Signal under fire for storing encryption keys in plaintext on desktop app

E2EE is not supposed to protect if device get compromised.

One could argue that Windows is compromised right out of the box.
- Source:
Intrinsically/semantically no but the expectation is that the texts are encrypted at rest and the keys are password and/or tpm+biometric protected. That's just how this works at this point. Also that's the government standard for literally everything from handheld devices to satellites (yes, actually).

At this point one of the most likely threat vectors is someone just taking your shit. Things like border crossings, rubber stamped search warrants, cops raid your house because your roommate pissed them off, protests, needing to go home from work near a protest, on and on.
- If your device is turned on and you are logged in, your data is no longer at rest.
  
  Signal data will be encrypted if your disk is also encrypted.
  
  If your device's storage is not encrypted, and you don't have any type of verified boot process, then thats on you, not Signal.
- TPM isn't all that reliable. You will have people upgrading their pc, or windows update updating their bios, or any number of other reasons reset their tpm keys, and currently nothing will happen. In effect people would see Signal completely break and loose all their data, often seemingly for no reason.
  
  Talking to windows or through it to the TPM also seems sketchy.
  
  In the current state of Windows, the sensible choice is to leave hardware-based encryption to the OS in the form of disk encryption, unfortunate as it is. The great number of people who loose data or have to recover their backup disk encryption key from their Microsoft account tells how easily that system is disturbed (And that Microsoft has the decryption keys for your encrypted date).
Mfw end to end can be compromised at the end.

That said, they should fix this anyway
Indeed, End-to-End Encryption protects data between those ends, not ends themselves. If ends are compromised, no math will help you.
Plaintext should never be used in any application that deals with security, ever.
- Oh no, tell that to SSH.
- It doesn't use plain text. It is end to end encrypted but that isn't what this "issue" is
- unless you're reading ciphertext yourself, this doesn't make sense

How in the fuck are people actually defending signal for this, and with stupid arguments such as windows is compromised out of the box?

You. Don't. Store. Secrets. In. Plaintext.

There is no circumstance where an app should store its secrets in plaintext, and there is no secret which should be stored in plaintext. Especially since this is not some random dudes random project, but a messenger claiming to be secure.

Edit: "If you got malware then this is a problem anyway and not only for signal" - no, because if secure means to store secrets are used, than they are encrypted or not easily accessible to the malware, and require way more resources to obtain. In this case, someone would only need to start a process on your machine. No further exploits, no malicious signatures, no privilege escalations.

"you need device access to exploit this" - There is no exploiting, just reading a file.

You. Don't. Store. Secrets. In. Plaintext.

SSH stores the secret keys in plaintext too. In a home dir accessible only by the owning user.

I won't speak about Windows but on Linux and other Unix systems the presumption is that if your home dir is compromised you're fucked anyway. Effort should be spent on actually protecting access to the home personal files not on security theater.
- Kinda expected the SSH key argument. The difference is the average user group.
  
  The average dude with a SSH key that's used for more than their RPi knows a bit about security, encryption and opsec. They would have a passphrase and/or hardening mechanisms for their system and network in place. They know their risks and potential attack vectors.
  
  The average dude who downloads a desktop app for a messenger that advertises to be secure and E2EE encrypted probably won't assume that any process might just wire tap their whole "encrypted" communications.
  
  Let's not forget that the threat model has changed by a lot in the last years, and a lot of effort went into providing additional security measures and best practices. Using a secure credential store, additional encryption and not storing plaintext secrets are a few simple ones of those. And sure, on Linux the SSH key is still a plaintext file. But it's a deliberate decision of you to keep it as plaintext. You can at least encrypt with a passphrase. You can use the actual working file permission model of Linux and SSH will refuse to use your key with loose permissions. You would do the same on Windows and Mac and use a credential store and an agent to securely store and use your keys.
  
  Just because your SSH key is a plaintext file and the presumption of a secure home dir, you still wouldn't do a ~/passwords.txt.
- Not true, SSH keys need their passphrase to be used. If you don't set one, that's on you.
- SSH has encrypted keys
If someone has access to your machine you are screwed anyway. You need to store the encryption key somewhere
- Yes, in your head, and in your second factor, if possible, keeping derived secrets always encrypted at rest, decrypting at the latest possible moment and not storing (decrypted) secrets in-memory for longer than absolutely necessary at use.
How in the fuck are people actually defending signal for this

Probably because Android (at least) already uses file-based encryption, and the files stored by apps are not readable by other apps anyways.

