undefined | Better HN

0 pointstialaramex4y ago0 comments

Signal doesn't need keys for the messages you previously received. You received a message from Jim, it's received, done, no need to retain keys to decrypt the message from Jim.

You might be thinking, "But what about the next message from Jim?" but that message is encrypted with a new key so the previous key isn't useful, your Signal works out what that key will be and remembers it until it receives a message from Jim.

It's a ratchet, you can go forwards but you can't go backwards, if I didn't keep the message Jim sent me last week then even though you've got the encrypted message, and I've still got a working key to receive new messages, we can't work back to decrypt the old message.

You might also be thinking, "There must be a long term identity key so that I can tell Jim and Steve apart?". Indeed there is. But Signal doesn't use this to sign messages since that's a huge security mistake, instead this long term identity key is used to sign a part of the initial keys other parties will use to communicate with you.

This design deliberately means you can't prove to anybody else, who sent you anything or what they sent. Sure, you can tell people. You can dish the dirt to your spouse, your friends, the Secret Police, but you can't prove any of it cryptographically.

0 comments

gjsman-10004y ago

You are trying to say that iMessage does not have forward secrecy.

That's true, and is a perfectly legitimate reason to use Signal.

I'm saying that the OP was dissing iMessage because of the Pegasus zero-click exploit, and was saying that switching to Signal gives zero guarantees of protecting you from that, because it likely has it's own zero-click exploits, especially because it doesn't attempt to sandbox unlike iMessage does with the flawed BlastDoor.

j / k navigate · click thread line to collapse