"The community note is wrong and Elon Musk is right. Signal's desktop apps encrypt local chat history with a key stored in plain text and made accessible to any process," tweeted Mysk in another thread.
"This leaves users vulnerable to exfiltration. The issue was reported in 2018, but it hasn't been addressed."
Encrypting the database key makes encryption at rest more secure but it doesn't prevent exfiltration in all scenarios afaik.
When you open Signal Desktop, your data gets decrypted and thus malware just has to wait until you do that.
I think that's what Whittaker means with "Signal cannot completely protect your data" and why this issue wasn't taken seriously:
In response, Whittaker downplayed the flaw, stating that if an attacker has full access to your device, Signal cannot completely protect the data.
"The reported issues rely on an attacker already having full access to your device — either physically, through a malware compromise, or via a malicious application running on the same device," Whittaker tweeted.
"This is not something that Signal, or any other app, can fully protect against. Nor do we ever claim to."
I can kind of get behind this reasoning, but it's still weird that this wasn't implemented until now. Was it maybe a UX vs. security trade-off?
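The comment above draws the line between encryption at rest (which an OS-keystore-wrapped key improves) and runtime exfiltration (which it does not stop). As an added example, not code from Signal or from anyone in this thread, here is a small audit script a defender can run against a Signal Desktop profile to see which of the two storage forms is present. It assumes the database key lives in a `config.json` file under the profile directory, that the plaintext form uses a field named `key` and the wrapped form a field named `encryptedKey`, and that the profile directory is at the usual per-platform default; all of those are assumptions, not facts taken from this page. The script reports findings only and never prints or copies key material.

```python
"""Audit a Signal Desktop config.json for how the local database key is stored.

Added example, not Signal's code. Assumptions (also noted in comments below):
the key sits in config.json under the profile directory; "key" holds a plaintext
hex key and "encryptedKey" an OS-keystore-wrapped key; default paths are typical
install locations. Findings are reported without ever reading out the key value.
"""
import json
import os
import shutil
import stat
import sys
import tempfile
from pathlib import Path

PLAINTEXT_FIELD = "key"           # assumption: hex database key stored in the clear
ENCRYPTED_FIELD = "encryptedKey"  # assumption: key wrapped by the OS keystore


def default_config_path() -> Path:
    """Best-guess location of Signal Desktop's config.json (assumed defaults)."""
    home = Path.home()
    if sys.platform == "win32":
        base = Path(os.environ.get("APPDATA", home / "AppData" / "Roaming"))
    elif sys.platform == "darwin":
        base = home / "Library" / "Application Support"
    else:
        base = Path(os.environ.get("XDG_CONFIG_HOME", home / ".config"))
    return base / "Signal" / "config.json"


def classify_config(config: dict) -> str:
    """Return which key-storage form is present, without touching the key's value."""
    has_plain = bool(config.get(PLAINTEXT_FIELD))
    has_wrapped = bool(config.get(ENCRYPTED_FIELD))
    if has_plain and has_wrapped:
        return "both"          # e.g. a migration that left the plaintext copy behind
    if has_plain:
        return "plaintext-key"
    if has_wrapped:
        return "encrypted-key"
    return "no-key"


def overly_permissive(path: Path):
    """True if group/other hold any mode bits; None where POSIX mode bits do not apply."""
    if os.name != "posix":
        return None
    return bool(stat.S_IMODE(path.stat().st_mode) & 0o077)


def audit_file(path: Path) -> dict:
    """Audit one config file and return findings only (no key material)."""
    with open(path, "r", encoding="utf-8") as fh:
        config = json.load(fh)
    status = classify_config(config)
    return {
        "path": str(path),
        "status": status,
        "overly_permissive": overly_permissive(path),
        # At-rest protection is only as good as the key's storage. Even the
        # wrapped form does not help once the app has unlocked the database in
        # the same user session, which is the commenter's point above.
        "at_rest_protection": status == "encrypted-key",
    }


def demo_audit() -> dict:
    """Run the audit on a constructed plaintext-key config in a temp dir and clean up."""
    workdir = Path(tempfile.mkdtemp(prefix="signal-audit-demo-"))
    try:
        sample = workdir / "config.json"
        # Constructed sample value, not a real key.
        sample.write_text(json.dumps({PLAINTEXT_FIELD: "ab" * 32}), encoding="utf-8")
        if os.name == "posix":
            os.chmod(sample, 0o600)
        return audit_file(sample)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else default_config_path()
    if target.exists():
        print(json.dumps(audit_file(target), indent=2))
    else:
        print(f"no config found at {target}; running the constructed demo instead")
        print(json.dumps(demo_audit(), indent=2))
```

Run it with no arguments to audit the default profile, or pass a path to a config file. A `plaintext-key` result means the at-rest encryption of the database adds nothing against anything that can read the profile directory; an `encrypted-key` result only raises the bar for offline copies of the profile, not for code running inside the unlocked session.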
I co-sign this @ek
I do wonder if the recent spiciness around Signal and its board might be contributing to this stuff. It is hard to separate the technical from the political as we know from the bitcoin world.
100 sats \ 0 replies \ @nout 11 Jul
It's the same thing on the phone. If you caught Pegasus, then using Signal doesn't provide any extra privacy - all your taps or keystrokes can be tracked and exported.
It also takes a while to open up. IDK if a fix would slow that down even more or not.
This I see as positive. People should be publicly going after companies with vulnerabilities. If you are creating products, expect people to come back dissecting the flaws. You see change quickly then!
I think Signal should have more bug bounties/white-hat hackers though. Companies never want to erode their reputation.