from Hacker News

Ask HN: How secure is Signal messaging?

by Sachaniman on 8/6/20, 4:45 PM with 4 comments

I'm trying to convince a party to use Signal to communicate privately with me, and would like to verify certain things with the HN community to make sure my understanding of the application is correct.

- Are receivers and senders the only entities able to access privately sent messages/pictures/videos? Do the Signal servers not store any of this data?

- If it is not stored on the server, are all the media and content sent and received then stored on the user's device? In other words, will my usage be capped by my device's available storage?

- If Signal servers are hacked, are the security guarantees thrown out? Or, do the hackers only see encrypted data at all times, with no way to decrypt it themselves?

- Is Signal the most reliable mobile app in the secure communication domain? Are there better alternatives?

Thanks in advance :)

  • by justforfunhere on 8/7/20, 12:29 PM

    How public and private keys are generated, updated and stored between two contacts for a particular Signal chat session is captured in the document below. You should be able to find most of your answers here:

    https://signal.org/docs/specifications/sesame/

    >> Are receivers and senders the only entities able to access privately sent messages/pictures/videos? Do the Signal servers not store any of this data?

    The text messages are stored in the database (Postgres) of the Signal server. They are encrypted, so even if you had read access to the database, you wouldn't be able to decrypt them. Read the document mentioned above as to how keys are managed.

    Pictures/videos/any multimedia are stored in a separate storage server (e.g. S3). This is also in encrypted form.

    >> If it is not stored on the server, are all the media and content sent and received then stored on the user's device? In other words, will my usage be capped by my device's available storage?

    Most definitely your device should have enough space for all the content being sent your way.

    >> If Signal servers are hacked, are the security guarantees thrown out? Or, do the hackers only see encrypted data at all times, with no way to decrypt it themselves?

    Yes, even if servers are hacked, they may be able to get the contact details of users registered (this may not be true for the latest Signal server), but they shouldn't be able to decrypt any stored messages.

    >> Is Signal the most reliable mobile app in the secure communication domain? Are there better alternatives?

    I think Signal is the most reliable app right now.

    Edit: Formatting

  • by kleer001 on 8/6/20, 11:19 PM

    Not to sound snotty or anything, but you might want to do some poking around over at the official support page for your specific requests if you can't find help here.

    https://support.signal.org/hc/en-us

    And a more specific channel over at:

    https://github.com/signalapp

    IMHO the weakest security link is always the human. Make of that what you will.