Signal is generally viewed as the most secure encrypted communications app. So secure, that even the US Senate has approved it for staff use. And, to keep privacy experts on its side, Open Whisper Systems (the non-profit behind the app) has kept Signal open source and peer-reviewed. But, the developer is having to juggle robust privacy with all the popular features a chat app is expected to provide in this day and age. It's proven a tricky balancing act - particularly in regards to access to user contacts. Just like its (now encrypted) rivals, Signal asks to import your phone contacts in order to tell you who's using the app. For the stricter privacy advocates, that's always been a niggling issue.

With its latest test, the app is trialling a completely private contact discovery service. In other words, no one (whether nefarious actors, or even Signal itself) will be able to access that data, at least theoretically. To accomplish this task, it's utilizing an Intel processor feature known as Software Guard Extensions, or SGX. Originally designed for DRM, the tech essentially allocates a "secure enclave" in a processor that is kept isolated from the rest of a computer's operating system. The code running in that enclave is designated a unique key that only Intel can control. In the case of the app, SGX will be fitted to Signal's servers. That way, when your contacts pass through them, they'll also be kept in this secure enclave for processing, and will vanish afterwards. If the test feature works as it should, Signal will basically be kept out of your information - as will everyone else. The feature is expected to roll out over the next few months, once the test run is out of the way.

Although the new option sticks to Open Whisper Systems' privacy commitments, it is still in its early stages. And, as Wired reports, the server-side use of SGX is relatively untested. To ease concerns, OWS is making the private contact discovery service open source, allowing the security community to nitpick it for possible exploits. All the crypto heads out there can get the low-down on the tech by reading Signal's blog post.

Mobile (Private) Contact Discovery: Breaking & Fixing Contact Discovery in Mobile Messengers

News: Second Prize in German IT-Security Award 2020

Christian Weinert, Thomas Schneider, Matthias Senker, Daniel Kales and Christian Rechberger won the second prize in the 8th German IT-Security Award 2020 for their work on mobile private contact discovery.

Attacks on WhatsApp, Signal, and Telegram in the News

What is Mobile Contact Discovery & Why Should I Care?

Mobile contact discovery allows users of mobile messengers to conveniently connect with people in their address book: newly registered users can instantly start messaging existing contacts based on their phone numbers without exchanging additional information like usernames or email addresses. Some of the world's most popular mobile messengers (with billions of users) like WhatsApp perform contact discovery by regularly uploading and storing the users' entire address books, while more privacy-concerned messengers like Signal transfer only short hashes of phone numbers or rely on trusted hardware. Unfortunately, the low entropy of phone numbers indicates that it is feasible to reverse such hash values and therefore, despite all good intentions, there is no gain in privacy. In a research collaboration between TU Darmstadt, TU Graz, and University of Würzburg, we show that currently deployed contact discovery services severely threaten users' privacy.

Leaking Social Graphs via "Curious" or Compromised Service Providers

Revealing essentially all personal contacts to a service provider is a significant privacy risk and legal challenge, as a variety of personal information can be inferred from the social graph of users.