Signal under fire for storing encryption keys in plaintext \ stacker news ~privacy

Signal under fire for storing encryption keys in plaintext stackdiary.com/signal-under-fire-for-storing-encryption-keys-in-plaintext/

587 sats \ 10 comments \ @kepford 9 Jul privacy

According to reports Signal's desktop applications are storing account encryption keys in plain text.

view all related items

0 replies \ @kepford OP 10 Jul

Signal is planning to address this. Thanks to @ek for sharing

15 sats \ 0 replies \ @Bell_curve 9 Jul

don't use desktop app!!!

68 sats \ 5 replies \ @SatsMate 9 Jul

This is not good. Can't the developers change this if they care about fixing this vulnerability?

13 sats \ 4 replies \ @kepford OP 9 Jul

There is debate about if it is a vulnerability so... we aren't even that far.

You could mitigate this by at least encrypting your computer's drive so your keys aren't just there if someone picks up your drive.

If on Linux you could install as root which would change the permissions so that another non-root process can't read your keys.

I hope they do resolve this because it is unwise to run Signal Desktop on any machine that isn't very locked down. Its bad enough that the key is there but its worse that it can be copied to another machine and Signal could be installed on another device without you ever knowing your linked machine has a clone.

In the meantime I would recommend not using Signal Desktop. Delete it. The mobile apps do not have this issue.

113 sats \ 1 reply \ @Zk2u 9 Jul

Agree with OP. I would delete or at the least disconnect desktop linked devices. It certainly is a vulnerability, but mitigating effectively is very difficult on some platforms. Storing a key on disk is mostly fine if the OS enforces that only your app can access it. Android and iOS are built on this sandboxing, desktops (mostly) aren’t. macOS has keychain access which if signal used would make this a lot more secure. Other desktops aren’t so lucky - fixes on Linux and windows (windows I know for sure, unless you use something like windows hello) aren’t really fixes. The OS needs to limit access at a lower ring to user space, like macOS does with keychain access, to mitigate this issue.

To clarify, the biggest issue isn’t putting it on disk (it has to be stored somewhere) because you should be using full disk encryption in whatever the platform offers for it, such as FileVault on macOS. The main issue is other apps running at the same user level as signal being able to access it, again because desktop OSs don’t really sandbox things. On the server (Linux) we generally do this using service accounts, but no one is using separate service accounts for most software installed on a Linux desktop.

I think people forget this is also how your SSH keys are stored too lol.

13 sats \ 0 replies \ @kepford OP 9 Jul

The main issue is other apps running at the same user level as signal being able to access it, again because desktop OSs don’t really sandbox things. On the server (Linux) we generally do this using service accounts, but no one is using separate service accounts for most software installed on a Linux desktop.