Signal

- Reading time: 23 minutes -

Content:

• General
  • Telephone numbers
  • Cryptocurrency
  • Financing
• Client
  • Replicas of the app
  • Client check
• Server
  • Server code
  • Server usage forbidden
• Encryption
  • Man-in-the-Middle-Attack
  • Encrypted database
  • Secure data recovery
  • Post Quantum Encryption
• DSGVO/GDPR
• The ecosystem is moving
• 7 reasons
• Tips
  • Registration without mobile number
• Webbkoll
• References
• Conclusion

General

Just like WhatsApp, Signal is de facto a closed system, also uses only phone numbers for registration, uses the same encryption, and is also headquartered in the United States of America (USA). Co-founder Matthew Rosenfeld (a.k.a. “Moxie Marlinspike”) resigned as CEO (external) in January 2022 and is (as of 03/2023) only still on the board. Current CEO at Signal is his former WhatsApp co-founder Brian Acton.

• positive: good end-to-end encryption with “Axolotl” (external; PDF file), which is the basis for many other implementations
• positive: good lobbying; “official recommendation” by Edward Snowden
• positive: client is open source throughout
• positive: own servers are possible (but these are then self-contained systems!)
• negative: ”… when using Signal, data protection concerns remain, especially because this service processes personal data of its users outside the scope of the GDPR. The use of this messenger service can therefore not be recommended.” Source: EKD (external; PDF file dated 24.10.2018)
• negative: File size limits for video, audio and documents max. 100 MB (external), for GIF files max. 25 MB (external)
• negative: centralized service - no interoperability
• negative: actual server software used does not have to match the version published on GitHub
• negative: terms of use (external) as well as privacy policy in English only
• negative: only phone number as identifier (no matter if with/without hash)
  
• negative: no federation with other servers
• negative: no login/usage without smartphone
• negative: no multi-device capability (use one chat account on multiple independent devices)
  
• negative: the desktop application is based on Electron
• negative: forks of the Signal app are actually not allowed to use Signal’s server
• negative: weaknesses in authentication for encryption
• negative: minimum age 13 years (may differ per country)
• negative: Cryptocurrency “Sentz” (formerly “MobileCoin”)
• negative: does not use own servers but Amazon infrastructure

At this point extra again the hint: If a wrong or outdated information is found, please let me know! >> Contact <<

Telephone numbers

Hash values from phone numbers are not a security feature, because phone numbers can be determined from the hash values without any problems (keyword “rainbow table” (external)). Signal also sends a registration SMS to each individual user. In plain text, the number may not be transmitted to Signal, that may be true - but at the latest during registration, it is known and thus they know every number of all users. Even internal phone numbers or secret numbers of companies, authorities and organizations with security tasks (BOS) or women’s shelters that use Signal. This is all fine - of course not!

Signal assures you that the hash values of the telephone numbers are stored on a separate server area. Why? It means that they do not offer any additional security but are just as worthy of protection as the corresponding telephone numbers. Quite apart from that, it doesn’t matter where the hash values (= phone numbers) are stored at Signal - they are stored.

In addition, Signal also accesses the user’s entire phone book and you can see who in your own environment is using Signal. So you can’t just select individual users with whom you want to communicate via Signal and you can’t keep your own access private.

Cryptocurrency

The name has been changed from “MobileCoin” to now “Sentz” (external) (the original Internet address “mobilecoin.com” is automatically redirected to the new address “sentz.com”).

Critical voices and reactions to Signal Payments:

• 2024-06-07: Article that also addresses cryptocurrency, among other things: https://bencrypted.gitlab.io/post/8 (external)
• 2021-04-09: Opinion in the Kuketz blog: https://www.kuketz-blog.de/kritische-stimmen-und-reaktionen-zu-signal-payments (external)
• 2021-04-07: Commentary by Fefe: https://blog.fefe.de/?ts=9e9221ad (external)
  

Financing

Here is some interesting information on cost structure:

We estimate that by 2025, Signal will require approximately $50 million dollars a year to operate—and this is very lean compared to other popular messaging apps that don’t respect your privacy.

