this post was submitted on 06 Jul 2024
473 points (94.0% liked)

Privacy

32173 readers
208 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] 9tr6gyp3 14 points 5 months ago* (last edited 5 months ago) (2 children)

If your device is turned on and you are logged in, your data is no longer at rest.

Signal data will be encrypted if your disk is also encrypted.

If your device's storage is not encrypted, and you don't have any type of verified boot process, then thats on you, not Signal.

[–] douglasg14b 6 points 5 months ago* (last edited 5 months ago) (1 children)

That's not how this works.

If the stored data from signal is encrypted and the keys are not protected than that is the security risk that can be mitigated using common tools that every operating system provides.

You're defending signal from a point of ignorance. This is a textbook risk just waiting for a series of latent failures to allow leaks or access to your "private" messages.

There are many ways attackers can dump files without actually having privileged access to write to or read from memory. However, that's a moot point as neither you nor I are capable of enumerating all potential attack vectors and risks. So instead of waiting for a known failure to happen because you are personally "confident" in your level of technological omnipotence, we should instead not be so blatantly arrogant and fill the hole waiting to be used.


Also this is a common problem with framework provided solutions:

https://www.electronjs.org/docs/latest/api/safe-storage

This is such a common problem that it has been abstracted into apis for most major desktop frameworks. And every major operating system provides a key ring like service for this purpose.

Because this is a common hole in your security model.

[–] 9tr6gyp3 -2 points 5 months ago* (last edited 5 months ago) (1 children)

Having Signal fill in gaps for what the OS should be protecting is just going to stretch Signal more than it already does. I would agree that if Signal can properly support that kind of protection on EVERY OS that its built for, go for it. But this should be an OS level protection that can be offered to Signal as an app, not the other way around.

[–] douglasg14b 2 points 5 months ago (1 children)

Having Signal fill in gaps for what the OS should be protecting is just going to stretch Signal more than it already does. I would agree that if Signal can properly support that kind of protection on EVERY OS that its built for, go for it. But this should be an OS level protection that can be offered to Signal as an app, not the other way around.

Damn reading literacy has gone downhill these days.

Please reread my post.

But this should be an OS level protection that can be offered to Signal as an app, not the other way around.

  1. OSs provide keyring features already
  2. The framework signal uses (electron) has a built in API for this EXACT NEED

Cmon, you can do better than this, this is just embarrassing.

[–] 9tr6gyp3 1 points 5 months ago

Why exactly am I re-reading your post? Im in complete agreement with you? Should I not be?

[–] [email protected] 1 points 5 months ago* (last edited 5 months ago) (1 children)

Signal data will be encrypted if your disk is also encrypted.

True.

and you don't have any type of verified boot process

How motherboard refusing to boot from another drive would protect anything?

[–] 9tr6gyp3 1 points 5 months ago (1 children)

Its more about protecting your boot process from malware.

[–] [email protected] 1 points 5 months ago* (last edited 5 months ago) (1 children)

Well, yes. By refusing to boot. It can't prevent booting if motherboard is replaced.

EDIT: s/do anything/prevent booting/

[–] 9tr6gyp3 1 points 5 months ago (1 children)

Thats correct. Thats one of the many perks.

[–] [email protected] 1 points 5 months ago (1 children)

EDIT: s/do anything/prevent booting/

[–] 9tr6gyp3 1 points 5 months ago (1 children)

If the hardware signatures don't match, it wont boot without giving a warning. If the TPM/Secure Enclave is replaced/removed/modified, it will not boot without giving a warning.

[–] [email protected] 1 points 5 months ago* (last edited 5 months ago) (1 children)

If the hardware signatures don't match

Compromised hardware will say it is same hardware

If the TPM/Secure Enclave is replaced/removed/modified, it will not boot without giving a warning.

Compromised hardware controls execution of software. Warning is done in software. Conpromised hardware won't let it happen.

[–] 9tr6gyp3 1 points 5 months ago (1 children)

Compromised hardware doesn't know the signatures. Math.

[–] [email protected] 1 points 5 months ago (1 children)

Compromised hardware can't create new signatures, but it doesn't matter because it controls execution of software and can skip any checks.

[–] 9tr6gyp3 1 points 5 months ago (1 children)

If the hardware is tampered, it will not pass the attestation test, which is an online component. It will fail immediately and you will be alerted. Thats the part of verified boot that makes this so much harder for adversaries. They would have to compromise both systems. The attestation system is going to be heavily guarded.

[–] [email protected] 1 points 5 months ago* (last edited 5 months ago) (1 children)

which is an online component.

So, storing on Signal's server key to decrypt keys. Welcome back to apple-isms and online-only.

It will fail immediately and you will be alerted.

Provided you have some other non-compromised way of communications.

[–] 9tr6gyp3 1 points 5 months ago

Yes, verified boot will have out-of-bands alerts for you by design. Without the online component, you will risk not being able to detect tampering.