by leevlad 1695 days ago
Fair. And I think I know what you're referring to.

Yes, they do upload your contact list, but I believe there's a prompt at setup time that allows you to opt out? It might even be an OS-level prompt to the tune of "Signal would like to access your Contacts". Not 100% sure on that one as I haven't set up a brand new Signal installation in years.

It's done to help their user acquisition. It uploads your contacts to match against other contact lists and let you know who's on Signal. I recall seeing a blog post explaining how they are doing it in a fully encrypted way, possibly using Secure Enclave (? though I think the 2021 version of that would probably involve ZK proofs/homomorphic encryption of some kind, and I hope they put some time into that).

I don't recall ever having to set a PIN specifically for that. And besides, a 4-6 digit PIN would be a terribly insecure way to "encrypt" anything server-side :) But yes, that would be a shame if it were the case.

1 comment

> It's done to help their user acquisition. It uploads your contacts to match against other contact lists and let you know who's on Signal.

I may be wrong, but I think this functionality existed prior to the server-side state effort. I recall when people in my contact list joined Signal, I was notified.

However, these days I do not keep contacts in the phone contact list. It's too big and juicy a target.

> And besides, a 4-6 digit PIN would be a terribly insecure way to "encrypt" anything server-side :)

Very much so. That does seem odd.