Privacy

4467 readers

55 users here now

Icon base by Lorc under CC BY 3.0 with modifications to add a gradient

founded 2 years ago

MODERATORS

Ategon@programming.dev

danielintempesta@programming.dev

371

Signal Desktop without a smartphone, standalone version in development (aboutsignal.com)

submitted 3 days ago by unglueclass23@programming.dev to c/privacy@programming.dev

58 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] kuberoot@discuss.tchncs.de 3 points 2 days ago

How do we know they don't store copies of the keys?

I don't know how Signal is built, but you can establish a secure communication channel through a channel that's being listened in on, meaning the server doesn't need to ever see the keys. Look up Diffie-Hellman for an example, an algorithm that lets two actors establish a shared secret without communicating enough information to reconstruct the secret.

So if the client uses a secure key exchange algorithm (or straight up asymmetrical encryption) the server can't just grab your keys - you just need a secure way to verify that your keys actually match, because what they could do is a man in the middle attack where they establish a secure channel with you and the person you're messaging, and decrypt and reencrypt messages going both ways, being able to listen in and modify messages.