Mysk🇨🇦🇩🇪

@Mer__edith

Hi Meredith, let me address your points:

1) The issue we highlighted does not require “full” access to the device. Signal desktop stores the chat database in an unprotected area of the file system that’s accessible by any user process. This would allow any program without any special permissions or user prompts to access the database in full. This can be solved by sandboxing, which relies on the OS to prevent any process from accessing data within the sandbox.

… 🧵 1/4

Mysk🇨🇦🇩🇪

@Mer__edith

2/4

2) The issue was reported to Signal by others back in 2018, so we didn’t find anything new. App sandboxing technology had been available for a long time on desktop (Windows AppContainer and macOS App Sandbox). Even if we ignore sandboxing, while Signal encrypts the chat database, it stores the encryption key insecurely in plaintext.

… 🧵

Mysk🇨🇦🇩🇪

@Mer__edith

3/4

3) We “the posters” didn’t feel the need to reach out to Signal first since the issue had been known to Signal’s developers since 2018. After 6 years without a resolution, we believe it becomes more important to raise awareness than to attempt to directly engage with Signal, or any other vendor. Also, I challenge you to point out any instance of inflammatory language in our posts about Signal.

…🧵

Mysk🇨🇦🇩🇪

@Mer__edith

4/4

Finally, Signal has a huge responsibility towards your users, many of whom rely on Signal to be the most secure way of communicating in areas of the world where their lives would be in danger if their messages were to be compromised. This is not hyperbole, and Signal needs to continue to live up to that responsibility.

DELETED

@mysk @Mer__edith

All I can say as a user who relies on Signal a lot and is one of few who actually supports Signal by monthly donations through its app is this:

The expectation from the paragon of private and secure messaging platforms is that it is indeed fully private and secure to a point where even physical access (short of knowing admin credentials), Signal must be made to ensure that anything within it is encrypted, including pictures and documents that may be shared.

DELETED

@mysk @Mer__edith

I love Signal and will continue to use and support and recommend it but it’s things like this that slowly begin to leave a bad taste in your mouth.

I hope this is resolved soon. By the looks of it, it can be as it’s a technical issue and we don’t seem to be limited by technology unless my interpretation and inference from all that I have read is incorrect.

Please look into this more and share an update with a foolproof resolution for the millions relying on it.

Compuguy, Lover of Cats 😸😼

@mysk @Mer__edith

This should be a concern. But one should factor in if a malicious actor has full access to the computer, you're pretty much 💩 out of luck. This doesn't mean that @signalapp couldn't implement a PIN/password lock & encryption to the desktop app to make it harder for someone to access that information....

ChiefBongo

@mysk plus Desktop Systems are a lot more vulnerable and susceptible to malware than Mobile OS's, especially Windows. I have always been wary of using Messenger Apps on Desktop - rightfully so, it turns out.
