
There's a "Signal deanonymized" thing going around:
gist.github.com/hackermondev/4

Stay calm. Deep breaths.

👉 while this is a real consideration, the only thing the attacker gets from this is a very rough (kilometers or tens of kilometers radius) location

👉 other communication platforms that use any kind of caching CDN to deliver attachments are just as affected

👉 you almost certainly should continue to use Signal, unless you specifically know that this is a big problem for you.

Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platform - research.md

@rysiek This is downplaying it way too much for my taste. Let me explain:

The rough location information is usually only available to servers. Now, even though I prefer zero trust, I would argue that trusting a messenger's server to not give away my rough location is way more reasonable than trusting the person that uploaded the data I'm downloading from the server.

**But in this case, the person that uploaded the data can extract the location I'm downloading it from.** This is big. It takes metadata to a whole different level.

I also want to quickly respond to the arguments:

That very rough radius could actually be a pretty big deal in less populated areas.

The second argument is whataboutism. (And there are definitely apps that are not affected.)

Kinda agree with the third one though.

---

If I were #Signal, I would turn off the caching mechanism for now and urge #Cloudflare to rethink their statement. The privacy protection mechanisms are clearly lacking. Cloudflare's position is simply not acceptable.

Michał "rysiek" Woźniak · 🇺🇦

@f09fa681

> That very rough radius could actually be a pretty big deal in less populated areas.

In less populated areas that data center is going to be hundreds of kilometers away, so the radius will also be hundreds of kilometers. So, no.

> The second argument is whataboutism.

It's not whataboutism, it's context for people who might be considering jumping ship from Signal to something else over this. And might end up with a service that is worse for privacy *and* does not fix this issue.

@f09fa681

> The rough location information is usually only available to servers.

You're confusing "rough location" based on IP address (which is available to the servers) with much more rough location based on which Cloudflare datacenter happened to have a resource already cached.

The difference is one or two orders (or more) of magnitude in radius.

Apples and oranges.

@rysiek Whether it's 10km or 100km doesn't matter much to me. The fact that the location is leaking at all is the concerning factor IMO. Signal and Cloudflare simply brushing that away is quite concerning.

But I want to emphasize that I don't recommend jumping ship from Signal to less secure or similarly affected alternatives either and do support your effort in that respect.

@f09fa681 and in my thread I agree this is concerning, I say that I believe Signal should fix this, and that I would like to hear from Signal about this.

But conflating IP address location with very very rough location based on Cloudflare datacenter is something I would suggest not doing. There is enough confusion out there. And there is a real, important difference between these two situations.
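The mitigation f09fa681 proposes, turning off CDN caching of attachments, comes down to what the origin sends in its cache headers. Below is an added example (not code from the thread, from Signal, or from Cloudflare) that audits an attachment response's `Cache-Control` / `CDN-Cache-Control` headers and says whether a shared cache such as a CDN edge may store it; the header values are constructed, and the directive rules are a simplification of RFC 9111.

```python
"""Audit attachment responses for cacheability by a shared (CDN) cache.

Added example; not code from Signal, Cloudflare or any poster in the thread.
Directive handling is a simplified reading of RFC 9111. CDN-Cache-Control is
the CDN-targeted header and is honoured over Cache-Control when present.
"""
from dataclasses import dataclass


@dataclass
class Verdict:
    shared_cache_may_store: bool
    reason: str


def parse_directives(value: str) -> dict:
    """Turn 'private, max-age=0' into {'private': None, 'max-age': '0'}."""
    out = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        out[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return out


def audit(headers: dict) -> Verdict:
    """Return whether a shared cache may store the response and why."""
    h = {k.lower(): v for k, v in headers.items()}
    source = "cdn-cache-control" if "cdn-cache-control" in h else "cache-control"
    d = parse_directives(h.get(source, ""))
    if "no-store" in d:
        return Verdict(False, f"{source}: no-store")
    if "private" in d:
        return Verdict(False, f"{source}: private (shared caches must not store)")
    if "no-cache" in d:  # must revalidate before reuse; treated here as not cacheable
        return Verdict(False, f"{source}: no-cache")
    for k in ("s-maxage", "max-age"):  # s-maxage wins for shared caches
        if k in d and (d[k] or "").isdigit():
            ttl = int(d[k])
            return Verdict(ttl > 0, f"{source}: {k}={ttl}")
    if "public" in d:
        return Verdict(True, f"{source}: public without a TTL")
    return Verdict(True, "no restricting directive; CDN default rules apply")


# Constructed header sets for an attachment response.
WEAK = {"Content-Type": "application/octet-stream",
        "Cache-Control": "public, max-age=31536000"}
HARDENED = {"Content-Type": "application/octet-stream",
            "Cache-Control": "private, no-store",
            "CDN-Cache-Control": "no-store"}
```

Running `audit(WEAK)` reports the attachment as storable at the edge, while `audit(HARDENED)` does not; a response with no cache headers at all still counts as storable, because the CDN's own defaults then decide.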