by m4rtink 184 days ago
Do we really know the server actually does this when you can't run your own Signal server instances you have compiled yourself from source code?
3 comments

Short answer is no.

Signal provides content-privacy by design with E2EE. Signal provides metadata-privacy by policy, i.e. they choose to not collect data or mine information from it. If you need metadata-privacy by design, you're better off with purpose-built tools like Cwtch, Ricochet Refresh, OnionShare, or perhaps Briar.

I thought you could compile from source and run Signal server instances, but there is no federation, so you would need a client that points to your server and you could only talk to other people using that client.

https://github.com/signalapp/Signal-Server

They use remote attestation based on SGX. So, assuming SGX can be trusted, yes. See https://signal.org/blog/private-contact-discovery/
and assuming you have a practical way to

- verify the attestation

- make sure it means the code they have published is the attested code

- make sure the published code does what it should

- and catch any divergence to this *fast enough* to not cause much damage

....

it's without question better than doing nothing

but it's fundamentally not a perfect solution

but it's very unclear if there even is a perfect solution, I would guess due to the characteristics of phone numbers there isn't a perfect solution

Well, no - as long as someone you trust is able to do that verification, that's good enough.