How does being email-based instead of phone-number-based meaningfully help security? I would understand something like non-federated Matrix, where only approved users have accounts on your instance. Less phishing at the cost of convenience.
I do get the desire to have something more sovereign maybe even decentralised, but this is some real smooth brain behaviour. I even think they are following some sort of agenda, and just really do not know better.
Signal faces scrutiny following a series of phishing-based account hijackings. As previously reported, attackers impersonated Signal support staff to trick users into revealing registration codes and PINs, enabling them to re-register accounts on devices under their control. Signal clarified that its infrastructure and encryption were not compromised, attributing the incidents entirely to social engineering.
I got scammed therefore Signal insecure. Got it.
A lot of journalists got that wrong in initial reporting. But as an IT administrator you can see where they are coming from with their switch to another platform.
Signal is end user software, and a very good one at that. But it is no enterprise grade software. It lacks the management and policies needed for such user groups, which Wire seems to provide. Things like a mobile number as primary account handle spells ease and low entrance hurdle for end users, and a security problem for administrations.
The fractured nature of the IT in German politics is probably still keeping the attack surface alive. As outlined here by heise:
https://www.heise.de/en/background/Signal-attacks-Political-reality-bites-the-IT-admin-11279251.html
This is due to phishing attacks and account takeover attempts, not due to the platform itself being insecure.
They state that wire can be signed up with using an email instead of phone number, so it’s less likely that someone will know the validation account used to sign up.
Feels to me like it’s just a different attack vector. Maybe it’s harder to do attacks on wire, but they didn’t really say that in this article.
My gut says it’s less attacked just cause it’s less used, not that it’s more secure. But I’m certainly willing to admit that I haven’t looked into wire much.
It‘s her approach to frame the technology instead of acknowledging that she is the victim of a social engineering attack.
Thank you. I do wish the public conversation were more about actual tech vs social engineering and public-vibe opinion.
I like the fact that Wire uses a separate key for every device and every 2-person pair, even in a group chat.
But I hate how much metadata that Wire leaks. I do not want my ISP/VPN provider to be able to track where I am and with whom I am messaging. IP addresses, routing paths, packet sizes, timing…
Both protocols encrypt what you say. Wire betrays where you were when you said it and gives a lot more clues about who you said it to. Exactly what you want people to use, if you are a nation-state able to monitor corporate ISPs and VPNs.
This is due to phishing attacks and account takeover attempts, not due to the platform itself being insecure.
I mean, it’s not that Signal has security issues per se, but it doesn’t have the German government’s security people with control over what goes into releases, either.
If you remember the wake of Signalgate, the US doesn’t allow use by American officials of Signal to do their communications because they don’t certify it for classified information transmission and do have their own app that officials are supposed to be using.
On March 15, Secretary of Defense Pete Hegseth used the chat to share sensitive and classified details of the impending airstrikes, including types of aircraft and missiles, as well as launch and attack times.[1][2] The name of an active undercover CIA officer was mentioned by CIA director John Ratcliffe in the chat,[3] while Vance and Hegseth expressed contempt for European allies.[4][5]
A forensic investigation by the White House information technology office determined that Waltz had inadvertently saved Goldberg’s phone number under Hughes’ contact information. Waltz then added Goldberg to the chat while trying to add Hughes.[15] Subsequently, investigative journalists reported Waltz’s team regularly created group chats to coordinate official work[16] and that Hegseth shared details about missile strikes in Yemen to a second group chat which included his wife, his brother, and his lawyer.[17]
On March 18, 2025, the Pentagon sent a department-wide memo warning, “Please note: third party messaging apps (e.g. Signal) are permitted by policy for unclassified accountability/recall exercises but are NOT approved to process or store nonpublic unclassified information”—a category whose release would be far less potentially damaging than that about ongoing military operations.[27] A former NSA hacker said that linking Signal to a desktop app is one of its biggest risks, as Ratcliffe suggested he had done.[28]
According to the article, German government information security people do that for Wire:
Klöckner highlighted that Wire is already provided by the Bundestag administration and is certified by Germany’s Federal Office for Information Security (BSI).
Weren’t they also using an insecure clone that sent their messages in plaint text to be archived?
Important point about Signalgate: Hegseth & team weren’t even using Signal; they were using some weird-ass fork
Some weird ass fork by a company founded and staffed by Israeli ex-intel officers that allows automatic backup of chats even if they are set to delete after x days
Yeah that incident was also due to a phone number issue. Someone somehow had the name associated with the phone number saved incorrectly. Something to do with iOS and how it saves numbers automatically.
Feels to me like it’s just a different attack vector.
feels like typical security through obscurity
Wire is still around? Tried it literally 10 years ago and didn’t like it at all.
It’s an enigma why they chose it in the first instance.
