[sneak]

The server can MITM the public keys, providing you with a key from the server instead of the key from your conversation partner.

It very much does matter if the server is malicious.

[UncleMeat]

If you are paranoid, you can do public key verification through another channel. People with high risk profiles should do this.

[sneak]

Key authentication is not for the "paranoid" or simply those with "high risk profiles", otherwise every web browser in the universe wouldn't do it by default on every single connection to every single website. It is a normal, routine thing that is expected in all modern secure communications systems.

Please don't spread this harmful meme.

[UncleMeat]

We've got certificate authorities to centralize trust for server public keys. And those require trusting organizations that lots of people don't want to trust. We don't have an equivalent system for individuals. There is no trivial push-button key verification process for peer-to-peer communications. Key signing parties suck and never worked. Key validation for things like Signal is nicely automated if you are physically near the other person. But beyond that it is tricky.

It is hard enough to get my parents to use a secure messenger. If I told them they needed to do a key verification process for every person they ever communicate with... they'd just go back to facebook messenger or sms.

I think it is completely reasonable for somebody to say "I don't care enough to worry about validating public keys" while also educating people like journalists about how to do that correctly.

[henearkr]

Not if the keys are generated by the client.

Signal also offers to label contacts for which you could verify the authenticity by another way.

Doing a video call with the contact can be a simple way to clear doubts, even if it is not a proper different channel.

[chipsa]

Video calls alone won't stop a MITM attack. They would just send both video streams along, and record both sides.

Signal does have the capability to have a verification phrase displayed, which is generated from the session key. Reading that off can make the video more difficult to MITM, because then they'd have to morph the audio to match the phrase, and if it's done after the video is setup, morph the video as well. Not impossible, but difficult.

[sneak]

This is false. A video call will not prevent or detect MITM. You may be suggesting that a video call is used to authenticate the key, which is certainly a step in the right direction, but I don't think Signal supports this.

[henearkr]

It will, because it will prove (or give you a lot of confidence) that the agent who sent you their public key is your legit correspondent.

This uses the fact that the client on each side is open source and inspectable, so that each side knows that they sent only the public key that they generated on their own device.

PS: to answer your last sentence, Signal allows you to flag specifically contacts that you managed to verify. Which is technically equivalent to say that you verified that the public key is theirs.

[sneak]

Yes, but it doesn't support doing that whilst in a video call with them.

[henearkr]

[edited]

Indeed it is far from straightforward that merely doing a video call suffices to check the keys.

Signal is famously using a special protocol for secure key sharing through the server, which I have not studied.

But as said by another comment, there is no way around verifying explicitly the public key using an independent channel.