And if people had to type in a password every time they started the app, they just wouldn't use it.
- Popular encrypted messaging app Signal is facing criticism over a security issue in its desktop application.
  
  Emphasis mine.
- AFAIK Android encrypts entire fs with one key. And ACL is not encryption.
You. Don't. Store. Secrets. In. Plaintext.

Ok. Enter password at every launch.
All your session cookies are stored in plaintext.
- Chrome cookies are encrypted, for exactly the reasons stated. If malware gains access to your system and compromises it in a way that DPAPI calls can be replicated in the way Chrome does it, then your sessions will also be compromised. But this is way harder to do, and at least prevents trivial data exfiltration.

Sure, I was aware. You have the same problem with ssh keys, gpg keys and many other things

However, you can save encrypted ssh, gpg keys and save that encryption key in the OS keyring.
- Yes, but you STILL need to enter password on every reboot.
- Is it possible to seamlessly integrate, so when something requests those keys you'll get a prompt?

The backlash is extremely idiotic. The only two options are to store it in plaintext or to have the user enter the decryption key every time they open it. They opted for the more user-friendly option, and that is perfectly okay.

If you are worried about an outsider extracting it from your computer, then just use full disk encryption. If you are worried about malware, they can just keylog you when you enter the decryption key anyways.

The third option is to use the native secret vault. MacOS has its Keychain, Windows has DPAPI, Linux has has non-standardized options available depending on your distro and setup.

Full disk encryption does not help you against data exfil, it only helps if an attacker gains physical access to your drive without your decryption key (e.g. stolen device or attempt to access it without your presence).

Even assuming that your device is compromised by an attacker, using safer storage mechanisms at least gives you time to react to the attack.
- Linux has the secret service API that has been a freedesktop.org standard for 15 years.
The alternative is safeStorage, which uses the operating system's credential management facility if available. On Mac OS and sometimes Linux, this means another process running in the user's account is prevented from accessing it. Windows doesn't have a protection against that, but all three systems do protect the credentials if someone copies data offline.

Signal should change this, but it isn't a major security flaw. If an attacker can copy your home directory or run arbitrary code on your device, you're already in big trouble.
A better thing to be worried about IMO is that Signal contains proprietary code. Also to my knowledge nobody is publicly verifying the supposed "reproducible builds" if they even still exist.

That applies to pretty much all desktop apps, your browser profile can be copied to get access to all your already logged in cookie sessions for example.

IIRC this is how those Elon musk crypto livestream hacks worked on YouTube back in the day, I think the bad actors got a hold of cached session tokens and gave themselves access to whatever account they were targeting. Linus Tech Tips had a good bit in a WAN show episode
And there are ways to mitigate this attack (essentially the same as a AiTM or pass-the-cookie attacks, so look those up). Thus rendering your argument invalid.

Just because "something else might be insecure", doesn't in any way imply "everything else should also be insecure as well".
- It is the same concept. Once your machine is pwded you are screwed

While it would certainly be nice to see this addressed, I don't recall Signal ever claiming their desktop app provided encryption at rest. I would also think that anyone worried about that level of privacy would be using disappearing messages and/or regularly wiping their history.

That said, this is just one of the many reasons why whole disk encryption should be the default for all mainstream operating systems today, and why per-app permissions and storage are increasingly important too.

Full disk encryption doesn't help with this threat model at all. A rogue program running on the same machine can still access all the files.
- It does help greatly in general though, because all of your data will be encrypted when the device is at rest. Theft and B&Es will no longer present a risk to your privacy.
  
  Per-app permissions address this specific threat model directly. Containerized apps, such as those provided by Flatpak can ensure that apps remain sandboxed and unable to access data without explicit authorization.
Exactly.

I'll admit to being lazy and not enabling encryption on my Windows laptops. But if I deployed something for someone, it would be encrypted.
I don’t recall Signal ever claiming their desktop app provided encryption at rest.

I'm not sure if they've claimed that, but it does that using SQLCipher.
Does encrypting your disks change something for the end user in day to day usage? I'm honest, I've never used encrypted disks in my life.
- Whole disk encryption wouldn't change your daily usage, no. It just means that when you boot your PC you have to enter your passphrase. And if your device becomes unbootable for whatever reason, and you want to access your drive, you'll just have to decrypt it first to be able to read it/write to it, e.g. if you want to rescue files from a bricked computer. But there's no reason not to encrypt your drive. I can't think of any downsides.
- It's transparent for end user basically, but protects the laptop at least when outside and if someone steals the computer. As long as it was properly shutdown.
- It depends on how you set it up. I think the default in some cases (like Windows Bitlocker) is to store the key in TPM, so everything becomes transparent to the user at that point, although many disagree with this method for privacy/security reasons.
  
