This is clearly written, understandable, and easily consumable by a wide audience with only some knowledge of cryptography as a “nice to have.” You’ve said it explicitly: crypto is hard, but the way you write… you make it easier to understand. I really appreciate that!
I used Threema for about a year a few years ago when I wanted to increase the privacy of certain conversations beyond what GChat/Hangouts could offer. It offered the best UX at the time, IMO, and (my then understanding of) its security guarantees met my needs. The ID backup problem complicated less-technical friends’ use of it and user discovery was problematic. I only ever really trusted connections after the in-person or out-of-band verification was complete, hence hitting the “three” in the name.
When Signal came out in ~late 2015 (Signal by Signal Technology Foundation previously Open Whisper Systems = TextSecure OSS + RedPhone OSS from Twitter following Whisper Systems acquisition by Twitter in 2011), I switched wholesale to it and haven’t looked back. Every now and then, there’s some negative press (recently, some rattling about an anti-spam system that’s closed source being added into the server side) but it’s usually mitigated or explained rationally by the Signal team in a way that is clear and reasonable.
I took a week off a while ago and spent a morning reading back through @soatok’s blog. It sounds as if they’ve had a lot of negative feedback, which is very sad. The posts were always entertaining and mostly informative. Looking forward to more of them!
Thus, in spite of their deliberate misinformation, Threema has been disqualified from any such courtesy.
I think you meant “because of their deliberate misinformation.”
Thanks for a really nice write-up. I thoroughly enjoyed reading it and learned quite a bit. The last time I got my hands dirty with an encrypted chat protocol was back in the stone age, and I liked the problem space then, so I really enjoy seeing what’s moved around since then.
“Threema, on the other hand, can be used anonymously” [then goes on to deconstruct that claim of theirs]
That one is a pet-peeve of mine with their business model (besides their grating “but we’re sooo Swiss” advertising[1]), so thank you for putting a spotlight on that.
[1] Yes, just like Crypto AG and their direct competitor in “bloc-free but compromised crypto typewriters”, Omnisec AG.
The CLOUD Act isn’t black magic; it can only force Signal to turn over the data they actually possess. Which is, as demonstrated by a consistent paper trail of court records, almost nothing.
You do realize that the NSA themself stated they don’t need the content, they only need to know when somebody talked to somebody else, so IP traffic. And that we’re bombing people with drones based on that meta data ? That doesn’t really help threema, but it does make a case for hosting your stuff at least outside the US (and cloud act) if possible.
Sure. If your threat model is “The NSA is going to bomb me if they know who I’m talking to”, Cwtch is better suited because its goal is metadata resistance.
The author mentions Threema’s claims that Signal is an US-based IT service provider, and is therefore subject to the CLOUD Act, and calls that fact “deliberate misinformation” and links to a self-written article about The Myers-Briggs Type Indicator (such as “INFJ” or “ENFP”).
..am I missing something very obvious here? I’m not convinced by the article that Signal is not subject to the CLOUD Act, if that was the point they were trying to make.
What kind of information might be obtained through the CLOUD Act is not discussed, apart from citing Signal that no information of value is available. If one trusts the Signal servers to not store the phone number hashes you send from your contact list, this is certainly true. However, it requires you to trust the Signal servers, which Signal has stated you don’t need to do, and Signal is moving to making the servers not completely open source.
What kind of misinformation are we talking about then? You seem to claim that either the CLOUD Act doesn’t apply to Signal, or that it does but that it doesn’t matter, and stamp Threema’s claims to the contrary as misinformation. But you provide no sources but your own blogpost about Myers-Briggs Type Indicator, a link to the Wikipedia page about FUD (Fear, Uncertainty and Doubt), and a blog post from Signal how they handled a single case, which you call “a consistent paper trail of court records”.
I apologize for the pedantry, but since you claim misinformation on Threema’s part, you should argue your point better. Frustration with misinformation can basically be used to argue against any claim you don’t agree with.
What kind of misinformation are we talking about then?
The kind where you imply that “the CLOUD Act” is dangerous to the privacy of Signal users when, in practice, the data they have to turn over is two Unix timestamps (time of account creation, time of last access).
They don’t even link to the text, or a summary, of the CLOUD Act.