Source: https://signal.org/blog/signal-is-expensive (external)

At the end of 2023, the cost breakdown for operating a large messaging platform at Signal was as follows:

• Storage space: 1.3 million dollars per year (9.3%). It is interesting to note that Signal does not store message history on the server. The message history is stored on the client.
• Server: USD 2.9 million per year (20.7%). Cloud server costs to support the messaging service.
• Registration fees: 6 million dollars per year (42.9%). This is the cost of validating phone numbers and performing other validations.
• Total bandwidth: $2.8 million per year (20.0%).
• Additional services: $700,000 per year (5.0%). Uptime monitoring, outage alerts, redundant capacity for disaster recovery, maintenance contracts, etc.
• Infrastructure costs (as of November 2023): Approximately $14 million per year to support 40 to 50 million monthly active users.

… and that’s just the cost of the infrastructure. You have to add all the associated costs of running an organization with more than 50 employees.

• If a company/organization wants to operate a messaging platform on a large scale, the operating costs should be properly estimated.
• This also shows the impact of the centralized approach compared to a federated model. In a centralized model, the organization operating the platform must bear all the costs of running the platform. In a federated model such as XMPP, the costs can be shared across the entire network.

Source: process-one.net (external)

Client

Replicas of the app

One can easily take Signal from the Aurora Store or download it directly as APK from the Signal website (external), which then runs quite smoothly on google-free devices.

Alternatively, you can also use Signal forks like Langis, Molly (external) and Signal FOSS (external) via an additional F-Droid repo. Replicas/forks are prohibited from using Signal servers according to Mr. Rosenfeld (Moxie), but perhaps Signal has not yet established a system that actively detects and blocks this. With each fork, there is also the question of whether and how the code for the cryptocurrency was taken out and whether Signal then still allows client access to the quasi-proprietary servers.

Signal itself does not want the original app to be made available via F-Droid.
Source: Github (external)

Client check

It seems that Signal has the ability to recognize “outdated” clients (or replicas of the app) and then reject communication with them if necessary. This is indicated by an error code in the command line tool “signal-cli”:

Error while checking account +XXXXXXXXXXX: StatusCode: 499 org.whispersystems.signalservice.api.push.exceptions.DeprecatedVersionException: StatusCode: 499

Sending and receiving messages with signal-cli also seems to throw a “DeprecatedVersionException” (as of 2022-10-05, 21:59 UTC). This exception seems to be intended to disable obsolete clients.

Source: https://github.com/AsamK/signal-cli/issues/1022 (external; 20.12.2022)

Server

Server code

Signal has always been hailed as the security-conscious alternative to WhatsApp and co. because it’s open source. But the company got “caught” in the fact that the server code that was in use didn’t match the public code for almost a year. Here are the published versions of the server code until (as of) 07/14/2021 from which it can be seen that even in the past many versions (external) were repeatedly not published:

• v6.13.0 … 8 days ago
• v6.12.0 … 8 days ago
• v6.11 … 11 days ago
• v6.9 … 13 days ago
• v6.8 … on 11 Jun
• v5.98 … on 2 Jun
• v5.97 … on 28 May
• v5.96 … on 27 May
• v5.31 on 17 Feb
• v5.30 on 17 Feb
• v5.23 on 3 Feb
• v4.97 on 14 Jan
• v4.93 … on 11 Jan
• v0.93 … on 10 Mar 2016
• v0.54 … on 25 Jun 2015
• v0.53 … on 25 Jun 2015
• v0.52 … on 24 Jun 2015
• v0.50 … on 7 Jun 2015
• v0.49 … on 13 May 2015
• v0.48 … on 22 Apr 2015

The reason will be the integration of the cryptocurrency (MobileCoin), which is already completely (pre)mined.

But:

1. that’s fine, because the server code belongs to Signal (https://github.com/signalapp/storage-service) and there is no obligation to publish it!
2. this shows (again) clearly the dependency one gets into with a central provider.

