Signal under fire for storing encryption keys in plaintext in Desktop app

There’s also the fact Signal prides itself on being secure and private. This, kind of, goes against that. There are solutions to this issue, from your keyring suggestion to simply prompting the user to re-enter their password every time they open up the desktop app.

Maybe if users weren’t so quick to condemn and start blasting social media sites with negative feedback, and instead approached the companies with valid feedback and examples of the issues as well as asking for possible solutions, there would be more willingness to listen. If users don’t accept the answers, then they can give their reasons why and try to elicit a more positive approach to rectifying some of the issues. The company has the right to decide what changes, if any, they make. Users will either accept that or the company may lose users based on their answers and decisions. It is what it is, but it is up to the users to make valid arguments with positive persuasions that make sense.

What do you mean by that? Do you ask every desktop application that stores data in my HOME directory to encrypt it? Emails, office documents, everything should be encrypted by the application (libreoffice, thunderbird, etc.)? I don’t think that this is the right approach.

I am not saying that libreoffice needs to encrypt my documents automatically. However, if libreoffice adds a function to encrypt documents, I expect that encryption to be secure and reliable.

Likewise, any application that holds secrets needs to manage them securely. Encryption keys are secrets. Keeping them in a plaintext file is unacceptable. Any application that chooses to do that should be considered broken and should be fixed.

Just saying, meh, if someone gets access to your data you are screwed anyway isn’t a reasonable or acceptable response for a company to make about their product.

I am not saying “Don’t use Signal”. I am saying “We need to hold Signal accountable and ask them to do better with security”.

Absolutely. For the average person (one) a password list breach coupled with (two) all the PII an intruder could grab would be enough to make one’s life unbearable for months and maybe for life if an alternative identity (or identities) is established.

Not for a company no. It comes off as side-stepping or deflecting to be sure.

As someone who lives their life in the minority by refusing to knee-jerk, I completely agree that doing the opposite of knee-jerk in the scenario you laid out would be so much more constructive. The knee-jerkers [the ones whose first instinct is to get uber-negative online] forget that they have a choice and can abandon the app whose terms they don’t agree with. Your last two sentences are spot on too.

Fascinating thread, intelligent responses. Good reading.