this post was submitted on 06 Jul 2024
483 points (94.5% liked)

Privacy

31991 readers
636 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 35 points 4 months ago (11 children)

If someone can read my Signal keys on my desktop, they can also:

  • Replace my Signal app with a maliciously modified version
  • Install a program that sends the contents of my desktop notifications (likely including Signal messages) somewhere
  • Install a keylogger
  • Run a program that captures screenshots when certain conditions are met
  • [a long list of other malware things]

Signal should change this because it would add a little friction to a certain type of attack, but a messaging app designed for ease of use and mainstream acceptance cannot provide a lot of protection against an attacker who has already gained the ability to run arbitrary code on your user account.

[–] [email protected] 14 points 4 months ago* (last edited 4 months ago) (6 children)

Those are outside Signal's scope and depend entirely on your OS and your (or your sysadmin's) security practices (eg. I'm almost sure in linux you need extra privileges for those things on top of just read access to the user's home directory).

The point is, why didn't the Signal devs code it the proper way and obtain the credentials every time (interactively from the user or automatically via the OS password manager) instead of just storing them in plain text?

[–] [email protected] -3 points 4 months ago (2 children)

Feel free to submit a pull request. We could use your help.

[–] [email protected] 1 points 4 months ago (1 children)

I don't see the reasoning in your answer (I do see its passive-aggressiveness, but chose to ignore it).

I asked "why?"; does your reply mean "because lack of manpower", "because lack of skill" or something else entirely?

In case you are new to the FOSS world, that being "open source" doesn't mean that something cannot be criticized or that people without the skill (or time!) to submit PRs must shut the fu*k up.

[–] [email protected] 2 points 4 months ago
load more comments (3 replies)
load more comments (7 replies)