Don't have Telegram yet? Try it now!
Copy
Tommy Lin
Hi Durov, first of all thanks! I reached out a few times to telegram request form. Are there any plans for making contact discovery more private linked to an ID for example. Based on this information: “ https://encrypto.de/papers/HWSDS21.pdf “ For Teleg.eu…
Hashed phone numbers are unfortunately not a panacea, because they are easily reversible. You won't even have to go through every possible phone number and hash it, because you can first get the numbers of all the people who signed up for the service in a particular country. The study you are referring to claims the researchers identified the phone number of every Signal user in the US last September. So all you need to do is just hash the results and you have a pretty good database to look up every hashed phone number you intercept to "unhash" it.

The Signal team tried to fix the above by using a proprietary feature of Intel chips called SGX, but it turned out that these chips have been backdoored and hacked several times, last time in June. Since then, people have been pointing out that hashing contact numbers with SGX the Signal way is far from bullet-proof and creates an illusion of safety without actually delivering it.

Since Signal hosts the user private data at Amazon, which is known to cooperate with goverments, the contact lists of Signal users are far from invulnerable.

On our part, we maximized security of your data by building our own distributed encrypted cloud infrastructure that I described here https://teleg.eu/s/durovschat/544164

We are constantly exploring ways to make data even better protected, but in our view SGX-hashed phone numbers look more like a publicity stunt than something one can actually rely on.
MyFXSpot