  The other method is to provide a password or keyfile during bootup, which does change something for the end user somewhat.
- No, the average user will never know the difference. I couldn't tell you exactly what the current performance impact is for hardware encryption, but it's likely around 1-4% depending on the platform (I use LUKS under Linux).
  
  For gamers, it's likely a 1-5 FPS loss, depending on your hardware, which is negligible in my experience. I play mostly first and third person shooter-style games at 1440p/120hz, targeting 60-90 FPS, and there's no noticeable impact (Ryzen 5600 / RX 6800XT).

Ah yes, another prime example that demonstrates that Lemmy is no different than Reddit. Everyone thinks they are a professional online.

Nothing sensitive should ever lack encryption especially in the hands of a third party company managing your data claiming you are safe and your privacy is protected.

No one is invincible and it's okay to criticize the apps we hold to high regards. If your are pissed people are shitting on Signal you should be pissed Signal gave people a reason to shit on them.

Where are you going to store the encryption key? At the end of the day the local machine is effectively pwded anyway
If your device gets compromised, it's no longer the company's problem.
lack encryption especially in the hands of a third party company managing your data

Are we still talking about local-only keys?
I presume keys are already sort of encrypted?
- Nope. Your presumption is wrong.

Why is Signal almost universally defended whenever another security flaw is discovered? They're not secure, they don't address security issues, and their business model is unsustainable in the long term.

But, but, if you have malware "you have bigger problems". But, but, an attacker would have to have "physical access" to exploit this. Wow, such bullshit. Do some of you people really understand what you're posting?

But, but, "windows is compromised right out of the box". Yes...and?

But, but, "Signal doesn't claim to be secure". Fuck off, yes they do.

But, but, "just use disk encryption". Just...no...WTF?

Anybody using Signal for secure messaging is misguided. Any on of your recipients could be using the desktop app and there's no way to know unless they tell you. On top of that, all messages filter through Signal's servers, adding a single-point-of-failure to everything. Take away the servers, no more Signal.

If someone can read my Signal keys on my desktop, they can also:

Replace my Signal app with a maliciously modified version

Install a program that sends the contents of my desktop notifications (likely including Signal messages) somewhere

Install a keylogger

Run a program that captures screenshots when certain conditions are met

[a long list of other malware things]

Signal should change this because it would add a little friction to a certain type of attack, but a messaging app designed for ease of use and mainstream acceptance cannot provide a lot of protection against an attacker who has already gained the ability to run arbitrary code on your user account.
- Not necessarily.
  
  https://en.m.wikipedia.org/wiki/Swiss_cheese_model
  
  If you read anything, at least read this link to self correct.
  
  This is a common area where non-security professionals out themselves as not actually being such: The broken/fallacy reasoning about security risk management. Generally the same "Dismissive security by way of ignorance" premises.
  
  It's fundamentally the same as "safety" (Think OSHA and CSB) The same thought processes, the same risk models, the same risk factors....etc
  
  And similarly the same negligence towards filling in holes in your "swiss cheese model".
  
  "Oh that can't happen because that would mean x,y,z would have to happen and those are even worse"
  
  "Oh that's not possible because A happening means C would have to happen first, so we don't need to consider this is a risk"
  
  ....etc
  
  The same logic you're using is the same logic that the industry has decades of evidence showing how wrong it is.
  
  Decades of evidence indicating that you are wrong, you know infinitely less than you think you do, and you most definitely are not capable of exhaustively enumerating all influencing factors. No one is. It's beyond arrogant for anyone to think that they could 🤦🤦 🤦
  
  Thus, most risks are considered valid risks (this doesn't necessarily mean they are all mitigatable though). Each risk is a hole in your model. And each hole is in itself at a unique risk of lining up with other holes, and developing into an actual safety or security incident.
  
  In this case
  
  signal was alerted to this over 6 years ago
  
  the framework they use for the desktop app already has built-in features for this problem.
  
  this is a common problem with common solutions that are industry-wide.
  
  someone has already made a pull request to enable the electron safe storage API. And signal has ignored it.
  
  Thus this is just straight up negligence on their part.
  
  There's not really much in the way of good excuses here. We're talking about a run of the mill problem that has baked in solutions in most major frameworks including the one signal uses.
  
  https://www.electronjs.org/docs/latest/api/safe-storage
- Those are outside Signal's scope and depend entirely on your OS and your (or your sysadmin's) security practices (eg. I'm almost sure in linux you need extra privileges for those things on top of just read access to the user's home directory).
  
