
Technology Preview: Signal Private Group System - stablemap
https://signal.org/blog/signal-private-group-system/
======
tptacek
Again, in the theme of "features every group messaging system had already, but
Signal didn't, because they hadn't figured out a way to implement it without
turning Signal's central servers into a database of who's talking to who about
what". Signal didn't even have _user profiles_ until recently, for the same
reason. Here, they've slightly expanded the state of the art in MAC-based
anonymous credentials to accomplish their goal.

One interesting aspect of this is that Signal gets to do this, because they
have immense goodwill with the cryptographic research and engineering
communities; though it's no guarantee of soundness, they have the advantage of
having the feature designed, implemented, and ultimately reviewed by
cryptography engineers that aren't generally/economically available to other
messaging projects.

This is either a reason you _love_ Signal (raises hand) or _can't stand_
Signal. My take is, if you're in the latter group, that's fine; I use Slack,
too.

~~~
JoshTriplett
Honestly, the one and only feature I'm missing in Signal that would let me use
it and recommend it to everyone without reservations (rather than exclusively
for ephemeral-only communication) is the ability to keep identity and full
message history when moving to a new device.

Today, on iOS, you _can't_ move your Signal history to a new device, and on
Android you can only do so by manually making an encrypted backup file and
writing down a 30-digit passcode, completely separate from the normal Android
process of moving to a new device.

People keep long histories of messages, going back a decade, containing
pictures and memories that aren't stored anywhere else. Message history is
valuable data.

This doesn't seem like a "new cryptographic research" problem, this seems like
a "well-established crypto (encrypted files) plus integration with standard
device backup/migration" problem.

I really like Signal, I think they're doing things very well, and I wish I
could use it without being constantly at risk of data loss. And this doesn't
seem like an uncommon request, from what I've found.

Is there something I'm missing that makes this a _hard_ problem? Or is it just
a problem that nobody has prioritized?

~~~
mderazon
I'm actually going in the other direction with Signal.

I turned on a timer (1 week) for all of my conversations.

Nothing stays more than a week and I do not keep any backup.

It's not for security or privacy reasons. I feel like I don't need a full
history of all my conversations with everyone from the beginning of time.

This fits more with the real-life model of having a conversation with someone. I
don't record my conversations with people, so why do I need to do it in chat
apps?

My Whatsapp is the same. Don't need all the massive amount of chat history...

~~~
JoshTriplett
Interesting that that model works for you, but that doesn't mean it works for
everyone.

Persistent history that lasts many times longer than the lifetime of any one
device is a required feature to fully replace chat apps that have such
history.

~~~
benhurmarcel
Whatsapp doesn't have that feature when you switch between iOS and Android
however.

------
badrabbit
Very nice (seriously!). Now, please let people use the platform without
needing a valid phone number. The one major issue I have is that. Phone
numbers are the new SSN: just like the SSN is being misused by traditional
businesses, phone numbers are also misused these days (due to how you generally
can be tracked down to a physical area for anti-fraud and how "everyone" has a
cell phone) to uniquely identify users.

I don't get why users can't be addressed by both phone numbers and a "signal
id", if you opt-in to use a phone number for addressing, your phone will be
verified and signal will resolve it to your signal id. If you opt out people
will need your signal id to address you and you can't use it for SMS. What are
the challenges with that?

If I have a Signal private group system, Signal can find out a ton about me
and my associations with others using only that information. Many other
messaging platforms do not need this very sensitive information from me to
function. And it does not support a desktop-only app even if you give them a
phone number and verify you control that number.

I am always reminded of General Hayden (former NSA chief) saying how they
love PGP at the NSA because they can sniff metadata and know who talks to whom;
it lets them easily find who has something to hide so they can target them.
Not that I have the NSA in my threat model, but I am very sensitive to
unnecessary metadata being generated.

~~~
bmarquez
What you're asking for is exactly how Telegram works, you can add someone with
a phone number or by username, but if you add someone via username they don't
see your phone number. Of course, Telegram chats are not encrypted by default,
and there is some controversy over the encryption protocol.

[https://telegram.org/faq#q-if-someone-finds-me-by-username-messages-and-i-reply-will-they](https://telegram.org/faq#q-if-someone-finds-me-by-username-messages-and-i-reply-will-they)

~~~
Semaphor
Last time I checked, the only option to login was using a phone number. And at
least the web client only has the phone number as login. I do not want to give
them my phone number. Full stop. They can tie my account to my email, to my
domain, to a chosen username, whatever. But if your service requires a phone
number to use it, it’s not something I will use.

~~~
bmarquez
It's still true. Telegram still uses your phone number to login, even if you
never give your phone number to anybody. At least usernames are an option
unlike Signal and WhatsApp.

I dislike it too, but understand the reasoning behind spam prevention and
account authentication.

------
pepijndevos
I really want Signal to succeed. Or rather, I want anything that has decent
crypto and is not FAANG to succeed.

The problem is not which messaging app I want to use, it's which messaging app
my friends are using.

That said, if I had to choose, I think Matrix has a slight edge in my books
because it's a protocol rather than a silo. Even though Signal is private and
open source, they are hostile towards people running their own Signal builds
on company servers, and unwilling to federate with other servers.

Essentially, you run the official Signal app on the official Signal servers,
or GTFO.

