of course you can. they just won't get it before they come online. which is kind of duh! for instant messaging, isn't it?

now, if you're concerned about the two of us never being online at the same time, install Jami on your home server, or on a VPS, link your account there, and it will get a copy of your messages whenever you send or receive them, and it will transfer them to your peers or to your own device whenever they come online.

now, if that's not good enough for you, I guess you really prefer to share your conversations with third parties for them to do this for you. me, I prefer my autonomy.

CC: @davep@infosec.exchange @rysiek@mstdn.social

nope. I'm told they don't even have access to data, or even metadata, thanks to some technology indistinguishable from magic in its protocol. but I won't pretend I really understand how that works.

the main problem with signal is their insistence on demanding a snoop phone to get started. that spoils the entire experience, and probably exposes its users' conversations, metadata and even secret keys to third parties. see https://blog.lx.oliva.nom.br/2026-02-01-signal-of-awareness.en.html and https://blog.lx.oliva.nom.br/2026-01-25-compromising-encryption-keys.en.html

the secondary problem with signal is its insistence on centralization. this makes the "not being online at the same time" a problem for all its users, when their centralized servers are not online.

CC: @feld@friedcheese.us @rysiek@mstdn.social

@lxo @feld @rysiek
I agree with the centralisation risk. But those articles have nothing to do with needing a telephone number. They're more of an indictment of Windows and tend to back up Signal's worry about LLMs embedded into the OS.

If your endpoint is compromised, anything you read is also compromised.

As for the "magic" comment, it's just that they encrypt basically all the metadata that the likes of WhatsApp don't. And with the double ratchet protocol they can't decrypt that data. They *could* make logs of who called or messaged who, but don't. If this were decentralised, what's to stop a bad actor logging such information? Just curious. It may need a rethink of the whole architecture (I'm not saying that's a bad thing by the way).

you seem knowledgeable about signal. I hope you don't mind if I shoot you some questions.

does it use TPM features on mobile phones as well?

how does it deal with linking multiple devices to an account? does each device get a separate key generated locally using TPM? or do they all share the keys first generated in a compromised mobile phone?

when you link a new device to an account, does it gain access to past messages, or only to future messages?

is there any way for you to tell in case someone else uses your compromised keys/credentials to gain access to your account, e.g. by linking a device that becomes visible to other devices or somesuch?

thanks in advance,

CC: @feld@friedcheese.us @rysiek@mstdn.social

@lxo @davep @rysiek

> does it use TPM features on mobile phones as well?

yes

> how does it deal with linking multiple devices to an account? does each device get a separate key generated locally using TPM? or do they all share the keys first generated in a compromised mobile phone?

AIUI same keys, there's just a different identifier that tells you which device it is. Someone wrote a tool that can sniff "read receipts" and determine if someone is "at home" based on if it was sent from their phone or desktop.

> when you link a new device to an account, does it gain access to past messages, or only to future messages?

Yes, as of last year you can choose to sync old messages when you link a new device (like your Desktop)

> is there any way for you to tell in case someone else uses your compromised keys/credentials to gain access to your account, e.g. by linking a device that becomes visible to other devices or somesuch?

There is *now* after Russian soldiers were infiltrating Ukrainian military Signal chats by linking their own devices to existing Ukrainian military members' accounts through hacks/tricking them into following links, or just taking phones off their dead bodies.

Not mentioned in this thread is that your Signal account key is stored in Signal's cloud as you can recover your account with a PIN which wouldn't be possible if they didn't have your key.
