[simonh]

That’s one way, but.

https://thehackernews.com/2025/02/hackers-exploit-signals-li...

“… the threat actors, including one it's tracking as UNC5792, have resorted to malicious QR codes that, when scanned, will link a victim's account to an actor-controlled Signal instance.”

“ These QR codes are known to masquerade as group invites, security alerts, or legitimate device pairing instructions from the Signal website.”

Also

“ Last week, Microsoft and Volexity also revealed that multiple Russian threat actors are taking advantage of a technique called device code phishing to log into victims' accounts by targeting them via messaging apps like WhatsApp, Signal, and Microsoft Teams.”

[Zak]

That's just phishing.

Signal could make the pairing attack impossible by eliminating the device pairing feature, but that would also reduce its appeal and harm its mission of bringing secure communication to a broad audience. It could add steps to setting up a group chat and inviting additional members to make it less likely users will invite the wrong person, but that, too would hurt its popularity.

Security is a process and a spectrum, not a binary that can be guaranteed by using a certain product or service.

[bb88]

The goal of US information security is not making an app more popular. It's keeping secrets safe.

In that view, Signal is the wrong app to use for US Officials.

[Zak]

I agree. There are official channels that already exist for discussing sensitive information, and it does not appear Signal is one of them. These officials using any device or software not approved for that purpose constitutes a serious breach of protocol.

Signal probably shouldn't be approved for that purpose because it does trade some foolproofness for convenience. Secure communication should also be limited to dedicated devices, which probably wouldn't have journalists stored in their contacts.

[bb88]

The CIA was approved to use signal but for certain applications. Probably because it was better than SMS. But not good enough for classified information.

You could see a CIA agent being in Russia needing to use Signal with an informant, e.g. But that wouldn't be the same level of security needed to hold nuclear secrets.

[Zak]

I imagine Signal itself is secure enough that it wouldn't be unreasonable for a government to develop a procedure to use it to transmit classified information under certain conditions.

That list of conditions would likely be quite restrictive compared to how we saw it used here. It would certainly include using a dedicated device for classified information, and would forbid taking that device to an unfriendly country. The US government doesn't need to do that though; it already has its own systems for secure communication.