63
Signal under fire for storing encryption keys in plaintext
(stackdiary.com)
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 06 Jul 2024
63 points (81.2% liked)
privacy
2736 readers
20 users here now
Big tech and governments are monitoring and recording your eating activities. c/Privacy provides tips and tricks to protect your privacy against global surveillance.
Partners:
- community.nicfab.it/c/privacy
founded 2 years ago
MODERATORS
Wow that is actually pretty egregious for such a generally security-conscious organization.
Aside from needing a passkey/passphrase every time you open Signal, what would be the solution? If the user can read the unencrypted messages, then so can malware running as the user.
Heck, even if you required some sort of authentication to open the messages, malware could just capture that.
It's the same problem with browser credential stealing, you can grab all the cookies from an authenticated browser session and copy it to a new system.
Really, the biggest issue is that Signal doesn't detect multiple instances running of the same session, but that's also extremely difficult to do without malware being able to work around it.
Not saying there's no solution here, but there is not a simple solution aside from trusting your computer and cancelling sessions if you suspect someone compromised your system (or just not using a desktop app.)
Agreed. If your system is compromised you have other issues and ultimately that falls on you. And on Linux you could very well set permissions yourself for those directories.