But you provide no sources but your own blogpost about Myers-Briggs Type Indicator,
Correction: A blog post about people spreading falsehoods in my own community.The MBTI is not the focus, the act of spreading pseudoscience is the relevant focus.
a link to the Wikipedia page about FUD (Fear, Uncertainty and Doubt), and a blog post from Signal how they handled a single case, which you call “a consistent paper trail of court records”.
in practice, the data [Signal] have to turn over is two Unix timestamps (time of account creation, time of last access).
Threema could log the device IDs, Signal could log the phone number hashes. I haven’t asked them, but I’d wager that both claim they don’t, and may “prove” this by showing instances where they didn’t. Your opinion appears to be that you can trust Signal with this, because they said you can, but not Threema, because they said you can’t trust Signal.
My opinion is that you can’t trust anyone to not store data you’ve sent them. Why would you trust your provider to not store your contact list if you’re not willing to trust that they won’t store your messages if they weren’t E2E encrypted?
A blog post about people spreading falsehoods in my own community.The MBTI is not the focus, the act of spreading pseudoscience is the relevant focus.
You’ve linked it, so you must have felt it was relevant. You’re completely right in calling Threema out in not backing up their claim, but you not backing up YOUR claim that it’s misinformation is.. well, ironic. :)
My understanding is that the “deliberate misinformation” is the insinuation that this is a reasonable point on which to decide between messaging apps - because Signal collects so little data compared to Threema, the legal compulsion is relatively unimportant. And, as mentioned if that really is the metric that’s relevant for your threat model, you probably also don’t want to trust Threema not to voluntarily share the data they collect and shouldn’t have narrowed your options to Signal and Threema in the first place. There are other, better solutions for your use case.
From what I gather in the post, Threema sends some “device ID” and Signal sends a (hash of?) your phone number. If you want to compel them to log for you, you’re more likely to know the phone number of your target than some application specific “device ID”. Add to that the contact list you’re probably uploading to Signal and you have a nice graph of phone numbers. A graph of device IDs, if it can be made at all, is going to be less useful for tracking.
I don’t agree with the comment about threat models; if there’s a backdoor the NSA can use today, who knows who can use it tomorrow. A messenger app with focus on privacy should collect as little information as possible, end of story. This makes both Signal and Threema poor candidates for the job. I don’t know what a good candidate would be, I’m currently looking at Session but it’s too early for me to make recommendations.
If you know the phone number and have nation state level access to things, you can likely correlate the phone number of a smartphone to time / IP address pairs. From there “device ID” is just a “the device ID that pinged you from IP address X at time A, address Y at time B, …” away.
And once they can require that you hand out data you have, they can also compel you to collect and hand out data that is obtainable with little effort - such as collecting device ID / IP address / time triplets to hand out any narrowed down subset of them.
if there’s a backdoor the NSA can use today, who knows who can use it tomorrow
NOBUS (no one but us) is a term of art. Not the greatest idea but certainly not unheard of, and with reasonable precedence (the Dual_EC thing? NOBUS-candidate, but that’s as far as researchers were able to dissect it)
This makes both Signal and Threema poor candidates for the job
Agreed. And what Threema offers in “we’re safe because we’re Swiss” bullshit, Signal manages to mess up with their “we springle magic CPU feature dust on your data and then we’re safe.” (see their use of SGX for “proving” that their addressbook sync stuff isn’t tampered with)
If Signal only knows when you signed up and when your account was last active how do they route messages?
I mean, they can delete the information upon receipt but they need to store pending messages and they will know who sent them.
I think this is what rubbed me wrong about this particular article. Yes, Threema was being fast and loose with their statements, but so is Signal. I like the articles that the auth puts out, but I do wonder why the same ire isn’t directed at Signal for IMO being just as misinformative about it’s security properties.
Signal alludes that they have no data to give up, but that is either wildly inaccurate or out right lying by omission. In my experience, sure authorities want content but they rarely expect to get it. Instead they’re usually after all the metadata; IPs, timestamps, account IDs etc. These are conspicuously missing from the list they keep putting out about what they don’t log. For the most part IPs and timestamps will get you 90% of the way there. All that other stuff like contact lists, group avatars, profile names, etc. None of it is the stuff they’re actually after.
Sure, Signal could be deleting logs with IPs or ID information. But that is most likely illegal, and it’s taking their word for it at best.
I could be wrong, and maybe there is some literature out there about how Signal blinds themselves from sender metadata while still being able to route message, but I haven’t seen it. I’ve seen the beta sealed sender but that still does not discuss things like IPs and timestamps.
