Signal under fire for storing encryption keys in plaintext in Desktop app

Other research links mentioned in this thread :

Mike Kuketz’s post

Meredith Whittaker’s response :


That response is crazy.

We ask those who are serious about security and privacy to please engage us directly in the future, instead of resorting first to online claims that can confuse non-experts and lead people to make unsafe choices and develop inaccurate mental models based on scary language.

This is basically implying that there is nothing to worry about and people are just confused.

Instead of a meaningless statement like this, it would inspire a lot more confidence, if they simply explained what they do and don’t properly encrypt and what their rationale for those decisions are.

The reported issues rely on an attacker already having full access to your device

Well, yeah, that is how privilege escalation works. That doesn’t really make it not a problem.

We continue working to harden our desktop build across supported operating systems and take advantage of new platform capabilities as they emerge. Those of you following our repo can follow this work there.

This is pretty funny since there has been an open PR for the last 3 months to address the issue and nobody even acknowledged or commented on it until this issue went public.

The posters who raised this issue did so without contacting us directly. Instead, they went straight to social media, in some cases using inflammatory language. And they dropped these claims over a US holiday weekend. This is the opposite of responsible disclosure.

When the information has been public since at least 2018 and you have made public statements claiming that it is by design, I don’t think that responsible disclosure applies.


Mike Kuketz brings it to the point:

This is known since 2015. This is nothing new but just clickbait.

“We’re not going to be adding any local access control or protection. You can use Chrome profiles, full disk encryption, and a screenlock.”

1 Like

I think it is more than clickbait because it is something that while public information, is probably not broadly known or understood. I think that getting it more attention and making people aware so they can properly protect themselves is worthwhile.


Isn’t this the same app that people love to say it is private and better than Whatsapp from a security standpoint and whatnot? Well, doesn’t seem like it, frankly. No doubt that it is more private than Whatsapp, but really? Even if it is ultimately the responsibility of the user for the security of their system, the fact that it is stored as such goes against what I’ve heard people say about it.

Other messenger handle it the same on the PC. The end-to-end encryption is for the transport layer. The local store on the PC is not encrypted.

And telegram for example does not even offer secret chats for the desktop clients.

then why is this a big fuss, exactly? if this is the industry standard, why are its users and researchers firing up about it?

I am going to be honest, the internet is, and I’m sorry for swearing here, a f*cking nightmare sometimes. You learn about something and then 5 minutes later you learn it isn’t a big deal, then you learn it is if you do x thing. Like seriously, decide already if I should worry or not, goddamn it. Where’s the truth in this entire thing?

I’m sorry, I think I will go take a bit of a breather.

1 Like

Because they are encrypting local data. When something is encrypted, the expectation is that it is encrypted in a meaningful way. Not that it is encrypted in a way that anyone can easily decrypt it.

This is the nature of privacy and security.

Things that are secure in an absolute sense wouldn’t be very usable.

You have to decide what you are trying to protect against and then evaluate if this application meets that need.

Basically, you can’t protect against everything, so what do you care about?

Part of the challenge is that we all have different use cases. Someone with a laptop who does lots of general computing on public wifi has a different set of concerns then someone who uses a desktop in a secure environment but deals with lots of sensitive data.

1 Like

Not shocked after them refusing to push change on they’re github … Who know what was going at that time. After that it was hard IMO to trust them to even run the same code than the github.

But at least they offer the server software on github. And the delay, which was in 2021, was well explained. I would not be concerned about it.

Which other messenger offers everything (client+server) as open source?

Personally, i don’t see a well explained answer from them. For months they ignored everyone that ask them why/when. Why not simply saying it at that time ? See fishy IMO.




well, ok. I was not thinking about niche solutions. I was more thinking about real competition like Whatsapp, Threema, Telegram, Facebook Messenger, etc. But ok.

I use Matrix and Element which would qualify as well. I speak to most of my family and friends on there.


Matrix is pretty good, only reproach i have “against” it, is the fact that its difficult to use for non tech savey people. Lots of my friends that tried it, know how to use Discord, Element take some part of the Discord UI/UX but private conversations are hard to them to grasp since you can have private conversation with the same person via different servers or spaces.

I do a mix of session, matrix with a self-hosted server :slight_smile: and discord since some peoples don’t want to secure they’re communications :sweat_smile:

1 Like

Never heard of this until now but there again I never really message anyone anyways. The touts of being alone i suppose and having no family left. However without going into this (no i didnt click the link didn’t care that much about it) However I did want to ask the question isn’t what is stored on your system YOUR responsibility? And what would it matter if it was encrypted the right people with access to your system could still figure out how to use it to get the information they want. As long as the communication is encrypted that is all that matters for the password as far as a company would be concerned.


Signal is one of those projects certain parts of the privacy concerned community love to hate on. That in many respects comes part and parcel with being a popular choice. Brave is in the same boat.

It’s not doing too badly though, if the biggest issue held against it is that someone with the read access of your own account, on your own computer, can access some sensitive data… I mean, “thanks captain obvious” :sweat_smile:

The real issue in this hypothetical scenario:
Your system is compromised and this has nothing to do with Signal. A bad actor already has access to everything that’s personal to you. The issue being raised here is simply, “yes but they could also see your Signal key”.


Yeah. The people going off on Signal about this are just overdoing it. If a hacker can access everything on your system, your signal chat history is quite possibly the least of your worries. Bitwarden, your browser’s config directory, client/company documents, your unpublished writings and art, your other unencrypted but very personal files, etc.

I mean, unless you are a whistleblower or something in that vain, everything I mentioned above is more important.

Getting access to someone’s browser directory could literally ruin their life.

1 Like

That is exactly the point of the signal developers as far as I understand it. If the chats would be encrypted on your disc, signal would need to store the encryption key on your disc as well. That would make the chats accessible by anybody who knows where the key is stored. And because the signal client is open source it would be easy to find out where that this.

At the end of the day the lesson learned by this discussion is: If somebody has access to your $HOME you are screwed anyways.


The keys could be stored on your keyring which is separately encrypted. Many other applications have a similar issue and overcome it. Password managers for example.

This is a lovely narrative but we shouldn’t accept it. We need applications to get better about securing their data.