
> your private key is protected only by a verification text message and short PIN. That's very low entropy compared to a full ED25519 keypair.

Can you explain what you mean by this? In practice, I can see the argument that the only verified identity (phone number) for most users is the one protected by a flimsy SMS verification message, but I don't believe that that implies your private key is terribly vulnerable to e.g. SIM swap attacks. Or perhaps I'm misunderstanding you.

Put another way: if you rigidly adhere to out-of-band-verified pubkeys for contacts, you should be fairly safe. True that Signal's UI makes this hard to do, but that's a different conversation than "your keys are only protected by SMS verification".



> True that Signal's UI makes this hard to do

Do you think so? The app provides a "Safety Number" and QR code with built-in scanner to verify that yup, your device and their device have nobody in the middle. It has a visible reminder that you checked this person's actual identity (if you did) and a message appears if the keys change. If you are "rigidly adhering" to protocol your response should be to arrange an in-person meet-up to reconfirm, not "New phone? Cool".


I agree that verification is easy. I think they have softened the warnings and behavior surrounding key changes to accommodate their users that have virtually no understanding of crypto (i.e. the majority of people). It's an understandable position for them to take, but yes, in my opinion the alarm bells when a key unexpectedly changes are more oriented towards casual users than a (to paraphrase c7DJTLrn) Snowden-level user. For the latter, I expect behavior more similar to an OpenSSH key mismatch (which is quite a bit more strongly worded than Signal's).
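The safety-number check in the comment above and the OpenSSH-style key-mismatch behaviour the reply contrasts it with, as an added illustration that is not part of the thread and is not Signal's or OpenSSH's code: a trust-on-first-use pin store that tells apart first contact (pinned but unverified), a match against the pin, and a key change that should be re-verified out of band before the new key is accepted. The fingerprint format, the `PinStore` API and the sample keys are assumptions constructed for this example.

```python
import hashlib
from dataclasses import dataclass, field

# Check outcomes. FIRST_SEEN is deliberately not "verified": pinning a key on
# first use only detects *later* changes, it does not prove who holds the key.
FIRST_SEEN = "first_seen"
MATCH = "match"
CHANGED = "changed"


def fingerprint(public_key: bytes) -> str:
    """Human-comparable digest of a public key (assumed to be raw key bytes).

    Constructed format: first 20 bytes of SHA-256 as hex, in 4-character groups,
    so two people can read it aloud or compare it on screen.
    """
    digest = hashlib.sha256(public_key).hexdigest()[:40]
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


@dataclass
class PinStore:
    """Per-contact pinned fingerprints, in the spirit of an SSH known_hosts file."""
    pins: dict = field(default_factory=dict)  # contact -> {"fp": str, "verified": bool}

    def check(self, contact: str, public_key: bytes) -> str:
        fp = fingerprint(public_key)
        pin = self.pins.get(contact)
        if pin is None:
            # Trust on first use: remember the key, but leave it unverified.
            self.pins[contact] = {"fp": fp, "verified": False}
            return FIRST_SEEN
        if pin["fp"] == fp:
            return MATCH
        return CHANGED

    def mark_verified(self, contact: str, fingerprint_read_out_of_band: str) -> None:
        """Record that the fingerprint was compared over a trusted channel (in person, QR scan)."""
        pin = self.pins[contact]
        if pin["fp"] != fingerprint_read_out_of_band:
            raise ValueError("out-of-band fingerprint does not match the pinned key")
        pin["verified"] = True

    def accept_new_key(self, contact: str, public_key: bytes) -> None:
        """Replace the pin after a key change. The verified flag is dropped on purpose:
        a new key needs a fresh out-of-band comparison, not "New phone? Cool"."""
        self.pins[contact] = {"fp": fingerprint(public_key), "verified": False}

    def is_verified(self, contact: str) -> bool:
        return self.pins.get(contact, {}).get("verified", False)


def warning_for(store: PinStore, contact: str, status: str) -> str:
    """Wording the UI would show. A change on a previously verified contact is the
    strongly worded case, comparable to an OpenSSH host-key mismatch."""
    if status == MATCH:
        return "verified contact" if store.is_verified(contact) else "pinned, not yet verified"
    if status == FIRST_SEEN:
        return "first contact: compare the fingerprint out of band before relying on it"
    if store.is_verified(contact):
        return ("WARNING: key for a VERIFIED contact has changed. Possible interception. "
                "Do not send until you have re-verified the new fingerprint in person.")
    return "key changed for an unverified contact: verify before trusting"


if __name__ == "__main__":
    # Constructed sample keys, not real Ed25519 material.
    store = PinStore()
    status = store.check("alice", b"alice-key-1")
    print(status, "->", warning_for(store, "alice", status))
    store.mark_verified("alice", fingerprint(b"alice-key-1"))
    status = store.check("alice", b"alice-key-2")
    print(status, "->", warning_for(store, "alice", status))
```

The distinction the store keeps between "pinned" and "verified" is the point of the comparison above: a pin alone only tells you the key changed since last time, while the out-of-band comparison is what ties the key to the person.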



