Delete WhatsApp, use Signal Private Messenger instead
RenThraysk:

--- Quote from: Halcyon on January 13, 2021, 06:56:52 pm ---You can have all the encryption in the world, once you get access to the physical device, all bets are off. Signal, Telegram, WhatsApp, Snapchat and others are able to be recovered and parsed from handsets in certain circumstances (provided the messages haven't been deleted and removed from the database, write-ahead log etc...), if you can get the device itself and certain other conditions are met.

--- End quote ---

Yeah, Signal's (et al) security claim is end to end encryption.
If the adversary has the unlocked phone, it's a simple matter of running the messenger app to gain access to messages.
Gyro:
Well the anti-VSee lobby will be pleased to hear that I have given in and re-installed Signal. It actually seems an ok app as far as a replacement for WhatsApp, but the video quality seems a bit lacking compared to VSee and a bit more sluggish. I think [Edit: @SVFeingold, sorry] has probably put across some of my thoughts with more patience than I could.

To try to bullet point my thoughts:

- All most people want (in the 'free' world anyway) is to guard their domestic affairs from the eyes of data harvesting and marketing companies and the like (even if they are the owners of the platform). The new WhatsApp terms seem to have signed its death warrant in that respect.

- People want something to base their faith on. In the case of Signal, this seems to be its open source, donation funded model. In the case of VSee, it is that the company's key business is in patient confidentiality, it's used by NASA, IBM, Navy Seals (apparently), and their business model is clear - and I doubt if they have any interest in my pets. From some of the previous replies, Telegram seems to be on some very dodgy footings in terms of faith (blind or otherwise).

- All most people want, or need, is the comfort of end to end encryption. The ability to share pictures of their cats, dogs etc. without coming into the sights of pet food and insurance companies!.... and of course their day to day family arrangements and domestic communications.

- Personally I don't want to stand out as giving the impression of possibly having something to hide from the authorities, by being seen to be using some ultra specialist secure specialist application - any more than I would use Tor or the dark web or whatever they're called. There are enough active conspirators out there for the authorities to deal with, without having to work out whether I am one of them.

- Can anything be said to be secure (from Google) if it's running on an Android phone? As far as I can see, Google are pretty much as interested in making money from my data as Facebook (?).

- Why can't I just have a 'good enough' end to end encrypted app that just offers a sensible level of security and is fast, without going to the extent of 'crypto enthusiast / paranoia' or 'state actor' territory? VSee seemed fine for that.

Whether I will manage to persuade my extended family to switch is another matter :(


P.S. I saw a review comment on the play store that the windows version of Signal wasn't secure. Is it?
Halcyon:

--- Quote from: RenThraysk on January 13, 2021, 07:28:50 pm ---
--- Quote from: Halcyon on January 13, 2021, 06:56:52 pm ---You can have all the encryption in the world, once you get access to the physical device, all bets are off. Signal, Telegram, WhatsApp, Snapchat and others are able to be recovered and parsed from handsets in certain circumstances (provided the messages haven't been deleted and removed from the database, write-ahead log etc...), if you can get the device itself and certain other conditions are met.

--- End quote ---

Yeah, Signal's (et al) security claim is end to end encryption.
If the adversary has the unlocked phone, it's a simple matter of running the messenger app to gain access to messages.

--- End quote ---

Signal does have the ability to set a password to open the application (after reboot) or if you haven't touched it for 24 hours, it auto-locks. I believe it also encrypts the message database on the device but I have not tested this out (perhaps if I get some time over the next few weeks I'll do some further testing).


--- Quote from: Gyro on January 13, 2021, 08:22:40 pm ---P.S. I saw a review comment on the play store that the windows version of Signal wasn't secure. Is it?

--- End quote ---

That relates to the message database itself. It's not encrypted, however the communications are always encrypted in transit between Signal clients.
RenThraysk:

--- Quote from: Halcyon on January 14, 2021, 05:09:52 am ---
--- Quote from: RenThraysk on January 13, 2021, 07:28:50 pm ---
--- Quote from: Halcyon on January 13, 2021, 06:56:52 pm ---You can have all the encryption in the world, once you get access to the physical device, all bets are off. Signal, Telegram, WhatsApp, Snapchat and others are able to be recovered and parsed from handsets in certain circumstances (provided the messages haven't been deleted and removed from the database, write-ahead log etc...), if you can get the device itself and certain other conditions are met.

--- End quote ---

Yeah, Signal's (et al) security claim is end to end encryption.
If the adversary has the unlocked phone, it's a simple matter of running the messenger app to gain access to messages.

--- End quote ---

Signal does have the ability to set a password to open the application (after reboot) or if you haven't touched it for 24 hours, it auto-locks. I believe it also encrypts the message database on the device but I have not tested this out (perhaps if I get some time over the next few weeks I'll do some further testing).

--- End quote ---

The way adversaries get around phone locks is to make sure you are using your phone when they grab you.
I don't know either for certain. Pretty well versed (written an implementation of) the Signal protocol, but that just covers e2e.
Given Cellebrite's recent embarrassing claim of being able to access the Signal's messages using software, if the phone is unlocked. Suspect might be using whatever secure storage the OS provides.

https://signal.org/blog/cellebrite-and-clickbait/
Halcyon:

--- Quote from: RenThraysk on January 14, 2021, 12:36:51 pm ---The way adversaries get around phone locks is to make sure you are using your phone when they grab you.
I don't know either for certain. Pretty well versed (written an implementation of) the Signal protocol, but that just covers e2e.
Given Cellebrite's recent embarrassing claim of being able to access the Signal's messages using software, if the phone is unlocked. Suspect might be using whatever secure storage the OS provides.

https://signal.org/blog/cellebrite-and-clickbait/

--- End quote ---

That's not the only way, it's the easy way, but there are many phones where locks can simply be bypassed or disabled with nothing more than a few clicks of a mouse and some hardware, or you can simply extract the contents of the memory (even if it's encrypted) without ever booting up the phone or knowing the password. Other phones are brute forced (some slowly, some very quickly). That's all the detail I will (and am allowed to) go into.

Cellebrite software and tools can read the Signal database from the phone, but it doesn't extend to every version of Signal (and to my knowledge, not the latest ones). Yes it's true, if you get the PIN/password (either from the user, brute force or via some other method), then you can just view the messages on the screen. As I said, once you have physical access to a device, all bets are off.

That being said, unless you have thousands and thousands of dollars to spend, the average nerd on the street is not going to have access to these tools (and some of them can't be bought with all the money in the world unless you're a law enforcement agency).