![]() |
Credit: Slashgear.com |
When I've read news reporting that the Signal messaging app is "insecure," I bristle a little. In my view, a more appropriate statement is:
"Signal isn't as secure as systems that the U.S. government uses to send classified information."
Sure, that’s a long statement. But it does Signal justice by painting a more accurate and informed picture.
Signal is secure as specified by its design. It offers strong and secure communications suitable for use by the general public. That said, the U.S. Department of Defense (DoD) requires systems to adhere to more detailed, strict, and expansive security and information retention standards.
When I read the recent press coverage, three security concepts come to mind: authentication, authorization, and network trust models.
Authentication
First, let’s define authentication: verifying a user, device, or network is who or what they claim to be before being permitted to access a secured resource.
Signal's Approach
Signal uses several techniques to authenticate end users.
- A phone number-based registration system. Upon initial configuration, the phone number owner confirms ownership using a one-time SMS or voice code.
- A biometric lock, assuming the device running the Signal app supports it.
- A registration lock PIN to safeguard conversations if the mobile phone account is hijacked by a SIM swap.
Signal does not authenticate devices using strong cryptographic checks. The app simply cares about whether the user has access to a verified phone number. It doesn't care about what particular phone, tablet, or computer they are using.
Signal does support device linking (e.g., mobile-to-desktop) using QR code verification, but this is decoupled from hardware identity. Although considered secure, device linking introduces a potential phishing vulnerability that has been exploited by bad actors and attracted media attention.
To be sure, phishing attacks are not limited to Signal; instead, phishing is a common threat to gain access to protected resources — such as your laptop, for example.
DoD's Strategy
DoD systems use multi-factor authentication. Users must provide:
- Something they know (a password or PIN),
- Something they have (a Common Access Card (CAC) or smart card),
- Something they are, in certain cases (via biometric scans, depending on the system and level of access being requested).
In stark contrast to Signal, DoD systems authenticate the devices with digital certificates managed by DoD Public Key Infrastructure (PKI). Devices must show valid, non-expired, DoD-issued certificates and regularly face posture checks (e.g., patch level, encryption status) before access is permitted.
Authorization
Authorization defines what authenticated users or devices can do once admitted into the system.
Signal's Approach
Signal by design delegates authorization to end users, usually via client-side controls. This design makes end users responsible for controlling access to secure Signal communications.
For example, in group chats, the group chat administrator invites new participants by distributing a secure link. Signal apps enforce access control such that invited members are the only ones who can join. Signal servers do not enforce authorization using implemented access policies. This is a key distinction compared to DoD systems.
DoD's Approach
In contrast to Signal's "hands off" approach, DoD systems and their managers grant (or deny) access based on centrally administered and defined policies by using Role-Based Access Controls (RBAC) or Attribute-Based Access Controls (ABAC).
Network Considerations
Signal (and WhatsApp for that matter) are designed for use over public fixed and mobile networks — Wi-Fi, LTE, and 5G. Both applications' security model is based on the end-to-end encryption of messages and media exchanged between clients through the Signal Protocol, which is open source and independently audited.
This implies that, while conversations protected by Signal travel over the internet, Signal’s design ensures only the participants can read and respond to it. To users and systems not admitted to the conversation, what is being discussed looks like a random series of ones and zeros.
Signal's Model
- Uses strong encryption via the public internet
- End-to-end secures messages, calls, and video
- Trusts the user and device to manage encryption keys
DoD's Model
The DoD typically uses physically separate communications networks that employ dedicated infrastructure controlled and managed by the US government to convey secret and top-secret information. These highly secure networks can not be accessed via the public internet.
But, there are exceptions.
Suppose wide area coverage and mobility are required. In that case, DoD can authorize secure communication across commercial networks (e.g., 4G/5G) with secure communications systems that comply with the NSA’s Commercial Solutions for Classified (CSfC) program.
So… Is Signal Secure?
That's a loaded question. A better one is:
Is Signal secure enough for me and the people I want to communicate with, given what we want to talk about?
Signal’s design is what it is: a consumer-grade, privacy-focused messaging system built on best-of-class encryption protocols. Signal will meet your needs if you want to chat with family and friends and have peace of mind that your conversations remain between you and them.
In fact, Signal, by design, is far more secure than LinkedIn messaging (which does not encrypt messages end-to-end at all).
Signal isn’t designed to meet specific enterprise, government, or military security requirements. As always, use communications applications that your organization approves.
Rather than diminishing Signal, this conversation should highlight the importance of choosing tools to protect your communications based on your audience and given your situation.