478

Signal under fire for storing encryption keys in plaintext on desktop app (stackdiary.com)

submitted 1 week ago by ForgottenFlux@lemmy.world to c/privacy@lemmy.ml

258 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[-] douglasg14b@lemmy.world 7 points 1 week ago* (last edited 1 week ago)

That's not how this works.

If the stored data from signal is encrypted and the keys are not protected than that is the security risk that can be mitigated using common tools that every operating system provides.

You're defending signal from a point of ignorance. This is a textbook risk just waiting for a series of latent failures to allow leaks or access to your "private" messages.

There are many ways attackers can dump files without actually having privileged access to write to or read from memory. However, that's a moot point as neither you nor I are capable of enumerating all potential attack vectors and risks. So instead of waiting for a known failure to happen because you are personally "confident" in your level of technological omnipotence, we should instead not be so blatantly arrogant and fill the hole waiting to be used.

Also this is a common problem with framework provided solutions:

https://www.electronjs.org/docs/latest/api/safe-storage

This is such a common problem that it has been abstracted into apis for most major desktop frameworks. And every major operating system provides a key ring like service for this purpose.

Because this is a common hole in your security model.

[-] 9tr6gyp3@lemmy.world -3 points 1 week ago* (last edited 1 week ago)

Having Signal fill in gaps for what the OS should be protecting is just going to stretch Signal more than it already does. I would agree that if Signal can properly support that kind of protection on EVERY OS that its built for, go for it. But this should be an OS level protection that can be offered to Signal as an app, not the other way around.

[-] douglasg14b@lemmy.world 2 points 1 week ago

Having Signal fill in gaps for what the OS should be protecting is just going to stretch Signal more than it already does. I would agree that if Signal can properly support that kind of protection on EVERY OS that its built for, go for it. But this should be an OS level protection that can be offered to Signal as an app, not the other way around.

Damn reading literacy has gone downhill these days.

Please reread my post.

But this should be an OS level protection that can be offered to Signal as an app, not the other way around.

OSs provide keyring features already
The framework signal uses (electron) has a built in API for this EXACT NEED

Cmon, you can do better than this, this is just embarrassing.

[-] 9tr6gyp3@lemmy.world 1 points 1 week ago

Why exactly am I re-reading your post? Im in complete agreement with you? Should I not be?

this post was submitted on 06 Jul 2024

478 points (94.3% liked)

Privacy

30002 readers

969 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

Chat rooms

[Matrix/Element]Dead
Discord

much thanks to @gary_host_laptop for the logo design :)

founded 4 years ago

MODERATORS