GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

  1. Embed this notice
    Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 22-Jan-2025 07:11:06 JST Michał "rysiek" Woźniak · 🇺🇦 Michał "rysiek" Woźniak · 🇺🇦

    There's a "Signal deanonymized" thing going around:
    https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117

    Stay calm. Deep breaths.

    👉 while this is a real consideration, the only thing the attacker gets from this is a very rough (kilometers or tens of kilometers radius) location

    👉 other communication platforms that use any kind of caching CDN to deliver attachments are just as vulnerable

    👉 you almost certainly should continue to use Signal, unless you specifically know that this is a big problem for you.

    #Signal #InfoSec

    In conversation about 5 months ago from mstdn.social permalink

    • HistoPol (#HP) 🏴 🇺🇸 🏴 repeated this.
    • Embed this notice
      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 22-Jan-2025 07:20:13 JST Michał "rysiek" Woźniak · 🇺🇦 Michał "rysiek" Woźniak · 🇺🇦
      in reply to

      In other words, it's not great that this is possible, but nowhere near an immediate and present danger to anyone except a very very small group of people doing very very specific things.

      If you're in that group, you'd already know you are. You'd have someone to ask about this. And you'd almost certainly be using some other tools to anonymize yourself anyway.

      If that's not the case, then this is almost certainly not something to lose sleep over. Signal remains a safe choice of a secure IM. 👍

      In conversation about 5 months ago permalink
      HistoPol (#HP) 🏴 🇺🇸 🏴 repeated this.
    • Embed this notice
      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 22-Jan-2025 07:20:33 JST Michał "rysiek" Woźniak · 🇺🇦 Michał "rysiek" Woźniak · 🇺🇦
      in reply to
      • Cheerios de Bergerac

      @sexybenfranklin from your VPN exit point.

      In conversation about 5 months ago permalink
    • Embed this notice
      Cheerios de Bergerac (sexybenfranklin@smores.town)'s status on Wednesday, 22-Jan-2025 07:20:34 JST Cheerios de Bergerac Cheerios de Bergerac
      in reply to

      @rysiek If you're using a VPN, does Cloudflare still serve you content from a node you're physically closest to, or does it do it based on where your VPN is?

      In conversation about 5 months ago permalink
    • Embed this notice
      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 22-Jan-2025 07:25:22 JST Michał "rysiek" Woźniak · 🇺🇦 Michał "rysiek" Woźniak · 🇺🇦
      in reply to

      If you are still worried about this, my read of it is that these things might make the attack more difficult:

      👉 turn off automatic downloading of media files

      This makes this attack rely on you clicking the image to download it, making it very difficult for the attacker to know when to check for the cached status of the resource.

      This is important, because for each attachment the attacker can only ask this question once per the period Cloudflare caches these resources (not sure exactly).

      In conversation about 5 months ago permalink
      HistoPol (#HP) 🏴 🇺🇸 🏴 repeated this.
    • Embed this notice
      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 22-Jan-2025 07:27:20 JST Michał "rysiek" Woźniak · 🇺🇦 Michał "rysiek" Woźniak · 🇺🇦
      in reply to

      You can also:

      👉 turn off push notifications – this makes the attack rely on you clicking the chat to download the image

      👉 turn off read notifications – again, this makes it more difficult for the attacker to know when to ask the question they can only ask once per a specific period of time.

      In conversation about 5 months ago permalink
      alcinnz repeated this.
    • Embed this notice
      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 22-Jan-2025 07:33:12 JST Michał "rysiek" Woźniak · 🇺🇦 Michał "rysiek" Woźniak · 🇺🇦
      in reply to

      Technical details tl;dr:

      - Signal (and other communication platforms) uses Cloudflare with caching enabled for media

      - one can check on which Cloudflare endpoints a given attachment URL got cached (one can use a VPN for this), giving them the ability to roughly geolocate users whose Signal downloaded the file

      - a patched version of Signal (or whatever app) allows the attacker to send the message with an image, and extract the attachment URL to know what URL to check for having been cached

      In conversation about 5 months ago permalink
      anban and HistoPol (#HP) 🏴 🇺🇸 🏴 repeated this.
    • Embed this notice
      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 22-Jan-2025 07:40:03 JST Michał "rysiek" Woźniak · 🇺🇦 Michał "rysiek" Woźniak · 🇺🇦
      in reply to

      - images mostly get downloaded automatically (and thus get cached on Cloudflare side)

      - push notifications make this a 0-click thing, as the targeted user doesn't even have to click on a conversation to have the image downloaded

      I believe this technique would work against any communication app that uses any global CDN that does endpoint caching and provides the caching status in HTTP headers of the response.

      In conversation about 5 months ago permalink
      MortSinyx, anban and HistoPol (#HP) 🏴 🇺🇸 🏴 repeated this.
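
Added example, not part of the thread and not Signal's or Cloudflare's code: a defender-side check of the point in the technical summary above, that the CDN reports cache status and edge location in HTTP response headers. It audits one attachment response for such headers and shows what remains once they are filtered out; the header list and the sample response are assumptions constructed for illustration.

```python
"""Audit HTTP response headers for cache-state and edge-location disclosure.

Added example. The sample response below is constructed, not captured traffic.
"""
import re

# Response headers that tell a client whether the edge already held the object.
CACHE_STATE_HEADERS = {"cf-cache-status", "cache-status", "x-cache",
                       "x-cache-hits", "age"}
# Response headers that name the edge site (POP) that answered the request.
POP_HEADERS = {"cf-ray", "x-served-by", "x-amz-cf-pop"}

# A CF-RAY value ends in "-" followed by a three-letter site code.
CF_RAY_SITE = re.compile(r"-([A-Z]{3})$")

# Constructed sample: what a cached attachment download might return.
SAMPLE_RESPONSE = {
    "Content-Type": "application/octet-stream",
    "Content-Length": "20480",
    "Cache-Control": "public, max-age=604800",
    "CF-Cache-Status": "HIT",
    "Age": "37",
    "CF-RAY": "0123456789abcdef-FRA",
}


def audit_headers(headers):
    """Return (header, kind, detail) for every disclosing header present."""
    findings = []
    for name, value in headers.items():
        key = name.strip().lower()
        if key in CACHE_STATE_HEADERS:
            findings.append((name, "cache-state", value))
        elif key in POP_HEADERS:
            detail = value
            if key == "cf-ray":
                match = CF_RAY_SITE.search(value.strip())
                if match:
                    detail = "edge site code " + match.group(1)
            findings.append((name, "pop-location", detail))
    return findings


def exposure(headers):
    """Summarise what a client can learn from this response."""
    kinds = {kind for _, kind, _ in audit_headers(headers)}
    if kinds == {"cache-state", "pop-location"}:
        # Both halves of the oracle: "was it cached" and "at which site".
        return "cache state and edge location exposed"
    if kinds:
        return "partially exposed: " + next(iter(kinds))
    return "not exposed"


def strip_disclosing(headers):
    """Return the headers a filtering layer would still pass to clients.

    Assumption: the service controls a layer (worker, proxy, response
    header rule) that can drop these headers on attachment responses.
    """
    blocked = CACHE_STATE_HEADERS | POP_HEADERS
    return {name: value for name, value in headers.items()
            if name.strip().lower() not in blocked}


if __name__ == "__main__":
    for name, kind, detail in audit_headers(SAMPLE_RESPONSE):
        print(f"{name:16} {kind:13} {detail}")
    print("before:", exposure(SAMPLE_RESPONSE))
    print("after: ", exposure(strip_disclosing(SAMPLE_RESPONSE)))
```
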
    • Embed this notice
      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 22-Jan-2025 07:43:30 JST Michał "rysiek" Woźniak · 🇺🇦 Michał "rysiek" Woźniak · 🇺🇦
      in reply to
      • Signal

      I'd like to hear what @signalapp has to say about all this. There is a claimed response from Signal in that gist file, but I'd like to see it come directly from Signal before I form an opinion.

      In conversation about 5 months ago permalink
    • Embed this notice
      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 22-Jan-2025 07:46:03 JST Michał "rysiek" Woźniak · 🇺🇦 Michał "rysiek" Woźniak · 🇺🇦
      in reply to
      • Leszek
      • Avitus

      @Avitus I disagree. Taking this approach to an extreme would be to say that e2e-encrypted IMs should not exist at all, as this should be handled by the underlying network.

      It isn't though, so we need them.

      There is a valid privacy issue here, albeit not as huge as the sensational framing of "Signal deanonymized" might suggest. And there are ways for Signal to try to mitigate that.

      @makdaam

      In conversation about 5 months ago permalink

    • Embed this notice
      Avitus (avitus@ioc.exchange)'s status on Wednesday, 22-Jan-2025 07:46:04 JST Avitus Avitus
      in reply to
      • Leszek

      @makdaam @rysiek There's nothing for them to say. It's a problem with CloudFlare, so CloudFlare needs to fix it.

      In conversation about 5 months ago permalink
    • Embed this notice
      Leszek (makdaam@chaos.social)'s status on Wednesday, 22-Jan-2025 07:46:05 JST Leszek Leszek
      in reply to

      @rysiek It depends.

      What actually interests me is the response (or lack of it) from Signal. Seems like not much has changed over there in the last decade. Despite big words and hacker con keynotes they just want to be the new Facebook messenger.

      Also there's an easier attack to get your exact egress IP address. It's good to be aware that just having Signal on your phone can reveal it (assuming notifications are enabled).

      In conversation about 5 months ago permalink
    • Embed this notice
      Shaula Evans (shaulaevans@zirk.us)'s status on Wednesday, 22-Jan-2025 07:48:49 JST Shaula Evans Shaula Evans
      in reply to

      @rysiek Thank you for this.

      I really wish there were more posts (in any context) in the format of: "Here's what's happening, don't panic, here's what you need to know, here are actions you can take." It's extraordinarily helpful.

      Thank you again.

      In conversation about 5 months ago permalink
    • Embed this notice
      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 22-Jan-2025 07:49:29 JST Michał "rysiek" Woźniak · 🇺🇦 Michał "rysiek" Woźniak · 🇺🇦
      in reply to
      • Shaula Evans

      @ShaulaEvans sure thing. I try to provide those when I can. Especially when I get to go a bit ahead of the main wave of hot takes, which seems to have been the case here.

      In conversation about 5 months ago permalink
    • Embed this notice
      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 22-Jan-2025 08:10:32 JST Michał "rysiek" Woźniak · 🇺🇦 Michał "rysiek" Woźniak · 🇺🇦
      in reply to
      • Gnome Tsunami

      @gnometsunami yes, and I said that in the toot you are responding to:

      👉 other communication platforms that use any kind of caching CDN to deliver attachments are just as affected

      In conversation about 5 months ago permalink
    • Embed this notice
      Gnome Tsunami (gnometsunami@mastodon.social)'s status on Wednesday, 22-Jan-2025 08:10:33 JST Gnome Tsunami Gnome Tsunami
      in reply to

      @rysiek Not just signal. ALL services that allow media links are vulnerable to this type of attack. Similar deanonymizing and fingerprinting techniques have been in use since forever.

      In conversation about 5 months ago permalink
    • Embed this notice
      David Zaslavsky (diazona@techhub.social)'s status on Wednesday, 22-Jan-2025 08:10:54 JST David Zaslavsky David Zaslavsky
      in reply to

      @rysiek It's an extremely well-written report, too! Thanks for sharing.

      (as other people have mentioned, I appreciate your measured response)

      In conversation about 5 months ago permalink
    • Embed this notice
      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 22-Jan-2025 08:10:54 JST Michał "rysiek" Woźniak · 🇺🇦 Michał "rysiek" Woźniak · 🇺🇦
      in reply to
      • David Zaslavsky

      @diazona my pleasure.

      In conversation about 5 months ago permalink
    • Embed this notice
      Gnome Tsunami (gnometsunami@mastodon.social)'s status on Wednesday, 22-Jan-2025 08:15:37 JST Gnome Tsunami Gnome Tsunami
      in reply to

      @rysiek my reading skills are at an all time low.

      In conversation about 5 months ago permalink
    • Embed this notice
      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 22-Jan-2025 08:15:37 JST Michał "rysiek" Woźniak · 🇺🇦 Michał "rysiek" Woźniak · 🇺🇦
      in reply to
      • Gnome Tsunami

      @gnometsunami you're in very good company, I assure you

      In conversation about 5 months ago permalink
    • Embed this notice
      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 22-Jan-2025 09:29:11 JST Michał "rysiek" Woźniak · 🇺🇦 Michał "rysiek" Woźniak · 🇺🇦
      in reply to
      • stefan

      @stefan because if you are a website owner and trying to debug a problem, you need them.

      This *could* be done better though. Turn it on for debugging, turn off afterwards, for example.

      In conversation about 5 months ago permalink
    • Embed this notice
      stefan (stefan@graz.social)'s status on Wednesday, 22-Jan-2025 09:29:12 JST stefan stefan
      in reply to

      @rysiek but why are these cloudflare cache headers even there?

      In conversation about 5 months ago permalink
    • Embed this notice
      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 22-Jan-2025 09:31:59 JST Michał "rysiek" Woźniak · 🇺🇦 Michał "rysiek" Woźniak · 🇺🇦
      in reply to
      • ₵ⱧⱤł₴ ⱤØ₥₱ NZ6F 🇺🇸🇺🇦💪🏻

      @rombat I am not 100% sure how trusted proxies work in Signal, but basically: it's about the location that the request is seen by Cloudflare's infrastructure from.

      If the proxy moves that somewhere else, it can help.

      In conversation about 5 months ago permalink
    • Embed this notice
      ₵ⱧⱤł₴ ⱤØ₥₱ NZ6F 🇺🇸🇺🇦💪🏻 (rombat@sfba.social)'s status on Wednesday, 22-Jan-2025 09:32:00 JST ₵ⱧⱤł₴ ⱤØ₥₱ NZ6F 🇺🇸🇺🇦💪🏻 ₵ⱧⱤł₴ ⱤØ₥₱ NZ6F 🇺🇸🇺🇦💪🏻
      in reply to

      @rysiek Any info if using a Signal proxy mitigates this, or is this specifically a client-level thing? Assuming the latter.

      In conversation about 5 months ago permalink
    • Embed this notice
      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 22-Jan-2025 09:38:59 JST Michał "rysiek" Woźniak · 🇺🇦 Michał "rysiek" Woźniak · 🇺🇦
      in reply to
      • Leszek
      • Avitus

      @Avitus @makdaam Cloudflare fixed *an* issue that allowed the researcher to more easily target individual datacenters.

      *The* issue is not "fixed", as that is still possible by using a VPN and cycling through exit locations, or by using one's own nodes in these locations, etc.

      Signal's statement is behind a loginwall.

      In conversation about 5 months ago permalink
    • Embed this notice
      Avitus (avitus@ioc.exchange)'s status on Wednesday, 22-Jan-2025 09:39:00 JST Avitus Avitus
      in reply to
      • Leszek

      @makdaam @rysiek CloudFlare already fixed the issue and Signal provided a statement to 404 Media: https://www.404media.co/cloudflare-issue-can-leak-chat-app-users-broad-location/

      In conversation about 5 months ago permalink

      Attachments

      1. Cloudflare Issue Can Leak Chat App Users' Broad Location (www.404media.co)
        from @josephfcox
        A security researcher made a tool that let them quickly check which of Cloudflare's data centers had cached an image, which allowed them to figure out what city a Discord, Signal, or Twitter/X user might be in.
    • Embed this notice
      Leszek (makdaam@chaos.social)'s status on Wednesday, 22-Jan-2025 09:39:02 JST Leszek Leszek
      in reply to
      • Avitus

      @Avitus CloudFlare doesn't mention any guarantees of anonymity of the audience.

      Someone made a decision to use their services with all the implications of using it. So either nobody at Signal cares about exposing endpoint IPs (which I believe to be the actual stance - but like @rysiek said let's see if they respond) or they care and didn't check it when using CFlare as a dependency.

      Either way it's the integrator's responsibility to check if the chosen components fit the purpose.

      In conversation about 5 months ago permalink
    • Embed this notice
      Picks (greycat@kitty.social)'s status on Wednesday, 22-Jan-2025 09:41:31 JST Picks Picks
      in reply to

      @rysiek@mstdn.social wouldn't being behind a VPN render this useless?

      In conversation about 5 months ago permalink
    • Embed this notice
      tyil (tyil@fedi.tyil.nl)'s status on Wednesday, 22-Jan-2025 18:20:16 JST tyil tyil
      in reply to

      @rysiek@mstdn.social CDNs confirmed once more to be a liability if anything. Stop using garbage like Cloudflare, stuff like this keeps happening. It's a shame that Signal uses it and doesn't see an issue.

      In conversation about 5 months ago permalink
      MortSinyx likes this.
    • Embed this notice
      ~n (nblr@chaos.social)'s status on Wednesday, 22-Jan-2025 19:16:35 JST ~n ~n
      in reply to

      @rysiek Which is why my expectation until now was that they just simply don't outsource that. And if they did, that they made sure that it passes a basic laugh-test. But to use clownflare? And declare it to be out of scope because it is "up to users to hide their identity" (from a company that hard-verifies your phone number no less!) wtaf. But eh... one trust-us-pinkie-promise-company hand in hand with another pinkie-promise-company.
      Very entertaining, from an outside perspective 🍿

      In conversation about 5 months ago permalink
    • Embed this notice
      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 22-Jan-2025 19:27:30 JST Michał "rysiek" Woźniak · 🇺🇦 Michał "rysiek" Woźniak · 🇺🇦
      in reply to
      • Yellow Flag

      @WPalant correct.

      In conversation about 5 months ago permalink
    • Embed this notice
      Yellow Flag (wpalant@infosec.exchange)'s status on Wednesday, 22-Jan-2025 19:27:31 JST Yellow Flag Yellow Flag
      in reply to

      @rysiek It seems that Cloudflare has only 6 data centers in Germany. There is a single data center in all of North Rhine-Westphalia with its 18 million people. Yes, this isn’t exactly impressive position pinpointing.

      I guess somebody on the run who doesn’t want to disclose which country they are in would be concerned about this issue. Then again, they probably wouldn’t want to expose their real IP address to the Signal infrastructure in the first place.

      In conversation about 5 months ago permalink
    • Embed this notice
      adb (adbenitez@mastodon.social)'s status on Wednesday, 22-Jan-2025 19:30:52 JST adb adb
      in reply to

      @rysiek I don't think people should be using #Signal, besides this problem, it is a centralized service which means it is vulnerable to enshittification and it requires phone numbers to register which sucks a hell lot

      I use #DeltaChat, decentralized, anonymous, no data required for registration, and it doesn't have this deanonymization attack problem

      In conversation about 5 months ago permalink
    • Embed this notice
      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 22-Jan-2025 19:30:52 JST Michał "rysiek" Woźniak · 🇺🇦 Michał "rysiek" Woźniak · 🇺🇦
      in reply to
      • adb

      @adbenitez I would love people to use decentralized tools. I did a talk/rant about things that annoy me in Signal at MCH2022. This included the phone numbers thing:
      https://media.ccc.de/v/mch2022-196-signal-you-were-the-chosen-one-

      That does not mean that Signal has no value. If somebody is already using Signal, they're in a way, way better position, than if using any of the corporate apps (like WhatsApp), or any of the shady crap (like Telegram).

      It's a question of harm reduction.

      In conversation about 5 months ago permalink

    • Embed this notice
      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 22-Jan-2025 19:32:49 JST Michał "rysiek" Woźniak · 🇺🇦 Michał "rysiek" Woźniak · 🇺🇦
      in reply to
      • KM6ECC

      @km6ecc people using Signal have certain expectations, even if these are sometimes somewhat uninformed. This goes against these expectations. So, it's an issue.

      In conversation about 5 months ago permalink
    • Embed this notice
      KM6ECC (km6ecc@mastodon.radio)'s status on Wednesday, 22-Jan-2025 19:32:50 JST KM6ECC KM6ECC
      in reply to

      @rysiek Unpopular opinion: there is no such thing as anonymity. Only temporary evasion. The key point here is, do you need it to stay safe? If you do, you already know *a lot more* than "signal"...

      In conversation about 5 months ago permalink
    • Embed this notice
      opal (wowaname@freesoftwareextremist.com)'s status on Wednesday, 22-Jan-2025 19:32:59 JST opal opal
      in reply to
      • Xerz! :blobcathearttrans:
      @rysiek @xerz
      👉 never accept using a service behind cloudflare
      In conversation about 5 months ago permalink
      snacks likes this.
    • Embed this notice
      opal (wowaname@freesoftwareextremist.com)'s status on Wednesday, 22-Jan-2025 19:33:04 JST opal opal
      in reply to
      • Xerz! :blobcathearttrans:
      • opal
      @rysiek @xerz there are pre-existing alternatives to signal, ones with hostable foss servers and not a walled-garden moxie's-ego-is-the-law approach to client/server development
      In conversation about 5 months ago permalink
      snacks likes this.
    • Embed this notice
      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 22-Jan-2025 19:33:42 JST Michał "rysiek" Woźniak · 🇺🇦 Michał "rysiek" Woźniak · 🇺🇦
      in reply to
      • Leszek
      • Cassandra Granade 🏳️‍⚧️
      • Avitus

      @xgranade @Avitus @makdaam that's the statement from the gist. I'd like a statement directly from Signal somewhere.

      In conversation about 5 months ago permalink
    • Embed this notice
      Cassandra Granade 🏳️‍⚧️ (xgranade@wandering.shop)'s status on Wednesday, 22-Jan-2025 19:33:43 JST Cassandra Granade 🏳️‍⚧️ Cassandra Granade 🏳️‍⚧️
      in reply to
      • Leszek
      • Avitus

      @rysiek @Avitus @makdaam IIRC, 404 uses a loginwall to prevent AI scraping, for the most part. Anyway, Signal's alleged statement from the article:

      In conversation about 5 months ago permalink

      Attachments


      1. https://stockroom.wandering.shop/media_attachments/files/113/869/738/587/336/182/original/b2d4ea48a0dd6505.png

      2. https://stockroom.wandering.shop/media_attachments/files/113/869/741/591/392/192/original/9eb7d35462dbec9d.png
    • Embed this notice
      nerdwoman (nerdwoman@infosec.exchange)'s status on Wednesday, 22-Jan-2025 19:35:22 JST nerdwoman nerdwoman
      in reply to

      @rysiek I think even just turning off details in push notifications (using name only, or none of the above) would also stop the 0-click version from succeeding. No need to kill signal push notifications entirely.

      In conversation about 5 months ago permalink
    • Embed this notice
      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 22-Jan-2025 19:38:13 JST Michał "rysiek" Woźniak · 🇺🇦 Michał "rysiek" Woźniak · 🇺🇦
      in reply to
      • pkprotoplasm

      @pkprotoplasm well, I disagree. This is a solid write-up and the issue *can* put (very specific) people (doing very specific things) in danger.

      It's just much less of an issue than the clickbaity headline and somewhat sensational claims could lead people to believe.

      In conversation about 5 months ago permalink

    • Embed this notice
      pkprotoplasm (pkprotoplasm@mastodon.sdf.org)'s status on Wednesday, 22-Jan-2025 19:38:14 JST pkprotoplasm pkprotoplasm
      in reply to

      @rysiek if I had a nickel for every write up I’ve read from a “15 year old who hacks big companies and builds cool stuff” that turns out to be a CVSS of √-1

      In conversation about 5 months ago permalink
    • Embed this notice
      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 22-Jan-2025 19:44:09 JST Michał "rysiek" Woźniak · 🇺🇦 Michał "rysiek" Woźniak · 🇺🇦
      in reply to
      • Signal
      • Frederik Braun

      @freddy @signalapp I tend to agree, but I would expect Signal to push on them to fix this.

      And by "fix this" I mean "stop broadcasting cache status and POP site location in HTTP response headers all the time".

      In conversation about 5 months ago permalink
    • Embed this notice
      Frederik Braun (freddy@social.security.plumbing)'s status on Wednesday, 22-Jan-2025 19:44:13 JST Frederik Braun Frederik Braun
      in reply to
      • Signal

      @rysiek @signalapp excellent analysis. Fully agree that this attack doesn't match the average user's threat model and great suggestion that the probe can be eliminated by disabling read notifications. I would add that this is more of a Cloudflare bug. They should fix this.

      In conversation about 5 months ago permalink
    • Embed this notice
      lit (ll1t@mastodon.social)'s status on Wednesday, 22-Jan-2025 19:45:46 JST lit lit
      in reply to
      • 0xfffffffe

      @rysiek while I agree with your last point and mitigations, the first point irks me, as we arrived at a re-identification rate of 80% in datasets based on cell tower locations and connected users already in 2008[1]. At that time this was comparably sparse data. Later work on less sparse data achieves even better results and that’s all before the current proliferation of GPUs. It’s never just location, sets of locations are intricately linked to identities. @0xfffffffe

      [1] https://www.researchgate.net/profile/Yoni-Mulder/publication/221342258_Identification_via_location-profiling_in_GSM_networks/links/0912f50b75c74ea717000000/Identification-via-location-profiling-in-GSM-networks.pdf

      In conversation about 5 months ago permalink

    • Embed this notice
      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 22-Jan-2025 19:46:29 JST Michał "rysiek" Woźniak · 🇺🇦 Michał "rysiek" Woźniak · 🇺🇦
      in reply to
      • lit
      • 0xfffffffe

      @ll1t @0xfffffffe fair point. Just to be clear, I'd like Signal to treat this as an issue and make sure this is fixed. But this is not something to switch away from Signal over, unless one's threat model is very very specific.

      In conversation about 5 months ago permalink
    • Embed this notice
      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 22-Jan-2025 19:51:35 JST Michał "rysiek" Woźniak · 🇺🇦 Michał "rysiek" Woźniak · 🇺🇦
      in reply to
      • adb
      • contrapunctus ✊🏳️‍🌈🏳️‍⚧️

      @contrapunctus @adbenitez I happen to be using DeltaChat, the UI/UX is fine.

      In conversation about 5 months ago permalink
    • Embed this notice
      contrapunctus ✊🏳️‍🌈🏳️‍⚧️ (contrapunctus@en.osm.town)'s status on Wednesday, 22-Jan-2025 19:51:37 JST contrapunctus ✊🏳️‍🌈🏳️‍⚧️ contrapunctus ✊🏳️‍🌈🏳️‍⚧️
      in reply to
      • adb

      @adbenitez @rysiek I was ready to boost in the first paragraph, and then I saw the #DeltaChat recommendation 😅

      I haven't heard good things about DeltaChat UX. #XMPP allows you to self-host, register on public servers without even providing an email address, and ask non-geek contacts to install Quicksy or Prav (so they can register using phone numbers). It's got AV calls and other features expected in modern chat.

      And XMPP is actually made for chat from the ground up.

      In conversation about 5 months ago permalink
    • Embed this notice
      phryk 🏴 (phryk@mastodon.social)'s status on Wednesday, 22-Jan-2025 20:05:28 JST phryk 🏴 phryk 🏴
      in reply to

      @rysiek I think there's two points here:

      1) If this is a security consideration for you, take note that much more granular location tracking is commonplace in mobile apps and prioritize mitigating that over the much more coarse location you can get by querying CDNs.

      2) Using third-party services *always* introduces security considerations. If you're a programmer, think about what this means for your software before you integrate them.

      In conversation about 5 months ago permalink
    • Embed this notice
      d.rift (feonixrift@x0r.be)'s status on Wednesday, 22-Jan-2025 20:05:46 JST d.rift d.rift
      in reply to
      • lit
      • 0xfffffffe

      @rysiek @ll1t @0xfffffffe Location data is in my opinion probably worth an "adjust settings so this is harder to hit without user interaction", as you suggested up-thread, for people with moderate risks. It has a nasty tendency to be possible to refine over time, in the hands of persistent stalkers.

      In conversation about 5 months ago permalink
    • Embed this notice
      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Thursday, 23-Jan-2025 00:48:39 JST Michał "rysiek" Woźniak · 🇺🇦 Michał "rysiek" Woźniak · 🇺🇦
      in reply to
      • pkprotoplasm

      @pkprotoplasm heh, nothing to apologize for. :blobcatcoffee:

      In conversation about 5 months ago permalink
    • Embed this notice
      pkprotoplasm (pkprotoplasm@mastodon.sdf.org)'s status on Thursday, 23-Jan-2025 00:48:40 JST pkprotoplasm pkprotoplasm
      in reply to

      @rysiek Apologies, this was more a commentary on the youthful perspective’s “imaginary severity” (the 250+ km radius isn’t practically actionable in any realistic case) and not the quality of the explanations. I agree he’s a smart kid but there’s just no measurable risk there.

      In conversation about 5 months ago permalink
    • Embed this notice
      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Thursday, 23-Jan-2025 23:38:55 JST Michał "rysiek" Woźniak · 🇺🇦 Michał "rysiek" Woźniak · 🇺🇦
      in reply to
      • Lenny

      @f09fa681

      > That very rough radius could actually be a pretty big deal in less populated areas.

      In less populated areas that data center is going to be hundreds of kilometers away, so the radius will also be hundreds of kilometers. So, no.

      > The second argument is whataboutism.

      It's not whataboutism, it's context for people who might be considering jumping ship from Signal to something else.

      In conversation about 5 months ago permalink


    • Embed this notice
      Lenny (f09fa681@digitalcourage.social)'s status on Thursday, 23-Jan-2025 23:38:57 JST Lenny Lenny
      in reply to

      @rysiek This is downplaying it way too much for my taste. Let me explain:

      The rough location information is usually only available to servers. Now, even though I prefer zero trust, I would argue that trusting a messenger's server to not give away my rough location is way more reasonable than trusting the person that uploaded the data I'm downloading from the server.

      **But in this case, the person that uploaded the data can extract the location I'm downloading it from.** This is big. It takes metadata to a whole different level.

      I also want to quickly respond to the arguments:

      That very rough radius could actually be a pretty big deal in less populated areas.

      The second argument is whataboutism. (And there are definitely apps that are not affected.)

      Kinda agree with the third one though.

      ---

      If I were #Signal, I would turn off the caching mechanism for now and urge #Cloudflare to rethink their statement. The privacy protection mechanisms are clearly lacking. Cloudflare's position is simply not acceptable.

      In conversation about 5 months ago permalink
    • Embed this notice
      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Thursday, 23-Jan-2025 23:40:46 JST Michał "rysiek" Woźniak · 🇺🇦 Michał "rysiek" Woźniak · 🇺🇦
      in reply to
      • Lenny

      @f09fa681

      > The rough location information is usually only available to servers.

      You're confusing "rough location" based on IP address (which is available to the servers) with much more rough location based on which Cloudflare datacenter happened to have a resource already cached.

      The difference is one or two orders (or more) of magnitude in radius.

      Apples and oranges.

      In conversation about 5 months ago permalink
    • Embed this notice
      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Thursday, 23-Jan-2025 23:43:30 JST Michał "rysiek" Woźniak · 🇺🇦 Michał "rysiek" Woźniak · 🇺🇦
      in reply to
      • Lenny

      @f09fa681 this attack is in no way the same. The WebRTC one was about the IP address of the target. IP address provides much, much more exact location data.

      This attack only gives the attacker information on which Cloudflare datacenter had the resource cached. In other words, that the target is in the "capture area" of that datacenter.

      That is orders of magnitude less exact than having an IP address of the target.

      Again, you are confusing two different things, and comparing apples to oranges.

    • Lenny (f09fa681@digitalcourage.social)'s status on Thursday, 23-Jan-2025 23:43:31 JST
      in reply to

      @rysiek You all remember the WebRTC "IP leak" fiasco from back then, right? Where people could be called on some messengers and before even accepting the call, your own IP would leak to the caller? (And also Natalie Silvanovich showed everyone why it's a bad idea to start the WebRTC state machine prior to accepting a call to everyone because it's a huge attack surface - https://googleprojectzero.blogspot.com/2020/08/exploiting-android-messengers-part-1.html) Pretty much everyone jumped ship back then and agreed it to be a big no no.

      This attack here is pretty much the same thing without the need to even make a call. It is way more subtle and therefore even more severe IMO.

    • Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Thursday, 23-Jan-2025 23:52:15 JST
      in reply to
      • Lenny

      @f09fa681 and in my thread I agree this is concerning, I say that I believe Signal should fix this, and that I would like to hear from Signal about this.

      But conflating IP address location with very very rough location based on Cloudflare datacenter is something I would suggest not doing. There is enough confusion out there. And there is a real, important difference between these two situations.

    • Lenny (f09fa681@digitalcourage.social)'s status on Thursday, 23-Jan-2025 23:52:16 JST
      in reply to

      @rysiek Whether it's 10km or 100km doesn't matter much to me. The fact that the location is leaking at all is the concerning factor IMO. Signal and Cloudflare simply brushing that away is quite concerning.

      But I want to emphasize that I don't recommend jumping ship from Signal to less secure or similarly affected alternatives either and do support your effort in that respect.

    • Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Friday, 24-Jan-2025 00:10:15 JST
      in reply to
      • Lenny

      @f09fa681 that's like saying "I know I rolled a 4 on my d6 so the probability of rolling 4 on a d6 is surely higher than 1/6th."

      What you're missing here is that your personal distance to nearest Cloudflare datacenter is not the same thing as the capture area of that datacenter.

      If I only have your closest Cloudflare DC to go on to figure out where you are, that area is much, much bigger, than the area I have to consider if I have your IP address.

    • Lenny (f09fa681@digitalcourage.social)'s status on Friday, 24-Jan-2025 00:10:16 JST
      in reply to

      @rysiek I would question the IP address providing more precise information **in general**.

      Looking up my IP from both of my ISPs (mobile and landline) I'm getting a similarly accurate geolocation, one ~30km and one ~40km away from me. The Cloudflare airport code gives me ~30km accurate position. That's an anecdotal report for sure but possibly transferable to the general situation in Switzerland.

      So what am I missing here that makes one an apple and the other an orange?

    • Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Friday, 24-Jan-2025 03:43:58 JST
      in reply to
      • Lenny

      @f09fa681 it is not similarly bad, because while IP address is associated with your name or ISP or even home address (for example, in case LEA is interested in you), this is very much not.

      I am not going to continue to belabor that point. You made a comparison to an issue that involved IP addresses, which are generally considered personally identifiable information, for good reasons.

      Cloudflare datacenter thing is not PII, also for very good reasons. You decide to dig your heels in, fine. 🤷♀️

    • Lenny (f09fa681@digitalcourage.social)'s status on Friday, 24-Jan-2025 03:44:00 JST
      in reply to

      @rysiek According to https://www.cloudflare.com/network/ there are 330 data centers, so that may make it less accurate in the general case.

      The quality of data-mined locations associated to IP addresses can however result in similarly accurate or inaccurate locations (also depending on the privacy hygiene of the ISP, the user and other devices using the IP). Another anecdotal evidence: I'm sometimes supposed to be in Lausanne according to IP-based geolocation lookup which is ~180km away from me (and some websites switch to French, yay).

      I'll agree it's not the same thing on a technical level, sure, but would need more data to assess whether the location quality is several orders of magnitude worse as you claim. In the end, it's similarly bad that it leaks.

    • Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Monday, 27-Jan-2025 03:35:50 JST
      in reply to
      • Leszek
      • Cassandra Granade 🏳️‍⚧️
      • Avitus

      @Avitus @xgranade @makdaam I would still like to hear more directly from Signal, not via the bounty hunter.

    • Avitus (avitus@ioc.exchange)'s status on Monday, 27-Jan-2025 03:35:51 JST
      in reply to
      • Leszek
      • Cassandra Granade 🏳️‍⚧️

      @rysiek @xgranade @makdaam Signal made a direct statement to the bug bounty hunter, which was provided to 404 Media and published. So the statement given to the bug bounty hunter is the statement from Signal.


GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.