Session is a fork of Signal that aims to be decentralized.
The response of Session: https://web.archive.org/web/20250117085555/https://getsession.org/blog/a-response-to-recent-claims-about-sessions-security-architecture
and another blog post: https://soatok.blog/2025/01/20/session-round-2/
Loading a resource can deanonymise a user:
- Cloudflare's CDN exposes the nearest airport in its `Cf-Ray` HTTP header.
- A favicon cache works: "Since every time you load their site, your browser automatically downloads this favicon, this means a user from each one of these locations has visited the Namecheap.com site within the 5 minutes with the last visit from Tokyo, Japan." So if specific content created to target only one user gets loaded, you can tell from which data center it was loaded (and its nearest airport).
- As Signal uses Cloudflare caching for the attachments, the same attack can be exploited.
With an innocent-looking attachment, an attacker can deanonymize users and find their location within an approximate radius (tens of miles, depending on the datacenters).
It works only if the user clicks to download the attachment in this case.
- A Signal push notification with an image can trigger the cache, so a 0-click exploit can exist.
If the target has push notifications enabled (which it is by default), they don't even have to open the Signal conversation for their device to download the attachment. [...]
An attacker can run this deanonymization attack any time and grab a user's current location without a single interaction.
A similar exploit can be used on Discord with custom emojis: a custom emoji is custom content downloaded by one user.
Conclusion:
This attack can be used to track Signal accounts, correlate identities, find employees meeting with journalists and much more.
Any app using a CDN for content delivery and caching can still be vulnerable if the proper precautions aren’t taken.
Definitely. I'm a big fan of Signal. Works at least as well as WhatsApp. The only excuse I've heard for not switching is "But my friends only use WhatsApp."
Don't be part of the problem. Create your account.
Signal seems to consume a lot of battery.
Using two encryption algorithms: the usual one and a quantum-resistant one.
It's curious to see how the far right (and Telegram) are attacking Signal.
Given that:
1) Telegram chose not to enable encryption by default, unlike Signal.
2) Consequence: 99% of exchanges on Telegram can be eavesdropped on.
3) Telegram is of Russian origin (even if apparently hostile to the government in power).
The criticism said: "their 'private' Signal messages had been exploited against them in US courts or media". We don't know who, when, or why...
Elon Musk replies: "Signal has known vulnerabilities that are not being fixed. That seems strange..."
Which ones?
The rest of the arguments is long... about Telegram:
you made the deliberate decision not to add security for most users, that goes beyond competition and starts to look like malice.
Images, videos and icons are great. Signal comes with stickers in its own format.
A great tool could convert such images into stickers, and bundle them into sticker packs.
A greater tool could export these stickers.
Oh wait there is already a website referencing them: https://signalstickers.org/.
Brief documentation about them is available on the dedicated Signal webpage.
We estimate that by 2025, Signal will require approximately $50 million dollars a year to operate — and this is very lean compared to other popular messaging apps that don’t respect your privacy.
When you send a message, the Signal service temporarily queues that message for delivery. As soon as your message is delivered, that small bundle of encrypted data (i.e. your message) can be dropped from the queue. The storage of end-to-end encrypted files is temporary too, and any undelivered end-to-end encrypted data is automatically purged after a period of inactivity.
It also shows the costs of the different services and why they are what they are. It shows the care Signal takes over privacy in its different services.
Signal tends to get its income from its users. Users who donate will be awarded a badge on their profile. This will allow Signal to stay consistent with its principles and to remain independent, while giving recognition to its financial contributors.
We will see how this evolves :)
The response of Matrix to Moxie (Signal maintainer). And why a decentralized version is needed on the internet.
Alternatives: Matrix, Briar, Jitsi, XMPP
👍
Signal was again ordered by a judge to provide user information. But since everything is encrypted from end to end, here is the only information they were able to provide:
- date/time of account creation.
- date/time of the last connection to the service.
And that's it.
That's it.
It's probably not perfect software, but use Signal.