this post was submitted on 11 May 2025
194 points (86.2% liked)


I remember a time when visiting a website that opens a JavaScript dialog box asking for your name so the message "hi " could be displayed was baulked at.

Why does Signal want a phone number to register? Is there a better alternative?

[–] poVoq@slrpnk.net 1 points 1 day ago (1 children)

A timing attack is extremely realistic when you control one of the end devices, which is a common scenario if a person gets arrested or their device compromised. This way you can then identify who the contacts are, and with the phone number you can easily get the real name and movement patterns.

This is like the ideal setup for law enforcement, and it is well documented that honeypot "encrypted" messengers have been set up for similar purposes before. Signal was probably not explicitly set up for that, but the FBI for sure has an internal informant that could run those timing attacks.

[–] Jason2357@lemmy.ca 1 points 7 hours ago

You are talking out of your ass. First, a timing attack requires numbers to correlate - reasonable numbers of people using a node or server and a LOT of packets going back and forth. Neither is true for a Signal server. Second, they don’t get the phone numbers if contacts are using only their username (with phone number sharing disabled). Your criticisms are over the top and not at all nuanced to the degree of protection of metadata that was built into Signal. If it was as bad as you imply, a whole heck of a lot of the most respected security researchers would have to be complete idiots.