Notes on the license (“AGPL”):
The license applies only to anyone who ever uses signal code published under this license. The original authors of the code may change the license at any time. Licenses are generally only the terms of use for everyone else who does not hold the copyright or relevant usage rights to the code itself. See also Contributor License Agreement (CLA) (external). Also unreleased software (in this case parts of the server software that have an update) is their property. Presumably that’s why there are no allowed merge requests from others on GitHub.

Report:
https://androidpolice.com/2021/04/06/it-looks-like-signal-isnt-as-open-source-as-you-thought-it-was-anymore/ (external; English)

Server usage forbidden

Mr. Rosenfeld (“Moxie”) has called OpenSignal a “product” and forbidden them to address the official Signal servers or have anything with Signal in the name:

I’m not OK with LibreSignal using our servers, and I’m not OK with LibreSignal using the name “Signal.” You’re free to use our source code for whatever you would like under the terms of the license, but you’re not entitled to use our name or the service that we run.
If you think running servers is difficult and expensive (you’re right), ask yourself why you feel entitled for us to run them for your product.

In response to the question about the federation of servers:

It is unlikely that we will ever federate with any servers outside of our control again, it makes changes really difficult.

Source: https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165 (external; Englisch; 05.05.2016)

Encryption

Encryption includes authentication, because without authentication the best encryption is useless. But Signal has (apparently) a weak one:

_“… Unfortunately, Signal’s default authentication scheme is weak. It is arguably worse than X.509’s CA system as used on the web, which is notoriously bad. It relies on a single CA, which is controlled by Signal who also controls the messaging infrastructure. This places Signal in an optimal position to perform a machine-in-the-middle attack on their users like the one described in GCHQ’s Ghost proposal. But, Signal has rightfully earned a trustworthy reputation. …”

Source: sequioa-pgp.org (external; Englisch)

I understand that PGP and authentication are great and important ideas, but unfortunately they no longer have a place in the modern world. Moxie Marlinspike

Source: searched

Man-in-the-Middle-Attack

Signal has technical ability to compromise e2e encryption via a simple man-in-the-middle attack, as all key exchanges are vendor-mediated. While Signal offers security code verification, it’s optional and still requires an out-of-band channel that is trusted not to replace messages (one of the points of criticism of SimpleX), and it is not presented prominently in Signal app when security code changes. Experts’ view that a small share of users using this feature protect all users is misleading, as it only protects against large-scale attacks when all (or a substantial share of) the users would be compromised, but it offers a poor mitigation against targeted attacks - users have to be diligent in re-verifying security code every time it changes, and in some cases it may be very difficult to find a reliable out-of-band channel. Therefore I would argue that Signal cannot be used as a platform for mission-critical secure communications, because Signal servers can trigger keys renegotiation at any point, and that would require out-of-band security code verification to confirm that it is caused by contact’s device change and not a compromise - affected users cannot confirm it in Signal conversation, because once security code changed users no longer have proof of who they are communicating with.

Source: reddit.com (external)

Encrypted database

Next time someone asks for “encrypted database because Signal” do give them…

iOS: https://blog.elcomsoft.com/2019/08/how-to-extract-and-decrypt-signal-conversation-history-from-the-iphone/ (external) Android: https://www.cellebrite.com/en/blog/cellebrites-new-solution-for-decrypting-the-signal-app/ (external)

There is a cross-platform decryption and export utility for Signal Desktop: https://github.com/aaronsdevera/sigkill (external) A description is available at Github (external; PDF).

Secure data recovery

Also the “secure value recovery (SVR)” this is in the criticism: blog.cryptographyengineering.com

Post Quantum Encryption

Signal has implemented this type of encryption. From their documentation:

This document describes the “PQXDH” (or “Post-Quantum Extended Diffie-Hellman”) key agreement protocol. PQXDH establishes a shared secret key between two parties who mutually authenticate each other based on public keys. PQXDH provides post-quantum forward secrecy and a form of cryptographic deniability but still relies on the hardness of the discrete log problem for mutual authentication in this revision of the protocol. …

Source: signal.org (external)

DSGVO/GDPR

here are no German terms of use and no German privacy policy. Do the English version have legal validity in Germany? Regardless, Signal writes in the introductory words to the GDPR (external):

In Signal messages and calls cannot be viewed by us, or by third parties, as they are always end-to-end encrypted, private to us secure.