~~~
tptacek
Matrix and Signal aren't comparable from a security perspective. Because
Matrix is a protocol rather than a silo, many (most?) of its implementations
don't even support E2E, and because Matrix has its roots in an ecosystem where
E2E was a nonstandard add-on, Matrix will never be as safe as Wire or Signal.

~~~
Arathorn
Matrix project lead here; fwiw we’re aiming to turn on E2E by default for
private rooms by end of Jan. It’s not really a non-standard add-on; it’s in
the core of the protocol and has been designed for from the outset. It’s a
pain in the ass to get right in a decentralised world though, hence the delay
in forcing it on for everyone.

p.s. support for ephemeral msgs was released on the server in RC yesterday.

~~~
tptacek
The way these conversations are structured, I'm always going to come across
like I'm rooting for Matrix to fail, which is not at all the case. Like I
said, I use Slack more than any other group messaging system, and while Slack
does have some security assets that Matrix lacks, nobody can say that it has a
more coherent encryption story. I wish Matrix all the best; I just don't think
it's reasonable to suggest it as an alternative for people who need secure
messaging that reliably works in groups of people.

------
unnouinceput
I really hope Signal takes over the world from WhatsApp. I hate WhatsApp and
yet I am forced to use it due to all my friends / family / parents using it.
I try to fight, but it is hard, and currently FB Messenger and WA are the only ones with
consistently reliable, prompt delivery of notifications, while the rest of the
chat apps are either too hard to use for non-computer people or they lose
notifications. I mean, c'mon Microsoft!!! Is it really that hard to make Skype
reliable again?!!

------
RustyRussell
What I really want from Signal is the ability to use it as an application
transport. In particular, I want to authorise certain people to request my
phone's location.

At the moment I share it with Google so I can share it with friends or family,
which sucks.

~~~
DrAwdeOccarim
Maybe ask the writers of Mr. Robot. They figured it out!

~~~
unnouinceput
Please. I hope that's sarcasm. Because if it's not, then may I steer you clear
of that annoying series and into Breaking Bad + its follow up Better Call
Saul?

~~~
DrAwdeOccarim
No, I'm being totally serious.../s

------
SheinhardtWigCo
The point of this seems to be hiding the identity of users when they fetch or
modify group attributes - but why? The user’s identity is otherwise known to
the server: they know that account X was accessed by IP address Y, and that IP
address Y fetched metadata for group Z, therefore account X is in group Z.
They can also figure out group membership by tracking clusters of messages
that are sent simultaneously. What am I missing?

~~~
0xCMP
They do not know that information unless they’re monitoring on-the-server in
the clear. They simply know they’re talking to Signal servers. This new
feature protects in the case of Information Requests because they themselves
don’t know who is in what groups.

~~~
SheinhardtWigCo
You either have to trust the server operator not to keep logs, or assume they
are keeping logs and _do_ know what groups you’re in. In either case, what is
this fancy crypto scheme actually buying you?

~~~
tptacek
The fancy crypto is what allows them not to (effectively) keep those logs in
the first place. If you build this feature without the fancy crypto, then even
if you say you're not logging this stuff, you (effectively) are, because your
system depends on durable access to that metadata in order to function. This
is, for instance, the major security difference between Signal and Wire.

One strong indication you have that Signal isn't logging this stuff is that
they had to wait until they were able to advance the state of the art in
anonymous credentials in order to implement group access control at all.

~~~
SheinhardtWigCo
To verify the claim that my group message content is protected, I can examine
the Signal client. I don’t have to trust the server operator whatsoever; I can
independently confirm there is no way for them to see the content of my
messages.

In contrast, I cannot verify this new claim that my group memberships are
protected. I have to trust them.

I think you are basically saying: ‘well, they built all this crypto that is
only useful if you believe they’re not logging, so I believe they’re not
logging.’

~~~
tptacek
No, what I'm saying is that without the cryptographic protections, a messaging
provider _can't_ claim not to be logging, because their server-side logic
requires the log.

