Signal under fire for storing encryption keys in plaintext
stackdiary.com
external-link
Popular encrypted messaging app Signal is facing criticism over a security issue in its desktop application. Researchers and app users are raising
@x1gma@lemmy.world
link
fedilink
87
edit-2
4M

How in the fuck are people actually defending signal for this, and with stupid arguments such as windows is compromised out of the box?

You. Don’t. Store. Secrets. In. Plaintext.

There is no circumstance where an app should store its secrets in plaintext, and there is no secret which should be stored in plaintext. Especially since this is not some random dudes random project, but a messenger claiming to be secure.

Edit: “If you got malware then this is a problem anyway and not only for signal” - no, because if secure means to store secrets are used, than they are encrypted or not easily accessible to the malware, and require way more resources to obtain. In this case, someone would only need to start a process on your machine. No further exploits, no malicious signatures, no privilege escalations.

“you need device access to exploit this” - There is no exploiting, just reading a file.

All your session cookies are stored in plaintext.

Chrome cookies are encrypted, for exactly the reasons stated. If malware gains access to your system and compromises it in a way that DPAPI calls can be replicated in the way Chrome does it, then your sessions will also be compromised. But this is way harder to do, and at least prevents trivial data exfiltration.

@uis@lemm.ee
link
fedilink
64M

You. Don’t. Store. Secrets. In. Plaintext.

Ok. Enter password at every launch.

If someone has access to your machine you are screwed anyway. You need to store the encryption key somewhere

@x1gma@lemmy.world
link
fedilink
-1
edit-2
4M

Yes, in your head, and in your second factor, if possible, keeping derived secrets always encrypted at rest, decrypting at the latest possible moment and not storing (decrypted) secrets in-memory for longer than absolutely necessary at use.

lemmyvore
link
fedilink
424M

You. Don’t. Store. Secrets. In. Plaintext.

SSH stores the secret keys in plaintext too. In a home dir accessible only by the owning user.

I won’t speak about Windows but on Linux and other Unix systems the presumption is that if your home dir is compromised you’re fucked anyway. Effort should be spent on actually protecting access to the home personal files not on security theater.

@uis@lemm.ee
link
fedilink
04M

SSH has encrypted keys

Kinda expected the SSH key argument. The difference is the average user group.

The average dude with a SSH key that’s used for more than their RPi knows a bit about security, encryption and opsec. They would have a passphrase and/or hardening mechanisms for their system and network in place. They know their risks and potential attack vectors.

The average dude who downloads a desktop app for a messenger that advertises to be secure and E2EE encrypted probably won’t assume that any process might just wire tap their whole “encrypted” communications.

Let’s not forget that the threat model has changed by a lot in the last years, and a lot of effort went into providing additional security measures and best practices. Using a secure credential store, additional encryption and not storing plaintext secrets are a few simple ones of those. And sure, on Linux the SSH key is still a plaintext file. But it’s a deliberate decision of you to keep it as plaintext. You can at least encrypt with a passphrase. You can use the actual working file permission model of Linux and SSH will refuse to use your key with loose permissions. You would do the same on Windows and Mac and use a credential store and an agent to securely store and use your keys.

Just because your SSH key is a plaintext file and the presumption of a secure home dir, you still wouldn’t do a ~/passwords.txt.

Not true, SSH keys need their passphrase to be used. If you don’t set one, that’s on you.

lemmyvore
link
fedilink
24M

If someone gets access they can delete your keys, or set up something that can intercept your keys in other ways.

The security of data at rest is just one piece of the puzzle. In many systems the access to the data is considered much more important than whether the data itself is encrypted in one particular scenario.

Mubelotix
link
fedilink
17
edit-2
4M

Come on, 95% of users don’t set passwords on their ssh keys

idunnololz
link
fedilink
54M

Where are these stays from lmao.

Mubelotix
link
fedilink
54M

Counting my friends

You can count me too

Well yes, but also how would users react if they had to type in their passphrase every time they open the app? This is also exactly what we’re giving up everywhere else by clicking ‘remember this device’.

How in the fuck are people actually defending signal for this

Probably because Android (at least) already uses file-based encryption, and the files stored by apps are not readable by other apps anyways.

And if people had to type in a password every time they started the app, they just wouldn’t use it.

@uis@lemm.ee
link
fedilink
24M

AFAIK Android encrypts entire fs with one key. And ACL is not encryption.

Liz
link
fedilink
214M

Popular encrypted messaging app Signal is facing criticism over a security issue in its desktop application.

Emphasis mine.

I think the point is the developers might have just migrated the code without adjustments since that is how it was implemented before. Similar to how PC game ports sometimes run like shit since they are a close 1-1 of the original which is not always the most optimized or ideal, but the quickest to output.

Been a few days since using electron, but AFAIK electron can’t be used as a wrapper for android apps, or can it? Or is their android app a web app wrapped into a “native” android app too?

Also, since this seems to be an issue since 2018, 6 years should be plenty to rewrite using a native secure storage…

Create a post

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

  • Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
  • Don’t promote proprietary software
  • Try to keep things on topic
  • If you have a question, please try searching for previous discussions, maybe it has already been answered
  • Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
  • Be nice :)

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

  • 0 users online
  • 57 users / day
  • 383 users / week
  • 1.5K users / month
  • 5.7K users / 6 months
  • 1 subscriber
  • 2.97K Posts
  • 74.6K Comments
  • Modlog