Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platform


https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117

Signal has moved the ball on e2e for the masses, but it's centralized arch makes it a honeypot for metadata collection & timing correlation attacks. p2p networks w/ plausible deniability bloom filters like @waku & mixnets like @nymproject make attacks like this harder w/ the tradeoff of higher bandwidth & latency.

Building uncompromising web3 communication at scale.

https://waku.org
Part of the @logos-stack .

The next generation of privacy infrastructure.

Quilibrium, the decentralized MPC platform as a service

/quilibrium

Software Engineer @ Cadence Design Systems. B4: Stanford EE / Illinois ECE

also Quorum Messenger via @quilibrium can add cryptoeconomics into the mix by providing incentives to run decentralized messaging infra

Making DeFi accessible to everyone - building @starta | /9to5dotmeme on the side FID 675

Yep, but I think UX needs to be more expansive than just in-app animation candy. UX could be a big tent that includes user metadata privacy, data sovereignty, the uptime that only a decentralized network can provide, etc. The problem is that the tradeoffs & shortcuts taken are not salient to users, and once you make it clear, they often do understand & care about it. (my bet is that this will continue & it's why crypto will win)

Feels like UX is usually the biggest trade off right? The fact that our industry runs on top of TG continues to baffle me but I’ve accepted the network effect

Agree that Signal is awesome except for it's centralized arch. In addition to honeypot for metadata collection, Signal also doesn't have a cryptographically provable identity to verify initial messages sent to a new contact.

A team of us are experimenting with adding Signal-like e2ee messaging to Bluesky which, like FC, has a DID that can bootstrap secure messaging.

With this particular attack, I think the only thing that will help is a mixnet or a client that doesn't use a CDN in any way.

It's a trade off between responsive UX and doxing your location.