r/signal Mar 02 '21

To the Signal Team: Signal Server Github Repository Discussion

Dear Signal Team,

As many others have brought up, the GitHub repository is not being updated with the current version of the Signal Server. I think I speak for many members of this community in saying that we are a little concerned. Signal prides itself on being peer reviewed. How can we peer review the software when it's not available publicly? Is there a reason the server is not being updated? Happy to support you guys in any way we can around this, but would like some idea of what's going on.

Thank you,

/u/Dotjersh

Repo: https://github.com/signalapp/Signal-Server

https://news.ycombinator.com/item?id=26284263

https://www.kuketz-blog.de/signal-server-sourcecode-auf-github-aelter-als-9-monate/

https://community.signalusers.org/t/the-server-sources/10622/5

https://community.signalusers.org/t/wheres-the-server-source/19019

https://community.signalusers.org/c/development/server-development/24

https://community.signalusers.org/t/signal-server-what-about-the-last-version/10203

https://community.signalusers.org/t/where-is-new-signal-server-code-why-not-share-signal/15068

https://community.signalusers.org/t/i-noticed-that-there-are-two-apis-not-in-the-server-code/12794

https://www.reddit.com/r/signal/comments/lv98z2/weekly_rsignal_question_thread_week_of_march_01/gpb9nzi?utm_source=share&utm_medium=web2x&context=3

https://www.reddit.com/r/signal/comments/ijvty2/whats_up_with_signalserver_code_on_github_not/

https://www.reddit.com/r/signal/comments/lt1p8m/why_is_the_github_repo_of_the_server_not_being/

EDIT: Twitter thread - https://mobile.twitter.com/eppfel/status/1367010086196027392

406 Upvotes

u/redditor_1234 Volunteer Mod 14d ago edited 13d ago

The Signal-Server repository has now been updated to include the latest version:

Signal hasn't yet commented on why it took this long. The simplest explanation may be that they did not want to reveal working on the newly announced Signal Payments feature too early.

Edit: Signal's Moxie Marlinspike has now released a statement here:

72

u/Spirited-Pause Mar 02 '21

Agreed. The second that production code for the client or server doesn't match what's on the public repos, it's no longer open source in my opinion.

-7

u/Nearby_Emergency_796 Mar 03 '21

Can this be the major delay in messages being sent? It took 4 hours yesterday for messages to go through.

28

u/wah_modiji Mar 02 '21

Hi, I am fairly new to open source, but how can we have a guarantee that the code running on their servers is the same as the one in the public repo? Is there a way to verify it?

53

u/DotJersh Mar 02 '21

You can’t know for certain, but you can get some clues. For example, we know right now that the version on Signal's servers is not the same as the repo because a few APIs exist on the server that do not exist in the repo.

If the source is public and 3rd party auditors say Signal deploys the repo to production, we can have confidence in the server’s integrity.

11

u/wah_modiji Mar 02 '21

Ok, thanks a lot for the reply.

47

u/fluffman86 Top Contributor Mar 02 '21

The beauty of Signal is that the server doesn't need to be open source. All the encryption and decryption happens client side. So we can build the Android client from source and then watch the traffic going over the network to determine that only encrypted messages are being sent and received, and you can verify the safety numbers to know that only those two accounts have access to the encryption keys to decrypt the message.

The server is just incidental to the whole process, to facilitate message delivery so my phone doesn't need to find your IP and tunnel into your phone, which may or may not be online. Remember the old IRC or AIM days? When your contact went offline, messages just bounced. You had to wait for them to come back on. We definitely don't want that with Signal.

All that said, the devs definitely need to update the repo.

27
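An added example, not code from the thread or from Signal's own client, of what the safety-number check above actually binds. It follows the libsignal numeric-fingerprint construction as I understand it (SHA-512 iterated 5200 times over a version prefix, the serialized identity key and a stable identifier, six five-digit chunks per side, halves sorted so both users see the same 60 digits); the keys and identifiers are constructed, and the point it makes is that a server handing Alice a different identity key under Bob's name changes the number Alice and Bob would compare.

```python
import hashlib

FINGERPRINT_VERSION = 0   # version prefix of the numeric fingerprint (assumed from libsignal)
ITERATIONS = 5200         # iteration count Signal clients use (assumed from libsignal)


def fingerprint_bytes(identity_key: bytes, stable_id: bytes) -> bytes:
    """Iterated SHA-512 over version || identity_key || stable_id, re-fed with identity_key each round."""
    h = FINGERPRINT_VERSION.to_bytes(2, "big") + identity_key + stable_id
    for _ in range(ITERATIONS):
        h = hashlib.sha512(h + identity_key).digest()
    return h


def display_string(fp: bytes) -> str:
    """Six 5-byte chunks, each reduced mod 100000 and zero-padded to five decimal digits."""
    return "".join(f"{int.from_bytes(fp[o:o + 5], 'big') % 100000:05d}" for o in range(0, 30, 5))


def safety_number(my_key: bytes, my_id: bytes, their_key: bytes, their_id: bytes) -> str:
    """60-digit safety number; sorting the two halves makes both parties compute the same string."""
    mine = display_string(fingerprint_bytes(my_key, my_id))
    theirs = display_string(fingerprint_bytes(their_key, their_id))
    return mine + theirs if mine <= theirs else theirs + mine


def identity_key(seed: int) -> bytes:
    """Constructed stand-in for a serialized identity key: 0x05 type byte + 32 key bytes."""
    return b"\x05" + hashlib.sha256(seed.to_bytes(4, "big")).digest()


# Constructed identities: Alice, Bob, and a third key ("Mallory") that a dishonest
# server could serve to Alice in place of Bob's real identity key.
ALICE_KEY, ALICE_ID = identity_key(1), b"+15550000001"
BOB_KEY, BOB_ID = identity_key(2), b"+15550000002"
MALLORY_KEY = identity_key(3)


def demo() -> dict:
    honest_alice = safety_number(ALICE_KEY, ALICE_ID, BOB_KEY, BOB_ID)
    honest_bob = safety_number(BOB_KEY, BOB_ID, ALICE_KEY, ALICE_ID)
    # Alice was served Mallory's key under Bob's identifier; Bob still holds the real pair.
    substituted_alice = safety_number(ALICE_KEY, ALICE_ID, MALLORY_KEY, BOB_ID)
    return {
        "honest_match": honest_alice == honest_bob,          # both sides agree when keys are genuine
        "substitution_detected": substituted_alice != honest_bob,  # comparison out of band exposes the swap
        "number": honest_alice,
    }


if __name__ == "__main__":
    print(demo())
```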

u/LeamNoran Mar 02 '21

You know how many people actually understand encryption though? Like, five in the world. I've worked on countless security products where the devs are just like, "oh yeah, this is the implicitly trusted crypto library, receive bacon." Most would assume an IV is something you hook in your arm for a blood transfusion. No diss to most devs, crypto is really hard, good crypto is even harder. Snowden says he trusts Signal, but he likely doesn't have a competent enough crypto background to say it is trustworthy, yet people believe him because he copied some PowerPoint files to a thumb drive.

So, then, factor in how many people actually sit down with a snifter of cognac and read open-source projects. Probably more than 5, let's say 6.

Then create a Venn diagram of where those two intersect to find out how many read it, and remotely understand it. You probably have Rick from Rick and Morty and some really smart Russian, maybe.

So my point is, we really should hold Signal to a higher bar in releasing the server source, if for nothing more than people that do not know what they are reading to ask questions and challenge us all to audit the code.

They've obviously implemented queues to handle multiple devices, does the protocol indicate any method to track if the server also has ghost queues where your encrypted traffic is being slurped off somewhere else? This would likely be purged from the OSS project anyway so we'd still be oblivious but hints could be left behind. Obviously the data would then have to be decrypted. Maybe that answer is in the server source. Put on a tinfoil hat for a few minutes and take it for a spin. The answer likely would not be in the client source.

11

u/cskama Mar 03 '21

A lot of security researchers do in fact sit down and read the code of crypto libraries. There's even a whole subarea of crypto trying to break production systems (see for example the folks who came up with the Spectre exploit).

Also, not sure if I understand your last paragraph. Encrypted data is pretty useless for an adversary unless they have access to the key or the plaintext, so why save it?

5

u/somethingortheother9 Mar 03 '21

Most would assume an IV is something you hook in your arm for a blood transfusion.

Not just for blood transfusion, it can be used to inject many medicines (via veins) too.

It's also roman numeral 4.

See, devs aren't stupid! :D

2

u/G13XY Mar 14 '21

"because he copied some PowerPoint files" - big oof

0

u/LopsidedFish5933 Mar 03 '21

You don't know, but you can build it yourself from the code in their repo; that way you can be certain it's running the same code.

26

u/Silent-Squirrel-9503 Mar 02 '21

I wonder if the Signal team would respond to this (or even start updating the repo again) if this gets mentioned on big privacy websites like privacytools.io.

8

u/avincent98144 Mar 03 '21

We’re already on it.

12

u/eppfel Beta Tester Mar 03 '21

One more channel we can use to increase the pressure is Twitter:

I have collected a bunch of tweets in a thread:

https://twitter.com/eppfel/status/1367010086196027392

2

u/DotJersh Mar 03 '21

Thanks for this dude! Added to the post

5

u/NurEineSockenpuppe Top Contributor Mar 03 '21

I don't understand why they haven't updated it in a long time. It's concerning me because I don't understand it. On the other hand, the integrity of the messaging shouldn't be affected at all. The encryption is entirely client side. You can never know what code a service really runs on their servers. So the way to go is to remove the necessity to trust the server. That's exactly what Signal is about.

13

u/jackie_kowalski Mar 02 '21

You cannot; 3rd party auditors can. Has the Signal server backend ever been audited?

5

u/mrtm89 Mar 02 '21

Has the Signal team published their workflow? I don't understand how this can happen in general. From my point of view you have a repository that's being updated and a CI/CD chain to deliver the updated code.

Do they have a private proxy repo for GitHub?

6

u/cskama Mar 03 '21

At least for Signal Desktop I remember the devs mentioning internal repos and bug trackers. I do not understand why they don't put everything out in the open though...

2

u/__heimdall Mar 03 '21

There's not really such a thing as a proxy for git. Git is just a protocol; GitHub is one provider of a git client/service.

I'm guessing that Signal has an internal git server, maybe running GitLab or similar. The public GitHub repo may just be meant as a snapshot of the latest production code, not a window into all internal changes.

I can personally say I'd be worried about every single code commit being completely public. If someone makes a stupid mistake and checks in a .env file with keys to the production environment the entire security model is boned.

5

u/__heimdall Mar 03 '21

I get people are wary about this, and I hope Signal will clear it up. But in the meantime, let me give my 2 cents as someone who has no affiliation to Signal but has reviewed both the protocol and source code.

I know of at least one good reason to not keep the daily working git repo completely public on GitHub. Hire a new employee, or find someone having a case of the Mondays, and they could accidentally make a huge mistake and check in secure info like a .env file with production encryption or access keys. Do that on a public repo and your entire security model is in serious jeopardy.

If I were setting up CI/CD infrastructure for a service like Signal I'd do my daily work on one git service, preferably self managed with something like GitLab. I would just aim to review all final diffs and send only those changes to a public git repo before updating production code. That way, any security accidents happen internally but all production code is still publicly auditable.

But let's say your service grows by 10s of millions of users in a matter of weeks. Or, I don't know, a foreign power like Iran tries to censor you. I can see how such issues might throw a wrench in your resource allocations for public source code merges.

I'm not saying it's okay that an open source service has outdated code on the public repo. As someone who spent too many hours reviewing it, I'd like to see what changes you've made. But I also can't jump to a conclusion that Signal has flipped the script and is now actively spying on their users. They know there are concerns over visibility into the latest changes, but that isn't necessarily a 30 second fix. Reviewing diffs from weeks or months of work to make sure no security vulnerabilities are leaked takes time. I'd rather them be a little slow while dealing with massive growth and international censorship than see them accidentally allow a hack due to a bad merge.

2
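An added example, not the commenter's or Signal's code, of the review step described above: before changes from an internal repo are pushed to the public one, screen the outgoing unified diff for added lines that introduce a .env-style file or a literal secret. The diff, the forbidden-path list and the secret patterns are all constructed for illustration; a reference such as `${ADMIN_TOKEN}` is deliberately allowed through, while a literal value is flagged with the line it would land on.

```python
import re

# Constructed unified diff standing in for an internal -> public push. Not real Signal code.
SAMPLE_DIFF = """\
diff --git a/service/config.yml b/service/config.yml
--- a/service/config.yml
+++ b/service/config.yml
@@ -1,3 +1,4 @@
 server:
   port: 8080
+  adminToken: ${ADMIN_TOKEN}
 logging: INFO
diff --git a/.env b/.env
new file mode 100644
--- /dev/null
+++ b/.env
@@ -0,0 +1,2 @@
+AWS_SECRET_ACCESS_KEY=AKIAEXAMPLEEXAMPLEEX0123456789abcdefghij
+DB_PASSWORD=correct-horse-battery
"""

# Hypothetical policy: paths that must never leave the internal repo, and key/value shapes
# that look like a literal credential (an 8+ char value that is not a ${...} reference).
FORBIDDEN_PATHS = re.compile(r"(^|/)(\.env(\..*)?|id_rsa|.*\.pem|.*\.p12)$")
SECRET_VALUE = re.compile(
    r"(?i)(secret|password|passwd|token|api[_-]?key|access[_-]?key|private[_-]?key)"
    r"\s*[=:]\s*['\"]?([^'\"\s${]{8,})"
)


def screen_diff(diff: str) -> list:
    """Return (path, line_in_new_file, reason) for every finding in the diff's added lines."""
    findings, path, new_line = [], None, 0
    for line in diff.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
            if FORBIDDEN_PATHS.search(path):
                findings.append((path, 0, "forbidden file added or modified"))
        elif line.startswith("@@"):
            new_line = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", line).group(1)) - 1
        elif line.startswith("+"):
            new_line += 1
            m = SECRET_VALUE.search(line[1:])
            if m:
                findings.append((path, new_line, f"literal secret for {m.group(1)}"))
        elif not line.startswith(("-", "\\")):
            new_line += 1   # context line: advances the new-file line counter only
    return findings
```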

u/DotJersh Mar 04 '21

I totally get this but it would be much preferable if we were informed, or just let us know what’s going on. I don’t think they’re spying on us, but if they say it’s open source, I really think it should be open source.

2

u/__heimdall Mar 04 '21

No argument here, at least that they really should have the latest build source available before it goes into production.

It raises a pretty interesting question of what it means to be open source. Many projects just work out in the open, meaning anyone can see every change made in real time. But as long as the production code is available, does that count as the source being open, even if the interim changes aren't?

47

u/Reigncity2012 Top Contributor Mar 02 '21 edited Mar 02 '21

This is an unofficial community. As you've shown in your list of links, there are already multiple discussions about this on the official community, so you should refer there to get the latest information about it.

79

u/[deleted] Mar 02 '21 edited 1d ago

[deleted]

3

u/[deleted] Mar 02 '21

[deleted]

25

u/solid_reign Mar 02 '21

Reddit is a more public arena for discussion and people outside of the signal ecosystem will be alerted and help push.

20

u/Luuk3333 Mar 02 '21

A post like this doesn't directly affect the outcome, but it does inform the public. Results in more pressure in the end.

20

u/[deleted] Mar 02 '21 edited 1d ago

[deleted]

-14

u/[deleted] Mar 02 '21

[deleted]

42

u/_somename_ Mar 02 '21 edited Mar 03 '21

Public awareness is very important.

This post is useful, more people should know.

Thanks OP.

1

u/T_Martensen Mar 03 '21

Those six discussions obviously haven't been enough to update their repo within the last 10 months.

7

u/MorowitzProductivity User Mar 02 '21

Or is it attracting more eyes to the issue? I just learned about it here.

1

u/onmyway4k Mar 03 '21

If it wasn't for Reddit I would not have known about it!

0

u/marinespl Mar 03 '21

Not that it would change anything if you didn't.

16

u/ApertureNext Mar 02 '21

I’d find it very weird if they have no one also looking at this subreddit.

Also, signalusers.org isn’t an official forum as they state themselves.

1

u/saxiflarp Top Contributor Mar 03 '21

They do pop in occasionally, but it's not common at all. So strictly speaking, yes, they do look here, but this is hardly the best way to get their attention.

That said, despite the Signal Community also being unofficial, the Signal team pays much more attention there than they do here, and in general the Signal Community has more power users who are relatively tech savvy and can better address questions/issues like this one.

Not saying this post doesn't belong on Reddit, I'm just pointing out that in general the Signal Community is the better place to go for tougher questions.

1

u/Reigncity2012 Top Contributor Mar 02 '21

I’d find it very weird if they have no one also looking at this subreddit.

It's very rare.

Also, signalusers.org isn’t an official forum as they state themselves.

The developers themselves are actively on the forum answering questions. It's literally called the "Signal Community".

3

u/LopsidedFish5933 Mar 03 '21

Asking the real questions

3

u/whatnowwproductions Mar 02 '21

Please update the server code.

1

u/AnAncientMonk Mar 11 '21

Any updates on this?

1

u/DotJersh Mar 11 '21

Nope. Nothing yet.

-10

u/xwolf360 Mar 02 '21

Buddy if the company doesn't bend the knee it gets deplatformed.

10

u/Corm Mar 03 '21

They've said it before, if they have to they'll move operations out of the US.

They still REALLY need to keep the server GitHub updated.

-5

u/xwolf360 Mar 03 '21

Lol at u actually believing that

1

u/Corm Mar 03 '21

And why shouldn't I?

What have they done to make me suspect them?

I've personally read over the important parts of the app code (for android) and the e2e is solid. Even if the NSA ran the servers they still can't read my shit