Signal under fire for storing encryption keys in plaintext in Desktop app

There’s the also the fact Signal prides itself on being secure and private. This, kind of, goes against that. There are solutions to this issue, from your keyring suggestion to simply just prompting the user to re-enter their password every time they open up the desktop app.

Maybe if users weren’t so quick to condemn and start blasting social media sites with negative feedback and instead approached the companies with valid feedback and examples of the issues as well as asking for possible solutions there would be a more willingness to listen. If users don’t accept the answers then they can give their reasons why and try to elicit a more positive approach to rectifying some of the issues. The company has the right to decide what and if any changes they make. Users will either accept that or company may lose users based on their answers and decisions. It is what it is but it is up to the users to make valid arguments with positive persuasions that makes sense.

What do you mean by that? Do you ask every desktop application that stores data in my HOME directory to encrypt it? Emails, office documents, everything should be encrypted by the application (libreoffice, thunderbird, etc.)? I dont think that this is the right approach.

I am not saying that libreoffice needs to encrypt my documents automatically. However, if libreoffice adds a function to encrypt documents, I expect that encryption to be secure and reliable.

Likewise, any application that holds secrets, needs to manage them securely. Encryption keys are secrets. Keeping them in a plaintext file is unacceptable. Any application that chooses to do that, should be considered broken and should be fixed.

Just saying, meh, if someone gets access to your data you are screwed anyway isn’t a reasonable or acceptable response for a company to make about their product.

I am not saying “Don’t use Signal”. I am saying “We need hold Signal accountable and ask them to do better with security”.

7 Likes

Absolutely. For the average person (one) a password list breach coupled with (two) all the PII an intruder could grab would be enough to make one’s life unbearable for months and maybe for life if an alternative identity (or identities) is established.

Not for a company no. It comes off as side-stepping or deflecting to be sure.

As someone who lives their life in the minority by refusing to knee-jerk, I completely agree doing the opposite of knee jerk in the scenario you layed out, would be so much more constructive. The knee-jerkers [the ones whose first instinct is to get uber-negative online] forget that they have a choice and can abandon the app whose terms you don’t agree with. Your last two sentences spot on too.

Fascinating thread, intelligent responses. good reading.

2 Likes

Honest question, is session really more private and encrypted than signal? I’ve never heard a solid argument for that, I recall it doesn’t do perfect forwarding or something like that, which is as moot of an argument as this signal situation in the eyes of some. I also remember the consensus being that if you use onion, you stand out like a sore thumb to your isp and anyone watching your isp.

Session doesn’t require a phone number, which may be a privacy advantage depending on your use case.

Session is not “more” encrypted than Signal; in fact, it uses the same end-to-end encryption protocol (the Signal Protocol).

Given that Signal now allows usernames and has an option to completely hide your phone number, I’d say that advantage is even at this point. If there are no other advantages to Session, then trying to convert the masses away from Signal doesn’t seem like a worthwhile endeavor.

It’s good that Signal added support for this, but Session does not require a phone number or email address for creating an account (not just sending messages), so this is a little different. https://getsession.org/faq#identity-protection

Session also routes traffic through Tor’s Onion network (https://getsession.org/faq#onion-routing), making it impossible to track where Session messages are going or coming from. There are not central servers either. In general, it is more anonymous than Signal.

I’m not aware of anyone trying to “convert the masses away from Signal”, but for anyone who was motivated to switch to another messager because of the plaintext encryption key drama, it seems they have addressed that issue in the wake of the Twitter backlash:

1 Like

There are still features of Session that make it worthwhile. I like both, and use Signal more due to the people I need to communicate with. I would prefer to use Session more if not always.

Session has no central service like Signal needs. Session uses less metadata. With Signal, it’s known who you were talking to, but not what was said. Session doesn’t have that issue.

Read up on the Session website and their youtube channel.

Sorry, I meant that from what I understand about Tor, if you use it you stand out like a sore thumb to your ISP because hardly anyone uses it unless you’re in a very dense metro area. So to get into extremes, it might shine a light more so than just a vpn to where they can try to pinpoint the user? I also heard that the majority of the nodes are now controlled by the big boys and it could be compromised?

Signal blocks security researchers

I wouldn’t say security researchers. Just that guy specifically. He hasn’t pointed to any one else being blocked and generally seems to be making a fuss.

1 Like

That was my takeaway impression too after reading that link. It would be more accurate to say Signal blocked Nadim, as “researches” implies more than one. It’s not clear there’s more than one.

Clearly, Nadim is not pleased about that, but the reason why he was blocked isn’t clear either.

If you go and look at the GitHub pull request he screenshots there, you’ll note that the post directly above (not in the screenshot) is a response from a Signal dev explaining how they have addressed the issue and thanking contributors for their assistance.

2 Likes

Apparently the encryption is now secured via the keyring and auto-login users promptly complain because they have to enter the password.

2 Likes

I guess you can’t win them all. I believe for this type of app, though, auto-login shouldn’t really be a feature, for, hopefully, obvious reasons.

4 Likes

I believe storing anything anywhere simply does not guarantee anything even if it is password protected. Same for storing anything on any device that connects to the internet, or even connect to another device that connects to the internet. This is if you want to be sure nobody else gets access!

But still, we have to live with the cloud and the internet. Just be wise!

1 Like

Yep, I agree. In this case, though, I just find the idea of an auto-login feature for something that says it is private and secure and whatnot a bit too slippery in its nature. It is correct that it is ultimately one’s responsibility to take care of their system, but this feature isn’t exactly required on an app of this nature and especially done in this fashion.

1 Like

I believe the “auto-login” was in reference to Linux login, and being asked for a password was in reference to needing to unlock the wallet (eg: KDE Wallet) before Signal would successfully launch.