  The point is, why didn't the Signal devs code it the proper way and obtain the credentials every time (interactively from the user or automatically via the OS password manager) instead of just storing them in plain text?
- (for Android) https://molly.im/ restores the encryption to this file and adds other useful things
98% of desktop apps (at least on Windows and Linux) are already broken by design anyways. Any one app can spy on and keylog all other apps, all your home folder data, everything. And anyone can write a desktop app, so only using solutions that (currently) don't have a desktop app version, seems silly to me.
- I don’t think apps can read keystrokes for other apps on Wayland.
- Linux has a sandbox solution growing in popularity, flatpak.
Now replace "signal" in your comment with "ssh" and think it over.
Whats the next best alternative?
- Meeting in person.
- That depends on your threat model. What are you worried about?
- Matrix or xmpp, bonus points with a personal server
  
  Thanks to interest of late, the conversations and gajim apps have come a long way in recent years, and matrix has made good strides too with element-x
- (for Android) https://molly.im/
I hope you are joking
Basically for the same reason people often defend apple: the user interface is shiny, and they claim to be privacy oriented.

Signal is a centralized US hosted service, that alone should be enough to disqualify it, outside of our many other criticisms.
But, but, "just use disk encryption". Just...no...WTF?

So not encrypting keys is bad, but actually encrypting them is bad too? Ok.

Any on of your recipients could be using the desktop app and there's no way to know unless they tell you.

Another applefan? How it THIS supposed to be in scope of E2EE? Moreover, how having a way to know if recepient is using desktop app is not opposite of privacy?

On top of that, all messages filter through Signal's servers, adding a single-point-of-failure to everything. Take away the servers, no more Signal.

Indeed. This is why I use Matrix. Also, fuck showing phone numbers to everyone(I heard they did something about it) and registration with phone numbers.
- Any "secure" so that relies on someone else for security is not secure.
  
  Fuck the scope of E2EE. Signal makes a lot of claims on their website that are laughable. The desktop app is their main weakness. Attachments are stored unencrypted, keys in plaintext. If they were serious about security, they would depricate the windows app and block it from their servers.
  
  WTF does Apple have to do with anything?
What app stops a pre install keylogger. I'm all for hearing criticism of Signal but it's always about things they can't control.
- They can't control if the encryption keys are stored in plaintext?

The real problem is that the security model for apps on mobile is much better than that for apps on desktop. Desktop apps should all have private storage that no other non-root app can access. And while we're at it, they should have to ask permission before activating the mic or camera.

macOS has nailed it*, even though it’s still not as good as iOS or Android, but leagues and bounds better than Windows and especially Linux.

ETC: *sandboxing/permission system
- What's wrong with the Flatpak permissions system on Linux?
- What does Windows do? Genuine question, I've not used it since the 7 days. Regarding Linux, that's true for stuff installed through regular package managers and whatnot, but Flatpak is pushing a more sandboxed and permission oriented system, akin to Android.
Firejail and bwrap. Flatpaks. There are already ways to do this, but I only know of one distro that separates apps by default like Android does (separate user per app), which is the brand new "EasyOS".
They do sort of with Flatpak

Whatever its stores and however it stores it doesn't matter to me: I moved its storage space to my ~/.Private encrypted directory. Same thing for my browser: I don't use a master password or rely on its encryption because I set it up so it too saves my profile in the ~/.Private directory.

See here for more information. You can essentially secure any data saved by any app with eCryptfs - at least when you're logged out.

Linux-only of course. In Windows... well, Windows.

Or ext4 encrytion. Which is overpowered. You can have different keys for different files and directories.

I have three things to say:

Everyone, please make sure you've set up sound disk encryption
That's not a suprise (for me at least)
It's not much different on mobile (db is unecrypted) - check out molly (signal fork) if you want to encrypt it. However encrypted db means no messages until you decrypt it.

Bruh windows and linux have a secrets vault (cred manager and keyring respectively, iirc) for this exact purpose.

Even Discord uses it on both OSs no problem

This just in: threat actors compromising your devices is bad. More at 11.

Obviously the keys could be stored more securely, but if you’ve got malware on your machine that can exploit this you’ve already got bigger problems.
- That's not how this works.
  
  This sort of "dismissive security through ignorance" is how we get so many damn security breaches these days.
  
  I see this every day with software engineers, a group that you would think would be above the bar on security. Unfortunately a little bit of knowledge results in a mountain of confidence (see Dunning Kruger effect). They are just confident in bad choices instead.
  
