If you want total privacy, Signal is generally understood to be the best messaging app around. But that doesn’t mean it offers total privacy. Its developers are still working on improvements. And the latest tweak uses a controversial new feature in Intel processors to prove that Signal isn’t storing your contact info.
The fact is, unless you’re an expert in information security, there’s going to be a level of trust involved with using any encrypted messaging app. Back in March, security researchers found multiple vulnerabilities in Confide, an app that was believed to be comparable to Signal and was reportedly the service of choice for White House aides avoiding a data trail. So far, Signal has tried to offer all the safeguards experts want, and (because Signal is open source and peer-reviewed) it’s constantly being checked and double-checked. But one major problem has nagged at Signal’s development of user trust: importing contacts.
Like other messaging apps, Signal asks you to import your contacts when you first launch the app. This just makes sense—it’s hard to get people to adopt if they have to re-enter all that info every time they try a new service. But Signal’s whole philosophy is about encrypting the data that goes through its servers to a degree that it’s virtually uncrackable. The less Signal knows about you, the less any bad actor in the future can decipher from Signal’s information. This is an increasingly pressing issue today, considering that private companies are routinely hacked, and no one wants the government knowing any more than it has to. At its most basic, encryption converts data into a string of characters that would take the computers that we have today too long to crack by simply running all the possibilities to match up with the code. But phone numbers are relatively easy to crack because they have a short, set length and only consist of numbers.
Any code running in that enclave is signed with a unique key that Intel, not the computer’s owner, controls. And a computer that connects to that machine running SGX can check its signature to make sure that the code in the enclave hasn’t changed, even if the rest of the computer is infected with malware, seized by the FBI, reprogrammed by its owners to sell out all its users’ data, or otherwise compromised.
Today, Signal outlined how it plans to use SGX as a sort of middleman between its servers and your phone’s contacts, taking it one step further from knowing anything about you. Your contacts will pass through this secure enclave for processing and will disappear afterward. And going forward, users will be able to double-check that Signal’s open-source code hasn’t been altered in a way that would instruct the servers to store contact data, and the contacts are only temporarily held in the SGX. If all the testing works out, Signal wouldn’t ever “see” your contacts, and the code in the SGX would be unalterable by Signal’s team.
There’s a bit of irony here in that SGX is both facilitating a principle (personal privacy) that people who advocate for internet freedoms love, while it has also come under fire for being a dangerous route to unbreakable DRM. The criticism, in a nutshell, is that a user should have the power to alter anything they want on their own machine. But Intel controls what the code says in the SGX. If all chips that were produced had some sort of SGX, it would be easy to create a form of digital rights management that makes it impossible for anyone to get around any sort of constrictions the processor’s manufacturer decides it wants to put in place.
In Signal’s case, it’s turning this problem into an asset. Well, it might be turning this problem into an asset. It’s still unclear if it’s realistically feasible for someone to break into their own server-side SGX. If the history of web security, encryption, and cryptography are any indication, it’s probably only a matter of time before SGX is cracked. It’s also only a matter of time before Signal’s system is obsolete. That’s why it’s constantly being improved through a transparent and open-source process. And right now, it’s the best option we’ve got. [Wired]