Prior to doing this cryptographic work, Signal simply went without having
these features at all.

~~~
eximius
You're both right. The other poster's claim is that we cannot verify the code
running on the server. They could support this new scheme AND just store
everything in plain text. We can only verify that the interface is the same (because
that's what we're using).

But you're also right it would be a long con to go without these features for
so long, develop state of the art cryptography to add them securely and
privately, then not use that.

~~~
kyboren
> They could support this new scheme AND just store everything in plain text.

Could they?

I am not clear that this is possible. I thought the entire point of "Alice
provides a zero-knowledge proof to the server that she possesses an
AuthCredential matching some particular entry" is that the server learns
nothing about Alice other than her possession of a matching AuthCredential.
Indeed, the paper says: "Because of the zero-knowledge property, the server
has assurance that the user possesses such an auth credential without learning
the UID certified by the credential, or other information that might link this
use of the credential to other uses or to credential issuance."

It would be nice if someone more knowledgeable could confirm whether it is
indeed possible for Signal to compromise user privacy while using this scheme.
Is SheinhardtWigCo right when they write, "In contrast, I cannot verify this
new claim that my group memberships are protected. I have to trust them."?

~~~
tialaramex
SheinhardtWigCo's central idea is that if someone receives a packet over the
network it has an IP address in it, and that's the sender's "identity", and so
the Signal servers can't avoid knowing Alice's "identity" when she does this,
and then they can collect such data to try to re-assemble group membership in
terms of IP address "identities".

For example, let's say a packet arrives from 10.20.30.40 [[ all IPs used are
from 10/8 as examples; I am aware that Signal probably rejects packets claiming
to be from an RFC1918 network ]] which contains proof that group #1 member #4
has authorised adding a new member #8.

SheinhardtWigCo believes this tells us that this identity (10.20.30.40) is a
member of this group, group #1, and they suppose that Signal's server could in
fact store this, and then perhaps later tell some Spooks a list of such
members of group #1, and it could do this on a vast scale, so that it would be
able to say, for any "identity" (IP address), the list of all identities (IP
addresses) which seem to be members of groups which that identity is also a
member of.

Now, I don't think Spooks would find that very useful, but there you go,
that's what SheinhardtWigCo thinks is a big problem here.

[ Edited to clarify early paragraph ]

~~~
kyboren
I see, thanks. I was confusing "logging" for logging the association between
AuthCredential and UID rather than logging IP addresses. For what it's worth,
Signal does allow connecting over Tor.

------
beyprotester
Using a throwaway for obvious reasons... I am grateful these are being worked
on because they are extremely needed for some use cases.

I have been part of a group organizing protests in Beirut and I was surprised
there was no clear go-to app that provided the security features we need.

We started off with WhatsApp because that's what everyone used before security
became a concern. We then moved to Signal, mostly to get auto-deleting
messages. We then ran away to Telegram because there was no way to kick a
compromised phone out of a Signal group.

We considered using Wire, which seemed to have what we needed, but the interface
was a bit clunky and it did not run well on all the phones of the group... We
are currently evaluating and considering Keybase.io, which seems to have all the
features too, but I'm not sure how it will handle about a hundred people in the
group...

_If anyone has ideas about which apps are recommended for that (or has
additional useful things) please help_, the main things we need are:

- Encryption E2E is nice to have but not a deal breaker.

- Possibility to kick a user from the group, deal breaker (a thug stole
someone's phone in the protest once, and another time we got a message saying
someone's security code changed, then they became inaccessible). Both incidents
ended up ok, but there was no way to kick the person out of the group and
proceed while clearing things out with Signal.

- No old history kept of the conversation. Either auto-deleting messages set
to a short duration like Signal, or if not possible we can survive with an admin
at home deleting old messages constantly and clearing the chat for everyone in
sensitive situations (like Telegram allows).

- Free. For various reasons, some people can't buy apps no matter how cheap.

- Easy to use. Most protesters are not too technical.

- Possibility to display sender and group but not the content of messages in
the notifications.

- Having an easy way to add a password to the app itself (nice to have).

- Making screenshots inconvenient to take (just nice to have).

- Not tied to phone numbers; also really nice to have but not mandatory.

Our main threat is riot police and pro-government thugs taking protesters'
phones and forcing people to unlock them, or running away before the phone is
locked and then snooping around. Very rarely are people alone when this happens, so
we almost always get a notification that X is compromised, so we clear chats
and kick them out of the group before their phones are really compromised.

I don't think the government is running sophisticated deep packet inspection.
I don't think our group has been infiltrated but that is always a possibility.

We are also trying to find some free device management solution to remotely
track / lock and maybe wipe phones when they get taken.

Sorry for the wall of text... just thought now might be a good time to ask...

~~~
commoner
This list could be a helpful starting point:

[https://en.wikipedia.org/wiki/Comparison_of_cross-platform_instant_messaging_clients](https://en.wikipedia.org/wiki/Comparison_of_cross-platform_instant_messaging_clients)

You can sort the table by clicking on the column headers. The "E2EE group
chat" column should be useful.

