Worried about the privacy of your messages and chats? It’s about time you start considering the use of ‘Signal’. As if end-to-end chat encryption wasn’t enough, Signal is now rolling out a new feature in Beta that will further hide a sender's “from” information and conceal their identity.
The logic behind implementing this feature is simple: while the service always needs to know where a message should be delivered, ideally it shouldn’t need to know who the sender is.
Before exploring this feature, let's look at how communication traditionally takes place.
A Signal client sends a message by connecting to the service over TLS and authenticating, after which the encrypted message contents are sent to the destination. The authentication process is supposed to:
The latest beta release is designed to keep another piece of user information from the service: who is messaging whom.
In order to implement the new feature and still ensure authenticity of the sender the following have been included in the short-term certificate:
To prevent spoofing of messages, clients periodically retrieve a short-lived sender certificate containing the client’s phone number, public identity key, and an expiration timestamp, thus attesting to their identity. Clients can include the sender certificate when a message is sent, and receivers of the message can easily check its validity.
To take steps against abuse, clients derive a 96-bit delivery token from their profile key and register it with the service. The service requires that the clients prove their knowledge of the delivery token for a user in order to transmit messages to that particular user.
Profiles are shared with contacts, with other people or groups whom users explicitly approve, and in conversations that they create. This allows delivery tokens to be seamlessly exchanged behind the scenes.
Since knowledge of a user’s profile key is necessary to derive that user’s delivery token, this restricts “sealed sender” messages to contacts who are less likely to require rate limits and other abuse protection. Additionally, blocking a user who has access to a profile key will trigger a profile key rotation.
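A sketch of the delivery-token check described above, as an added example and not Signal's own code. The HMAC-SHA256 derivation, the label string and the `Service` and `Recipient` classes are assumptions made for illustration; only the 96-bit size, the dependency on the profile key and the rotation on block come from the article.

```python
import hashlib
import hmac
import secrets

TOKEN_BYTES = 12  # 96 bits, the token size the article states


def derive_delivery_token(profile_key: bytes) -> bytes:
    # Assumed stand-in derivation: HMAC-SHA256 keyed with the profile key,
    # truncated to 96 bits. Signal's real derivation is not given on the page.
    return hmac.new(profile_key, b"delivery-token", hashlib.sha256).digest()[:TOKEN_BYTES]


class Service:
    """Toy server: stores recipient -> token and never learns the sender."""

    def __init__(self):
        self._tokens = {}

    def register(self, recipient: str, token: bytes) -> None:
        self._tokens[recipient] = token

    def accept_sealed(self, recipient: str, presented: bytes) -> bool:
        expected = self._tokens.get(recipient)
        # Constant-time comparison so the check does not leak token bytes.
        return expected is not None and hmac.compare_digest(expected, presented)


class Recipient:
    def __init__(self, name: str, service: Service):
        self.name, self.service = name, service
        self.rotate_profile_key()

    def rotate_profile_key(self) -> bytes:
        # A fresh profile key yields a fresh token; the old one stops working.
        self.profile_key = secrets.token_bytes(32)
        self.service.register(self.name, derive_delivery_token(self.profile_key))
        return self.profile_key  # shared only with contacts who remain approved


def demo():
    service = Service()
    alice = Recipient("alice", service)  # constructed sample user
    friend_key = blocked_key = alice.profile_key  # both contacts hold the profile key
    before = service.accept_sealed("alice", derive_delivery_token(blocked_key))
    friend_key = alice.rotate_profile_key()  # blocking a key holder triggers rotation
    after_blocked = service.accept_sealed("alice", derive_delivery_token(blocked_key))
    after_friend = service.accept_sealed("alice", derive_delivery_token(friend_key))
    stranger = service.accept_sealed("alice", secrets.token_bytes(TOKEN_BYTES))
    return before, after_blocked, after_friend, stranger
```

The service only ever sees the recipient name and a token, so it can rate-limit or reject unknown senders without learning who they are.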
Signal Protocol is used to encrypt message contents end-to-end. The “envelope” containing the sender certificate as well as the message ciphertext is also encrypted using the sender and recipient identity keys.
Signal has never retained much of its users' data. This was proved two years ago when the FBI demanded that Signal turn over all the data it had on one particular user.
But the question is, with social media platforms being misused by criminals to post attack threats, will a feature like this make Signal a haven for unscrupulous elements? Does Signal also have a plan to tackle issues such as hate speech recognition on its platform?
The Beta releases that support sealed sender will be rolling out over the next few days. Users are advised to update all of their devices to use this new feature. Head over to the Signal Blog for more insights on this news.