“are secure to us” is not a typo on my part - it’s not content that’s interesting here, but the metadata that accumulates (security =/= privacy).

And in the “Terms of Service” of the further:

Additional technical information is stored on our servers, including randomly generated authentication tokens, keys, push tokens, and other material that is necessary to establish calls and transmit messages.

… which keys are actually stored there?

In the “Privacy Policy” it is explicitly (but unnecessarily) pointed out that the phone number, the profile name and the profile picture are of course always end-to-end encrypted - but what was that again with the metadata in central systems?!

Apparently Google automatically gets that you use Signal:

PING contentproxy.signal.org (107.178.250.75) = Google
Sieht man auch gut so:
$ host contentproxy.signal.org
contentproxy.signal.org has address 107.178.250.75
$ host 107.178.250.75
75.250.178.107.in-addr.arpa domain name pointer 75.250.178.107.bc.googleusercontent.com.

Why Signal is running on Amazon servers (AWS) -but this part is on Google- is not readily apparent. Perhaps they don’t want AWS to be able to access and correlate all access data, or perhaps the “traffic data” and the “metadata” are not supposed to be with the same service provider and separate from each other?

At least https://signal.org/blog/looking-back-on-the-front/ (external) explains why they don’t use their own Signal servers.

The security model with regard to metadata can be shortened to “trust the central operator”, because “the ecosystem is moving” …

The ecosystem is moving

From Moxie (co-founder and CEO), building on an execution from 2016, there is a talk from 12/28/2019 with the topic “the ecosystem is moving” at the Chaos Computer Club (“CCC”). Here, advantages/disadvantages of centralized and decentralized systems are discussed. Of course, Signal is touted here as the solution.

However, the argumentation of Signal’s CEO for his product is controversial and often overrated. Many arguments listed there are true, but the “value of freedom” is ignored. In the end, (many) are not only concerned with technical security, but rather with future security.

Here are various sources/information on “The ecosystem is moving” (all English):

• 10.05.2016: Article Matthew Rosenfeld (alias Moxie Marlinspike) (external)

• 30.11.2016: Objections Daniel Gultsch (external)

• 28.12.2019: Lecture Matthew Rosenfeld (alias Moxie Marlinspike) (external)
  The talk can be found In Youtube (external) too.

• Dec 29, 2019: Reason Matthew Rosenfeld (aka Moxie Marlinspike) for taking the video offline:
  
  I had asked for it not to be recorded (which is what I’ve been doing with talks for the past 5yrs or so). Seems like there was some confusion, and it was recorded/published, then removed. … I just prefer to present something as part of a conversation that’s happening in a place, rather than a webinar that I’m broadcasting forever to the world. I have less faith in the internet as a place where a conversation can happen, and the timelessness of it decontextualizes.
  Quelle: https://nitter.net/moxie/status/1211443530335281153 (extern)

• 29.12.2019: Opinion from Jabber(XMPP) (external)

• 02.01.2020: Opinion from Matrix (external)
  
  HOWEVER: all of this completely ignores one critical thing - the value of freedom. Freedom to select which server to use. Freedom to run your own server (perhaps invisibly in your app, in a P2P world). Freedom to pick which country your server runs in. Freedom to select how much metadata and history to keep. Freedom to choose which apps to use - while still having the freedom to talk to anyone you like (without them necessarily installing yet another app). Freedom to connect your own functionality - bots, bridges, integrations etc. Freedom to select which identifiers (if any) to use to register your account. Freedom to extend the protocol. Freedom to write your own client, or build whole new as-yet-unimagined systems on top.
  
