You are talking out of your ass. First, a timing attack requires numbers to correlate - reasonable numbers of people using a node or server and a LOT of packets going back and forth. Neither are true for a Signal server. Second, they don’t get the phone numbers if contacts are using only their username (with phone number sharing disabled). Your criticisms are over the top and not at all nuanced to the degree of protection of metadata that was built into signal. If it was as bad as you imply, a whole heck of a lot of the most respected security researchers would have to be complete idiots.

That a timing attack could be successful is not a given. It’s a possibility, yes, but there is very likely sufficient mixing happening to make that unrealistic or unreliable. An individual doesn’t create much traffic, and thousands are using the server constantly. Calling it a honeypot or claiming the phone number and device is are available is a stretch.

Timing attacks can work in tor when you are lucky enough to own both the entrance and exit node for an individual because very few people will be using both, and web traffic from an individual is relatively heavy and constant to allow for correlation.

That’s not exactly true. See Sealed sender: https://signal.org/blog/sealed-sender/

At least in theory, this is mitigated. The signal activation server sees your phone number, yes. If you use Signal, the threat model doesn’t protect you from someone with privileged network or server access learning that you use Signal (just like someone with privileged network access can learn you use tor, or a vpn, etc).

But the signal servers do not get to see the content of your group messages, nor the metadata about your groups and contacts. Sealed sender keeps that private: https://signal.org/blog/sealed-sender/

You would obviously want to join those groups with a user Id rather than your phone number, or a malicious member could out you. It’s not the best truly anonymous chat platform, but protection from your specific threat model is thought through.

edit: be sure to go to Settings > Privacy > Phone Number. By default anyone who already has your phone number can see you use signal (used for contact discovery, this makes sense to me for all typical uses of Signal), and in a separate setting, contacts and groups can see your phone number. You will absolutely want to un-check that one if you follow my suggestion above.

It’s insane that this is even needed. Show me ads for things relevant to the content of the web page and nothing else. If I’m reading about furnace filters, sure, show me an ad for buying furnace filters, I might buy from you, but don’t follow me around for 2 weeks shoving furnace filter ads in my face. If I’m not reading about them anymore, I’ve moved on.

The added benefit of this approach for advertisers would be that you can literally embed the ads in the page, making ad-blockers ineffective. They literally chose the worst method for everyone involved.

Entropy is calculated from the character set size to the exponent the length of the string: E = log2(R^L). A long string of numbers can have more entropy than a shorter alphanumeric string with special characters. I looked it up and apparently their account number is 16 digits. That’s 53 bits of entropy, which is not guessable. Someone brute forcing would have quadrillions of login attempts to try.

Wireguard is just the vpn software, not a service. Most of these services are running wireguard under the hood now because it’s so good. You can also use wireguard yourself to connect your own machines together, (or friends machines, allowing file sharing like a LAN) but that doesn’t help you with torrenting.

Unless you are willing to do the math, “no entropy really” deserves a [citation needed]

Yes it is. Signal isnt PGP email. A lot of work went into protecting metadata.

What is the threat model where this matters? You have to trust the recipient with Signal. The only one I can think of is the case where your recipient is using a compromised fork and is unaware. In this case, talking about the tool and checking with them about what they are using is really the only countermeasure.

When I originally switched, I kept an ultra clean windows 2000 VM going for a solid decade. Any time I needed it, I could install stuff, do the work, and then blow away the crud that always builds up with Windows. I would suggest using the oldest version of Windows you can practically use, de-bloating it, and taking vm snapshots.

You could even firewall it using another VM or the host if you wanted. Put windows in jail, erase its memory, and cut it off from the outside world so it behaves, lol.