A company that requires using a phone number prides itself in security?
Comment on Signal downplays encryption key flaw, fixes it after X drama
dinckelman@lemmy.world 2 months ago
[deleted]
timewarp@lemmy.world 2 months ago
eager_eagle@lemmy.world 2 months ago
privacy != anonymity != security
victorz@lemmy.world 2 months ago
But in some way, privacy ≈ security. Very intertwined.
sudneo@lemm.ee 2 months ago
Privacy is not anonimity though. Privacy simply means that private data is not disclosed or used to parties and for purposes that the data owner doesn’t explicitly allow. Often not collecting data is a way to ensure no misuse (and no compromise, hence security), but it’s not necessarily always the case.
9tr6gyp3@lemmy.world 2 months ago
Whats the vulnerability with Signal and phone numbers?
wildbus8979@sh.itjust.works 2 months ago
It’s better now, but for years and years all they used for contact discovery was simple hashing… problem is the dataset is very small, and it was easy to generate a rainbow table of all the phone number hashes in a matter of hours. Then anyone with access to the hosts (either hackers, or the US state via AWS collaboration) had access to the entire social graph.
9tr6gyp3@lemmy.world 2 months ago
Yeah the way I remember it, they put a lot of effort into masking that social graph. That was a while back too, not recent.
unexposedhazard@discuss.tchncs.de 2 months ago
It wasnt a serious security flaw, arguable not one at all. So they are perfectly justified in downplaying the hysteria.
spiderman@ani.social 2 months ago
the point is they could have fixed it by the time it was reported and not waited around until the issue was blown bigger.
sudneo@lemm.ee 2 months ago
A security company should prioritize investments (I.e. development time) depending on a threat model and risk management, not based on what random people think.
spiderman@ani.social 2 months ago
so you are saying that wasn’t a security risk?