him for Jeff Goldblum" a sophisticated phishing attack

@signalapp I am joking. Although... The best jokes carry a kernel of truth.

@signalapp This is an example of how Signal should improve its vulnerability disclosure.

cf. the OWASP guide: cheatsheetseries.owasp.org/che

Even if this is a UX improvement here, there should be a place summarizing the identified problem and its impact, the vulnerable versions, the patched versions, the patch, etc.

Well-made vulnerability disclosure improves confidence in the software because it shows maturity on the matter. It also avoids opportunistic attackers looking at the git log to identify and exploit bugs with fixes that aren't released yet

cheatsheetseries.owasp.org · Vulnerability Disclosure - OWASP Cheat Sheet Series

@signalapp This Wired article is paywalled. Care to provide an archived copy, or write your own explainer?

@signalapp I worked against phishing attempts…20+ years ago…definitely not new!

@signalapp If someone in the conversation shares that conversation... that's outside of the app's control.

Just like anything else. If there is physical access to the thing, it is not secure.

@singletona @signalapp

First day in security:

(1) Something you are.

(2) Something you have.

(3) Something you know.

#Signal doesn't have all three

@signalapp Thanks for the explanation!

@signalapp it isn’t surprising that NPR would get it wrong.

@byuck @signalapp

In what way did the NPR article get it wrong? They reported on a government memo suggesting vulnerability, but also contacted Signal to get the actual truth.

@byuck @signalapp

It also kind of misses the point that they are using Signal to avoid FOIA stuff.

That doesn't "miss the point", it simply was not the point of the post.

@AudraTran

Regarding NPR's focus on their reporting.

@keithnator3000 @byuck @signalapp Nope. Classified material isn't available using that. They intended to avoid complying with the Government Records Act, which would ensure an archival record.

@keithnator3000 @byuck @signalapp The relevant acts are the Espionage Act and the Government Records Act, not the Freedom of Information Act. First two violated and 3rd not relevant.

@samueljohnson

@byuck @signalapp

If it's not archived it can't be FOIA'd later when classification changes. Or even investigated internally. Try and be aware so you don't talk past people.

@keithnator3000 There is a hierarchy and sequence of applicability. There is no guarantee of FOIA ever applying even if other laws weren't broken.

@byuck @signalapp
What about the article did you feel was wrong?

@signalapp someone needs to explain that public servants should not be using encryption to evade retroactive scrutiny... the US President's + aide's devices should be backed up continuously and the device's keys time-unlocked every 4 years.

@signalapp The official vulnerability is CVE-2025-ID10T : There is no security that can safeguard against human stupidity. #signal #signalgate

@signalapp I wouldn't worry about that too much. By now it must be abundantly clear to everyone interested in securing their comms, that US national security institutes should no longer be considered a reliable source for infosec threat information in any way. Like everything else he touches, they are now a Trump weapon.

@signalapp

it was a PEBCAK error
Problem Exists Between Chair And Keyboard

@h3artbl33d :openbsd: :ve:

what alleged vuln remains unfixed? elaborate your remark and provide sources of proof. cheers

@atws

PEBCAK. The oldest vulnerability is the human factor. Duh.

@signalapp The biggest complaint I'm seeing is that Signal doesn't store conversations on its servers, so there's no way to recover them for transparency purposes. So is this true? Can chats, for example, from a Republican "National Security Team" who "accidentally added" a reporter to their chat be recovered for the Freedom of Information Act, or are those chats just gone forever? That’s why people are calling Signal an unsecured messaging app. Because officials are using it to bypass our laws.

@evrenozara @signalapp

That is accurate but unsecured is probably not the right adjective to describe that.

Noncompliant would be better because it's not compliant with the requirements for government messaging but also has never claimed to be.

@evrenozara

Messages in Signal are E2E encrypted. Even if they were stored, Signal would not be able to release them in any useful form.

@signalapp

@evrenozara @signalapp Either encryption works or it doesn't. Having a robust encrypted messenger has benefits in that it preserves the user's privacy. It also has potential for misuse, but that's a small price to pay for freedom of thought, expression, speech. The world is a big place too. There are other countries experiencing oppression where activists use Signal to exercise their rights of organisation and protest.

@evrenozara @signalapp the Signal foundation is really pushing the envelope, pushing for a world which is free from censorship and surveillance. We should not be looking at Signal, but rather the US administration's corruption. Just my two cents as a long time Signal user :) P.S. get on there and get all your friends and family who you can to join!