Skip to content

Software

Important Changes to Signal Registration and Registration Lock

EDIT: This change has been temporarily rolled back after discussions that took place in the Signal community. It will likely be the way things work in the future, but it seems that the old behavior is now back in place for the time being.

Signal has changed how it handles registration. This primarily affects people who are using a number for Signal that they don't have exclusive access to.

How It Used to Work

As outlined in our Signal Configuration & Hardening Guide, if you registered, set up Registration Lock, and checked into the app at least once every 7 days, nobody could use the number you'd claimed and try to re-register it for themselves without knowing your Registration Lock PIN.

How It Works Now

As outlined in this issue on the Signal-Android GitHub repository, if someone tries to register with that number and is able to get the SMS code, they can kick you out of your Signal account. At that point, you have to re-register by receiving an SMS for that number, and inputting your Signal PIN. If you are unable to do this, the Registration Lock is not enforced after 7 days. Someone who tries to register after that will be prompted to enter the Signal PIN once more. If the correct PIN is not entered, the app will prompt you to create a new PIN, and the account is wiped and the number can be claimed by a person who can receive an SMS code for it.

You can find the relevant changes in the code here.

If Alice registers number X and enables reglock, but Bob later proves ownership of number X (by registering and completing the SMS code), then Alice will >be unregistered. However, if a reglock is present, Bob still won't be able to register immediately if he does not know the reglock code. This allows >reglock to still function as a way to prevent someone else from taking over your account.

However, by unregistering Alice, this starts a 7-day timer. After 7 days, if Alice doesn't re-register, then the reglock is removed and Bob will be free to register the number without needing to know the reglock. But if Alice still truly does own the number, she can simply re-prove ownership and things should go back to normal for her.

This is important because phone number can (and are) re-used among cell carriers. If someone gets a new phone number from their carrier, they should not be prevented from registering with Signal indefinitely because the previous owner has reglock.

The intention of reglock is to prevent hijacking of numbers you actually own, not to guarantee the number for yourself for life.

While this change makes sense from the perspective of making it so you cannot "hold a number hostage" as long as you keep checking in, it is particularly important for people who've used disposable phone numbers to know this.

We recommend migrating to a phone number that you own and will be able to own for the foreseeable future in order to avoid getting locked out of your account and losing your contacts.


Special thanks to the Molly community who made us aware of this change soon after it went live.

A Warning About Signal Proxies in Iran and Other Oppressive Countries

People looking to use Signal Proxies to bypass censorship programs should be aware of a number of issues with Signal’s current proxy implementation. Currently, Signal does not tunnel all application traffic through the specified proxy, which means authorities could still track people using Signal.

2022 Signal Configuration and Hardening Guide

Signal is a widely regarded instant messaging service that is not only easy to use but is also private and secure. Signal's strong E2EE implementation and metadata protections provide a level of assurance that only you and your intended recipients are able to read communications.

Erasing Data Securely from Your SSD or HDD

Erasing data from your computer may seem like a simple task, but if you want to make sure the data is truly unrecoverable, there are some things you should consider.

Removing Metadata from Your Photos, Videos, and Other Files

When sharing files, it's important to remove associated metadata. Image files commonly include Exif data, and sometimes photos even include GPS coordinates within its metadata.

Firefox Privacy: 2021 Update

A lot changed between 2019 and now, not least in regards to Firefox. Since our last post, Mozilla has improved privacy with Enhanced Tracking Protection (ETP). Earlier this year Mozilla introduced Total Cookie Protection (Dynamic First Party Isolation dFPI). This was then further tightened with Enhanced Cookie Clearing. We’re also looking very forward to Site Isolation (code named Fission) being enabled by default in the coming releases.

Choosing The Right Messenger

One of the most common questions users have when it comes to privacy is about messaging services. It seems almost all of them mention some level of privacy or encryption to entice the user to sign up for their service, but how can you be sure you’re using the most secure, privacy respecting platform?

Firefox Privacy: Tips and Tricks for Better Browsing

Mozilla Firefox is one of the most popular web browsers around, and for good reason. It's fast, secure, open-source, and it's backed by an organization that actually respects your privacy. Unlike many other Chrome alternatives and forks, it has a massive development team behind it that publishes new updates on a constant, regular basis. Regular updates doesn't only mean shiny new features, it means you'll also receive security updates that will keep you protected as you browse the web.