Signal is Making Improvements to Improve Privacy

signal

Cyber security has been at the top of mind lately.  Cyber security isn’t just a corporate issue either.  If you put any of your data online, you will want to ensure that its protected.  And unless you’re an expert, this can be difficult to figure out.  Let alone, just understand.  Signal is generally understood to be the best messaging app around.  But, it doesn’t offer total privacy.  Signal developers are still working on improvements, but it still has the ability to get better.  The latest improvement uses a controversial new feature in Intel processors, which prove that Signal isn’t storing your contact information.

But, you still have to trust that your information is protected when you’re using any encrypted messaging app.  Earlier this year, security researchers found multiple vulnerabilities in Confide.  Confide was believed to be comparable to Signal and had been reported as the service of choice for White House aides wanting to avoid a data trail.  Signal has definitely tried to offer all the safeguards that experts want and it is always being checked and double checked.  But there is one area where they are struggling.  And that is in relation to importing contacts.

Like with many other messaging apps, Signal asks you to import your contacts when you first launch the app.  Which makes sense, because its easier to offer this from the start, rather than making people do the work.  But Signal’s whole philosophy is about encrypting the data that goes through its servers to a degree that it’s virtually uncrackable.  The less Signal knows about you, the less of a chance that someone can disguise themselves as Signal and steal your information.  No one wants the government knowing what you’re up to, and you certainly don’t want to put yourself at risk of getting hacked.

signal

Encryption converts data into a string of characters that would take computers too long to crack by simply running all the possibilities to match up with the code.  But because phone numbers are short, are a set length and only consist of numbers, they are relatively easy to crack.  Which is where Intel comes in.  They have a new Software Guard Extension (SGX) that would allocate a
“secure enclave” in a processor.  This, in theory, can’t be altered by the user.  Wired explains this in a really clear way:

Any code running in that enclave is signed with a unique key that Intel, not the computer’s owner, controls. And a computer that connects to that machine running SGX can check its signature to make sure that the code in the enclave hasn’t changed, even if the rest of the computer is infected with malware, seized by the FBI, reprogrammed by its owners to sell out all its users’ data, or otherwise compromised.

Which definitely sounds pretty great, doesn’t it?  Signal has outlined how it plans to use SGX as a “middle man” between its servers and your phone contacts.  Your contacts will pass through this secure enclave for processing and will disappear afterward.  And going forward, users will be able to double-check that Signal’s open source code hasn’t been altered in a way that would instruct the servers to store contact data, and the contacts are only temporarily held in the SGX.  If all the testing works out, Signal wouldn’t ever be able to “see” your contacts, and the code in the SGX would be unaltered by Signal’s team.

Even with this improvement, is Signal secure?  They are still working on this in terms of whether or not it can or will work.  Which is great, but what would be great is if this did work.  Right?  It’s one of those things that may never be perfect.  Cyber security is a big business, and there are always going to be hackers.  Which means, there are always going to be “solutions” to these problems, but they may never actually be complete in terms of what we need.  Its kind of a catch 22, in my opinion.  You use the system to be secure, but there’s a good chance that the system isn’t completely secure?  In general, these are great steps, but more needs to be done in order to make the system completely secure.