this post was submitted on 17 Feb 2025
7 points (100.0% liked)

The Signal messenger and protocol.


the safest form of messaging I have is Signal, but the whole point of the safety number is to verify that the person you're talking to on Signal is really that person, so I can't send my safety number through Signal. any other option I have, the data is going to be harvested by somebody.

how do you all do it if you don't have physical contact with your Signal people?

top 5 comments
[–] CameronDev@programming.dev 2 points 2 days ago (1 children)

Call them and read the number out? I don't think it matters if someone else can see your safety number, you can print it in a newspaper if you really wanted to.

[–] tilefan@lemm.ee 2 points 2 days ago (1 children)

then I do not understand how safety numbers work.

[–] p_consti@lemmy.world 3 points 2 days ago* (last edited 2 days ago) (1 children)

The safety number is not part of the encryption. It just says: this person is who they say they are. So as long as you can trust that the number actually came from that person, it's fine. Afaik, the number is derived from the encryption keys, so it can't be faked, but I would verify that if you're unsure.

Edit: was curious, here's the blog post that introduced them: https://signal.org/blog/safety-number-updates/ Essentially, it's a hash of the public key, so safe to broadcast, similar to the HTTPS certificates employed on the web. They even say so: "the share button on the safety number screen and selecting FB, Twitter, email, etc to send the safety number to your contact."

[–] tilefan@lemm.ee 2 points 2 days ago (1 children)

but if somebody else got my safety key for some other person, what could they do with it?

[–] CameronDev@programming.dev 5 points 2 days ago

Nothing, it can't be used for anything else. You can't reverse the encryption keys from it. It's like adding all the digits in your phone number and giving that out. People with your phone number can verify it, but to everyone else, it's basically useless.
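
An added illustration, not part of the thread and not Signal's own code: a simplified Python model of the idea discussed above, where the safety number is a one-way hash of both parties' public keys, so comparing it over a public channel still exposes a substituted key. The key bytes, identifiers and iteration count are constructed assumptions, and the digits will not match what the Signal app displays.

```python
import hashlib

ITERATIONS = 5200  # assumption: iteration count modeled on Signal's published fingerprint design

def fingerprint(public_key: bytes, identifier: bytes) -> str:
    """Hash one party's public identity key down to 30 decimal digits."""
    digest = b"\x00\x00" + public_key + identifier
    for _ in range(ITERATIONS):
        digest = hashlib.sha512(digest + public_key).digest()
    # Six 5-byte chunks, each reduced to a 5-digit group.
    groups = (int.from_bytes(digest[i:i + 5], "big") % 100000 for i in range(0, 30, 5))
    return "".join(f"{g:05d}" for g in groups)

def safety_number(my_key, my_id, their_key, their_id) -> str:
    """Combine both fingerprints; sorting makes both sides show the same 60 digits."""
    return "".join(sorted([fingerprint(my_key, my_id), fingerprint(their_key, their_id)]))

# Constructed sample keys: 32-byte stand-ins for real public identity keys.
ALICE = (hashlib.sha256(b"alice-demo-key").digest(), b"alice")
BOB = (hashlib.sha256(b"bob-demo-key").digest(), b"bob")
MALLORY_KEY = hashlib.sha256(b"mallory-demo-key").digest()

def honest_session():
    """Each device hashes the real keys, so the two numbers match."""
    return safety_number(*ALICE, *BOB), safety_number(*BOB, *ALICE)

def intercepted_session():
    """Each device was handed Mallory's key in place of its contact's key."""
    alice_sees = safety_number(*ALICE, MALLORY_KEY, BOB[1])
    bob_sees = safety_number(*BOB, MALLORY_KEY, ALICE[1])
    return alice_sees, bob_sees

if __name__ == "__main__":
    a, b = honest_session()
    print("honest match:     ", a == b, a)
    a, b = intercepted_session()
    print("intercepted match:", a == b)
```

Knowing the published digits gives an observer nothing to decrypt with; the comparison only fails when one device holds a key the other person never generated.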