by int_19h 2310 days ago
They're secure right up until the point someone with the ability to do so spoofs your phone number.

And yeah, Signal will detect that and inform the other side that "security number has changed". At which point they'll promptly confirm the new one, because they don't understand its purpose any more so than private key management etc. - because they simply installed the app from the store, and expect it to "just work".


> Signal will detect that and inform the other side that "security number has changed"

Specifically, it will say "Your safety number has changed... This could either mean that someone is trying to intercept your communication, or that <other party> reinstalled Signal."

Even for a layperson, if they have reason to be concerned about a powerful attacker, that's reason enough to stop.

I have switched quite a few casual users to Signal by now, and in my experience, none of them have paid any attention to those regardless. They don't even bother asking the person through some other channel - just confirm the new number.

Assuredly, but most people aren't actually that concerned about state-sponsored attacks on their communications, and for those people Signal is still as good as (or better than) PGP email, but they can safely ignore these notifications because, well, the likelihood of (and the risk due to) a state-sponsored attack is relatively low.