
Signal Unveils New ‘Sealed Sender’ Feature

Open Whisper Systems on Monday announced that the latest beta version of the Signal messaging app includes a new feature that aims to protect the identity of the sender.


Signal uses end-to-end encryption to protect messages and it avoids storing data such as contacts, conversations, locations, avatars, profile names, and group details. However, current stable versions do rely on the service knowing where a message comes from and where it’s going.

Signal developers hope to further reduce the amount of data accessible to the messaging service with a new feature, named “sealed sender,” that eliminates the need to know who the sender is.

The application’s developers noted that when the Signal client authenticates on the service it needs to validate the sender’s identity in order to prevent spoofing. The sender’s identity is also important for rate limiting and abuse prevention mechanisms.

The implementation of “sealed sender” meant that Open Whisper Systems had to come up with an alternative to these functions. The first issue was addressed by having the client periodically fetch a short-lived sender certificate that contains the user’s phone number and public identity key. By including this certificate in sent messages, receiving clients can easily check its validity and verify the sender’s identity.

As for abuse prevention, Signal developers have decided that an efficient alternative would be to use 96-bit delivery tokens derived by clients from the profile key. The tokens are registered with the service and clients are required to prove knowledge of the token when sending “sealed sender” messages.

“Since knowledge of a user’s profile key is necessary in order to derive that user’s delivery token, this restricts ‘sealed sender’ messages to contacts who are less likely to require rate limits and other abuse protection. Additionally, blocking a user who has access to a profile key will trigger a profile key rotation,” Signal’s Joshua Lund wrote in a blog post.

Users also have the option to allow anyone (i.e., people not in their contact list) to send “sealed sender” messages. However, Signal warned that this increases the risk of abuse.
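The delivery-token check described above, sketched as an added example that is not Signal's code and does not come from the original article. The HMAC-SHA256 derivation, the `DeliveryService` class and every name below are assumptions; the article states only that the token is 96 bits long and derived from the profile key.

```python
import hashlib
import hmac
import os

TOKEN_BYTES = 12  # 96 bits, the token size stated in the article


def derive_delivery_token(profile_key: bytes) -> bytes:
    # Assumed derivation (not from the article): HMAC-SHA256 keyed by the profile key.
    mac = hmac.new(profile_key, b"example-delivery-token", hashlib.sha256)
    return mac.digest()[:TOKEN_BYTES]


class DeliveryService:
    """Hypothetical server side: holds tokens only, never profile keys or sender IDs."""
    def __init__(self) -> None:
        self._tokens = {}   # recipient -> registered delivery token
        self._open = set()  # recipients accepting sealed sender from anyone

    def register(self, recipient: str, token: bytes, allow_anyone: bool = False) -> None:
        self._tokens[recipient] = token
        if allow_anyone:
            self._open.add(recipient)
        else:
            self._open.discard(recipient)

    def accept_sealed(self, recipient: str, presented: bytes) -> bool:
        if recipient in self._open:
            return True
        expected = self._tokens.get(recipient)
        # Constant-time comparison so response timing does not leak token bytes.
        return expected is not None and hmac.compare_digest(expected, presented)


def demo() -> dict:
    service = DeliveryService()
    old_key = os.urandom(32)  # constructed profile key for a hypothetical recipient
    service.register("alice", derive_delivery_token(old_key))
    contact_token = derive_delivery_token(old_key)  # a contact knows the profile key
    results = {
        "contact": service.accept_sealed("alice", contact_token),
        "stranger": service.accept_sealed("alice", derive_delivery_token(os.urandom(32))),
    }
    # Blocking a contact rotates the profile key, so the old token stops working.
    new_key = os.urandom(32)
    service.register("alice", derive_delivery_token(new_key))
    results["stale_token"] = service.accept_sealed("alice", contact_token)
    results["rotated_token"] = service.accept_sealed("alice", derive_delivery_token(new_key))
    return results
```

Calling `demo()` shows the property the article describes: a sender without the current profile key cannot produce an accepted token, and rotation after a block invalidates tokens derived from the old key.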

Once the feature is rolled out to all users, messages will automatically be sent out without giving away the sender’s identity, at least whenever possible. In the meantime, “sealed sender” can be tested by installing the latest beta release.

“These protocol changes are an incremental step, and we are continuing to work on improvements to Signal’s metadata resistance. In particular, additional resistance to traffic correlation via timing attacks and IP addresses are areas of ongoing development,” explained Lund.

Open Whisper Systems has made significant improvements to Signal over the past years, but researchers have also discovered potentially serious security issues in the messaging service, including code execution vulnerabilities, failure to delete messages from devices, and bugs that could have been exploited to alter attachments.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
