What's worse is there seems to be no way to opt-out of this behavior. I can deny Signal access to my contacts, thereby not knowing which of my contacts are on Signal, but that doesn't stop the other party from knowing if I am on Signal if they have given Signal access to their contacts.
It's not farfetched to consider a world where an oppressive regime may outlaw the use of something like Signal, Telegram or even WhatsApp and they'd be able to easily determine if you're using such a service through passive techniques such as these.
As far as I know, Wickr is a bit more privacy focused, but it doesn't tick the open source box for me (although the supposed source code is published for public review).
But the issue in the parent post is about leaking information to the people you have in your contact list.
These are very different issues. And it looks like Signal hasn't considered the second aspect and its implications.
I agree that there are some contacts that I would rather not know that I was on Signal, but, unfortunately, this is an impossible problem to solve when the goal is to create an end-to-end encrypted messaging platform where your identifier is your phone number. The server has to know when a number is not a user so the app can fall back to sending unencrypted SMS (although why Signal falls back to SMS is a mystery to me) and it also has to carry the current public key for each user so that you can be sure that you're talking to who you think you're talking to.
Put another way, even if Signal didn't advertise that, "So-and-so is on Signal, say hey!" you could still theoretically determine whether or not a given number is on signal by sending a message to that number. If it fails, you know they aren't. And if it succeeds, well, then you know they are.
Right, the use of a phone number as an identifier is flawed by design, and not secure.
The goal I was referring to is making it easy for regular folks to use end-to-end encryption. Any real measure of security needs to be practically usable by the intended audience, and the clear and consistent intended audience for Signal is regular folks who don't have a sophisticated threat model. If any other identity scheme were used, I'd guess the number of Signal users would be an order of magnitude smaller.
This is not to say that there aren't great reasons to have more elaborate secure messaging systems that address these questions, for anyone with a different security model.
It’s also buggy in many other ways (e.g., sending safety number change messages when nothing has changed with the device or number; contacts sending messages and asking if it was received, etc.).
Signal is quite bad on usability compared to other apps.
If someone tries to send me a message on Signal it should go into purgatory. On my end, I should be able to see who is trying to send me the message (yes, including their phone number, given that is how Signal has decided to uniquely identify users) and I should be able to see what their public key is. Then I should be able to either accept that message, which would essentially make my presence on Signal known to the other party, or choose to first verify that the public key matches that of the other party via the existing "in-person" verification method.
Alternatively, I can leave the message in purgatory where a message from someone I don't trust belongs and eventually times out. Not only do I never see the contents of the message, but the sender of the message will also never know if I am on Signal.
This problem is solved in an interesting way by Keybase Chat, in which messages sent to non-existing accounts are "delivered", and can then be read if that account is created later on. It requires re-keying of the message by the sender, so it's not exactly a "fire and forget" solution, but it's pretty neat anyway.
I specifically did not let Signal access my contacts, but some of my contacts contact me on Signal.
Those people did upload their contacts and are being notified that I'm on Signal.
I don't like it.
It's moderately creepy when Google or Facebook do it, but when a service that advertises itself as the antithesis of those, and as privacy-conscious, does it, I am really disappointed.
Your goal is to set up little fun secret decoder ring groups, each silo'd with a handful of people, so you can pretend to be spies or whatever. For this goal it's important that each silo you set up doesn't know about the others. Signal just wants to end-to-end encrypt all the messages sent between all phones. These goals conflict, and, frankly, I think your goal is stupid and should lose.
The _whole point of the product_ - to repeat your phrase - is to secure _all_ the messages rather than repeat the mistake of tools like PGP that never get there.
EDIT: This proposal also suffers from a bootstrapping problem. You have to already have a secure channel to communicate the ids.
If you insist, you can install a version of Signal that doesn't use this service, whereupon you will stand out, or more specifically your notifications will stand out from everything else.
Another thing Signal likes to do is to broadcast the fact every time you shift it to a new device. I have seen enough changing round from a couple of correspondents to deduce a pattern in their hardware habits.
A third stunt it likes is to make it non-obvious what actually happens when you set up groups. One friend did, believing it to be just a personal way of organising contacts, thereby of course immediately exposing parts of his contact list to the rest of us and vice versa.
Also terrible user experience (like using heavily license restricted software). I no longer use the thing.
This is a security feature to ensure you're talking to the same person. Phone numbers are terrifyingly easy to port to another account.
Which is precisely why they should never be used as an identifier.
> TELEGRAM'S REPLY
>
> ZDNet has reached out to Telegram for comment earlier today, and the company has looked into the issue reported by Hong Kong protesters.
>
> "We have safeguards in place to prevent importing too many contacts - exactly to prevent the scenario," a Telegram spokesperson said.
>
> "In fact, our data shows that the bot displayed on the screenshots got banned from further imports after two seconds - and only managed to successfully import 85 contacts (not 10,000)," it said. "Once you get banned from importing contacts, you can only add up to 5 new numbers per day. The rest of the contacts you add will look like they're not using Telegram - even if they are."
>
> However, this ban limit can be bypassed. A determined threat actor like the Chinese state can easily employ multiple bots to exploit this issue, instead of just one, and they'll eventually import the entire phone number sequence they want to cover.
My question is how do they distinguish legitimate imports? I have 2K phone numbers in my address book. Would it take a year for me to be able to message my friends on Telegram?
Also, here is a quote from an article in Russian, where it is claimed that there is software to de-anonymize Telegram users:
> A phone number used by [Telegram] account @silovikicat was discovered using a program titled "Insider-Telegram" developed by the "Center of research of legitimacy and political protest". The head of the "Center", Eugene Venediktov, explains: "Currently the database contains over 10 million numbers. We just go through all possible numbers and check whether they are registered in Telegram: for example, we take all numbers starting with a prefix +7911 and check them. You automatically see all contacts from your address book in your Telegram, don't you? We just have a very "fat" address book with the phones of all users from our country."
> When a phone number provided by Eugene is added into an address book, Telegram automatically matches it with account @silovikicat («Siloviks' cat»).
Even WhatsApp is miles better, but in reality it should be a no-brainer for the relevant people to use Signal or perhaps Threema/Wire. What a shame that charlatans have successfully marketed themselves to the top of this segment with a distinctly inferior product.
Same goes for Threema, which will shortly be required by Swiss law to comply with Büpf as they will reach a size requiring it. It's closed source; we can't check what they are doing. Their external security audit was a long time ago.
At least with Telegram, if I install the Android version off F-Droid it is compiled from source and I can verify that.
I can get users to switch to Telegram; I can't get them to switch to Signal. There is a trade-off, but I would argue Telegram over WhatsApp anytime.
Groups in Telegram are not encrypted. And now it's shown that it also reveals phone numbers, and this is not a feature.
WhatsApp shows phone numbers by default, so it wouldn't be a criticism of WhatsApp.
Edit: Nvm, I remembered that Telegram isn't E2E by default.
If mobile numbers in your country are in the 2________ range, how feasible is it to add millions of phone numbers to your contact list to find out the number of someone? I think this is nonsensical.
If you're a state actor, probably pretty easy. Get a couple thousand rooted, remote-controllable Android devices (which you probably already have for other projects) and have them automatically add 10k phone numbers each. Then have them join public Telegram lists and check for matches. Now you have gone through 10 million phone numbers. Run it in a loop 10 times and you have 100 million. Might take a few days to set up and run.
I don't see why this is infeasible in any way if you have a moderate budget (i.e. a state actor).
edit: And if your target is in your jurisdiction then you probably have a good mapping of names to phone numbers already.
Point being, if "who is using signal" is a question you want answered, it's far more trivial than having to acquire actual devices. Your oppressive regime could go from zero to black bag list in an afternoon.
Dunno if this is patched by Telegram in any way now. However, I don't see why it would be difficult for a program to add numbers to the contact list incrementally. To my knowledge, computers so far were pretty good at incrementing numbers. And if the contact list length is limited, the question is just how many phone numbers a company can buy.
But you have no correlation between it and Telegram user. This bug is about this correlation.
Telegram has essentially agreed to tell you whether any phone number is correct, so you can just guess all the phone numbers. Never allow this unless the thing an adversary has to guess is both _completely random_ and from a _very large keyspace_ (128 bits is where you can start to feel safe). If you find you're cornered into doing this (e.g. typical email + password login), aggressively rate limit it, so the adversary has to work harder/longer to take advantage and maybe they'll give up.
Phone numbers are neither random nor from a large keyspace; it's maybe 10^12 worldwide or something? Much too small.
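As an added illustration of the two points above (Telegram's quoted "5 new numbers per day, the rest look unregistered" policy, and the keyspace-plus-rate-limit rule of thumb), here is a small model of a contact-discovery endpoint that enforces a per-account daily quota and fails closed for anything beyond it, with a rough estimate of what that quota buys. This is not Telegram's or Signal's code; the quota value and the `+7911` sample numbers are assumptions taken from the thread.

```python
# Added illustration: a fail-closed, rate-limited contact-discovery lookup and
# a back-of-the-envelope estimate of what the quota buys. Not any vendor's code;
# DAILY_QUOTA and the sample numbers are assumptions drawn from the thread.
from dataclasses import dataclass, field

DAILY_QUOTA = 5  # assumed: lookups per account per day once throttled


@dataclass
class DiscoveryServer:
    registered: set                                # numbers that have an account
    quota: int = DAILY_QUOTA
    seen: dict = field(default_factory=dict)       # account -> numbers queried today

    def lookup(self, account: str, numbers: list) -> dict:
        """Map each number to True (registered) / False. Anything beyond the
        account's quota is reported False, so the reply carries no information
        about it: over-quota numbers are indistinguishable from non-users."""
        queried = self.seen.setdefault(account, set())
        answer = {}
        for n in numbers:
            if n in queried:                       # repeat query, nothing new leaks
                answer[n] = n in self.registered
            elif len(queried) < self.quota:        # within quota: honest answer
                queried.add(n)
                answer[n] = n in self.registered
            else:                                  # over quota: fail closed
                answer[n] = False
        return answer


def days_to_sweep(keyspace: int, accounts: int, quota: int = DAILY_QUOTA) -> float:
    """Days needed for `accounts` throttled accounts to test every value in
    a keyspace of `keyspace` values (the quota bounds the oracle's rate)."""
    return keyspace / (accounts * quota)


def expected_guesses(bits: int) -> float:
    """Expected trials to hit one uniformly random `bits`-bit identifier."""
    return 2 ** (bits - 1)


if __name__ == "__main__":
    # Constructed sample: a tiny registry and one account probing 8 numbers.
    srv = DiscoveryServer(registered={"+79110000001", "+79110000007"})
    probe = [f"+7911000000{i}" for i in range(8)]
    print(srv.lookup("acct-1", probe))          # +79110000007 hidden: over quota
    # A +7911 prefix leaves 7 free digits, i.e. 10^7 candidate numbers.
    print(days_to_sweep(10**7, accounts=1), "days with one account")
    print(days_to_sweep(10**7, accounts=2000), "days with 2000 accounts")
    print(f"{expected_guesses(128):.2e} guesses for a random 128-bit id")
```

The quota turns a free membership oracle into one whose throughput scales only with the number of accounts an adversary controls, which is exactly why the thread's "many bots" objection matters and why a random 128-bit identifier is in a different league from an 11-digit phone number.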
Do not blame USA's inadequacies on human nature.