I like the articles that the auth puts out, but I do wonder why the same ire isn’t directed at Signal for IMO being just as misinformative about it’s security properties.
From the article:
The reason you hear less about Signal on blogs like this is because, when people like me reviews their code, we don’t find these sorts of problems. I’ve tried to find problems before.
This is clearly written, understandable, and easily consumable by a wide audience with only some knowledge of cryptography as a “nice to have.” You’ve said it explicitly: crypto is hard, but the way you write… you make it easier to understand. I really appreciate that!
I used Threema for about a year a few years ago when I wanted to increase the privacy of certain conversations beyond what GChat/Hangouts could offer. It offered the best UX at the time, IMO, and (my then understanding of) its security guarantees met my needs. The ID backup problem complicated less-technical friends’ use of it and user discovery was problematic. I only ever really trusted connections after the in-person or out-of-band verification was complete, hence hitting the “three” in the name.
When Signal came out in ~late 2015 (Signal by Signal Technology Foundation previously Open Whisper Systems = TextSecure OSS + RedPhone OSS from Twitter following Whisper Systems acquisition by Twitter in 2011), I switched wholesale to it and haven’t looked back. Every now and then, there’s some negative press (recently, some rattling about an anti-spam system that’s closed source being added into the server side) but it’s usually mitigated or explained rationally by the Signal team in a way that is clear and reasonable.
Love reading these write-ups of yours! Keep up the great work, honestly. :)
I took a week off a while ago and spent a morning reading back through @soatok’s blog. It sounds as if they’ve had a lot of negative feedback, which is very sad. The posts were always entertaining and mostly informative. Looking forward to more of them!
Minor editorial nit-pick… when you wrote
I think you meant “because of their deliberate misinformation.”
Thanks for a really nice write-up. I thoroughly enjoyed reading it and learned quite a bit. The last time I got my hands dirty with an encrypted chat protocol was back in the stone age, and I liked the problem space then, so I really enjoy seeing what’s moved around since then.
Thanks for the nit-pick. You’re right, it’s worded badly. It should be fixed now. :)
That one is a pet-peeve of mine with their business model (besides their grating “but we’re sooo Swiss” advertising[1]), so thank you for putting a spotlight on that.
[1] Yes, just like Crypto AG and their direct competitor in “bloc-free but compromised crypto typewriters”, Omnisec AG.
You do realize that the NSA themself stated they don’t need the content, they only need to know when somebody talked to somebody else, so IP traffic. And that we’re bombing people with drones based on that meta data ? That doesn’t really help threema, but it does make a case for hosting your stuff at least outside the US (and cloud act) if possible.
Sure. If your threat model is “The NSA is going to bomb me if they know who I’m talking to”, Cwtch is better suited because its goal is metadata resistance.
Have you looked into fun projects such as Vuvuzela or Pond? :-)
The Pond Readme recommends to use Signal instead.
The author mentions Threema’s claims that Signal is an US-based IT service provider, and is therefore subject to the CLOUD Act, and calls that fact “deliberate misinformation” and links to a self-written article about The Myers-Briggs Type Indicator (such as “INFJ” or “ENFP”).
..am I missing something very obvious here? I’m not convinced by the article that Signal is not subject to the CLOUD Act, if that was the point they were trying to make.
What kind of information might be obtained through the CLOUD Act is not discussed, apart from citing Signal that no information of value is available. If one trusts the Signal servers to not store the phone number hashes you send from your contact list, this is certainly true. However, it requires you to trust the Signal servers, which Signal has stated you don’t need to do, and Signal is moving to making the servers not completely open source.
It’s a self-written article about my frustrations trying to fight misinformation in the communities I’m involved with.
The common thread is misinformation.
What kind of misinformation are we talking about then? You seem to claim that either the CLOUD Act doesn’t apply to Signal, or that it does but that it doesn’t matter, and stamp Threema’s claims to the contrary as misinformation. But you provide no sources but your own blogpost about Myers-Briggs Type Indicator, a link to the Wikipedia page about FUD (Fear, Uncertainty and Doubt), and a blog post from Signal how they handled a single case, which you call “a consistent paper trail of court records”.
I apologize for the pedantry, but since you claim misinformation on Threema’s part, you should argue your point better. Frustration with misinformation can basically be used to argue against any claim you don’t agree with.
