It seems to be about the clients rather than the server. A level deeper than "ho...

goatsi · on June 6, 2020

>"this phone number is using signal" is still a pretty large metadata leak.

>Especially when state actors and probably a fair few non state actors can remotely compromise devices via the stuff in the baseband processor.

A more accurate phrasing would be "this phone number was used to activate signal". If you only care about messaging other Signal users, you only need to have a baseband connection exactly once, when you receive the text message to confirm the number. After that you can toss the sim card and put in a different number, or run without a sim card at all and just use WiFi.

You don't even need to have the sim card in the same phone you will use with Signal when you receive the confirmation text.

DarkmSparks · on June 6, 2020

wifi is still in the baseband processor.

There have been mutiple baseband RCE exploits published in the literature and demonstrated at blackhat - and they dont include any that were put there intentionally.

If you are not using a sim smartphones are pretty useless.

Im a long way from convinced that centralised servers have any role to play in reasonably secure e2ee, they certainly are not a requirement for other services such as firechat used to use before they got shutdown and bridgefy is making use of.

goatsi · on June 6, 2020

> wifi is still in the baseband processor.

> There have been mutiple baseband RCE exploits published in the literature and demonstrated at blackhat - and they dont include any that were put there intentionally.

You can't target a WiFi exploit against a phone number though, so that's irrelevant to the Signal situation.

>If you are not using a sim smartphones are pretty useless.

Maybe I spend too much time hanging around places with WiFi, but I almost never need to have a sim card. I don't even have data on my current plan.