  "We don't need to use encryption at rest because if the database is compromised we have bigger problems" really did a lot to protect the last few thousand companies from preventable data exfiltration that was in fact the largest problem they had.
  
  Turns out that having read access to the underlying storage for the database doesn't necessarily mean that the database and all of your internal systems are more compromised. It just means that the decision makers were making poor decisions based on a lack of risk modeling knowledge.
  
  That said the real question I have for you here is:
  
  Are you confident in your omniscience in that you can enumerate all risks and attack factors that can result in data being exfiltrated from a device?
  
  If not, then why comment as if you are?

This shows an incredibly cavalier approach to security on the part of the team working on signal.

Moxie would be spinning in his grave if he weren't still working there...
- Moxie tried to put a crypto-coin into signal. He is not to be trusted in the slightest.

They could just add a password

Wire does this too :/

What is Wire?
- A different encrypted messaging service. Decent, but hasn't taken off despite using email for accounts rather than phone bonkers numbers
Don't use Wire as it isn't good for privacy or security
- Don't use signal as its not good for anonymity

Couldn't they set up a 2fa, where it sends a notification to your mobile Signal (since you must have that anyway, to use desktop)? If you want to decrypt your Desktop Signal, you need to allow it on your Mobile Signal.

Alternative headline: Someone has a feature request for Signal which would be of interest to a few people with very specific security needs.

You mean the types of people who would use signal to communicate with others?
It's not a bad feature to ensure that eg if there's a malicious process running on your computer it can't send all your signal data to whomever
- Needing to enter a secure passphrase each time you want to use signal in exchange for one more fragile layer of defence for that one part of your data in a scenario that would normally mean you've already lost unless you're running a super-secure compartmentalized operating system like qubes or something is probably not worth it for most people.

Does anyone know how iMessage handles this on desktop (on Macs) as they (as far as I know) upgraded their encryption recently?

It’s handled through keyring I think.

dawg what the shitfuck

Can we please all just acknowledge that desktop operating systems absolutely suck (in regards to security)?

This is what flatpak brings to the table
How is a Desktop OS any different from a mobile one? This is where you need to be more specific.
- There are too many differences for me to list here, but unlike mobile operating systems, Windows and most Linux desktops do not provide sandboxed environments for userspace apps by default. Apps generally have free reign over the whole system; reading/writing data from/to other apps without restriction or notification. There are virtually no safeguards against malicious actors.
  
  Mobile operating systems significantly restrict system-level storage space, making key areas read-only to prevent data access or manipulation. They also protect app storage, so one app can't arbitrarily access or modify data stored for a different app.
  
  Mobile operating systems also follow an image-based update model, wherein updates are atomic. System software updates are generally applied successfully all at once or not at all, helping to ensure your phone is never left in a partial or unusable state after a system update.
  
  For desktop users, macOS, and atomic Linux distros combined with Flatpak are the closest comparisons.

So many better standards like XMPP and IRC yet people use Signal and Telegram. I hate marketing.

Signal is an objectively better experience than xmpp, and has about identical security (same with matrix). Irc isn't secure afaik. Telegram isn't secure afaik.

A better wish would be that people in 2024 would stop being fuckign weird about their cell number. Some people don't want to give it out despite white pages being the standard for years (and how the Terminator knows who to kill). Other people refuse to use a messaging app where they can't use their phone to sign up. Some people want to sign up with their number but not give it out.

Signal has so many red flags that I'm beginning to wonder if it is a honeypot.

What other red flags do you have in mind?
- Signal is actively hostile to alternative clients, or decoupling from Google.
- Back when the Signal org used to be called Open Whisper Systems it received grants and auditing from the Open Technology Fund which, at the time, was still a part of Radio Free Asia.
  
  https://web.archive.org/web/20150521181458/https://www.opentechfund.org/project/open-whisper-systems
Got some sources for that, chief?

You are telling me this has been going on for almost a decade now, and no one ever noticed ?

So we trust open source apps under the premise that if malicious code gets added to the code, at least one person will notice ? Here it shows that years pass before anyone notices and millions of people's communications could have been compromised by the world's most trusted messaging app.

I don't know which app to trust after this, if any?

Everyone knew that already tbh
Why is this a shock? Someone would need to have already compromised your device. Even if it was encrypted with a password they still could install a key logger
- It is easier to compromise a device than to try and compromise encrypted communications.
Matrix. You can host any version you want, and when you have to update, just do a version diff between you current and latest versions and check yourself.