Hacker News

gobip 01/21/2025 (7 replies)

"Signal instantly dismissed my report"

"Telegram, another privacy-focused application, is completely invulnerable to this attack"

"Discord […] citing this as a Cloudflare issue other consumers are also vulnerable to"

"Cloudflare ended up completing patching the bug"

I wish Signal would react differently. I still remember the bubble color controversy when they changed their mind after the backlash and not before. :-)


Replies

danielparks 01/21/2025

I just sent a feature request[1] to Signal with the following text:

    I understand that Signal does not consider this
    https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117 to be
    a valid security bug, but it would be helpful to at least be able to
    mitigate it.

    Please add an option in settings to disable automatically downloading
    attachments.

    That should be enough to change the attack from 0-click (just opening the
    conversation) to 1-click (click the attachment). Most people won’t care
    about this, but for some every little bit of privacy is important.
[1]: https://support.signal.org/hc/en-us/requests/new
kelnos 01/21/2025

> "Cloudflare ended up completing patching the bug"

This short quote fragment is a little misleading: Cloudflare patched the bug in their systems that allow you to send HTTP requests to any CF data center, regardless of where the originator of the request lives. This is likely something they want fixed for a large variety of reasons, some probably much more important than the specific attack OP wrote about.

> I wish Signal would react differently.

The severity of a potential security issue, or the determination of who is responsible for fixing or mitigating it, is a matter of opinion. Just because you think this is important for Signal to fix, it doesn't mean it's some absolute truth that it does. At the risk of appealing to authority, I would expect that people who run a security/privacy-focused messaging project to have a better handle on classifying these sorts of things than random people on HN like you or me.

But of course, sometimes they'll get it wrong too. I'm not familiar with the bubble color thing you mention, but sure, nobody's perfect; we're all human and we make mistakes. I'm personally not convinced Signal needs to do anything here. A 250 mile radius is quite a large area, and users can already choose to not auto-download attachments. To be fair, though, I think a simple way for Signal to fix this would be to disable caching on the attachments HTTP endpoints, though that might increase their bandwidth bills and increase load on their servers, depending on what their access patterns look like.
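The mitigation kelnos suggests (not letting a CDN cache attachment responses) turned into a small header audit, added here as an example; this is not code from the thread, from Signal or from Cloudflare, and the two header sets below are constructed, not captured responses.

```python
"""Audit whether an attachment response may be stored by a shared (CDN) cache.

Constructed example: the header dictionaries are made up for illustration.
"""
from __future__ import annotations


def parse_cache_control(value: str) -> dict[str, str | None]:
    """Split a Cache-Control header into {directive: argument-or-None}."""
    out: dict[str, str | None] = {}
    for part in value.split(","):
        part = part.strip().lower()
        if not part:
            continue
        name, _, arg = part.partition("=")
        out[name.strip()] = arg.strip().strip('"') or None
    return out


def shared_cache_may_store(headers: dict[str, str]) -> bool:
    """True if a shared cache (e.g. a CDN edge) is allowed to keep a copy.

    HTTP caching rules: 'no-store' forbids storage anywhere and 'private'
    forbids storage in shared caches; anything else leaves the edge free
    to cache the attachment, which is the precondition for the cache-hit
    location leak discussed in the thread.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))
    return not ("no-store" in cc or "private" in cc)


def audit_attachment_headers(headers: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means the response is fine."""
    findings: list[str] = []
    lowered = {k.lower(): v for k, v in headers.items()}
    if shared_cache_may_store(lowered):
        findings.append("Cache-Control allows shared caching; send 'private, no-store'")
    # cf-cache-status is the real Cloudflare header reporting cache outcome.
    if lowered.get("cf-cache-status", "").upper() == "HIT":
        findings.append("cf-cache-status: HIT - the edge already served a cached copy")
    return findings


# Constructed sample responses: the weak configuration and the corrected one.
WEAK_RESPONSE = {"Content-Type": "application/octet-stream",
                 "Cache-Control": "public, max-age=86400", "cf-cache-status": "HIT"}
HARDENED_RESPONSE = {"Content-Type": "application/octet-stream",
                     "Cache-Control": "private, no-store", "cf-cache-status": "DYNAMIC"}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit_attachment_headers(hdrs) or "ok")
```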

airstrike 01/21/2025

Is there really any difference between dismissing the report or "citing this as a Cloudflare issue"?

gruez 01/21/2025

>"Signal instantly dismissed my report"

>I wish Signal would react differently. I still remember the bubble color controversy when they changed their mind after the backlash and not before. :-)

Can you blame them though? They're a non-profit with limited manpower and resources. There's quite a lot of cranks in the security field, and as many people have echoed in this thread, the bug report is rather sensationalist. At some point you just have to pattern match and ignore any reports that seem a bit too cranky. Is this ideal? No. But I don't see how it's any different than summarily dismissing a vaccine skeptic's claim that vaccines are bad, even if there's a kernel of truth buried in there (e.g. that benefits for young people are questionable).
