Submitted by celebratedrecluse in freeAsInFreedom

This is a great leap forward in the application of FOSS encryption technologies. Congratulations to the developers, and to the implementors at the Signal Foundation.

Signal Group Calls are one of many features that we have designed with Signal Private Groups as a foundation, using our RingRTC library for handling frame encryption and the logic around setting up and joining calls.

Historically, most anonymous credential schemes enable the credential issuer and credential verifier to be different parties, which is achieved by using complex and costly signature algorithms. These costs are one reason anonymous credentials have seen limited real-world use. However, in Signal’s case the issuer and the verifier would be the same party (the Signal service), which raises the possibility of using more efficient MAC-based keyed-verification anonymous credentials – a concept introduced several years ago by Melissa Chase, Sarah Meiklejohn, and Greg Zaverucha.

It appears that the encryption is based on hardware encoded MAC addresses? Can someone do a breakdown of the paper referenced in the last quoted paragraph? Interested to learn more about this.

11

Comments


nulloperation wrote (edited)

It appears that the encryption is based on hardware encoded MAC addresses?

No, this is not about the media access control address but rather message authentication codes. Accidental clash of acronyms.

This is a great leap forward in the application of FOSS encryption technologies. Congratulations to the developers, and to the implementors at the Signal Foundation.

It is! I'm glad that they've started to focus on this rather than sticker packs and animated gif search. How I do hope this hastens the demise of Zoom.

6
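Added example, not part of the thread and not Signal's code: a minimal algebraic MAC of the kind that keyed-verification credentials build on, showing that the party holding the secret key both issues and verifies tags, and that a tag can be re-randomized while staying valid. The group parameters, function names and the tag form (u, u^(x0 + x1*m)) are assumptions chosen for illustration; the zero-knowledge proofs a real credential presentation needs are left out.

```python
import secrets

# Toy Schnorr group, constructed for illustration (far too small for real use).
P = 2039   # safe prime, P = 2*Q + 1
Q = 1019   # prime order of the subgroup of squares mod P
G = 4      # generator of that order-Q subgroup

def keygen():
    """Secret key (x0, x1), held by the single party that issues AND verifies."""
    return (secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1)

def mac(sk, m):
    """Tag on attribute m: (u, u^(x0 + x1*m)) for a random group element u != 1."""
    x0, x1 = sk
    u = pow(G, secrets.randbelow(Q - 1) + 1, P)
    return (u, pow(u, (x0 + x1 * m) % Q, P))

def verify(sk, m, tag):
    """Recompute the exponent with the secret key; no public key can do this."""
    x0, x1 = sk
    u, u_prime = tag
    return u != 1 and pow(u, (x0 + x1 * m) % Q, P) == u_prime

def rerandomize(tag, r=None):
    """Raise both components to the same r: a different-looking but valid tag."""
    u, u_prime = tag
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    return (pow(u, r, P), pow(u_prime, r, P))

if __name__ == "__main__":
    sk = keygen()
    member_id = 42                      # constructed sample attribute
    tag = mac(sk, member_id)
    fresh = rerandomize(tag)
    print("original tag     :", tag, verify(sk, member_id, tag))
    print("re-randomized tag:", fresh, verify(sk, member_id, fresh))
    print("wrong attribute  :", verify(sk, member_id + 1, tag))
```

An ordinary HMAC tag has no such structure: changing any bit of it makes verification fail, so it cannot be presented in a fresh, unlinkable form.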

celebratedrecluse OP wrote

Ah, thank you for clarifying. And I agree, I eagerly await Signal and other platforms to contest the dominance of Zoom and other non end-to-end conferencing appliances.

4

blubl00d wrote

We already have options like Wire, Tox, and Jitsi Meet. Just not many people are utilizing them unfortunately. :(

2

celebratedrecluse OP wrote

Do they have encrypted end to end? I know Jitsi Meet is not, Tox was unstable last I heard (I have not checked up in a few years) and Wire has other security & privacy issues going back a long time. They've allegedly improved but their track record is pretty bad from back when they launched. There's also been a suspicious amount of retroactive search engine cleanup and other things which signal an expensive PR campaign to me... I don't trust the people behind that app, for better or worse.

1

blubl00d wrote (edited)

Jitsi Meet currently has experimental E2E encryption. From what I understand, Tox is stable, it just hasn’t been audited yet. As far as Wire goes, I’m not sure which privacy and security issues you’re referring to. The only issue I’m aware of is that Wire stores your contacts in plaintext which isn’t ideal but shouldn’t be a dealbreaker. Correct me if I’m wrong but I do not believe there are any audited alternatives to Wire other than Signal maybe which is more for personal use. Everything else is experimental.

2

celebratedrecluse OP wrote

Wire has suspicious funders going back to its founding, and also had absolutely no protections for metadata, stored contacts in plaintext, and for a while did not even have E2E and made misleading advertisements on it.

Jitsi Meet is not E2E, it is simply encrypted from endpoint to server. Server is completely unencrypted by default.

Element is a great alternative to Wire.

2

isvarahparamahkrsnah wrote

Too late. I stopped using it several months ago.

3

celebratedrecluse OP wrote

I don't use it either, due to the location of the servers inside USA and the requirement for PSTN #s to register.

3

blubl00d wrote

I don't use it either, due to the location of the servers inside USA

Signal has a feature where you’re able to verify a contact’s crypto keys yourself without having to trust their servers. So long as you verify your contacts, they can’t really do anything but collect some metadata.

and the requirement for PSTN #s to register

It’s certainly unfortunate, but to be fair, Signal isn’t made to be anonymous. It’s made to replace apps like WhatsApp. If anonymity is a concern, Session uses a Signal-based protocol but utilizes onion routing to achieve anonymity.

2

Subjunk77 wrote

I just started using Session and I like it, but getting my contacts to join up has been a chore, especially after I recently talked many of them into switching to Signal before I found out about Session.

1

celebratedrecluse OP wrote

So long as you verify your contacts, they can’t really do anything but collect some metadata.

Eh, metadata can be more important than the actual data in a lot of cases.

It’s certainly unfortunate, but to be fair, Signal isn’t made to be anonymous.

Most people have a limit to how many apps they will use to communicate. Signal's presence monopolizes its marketspace as a result of the niche position of privacy software.

1

keez wrote

May I ask why?

3

isvarahparamahkrsnah wrote

Everybody I knew spent time on WhatsApp.

4

blubl00d wrote

It’s never too late to pick it back up. Signal is really the only secure messenger I’ve been able to get people on, you’ll probably have luck getting others on to it.

1

throwaway wrote (edited)

Just to avoid confusion, Signal isn't FOSS, it's Open Source, which isn't quite the same - but still, this is neat, and Signal is a cool thing!

e: It turns out that Signal is actually GPL licensed. Sorry!

3

celebratedrecluse OP wrote

Is it not foss, because it forces you to use the centralized server rather than allowing you to run your own? In that case, I agree, it's not quite free software.

3

throwaway wrote

I actually thought Signal wasn't licensed as free software, because a friend at work told me so a long time ago - I just checked, it is actually GPL/AGPL licensed... And just like that, in an attempt to avoid confusion, I became the very thing I swore to destroy!

The thing about the central server is another aspect of course - you're forced to trust the server blindly, which sucks, but that's just the name of the game. Decentralized communication isn't easy to come by.

I've edited my original comment.

3

celebratedrecluse OP wrote

Ah, I see what you mean. No worries.

As far as the central server, I think that Element provides a great example of why that's not necessary, but also why the implementation of federation can be complex and difficult to execute well.

I think that software that doesn't "free" the user to use it how they see fit, makes it non-free in a partial sense. Signal, in that case, is not 100% free software, because it constrains the ability of the user to make use of it in ways its peer/rival platforms & protocols in the FOSS community have permitted.

2