[mtgx]

For those interested, Signal doesn't seem to use ZRTP anymore:

> The new Signal voice and video beta functionality eliminates the need for ZRTP. The "signaling" messages used to set up the voice/video beta calls (offer/answer SDPs, ICE candidates, etc) are transmitted over the normal Signal Protocol messaging channel, which binds the security of the call to that existing secure channel. It is no longer necessary to verify an additional SAS, which simplifies the calling experience.

https://whispersystems.org/blog/signal-video-calls-beta/

And it's not in beta anymore:

https://whispersystems.org/blog/signal-video-calls/

[sufficient]

Author of the paper here.

Yup, in regards to Signal our findings are already obsolete :D I think that the new Signal developments are great. It is better to allow only one key verification mechanism for unified usability and also use key continuity. Before, SAS needed to be verified for each call again.

[jugbee]

But isn't now with signal that you have to wiretap it once and your are good to go since there are no sas every time?

[Johnny_Brahms]

Sure, but "wiretapping it once" would mean breaking a lot of well studied and until now unbroken crypto.

[zedred]

That's sort of too bad, because it looks like Signal was one of the only implementations they audited that had no issues.

I hope these authors will eventually look at the new thing too.