The kind where you imply that “the CLOUD Act” is dangerous to the privacy of Signal users when, in practice, the data they have to turn over is two Unix timestamps (time of account creation, time of last access).
They don’t even link to the text, or a summary, of the CLOUD Act.
Correction: A blog post about people spreading falsehoods in my own community.The MBTI is not the focus, the act of spreading pseudoscience is the relevant focus.
I linked to one from the past week. There have been several over the years.
Apology not accepted.
Threema could log the device IDs, Signal could log the phone number hashes. I haven’t asked them, but I’d wager that both claim they don’t, and may “prove” this by showing instances where they didn’t. Your opinion appears to be that you can trust Signal with this, because they said you can, but not Threema, because they said you can’t trust Signal.
My opinion is that you can’t trust anyone to not store data you’ve sent them. Why would you trust your provider to not store your contact list if you’re not willing to trust that they won’t store your messages if they weren’t E2E encrypted?
You’ve linked it, so you must have felt it was relevant. You’re completely right in calling Threema out in not backing up their claim, but you not backing up YOUR claim that it’s misinformation is.. well, ironic. :)
My understanding is that the “deliberate misinformation” is the insinuation that this is a reasonable point on which to decide between messaging apps - because Signal collects so little data compared to Threema, the legal compulsion is relatively unimportant. And, as mentioned if that really is the metric that’s relevant for your threat model, you probably also don’t want to trust Threema not to voluntarily share the data they collect and shouldn’t have narrowed your options to Signal and Threema in the first place. There are other, better solutions for your use case.
From what I gather in the post, Threema sends some “device ID” and Signal sends a (hash of?) your phone number. If you want to compel them to log for you, you’re more likely to know the phone number of your target than some application specific “device ID”. Add to that the contact list you’re probably uploading to Signal and you have a nice graph of phone numbers. A graph of device IDs, if it can be made at all, is going to be less useful for tracking.
I don’t agree with the comment about threat models; if there’s a backdoor the NSA can use today, who knows who can use it tomorrow. A messenger app with focus on privacy should collect as little information as possible, end of story. This makes both Signal and Threema poor candidates for the job. I don’t know what a good candidate would be, I’m currently looking at Session but it’s too early for me to make recommendations.
If you know the phone number and have nation state level access to things, you can likely correlate the phone number of a smartphone to time / IP address pairs. From there “device ID” is just a “the device ID that pinged you from IP address X at time A, address Y at time B, …” away. And once they can require that you hand out data you have, they can also compel you to collect and hand out data that is obtainable with little effort - such as collecting device ID / IP address / time triplets to hand out any narrowed down subset of them.
NOBUS (no one but us) is a term of art. Not the greatest idea but certainly not unheard of, and with reasonable precedence (the Dual_EC thing? NOBUS-candidate, but that’s as far as researchers were able to dissect it)
Agreed. And what Threema offers in “we’re safe because we’re Swiss” bullshit, Signal manages to mess up with their “we springle magic CPU feature dust on your data and then we’re safe.” (see their use of SGX for “proving” that their addressbook sync stuff isn’t tampered with)
If Signal only knows when you signed up and when your account was last active how do they route messages? I mean, they can delete the information upon receipt but they need to store pending messages and they will know who sent them.
I think this is what rubbed me wrong about this particular article. Yes, Threema was being fast and loose with their statements, but so is Signal. I like the articles that the auth puts out, but I do wonder why the same ire isn’t directed at Signal for IMO being just as misinformative about it’s security properties.
Signal alludes that they have no data to give up, but that is either wildly inaccurate or out right lying by omission. In my experience, sure authorities want content but they rarely expect to get it. Instead they’re usually after all the metadata; IPs, timestamps, account IDs etc. These are conspicuously missing from the list they keep putting out about what they don’t log. For the most part IPs and timestamps will get you 90% of the way there. All that other stuff like contact lists, group avatars, profile names, etc. None of it is the stuff they’re actually after.
Sure, Signal could be deleting logs with IPs or ID information. But that is most likely illegal, and it’s taking their word for it at best.
I could be wrong, and maybe there is some literature out there about how Signal blinds themselves from sender metadata while still being able to route message, but I haven’t seen it. I’ve seen the beta sealed sender but that still does not discuss things like IPs and timestamps.
From the article: