Signal under fire for storing encryption keys in plaintext on desktop app
Signal under fire for storing encryption keys in plaintext on desktop app
Popular encrypted messaging app Signal is facing criticism over a security issue in its desktop application. Researchers and app users are raising
You're viewing a single thread.
E2EE is not supposed to protect if device get compromised.
One could argue that Windows is compromised right out of the box.
Source:
source: 93% of ransomware are windows based
Correlation is not causation.
Causation was never stated nor implied
99% of people in France are French
BUT WHAT OF QUEBEC
Are they in france?
I mean… basically
Therefore France is french righr out of box
Microsoft are integrating adware and spyware straight into the os.
Source:
Try setup fresh windows 11 system.
I don't understand how that would prove anything.
A lot of tracker and spyware already mention in setup. And without bypass you cannot setup without microsoft account.
It's right there in the open. Install windows and you'll see it. There is personalised ads in the start menu and the os is uploading your private files to the cloud automatically, taking screenshots and uploading them, etc. It's not hidden whatsoever.
"The computer" decides when to install updates and which ones to install.
Intrinsically/semantically no but the expectation is that the texts are encrypted at rest and the keys are password and/or tpm+biometric protected. That's just how this works at this point. Also that's the government standard for literally everything from handheld devices to satellites (yes, actually).
At this point one of the most likely threat vectors is someone just taking your shit. Things like border crossings, rubber stamped search warrants, cops raid your house because your roommate pissed them off, protests, needing to go home from work near a protest, on and on.
If your device is turned on and you are logged in, your data is no longer at rest.
Signal data will be encrypted if your disk is also encrypted.
If your device's storage is not encrypted, and you don't have any type of verified boot process, then thats on you, not Signal.
Signal data will be encrypted if your disk is also encrypted.
True.
and you don't have any type of verified boot process
How motherboard refusing to boot from another drive would protect anything?
Its more about protecting your boot process from malware.
Well, yes. By refusing to boot. It can't prevent booting if motherboard is replaced.
EDIT: s/do anything/prevent booting/
Thats correct. Thats one of the many perks.
EDIT: s/do anything/prevent booting/
If the hardware signatures don't match, it wont boot without giving a warning. If the TPM/Secure Enclave is replaced/removed/modified, it will not boot without giving a warning.
If the hardware signatures don't match
Compromised hardware will say it is same hardware
If the TPM/Secure Enclave is replaced/removed/modified, it will not boot without giving a warning.
Compromised hardware controls execution of software. Warning is done in software. Conpromised hardware won't let it happen.
TPM isn't all that reliable. You will have people upgrading their pc, or windows update updating their bios, or any number of other reasons reset their tpm keys, and currently nothing will happen. In effect people would see Signal completely break and loose all their data, often seemingly for no reason.
Talking to windows or through it to the TPM also seems sketchy.
In the current state of Windows, the sensible choice is to leave hardware-based encryption to the OS in the form of disk encryption, unfortunate as it is. The great number of people who loose data or have to recover their backup disk encryption key from their Microsoft account tells how easily that system is disturbed (And that Microsoft has the decryption keys for your encrypted date).
Plaintext should never be used in any application that deals with security, ever.
Oh no, tell that to SSH.
unless you're reading ciphertext yourself, this doesn't make sense
It doesn't use plain text. It is end to end encrypted but that isn't what this "issue" is
Mfw end to end can be compromised at the end.
That said, they should fix this anyway
Indeed, End-to-End Encryption protects data between those ends, not ends themselves. If ends are compromised, no math will help you.