Voluntarily sharing informative posts from unaffiliated sources.

  • 59 Posts
  • 4 Comments
Joined 1 year ago
Cake day: January 16th, 2024
  • ForgottenFlux@lemmy.worldOPtoPrivacy@lemmy.mlSignal under fire for storing encryption keys in plaintext on desktop appEnglish
    1065·
    11 months ago

    Summary:

    • Signal’s desktop app stores encryption keys for chat history in plaintext, making them accessible to any process on the system
    • Researchers were able to clone a user’s entire Signal session by copying the local storage directory, allowing them to access the chat history on a separate device
    • This issue was previously highlighted in 2018, but Signal has not addressed it, stating that at-rest encryption is not something the desktop app currently provides
    • Some argue this is not a major issue for the “average user”, as other apps also have similar security shortcomings, and users concerned about security should take more extreme measures
    • However, others believe this is a significant security flaw that undermines Signal’s core promise of end-to-end encryption
    • A pull request was made in April 2023 to implement Electron’s safeStorage API to address this problem, but there has been no follow-up from Signal