"Telegram, another privacy-focused application, is completely invulnerable to this attack"
"Discord […] citing this as a Cloudflare issue other consumers are also vulnerable to"
"Cloudflare ended up completing patching the bug"
I wish Signal would react differently. I still remember the bubble color controversy when they changed their mind after the backlash and not before. :-)
I just sent a feature request[1] to Signal with the following text:
I understand that Signal does not consider this
https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117 to be
a valid security bug, but it would be helpful to at least be able to
mitigate it.
Please add an option in settings to disable automatically downloading
attachments.
That should be enough to change the attack from 0-click (just opening the
conversation) to 1-click (click the attachment). Most people won’t care
about this, but for some every little bit of privacy is important.
Hold on, someone else in this thread noted this does exist
"You can disable the auto-download. Settings > Data and storage > Media auto-download, you can choose what to auto download for mobile data/wifi/roaming."
So, that part is there, but my question is, it's still an issue when they manually download the image, right? Unless someone never accepts images from someone they aren't expecting, whose number or unique created ID has never been seen before
> "Cloudflare ended up completing patching the bug"
This short quote fragment is a little misleading: Cloudflare patched the bug in their systems that allow you to send HTTP requests to any CF data center, regardless of where the originator of the request lives. This is likely something they want fixed for a large variety of reasons, some probably much more important than the specific attack OP wrote about.
> I wish Signal would react differently.
The severity of a potential security issue, or the determination of who is responsible for fixing or mitigating it, is a matter of opinion. Just because you think this is important for Signal to fix, it doesn't mean it's some absolute truth that it does. At the risk of appealing to authority, I would expect people who run a security/privacy-focused messaging project to have a better handle on classifying these sorts of things than random people on HN like you or me.
But of course, sometimes they'll get it wrong too. I'm not familiar with the bubble color thing you mention, but sure, nobody's perfect; we're all human and we make mistakes. I'm personally not convinced Signal needs to do anything here. A 250 mile radius is quite a large area, and users can already choose to not auto-download attachments. To be fair, though, I think a simple way for Signal to fix this would be to disable caching on the attachments HTTP endpoints, though that might increase their bandwidth bills and increase load on their servers, depending on what their access patterns look like.
> There's clearly a problem here as Cloudflare says consumers are responsible for protecting themselves against these types of attacks, while consumers (ex. Discord) are putting the blame on Cloudflare.
> I wish Signal would react differently. I still remember the bubble color controversy when they changed their mind after the backlash and not before. :-)
Can you blame them though? They're a non-profit with limited manpower and resources. There's quite a lot of cranks in the security field, and as many people have echoed in this thread, the bug report is rather sensationalist. At some point you just have to pattern match and ignore any reports that seem a bit too cranky. Is this ideal? No. But I don't see how it's any different than summarily dismissing a vaccine skeptic's claim that vaccines are bad, even if there's a kernel of truth buried in there (eg. that benefits for young people are questionable).
You're making this stuff up. In most threads about Signal, 1-2 commenters appear to post fabricated conspiracist stuff defaming the people who originally worked on Signal --- people extremely well-known to the real-world cryptography engineering community. I don't know why we're so chill about people being defamed here.