Carding Forum
Professional
- Messages
- 2,788
- Reaction score
- 1,176
- Points
- 113
The altercation with Elon Musk was the reason for the change in the security system.
Signal enhances the security of the desktop version of messenger by changing the way encryption keys are stored. This important step was taken after lengthy discussions and criticism that have been going on since 2018.
Problem of 2018
In 2018, it turned out that when installing Signal Desktop for Windows or Mac, an encrypted SQLite database is created to store user messages. The database is encrypted with the generated key without user input. For decryption, the program must have access to the encryption key. In the case of Signal, the key is stored in plain text in the local file "%AppData% \ Signal\config.json "on Windows and" ~ / Library/Application Support/Signal/config. json" on Mac.
However, if Signal can access this key, then any other user or program on the computer can also do so, which makes the encrypted database virtually useless from a security point of view. Researcher Nathaniel Sushi then proposed a solution: encrypt the local database with a password entered by the user, which is not stored anywhere. This approach is used in cloud backup services, browsers, password managers, and crypto wallets.
In 2018, journalists tried to contact Signal about the vulnerability, but received no response. Instead, a Signal support agent on the forum stated that database security is not a company priority.
Drama inX
Almost 6 years after the first report of security issues, in May 2024, Elon Musk made a fuss at X*. Musk posted a tweet about the discovered Signal vulnerabilities, "which are not fixed," which was a response to the City Journal article about Signal management's ties to the US government. The article raised questions about the initial funding of Signal and its possible connection with the US intelligence services.
Although Musk did not specify what vulnerabilities he was talking about, the tweet caused a wave of discussions. Some felt that Musk was trying to support Telegram in their claims of greater security over Signal.
Telegram founder Pavel Durov also did not miss the opportunity to criticize the competitor, saying that Signal leaders are used by the US State Department to change regimes abroad and that major US technology companies cannot create their encryption protocols without government intervention.
In response, Meredith Whittaker emphasized that Signal adheres to the principles of responsible disclosure of information, but at the moment there is no evidence of existing vulnerabilities, and their presence has not been reported. In addition, Whittaker noted that Signal is built in such a way that it is impossible to interfere with its work without consequences.
Increased security
Last week, security researchers from the company Mysk warned against using Signal Desktop due to the same security issue that was reported back in 2018. The researchers illustrated how photos and apps sent via messenger are not stored in a secure or encrypted location, and the encryption key for storing messages is still stored in plain text locally on the system.
Signal President Meredith Whittaker tried to smooth things over, saying that if an attacker already has full access to a user's device, Signal cannot fully protect the data.
Meanwhile, independent developer Tom Plant suggested using Electron's SafeStorage API to improve the security of the Signal data warehouse against offline attacks. The SafeStorage Electron API provides methods for more secure storage of the encryption key for data stored locally on the device. For example, on a Mac, the encryption key will be stored in a keychain, and on Linux, the secret storage of the window manager will be used, such as kwallet and gnome-libsecret.
However, for Windows, the SafeStorage API uses the DPAPI feature, which only protects the encryption key from other users on the same device. In other words, any program or malware running under the same account can theoretically gain access to the data.
Last week, a Signal representative revealed that the company has implemented support for SafeStorage Electron, which will be available in the upcoming beta. Signal has also implemented a rollback mechanism that allows the program to decrypt the database using the old encryption key, which will help minimize data loss if errors related to the key store are detected during migration and deployment.
The outdated key will be removed after testing the new feature. While it's nice to see additional security measures being implemented, many are disappointed that this only happened after the social media hype.
Source
Signal enhances the security of the desktop version of messenger by changing the way encryption keys are stored. This important step was taken after lengthy discussions and criticism that have been going on since 2018.
Problem of 2018
In 2018, it turned out that when installing Signal Desktop for Windows or Mac, an encrypted SQLite database is created to store user messages. The database is encrypted with the generated key without user input. For decryption, the program must have access to the encryption key. In the case of Signal, the key is stored in plain text in the local file "%AppData% \ Signal\config.json "on Windows and" ~ / Library/Application Support/Signal/config. json" on Mac.
However, if Signal can access this key, then any other user or program on the computer can also do so, which makes the encrypted database virtually useless from a security point of view. Researcher Nathaniel Sushi then proposed a solution: encrypt the local database with a password entered by the user, which is not stored anywhere. This approach is used in cloud backup services, browsers, password managers, and crypto wallets.
In 2018, journalists tried to contact Signal about the vulnerability, but received no response. Instead, a Signal support agent on the forum stated that database security is not a company priority.
Drama inX
Almost 6 years after the first report of security issues, in May 2024, Elon Musk made a fuss at X*. Musk posted a tweet about the discovered Signal vulnerabilities, "which are not fixed," which was a response to the City Journal article about Signal management's ties to the US government. The article raised questions about the initial funding of Signal and its possible connection with the US intelligence services.
Although Musk did not specify what vulnerabilities he was talking about, the tweet caused a wave of discussions. Some felt that Musk was trying to support Telegram in their claims of greater security over Signal.
Telegram founder Pavel Durov also did not miss the opportunity to criticize the competitor, saying that Signal leaders are used by the US State Department to change regimes abroad and that major US technology companies cannot create their encryption protocols without government intervention.
In response, Meredith Whittaker emphasized that Signal adheres to the principles of responsible disclosure of information, but at the moment there is no evidence of existing vulnerabilities, and their presence has not been reported. In addition, Whittaker noted that Signal is built in such a way that it is impossible to interfere with its work without consequences.
Increased security
Last week, security researchers from the company Mysk warned against using Signal Desktop due to the same security issue that was reported back in 2018. The researchers illustrated how photos and apps sent via messenger are not stored in a secure or encrypted location, and the encryption key for storing messages is still stored in plain text locally on the system.
Signal President Meredith Whittaker tried to smooth things over, saying that if an attacker already has full access to a user's device, Signal cannot fully protect the data.
Meanwhile, independent developer Tom Plant suggested using Electron's SafeStorage API to improve the security of the Signal data warehouse against offline attacks. The SafeStorage Electron API provides methods for more secure storage of the encryption key for data stored locally on the device. For example, on a Mac, the encryption key will be stored in a keychain, and on Linux, the secret storage of the window manager will be used, such as kwallet and gnome-libsecret.
However, for Windows, the SafeStorage API uses the DPAPI feature, which only protects the encryption key from other users on the same device. In other words, any program or malware running under the same account can theoretically gain access to the data.
Last week, a Signal representative revealed that the company has implemented support for SafeStorage Electron, which will be available in the upcoming beta. Signal has also implemented a rollback mechanism that allows the program to decrypt the database using the old encryption key, which will help minimize data loss if errors related to the key store are detected during migration and deployment.
The outdated key will be removed after testing the new feature. While it's nice to see additional security measures being implemented, many are disappointed that this only happened after the social media hype.
Source
