483

Signal under fire for storing encryption keys in plaintext on desktop app (stackdiary.com)

submitted 3 months ago by ForgottenFlux@lemmy.world to c/privacy@lemmy.ml

258 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[-] gomp@lemmy.ml 14 points 3 months ago* (last edited 3 months ago)

Those are outside Signal's scope and depend entirely on your OS and your (or your sysadmin's) security practices (eg. I'm almost sure in linux you need extra privileges for those things on top of just read access to the user's home directory).

The point is, why didn't the Signal devs code it the proper way and obtain the credentials every time (interactively from the user or automatically via the OS password manager) instead of just storing them in plain text?

[-] douglasg14b@lemmy.world 6 points 3 months ago

They're arguing a red herring. They don't understand security risk modeling, argument about signals scope let's their broken premise dig deeper. It's fundamentally flawed.

It's a risk and should be mitigated using common tools already provided by every major operating system (ie. Keychain).

[-] Liz@midwest.social 3 points 3 months ago

"Highways shouldn't have guard rails because if you hit one you've already gone off the road anyway."

[-] Zak@lemmy.world 5 points 3 months ago

You'd need write access to the user's home directory, but doing something with desktop notifications on modern Linux is as simple as

dbus-monitor "interface='org.freedesktop.Notifications'" | grep --line-buffered "member=Notify\|string" | [insert command here]

Replacing the Signal app for that user also doesn't require elevated privileges unless the home directory is mounted noexec.

[-] 9tr6gyp3@lemmy.world -3 points 3 months ago

Feel free to submit a pull request. We could use your help.

[-] gomp@lemmy.ml 1 points 3 months ago

I don't see the reasoning in your answer (I do see its passive-aggressiveness, but chose to ignore it).

I asked "why?"; does your reply mean "because lack of manpower", "because lack of skill" or something else entirely?

In case you are new to the FOSS world, that being "open source" doesn't mean that something cannot be criticized or that people without the skill (or time!) to submit PRs must shut the fu*k up.

[-] 9tr6gyp3@lemmy.world 2 points 3 months ago

It's in the draft phase from what I can see.

https://github.com/signalapp/Signal-Desktop/pull/6849

this post was submitted on 06 Jul 2024

483 points (94.5% liked)

Privacy

31790 readers

222 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

Chat rooms

[Matrix/Element]Dead
Discord

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS