Privacy

30753 readers

933 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

Chat rooms

[Matrix/Element]Dead
Discord

much thanks to @gary_host_laptop for the logo design :)

founded 4 years ago

MODERATORS

[email protected]

474

Signal under fire for storing encryption keys in plaintext on desktop app (stackdiary.com)

submitted 1 month ago by [email protected] to c/[email protected]

258 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 11 points 1 month ago (2 children)

There is just no excuse for not even salting or SOMETHING to keep the secrets out of plaintext. The reason you don't store in plaintext is because it can lead to even incidental collection. Say you have some software, perhaps spyware, perhaps it's made by a major corporation so doesn't get called that and it crawls around and happens to upload a copy of a full or portion of the file containing this info, now it's been uploaded and compromised potentially not even by a malicious actor successfully gaining access to a machine but by poor practices.

No it can't stop a sophisticated malware specifically targeting Signal to steal credentials and gain access but it does mean casual malware that hasn't taken the time out to write a module to do that is out of luck and increases the burden on attackers. No it won't stop the NSA but it's still something that it stops someone's 17 year old niece who knows a little bit about computers but is no malware author from gaining access to your signal messages and account because she could watch a youtube video and follow along with simple tools.

The claims Signal is an op or the runner is under a national security letter order to compromise it look more and more plausible in light of weird bad basic practices like this and their general hostility. I'll still use it and it's far from the worst looking thing out there but there's something unshakably weird about the lead dev, their behavior and practices that can't be written off as being merely a bit quirky.

[–] [email protected] 10 points 1 month ago (2 children)

To encrypt it you would need to store a encryption key

[–] [email protected] 6 points 1 month ago

It's plaintext all the way down.

[–] [email protected] 3 points 1 month ago

The irony

[–] [email protected] 1 points 1 month ago (1 children)

for not even salting

Wrong secret

[–] [email protected] 1 points 1 month ago (1 children)

I mean combined with any kind of function, even a trivial kind. A salt derived from some machine state data (a random install id generated on install, a hash of computer name, etc) plus a rot13 or something would still be better than leaving it plaintext.

[–] [email protected] 1 points 1 month ago

Malware has access to it.

If fs is not encrypted, then malicious hardware(FSB agent's laptop) also has access to it. If encrypted, then it we are back to statement many people told here about encrypting fs.

plus a rot13

That's not salting.