  It’s true that if you’re writing a messaging app optimised for privacy at any cost, Moxie’s approach is one way to do it. However, this ends up being a perversely closed world - a closed network, where unofficial clients are banned, with no platform to build on, no open standards, and you end up thoroughly putting all your eggs in one basket, trusting past, present & future Signal to retain its values, stay up and somehow dodge compromise & censorship… despite probably being the single highest value attack target on the ‘net.
  
  Quite simply, that isn’t a world I want to live in.
  
  We owe the entire success of the Internet (let alone the Web) to openness, interoperability and decentralisation. To declare that openness, interoperability and decentralisation is ‘too hard’ and not worth the effort when building a messaging solution is to throw away all the potential of the vibrancy, creativity and innovation that comes from an open network. Sure, you may end up with a super-private messaging app - but one that starts to smell alarmingly like a walled garden like Facebook’s Internet.org initiative, or an AOL keyword, or Google’s AMP.
  
  So, we continue to gladly take up Moxie’s challenge to prove him wrong - to show that it’s both possible and imperative to create an open decentralised messaging platform which (if you use reputable apps and servers) can be as secure and metadata-protecting as Signal… and indeed more so, given you can run your server off the grid, and don’t need to register with a phone number, and in future may not even need a server at all.
  

7 reasons

Here are the headlines from a lengthy commentary “7 valid reasons why you should never trust Signal over the air, either“

1. the mobile number compulsion
2. funding
   2a.) Brian Acton
   2b.) Open Tech Fund = money from US government https://www.opentech.fund/results/supported-projects/open-whisper-systems (external)
   2c.) What happens when the money runs out? What happens to Signal then?
   
3. Amazon΄s cloud AWS (related: https://de.wikipedia.org/wiki/CLOUD_Act )
4. conspicuous “security holes” in three US messengers - of course patched (plugged) in the meantime:
   • Facebook’s WhatsApp: “The attacker can inject the spyware into the respective device simply by making a WhatsApp call, even if the called party doesn’t even pick up.” / https://heise.de/-4421379 (external)
   • Apple’s iMessage: “A Google security researcher describes how malicious code can be remotely injected into iPhones without user interaction.” / https://heise.de/-4632972 (external)
   • and just the SignalApp: “Big eavesdropping call: Signal accepts calls by itself” / https://heise.de/-4546500 (external)
5. Signal wants to be SMS replacement
6. legal sphere of influence of USA and now also EU
7. “Moxie Marlinspike” (external) is only a stage name

Source: Comment in Heise-Forum (external)

Tips

• Step-by-step instructions (external; English) on how to use Signal without a smartphone
• Signal Android app directly and without Aurora/PlayStore: from the Signal page download the hidden APK (external) - updates without Aurora/PlayStore
  

Registration without mobile number

Tip: For the registration at Signal it is not necessary to enter your actually used mobile number. You can use an extra SIM card with a different mobile number - or an unused landline number (also works with the phone number of a public phone booth!). In this case, the confirmation SMS with the verification code is read out over the phone.

Sources: netzwelt.de (external) / vice.com (external; English)

Webbkoll

Source: https://webbkoll.dataskydd.net/de/results?url=http%3A%2F%2Fsignal.org (external)

References

• Project page: https://signal.org (external)
• Matthew Rosenfeld (aka Moxie Marlinspike): https://en.m.wikipedia.org/wiki/Moxie_Marlinspike
• German Wikipedia entry (external)
• Why not use Signal for mobile chat:
  
  • 2024-08-08: https://www.moparisthebest.com/against-silos-signal (external)
  • 2024-06-07: https://bencrypted.gitlab.io/post/8 (external)
  • 2023-01-02: Another very good overview/article: https://restoreprivacy.com/secure-encrypted-messaging-apps/signal (external)
  • 2019-05-10: Signal has copious privacy issues making it unfit for privacytools.io (external) endorsement
  • 2018-08-08: I don’t trust Signal (external)
    

---

Conclusion

Signal as a messenger is certainly “safe” - however, one is dependent on a single provider.