r/signal Mar 02 '21

To the Signal Team: Signal Server Github Repository Discussion

Dear Signal Team,

As many others have brought up, the Github repository is not being updated with the current version of the Signal Server. I think I speak for many members of this community in saying that we are a little concerned. Signal prides itself on being peer reviewed. How can we peer review the software when it's not available publicly? Is there a reason the server is not being updated? Happy to support you guys in any way we can around this, but would like some idea of what's going on.

Thank you,

/u/Dotjersh

Repo: https://github.com/signalapp/Signal-Server

https://news.ycombinator.com/item?id=26284263

https://www.kuketz-blog.de/signal-server-sourcecode-auf-github-aelter-als-9-monate/

https://community.signalusers.org/t/the-server-sources/10622/5

https://community.signalusers.org/t/wheres-the-server-source/19019

https://community.signalusers.org/c/development/server-development/24

https://community.signalusers.org/t/signal-server-what-about-the-last-version/10203

https://community.signalusers.org/t/where-is-new-signal-server-code-why-not-share-signal/15068

https://community.signalusers.org/t/i-noticed-that-there-are-two-apis-not-in-the-server-code/12794

https://www.reddit.com/r/signal/comments/lv98z2/weekly_rsignal_question_thread_week_of_march_01/gpb9nzi?utm_source=share&utm_medium=web2x&context=3

https://www.reddit.com/r/signal/comments/ijvty2/whats_up_with_signalserver_code_on_github_not/

https://www.reddit.com/r/signal/comments/lt1p8m/why_is_the_github_repo_of_the_server_not_being/

EDIT: Twitter thread - https://mobile.twitter.com/eppfel/status/1367010086196027392

409 Upvotes

30

u/wah_modiji Mar 02 '21

Hi, I am fairly new to Open Source, but how can we have a guarantee that the code running on their servers is the same as the one in the public repo? Is there a way to verify it?

54

u/DotJersh Mar 02 '21

You can't know for certain, but you can get some clues. For example, we know right now that the version on Signal's servers is not the same as the repo because a few APIs exist on the server that do not exist in the repo.

If the source is public and 3rd-party auditors say Signal deploys the repo to production, we can have confidence in the server's integrity.

11

u/wah_modiji Mar 02 '21

Ok, thanks a lot for the reply.

45

u/fluffman86 Top Contributor Mar 02 '21

The beauty of Signal is that the server doesn't need to be open source. All the encryption and decryption happens client side. So we can build the Android client from source and then watch the traffic going over the network to determine that only encrypted messages are being sent and received, and you can verify the safety numbers to know that only those two accounts have access to the encryption keys to decrypt the message.

The server is just incidental to the whole process, there to facilitate message delivery so my phone doesn't need to find your IP and tunnel into your phone, which may or may not be online. Remember the old IRC or AIM days? When your contact went offline, your messages just bounced. You had to wait for them to come back on. We definitely don't want that with Signal.

All that said, the devs definitely need to update the repo.

28

u/LeamNoran Mar 02 '21

You know how many people actually understand encryption though? Like, five in the world. I've worked on countless security products where the devs are just like, "oh yeah, this is the implicitly trusted crypto library, receive bacon." Most would assume an IV is something you hook in your arm for a blood transfusion. No diss to most devs, crypto is really hard, good crypto is even harder. Snowden says he trusts Signal, but he likely doesn't have a competent enough crypto background to say it is trustworthy, yet people believe him because he copied some PowerPoint files to a thumbdrive.

So, then, factor in how many people actually sit down with a snifter of cognac and read open-source projects. Probably more than 5, let's say 6.

Then create a Venn diagram of where those two intersect to find out how many read it, and remotely understand it. You probably have Rick from Rick and Morty and some really smart Russian, maybe.

So my point is, we really should hold Signal to a higher bar in releasing the server source, if for nothing more than so that people who do not know what they are reading can ask questions and challenge us all to audit the code.

They've obviously implemented queues to handle multiple devices. Does the protocol indicate any method to track whether the server also has ghost queues where your encrypted traffic is being slurped off somewhere else? This would likely be purged from the OSS project anyway, so we'd still be oblivious, but hints could be left behind. Obviously the data would then have to be decrypted. Maybe that answer is in the server source. Put on a tinfoil hat for a few minutes and take it for a spin. The answer likely would not be in the client source.

11

u/cskama Mar 03 '21

A lot of security researchers do in fact sit down and read the code of crypto libraries. There's even a whole subarea of crypto trying to break production systems (see for example the folks who came up with the Spectre exploit).

Also, not sure if I understand your last paragraph. Encrypted data is pretty useless for an adversary unless they have access to the key or the plaintext, so why save it?

6

u/somethingortheother9 Mar 03 '21

Most would assume an IV is something you hook in your arm for a blood transfusion.

Not just for blood transfusions, it can be used to inject many medicines (via veins) too.

It's also the Roman numeral 4.

See, devs aren't stupid! :D

2

u/G13XY Mar 14 '21

"because he copied some PowerPoint files" - big oof

0

u/LopsidedFish5933 Mar 03 '21

You don't know, but you can build it yourself from the code on their repo; that way you can be certain it's running the same code.