• x1gma@lemmy.world
    link
    fedilink
    arrow-up
    99
    arrow-down
    19
    ·
    edit-2
    6 months ago

    How in the fuck are people actually defending signal for this, and with stupid arguments such as windows is compromised out of the box?

    You. Don’t. Store. Secrets. In. Plaintext.

    There is no circumstance where an app should store its secrets in plaintext, and there is no secret which should be stored in plaintext. Especially since this is not some random dudes random project, but a messenger claiming to be secure.

    Edit: “If you got malware then this is a problem anyway and not only for signal” - no, because if secure means to store secrets are used, than they are encrypted or not easily accessible to the malware, and require way more resources to obtain. In this case, someone would only need to start a process on your machine. No further exploits, no malicious signatures, no privilege escalations.

    “you need device access to exploit this” - There is no exploiting, just reading a file.

    • Possibly linux@lemmy.zip
      link
      fedilink
      English
      arrow-up
      15
      ·
      6 months ago

      If someone has access to your machine you are screwed anyway. You need to store the encryption key somewhere

      • x1gma@lemmy.world
        link
        fedilink
        arrow-up
        3
        arrow-down
        4
        ·
        edit-2
        6 months ago

        Yes, in your head, and in your second factor, if possible, keeping derived secrets always encrypted at rest, decrypting at the latest possible moment and not storing (decrypted) secrets in-memory for longer than absolutely necessary at use.

    • refalo@programming.dev
      link
      fedilink
      arrow-up
      20
      arrow-down
      6
      ·
      edit-2
      6 months ago

      How in the fuck are people actually defending signal for this

      Probably because Android (at least) already uses file-based encryption, and the files stored by apps are not readable by other apps anyways.

      And if people had to type in a password every time they started the app, they just wouldn’t use it.

      • Liz
        link
        fedilink
        English
        arrow-up
        21
        arrow-down
        3
        ·
        6 months ago

        Popular encrypted messaging app Signal is facing criticism over a security issue in its desktop application.

        Emphasis mine.

        • ChapulinColorado@lemmy.world
          link
          fedilink
          arrow-up
          15
          arrow-down
          2
          ·
          6 months ago

          I think the point is the developers might have just migrated the code without adjustments since that is how it was implemented before. Similar to how PC game ports sometimes run like shit since they are a close 1-1 of the original which is not always the most optimized or ideal, but the quickest to output.

          • x1gma@lemmy.world
            link
            fedilink
            arrow-up
            6
            ·
            6 months ago

            Been a few days since using electron, but AFAIK electron can’t be used as a wrapper for android apps, or can it? Or is their android app a web app wrapped into a “native” android app too?

            Also, since this seems to be an issue since 2018, 6 years should be plenty to rewrite using a native secure storage…

      • uis@lemm.ee
        link
        fedilink
        arrow-up
        1
        ·
        6 months ago

        AFAIK Android encrypts entire fs with one key. And ACL is not encryption.

    • uis@lemm.ee
      link
      fedilink
      arrow-up
      7
      arrow-down
      1
      ·
      6 months ago

      You. Don’t. Store. Secrets. In. Plaintext.

      Ok. Enter password at every launch.

      • x1gma@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        5 months ago

        Chrome cookies are encrypted, for exactly the reasons stated. If malware gains access to your system and compromises it in a way that DPAPI calls can be replicated in the way Chrome does it, then your sessions will also be compromised. But this is way harder to do, and at least prevents trivial data exfiltration.