It doesn’t necessarily mean that the phone number is sent with every API call.
The real authentication of who sent the message happens on the receiver’s device when they decrypt it.
In a centralized database, this seems like it’d be trivial to get around. You’d only have to look at the client sent messages and correlate them to the receiving ones.
It’s more complex than that. The client doesn’t authenticate itself to the server. It only shows a certificate that says “I have a right to send messages to this person”. This certificate is anonymous and was initially generated by the receiver, and then sent via the encrypted session.
The server could still correlate the IP, which is much less valuable and can be hidden through VPNs or even the built-in censorship circumvention proxy.
Reading over this again. The primary identifier in signal, is phone numbers. You think signal doesn’t store those, or use them to route messages?
It doesn’t necessarily mean that the phone number is sent with every API call. The real authentication of who sent the message happens on the receiver’s device when they decrypt it.
How would the signal server know who to route the message to?
They know who the receiver is. They don’t need to know who sent the message. They only have to route it to the receiver.
In a centralized database, this seems like it’d be trivial to get around. You’d only have to look at the client sent messages and correlate them to the receiving ones.
It’s more complex than that. The client doesn’t authenticate itself to the server. It only shows a certificate that says “I have a right to send messages to this person”. This certificate is anonymous and was initially generated by the receiver, and then sent via the encrypted session.
More details here.
The server could still correlate the IP, which is much less valuable and can be hidden through VPNs or even the built-in censorship circumvention proxy.