~~~
upofadown
That list seems somewhat out of date, at least for OMEMO-based group chat.

------
panda921
I noticed this from the paper:

> Note that a user who has acquired a group’s GroupMasterKey and then leaves
> the group (or is deleted) retains the ability to collude with a malicious
> server to encrypt and decrypt group entries. We deem this risk acceptable
> for now due to the complexities in rapid and reliable rekey of the
> GroupMasterKey.

Does this mean that the server and a deleted user can always collude to get
the deleted user re-added to the group? Also, is there no provable audit trail
of who added or deleted whom? Unless I'm misunderstanding, it seems like
deleting a user is therefore enforced only via server trust, but please
correct me if I'm wrong.

~~~
tialaramex
Yes, this means the server and a deleted user could collude to re-add them, or
anybody of the deleted user's choosing, to the group, or to remove selected
people from the group (the server doesn't need collusion to remove random
people from a group).

No, the members of the group would be able to see that the deleted user is
back, or whatever else has happened to the list. Signal's server isn't
responsible for deciding who gets the group messages, only for storing the
agreed list in encrypted form. So members don't need to trust that the server
did as it was told.

Certainly if you have a group where you suspect a member of colluding with the
Signal server to betray the group you should probably NOT remove that member
but instead take the extra trouble to explicitly form a new group (without
that member obviously).

~~~
panda921
Got it. I was thinking that for bigger groups, it might be hard for members to
keep track of who got deleted when and by whom, so it might be easier for a
deleted user to slip back in without attracting notice.

Your point that the deleted user and the server can collude to add a rando to
the group seems like a bigger deal, since it would be harder to catch.

To make the same point more critically, if the members need to constantly
recheck the mapping of group name to membership list (to stop server
cheating), then the scheme might not be buying much.

------
e12e
Overall cool stuff. It feels like this has implications for auth/authz schemes
in general, like a variant of Kerberos, or a way to do auth/authz for an ssh-like
service - maybe even a way to anchor trust (in user principals and
service principals - like ssh keys and/or certificates)?

If we replace "the signal server" with "the authentication/authorization
service" ("the AD service" / "the organization's internal certificate
authority")...?

Maybe I'm just needlessly afraid of the complexity of managing a real world
certificate authority (keeping it secure, keeping it running, keeping as much
as possible off line..).

------
misrab
Is it a coincidence this came up on HN at the same time Telegram is getting
dissed on HN? Can't help but think it was coordinated... which is sad for HN.

~~~
anon9001
People don't like Telegram because it's a centralized thing and maybe not
trustworthy. I'm not sure if I'd trust the Telegram founders, and their
commitment to open source seems questionable to me (no server, outdated
clients).

People advocate for Signal because it's arguably the least offensive of the
available e2e options. Also the founder for Signal has a long history of doing
good work in this area.

~~~
anoncake
> People don't like Telegram because it's a centralized thing and maybe not
> trustworthy.

Just like Signal.

> I'm not sure if I'd trust the Telegram founders, and their commitment to
> open source seems questionable to me

Meanwhile Moxie Marlinspike's _opposition_ to free software is evident. You
use the client he dictates or fuck off. There's closed source software that
respects freedom more than Signal.

~~~
anon9001
[https://github.com/signalapp/Signal-Android](https://github.com/signalapp/Signal-Android)

Can't I build and use this if I want? It looks very open, but I haven't tried
building my own client.

~~~
anoncake
Free software is not about being able to compile and code Moxie Marlinspike
allows you to use. It's about freedom that he opposes:

[https://github.com/LibreSignal/LibreSignal/issues/37#issueco...](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165)

Yes, Signal's licensing complies with the letter of how we define free software.
But that is irrelevant, as it violates the spirit.

------
jolmg
I think I know the answer already, but just in case: is there a way to use
Signal to communicate with users using WhatsApp? IOW, can I receive WhatsApp
messages in Signal?

The only reason I use Whatsapp is because it's what all my contacts use. It's
_everywhere_. It's _the_ de facto standard for text communication. And I hate
the app. I hate its guts.

I read that WhatsApp implemented the Signal protocol; does that mean anything
with respect to being able to communicate with people using a different app?
Because I was hoping so, but I can't find a way to see my WhatsApp messages in
Signal.

~~~
unnouinceput
Yup, you guessed right. By default that's a no. However, you can do a
cow-helicopter by using a 3rd party that will be a proxy between your Signal
account and your WhatsApp account. Hell, you can do whatever you want between
any 2 services with a 3rd party. Problem is, you still need an account on both
ends.

