this post was submitted on 06 Jul 2024
483 points (94.5% liked)

Privacy

32482 readers
290 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 58 points 5 months ago* (last edited 5 months ago) (3 children)

The backlash is extremely idiotic. The only two options are to store it in plaintext or to have the user enter the decryption key every time they open it. They opted for the more user-friendly option, and that is perfectly okay.

If you are worried about an outsider extracting it from your computer, then just use full disk encryption. If you are worried about malware, they can just keylog you when you enter the decryption key anyways.

[–] [email protected] 14 points 5 months ago (1 children)

The third option is to use the native secret vault. MacOS has its Keychain, Windows has DPAPI, Linux has has non-standardized options available depending on your distro and setup.

Full disk encryption does not help you against data exfil, it only helps if an attacker gains physical access to your drive without your decryption key (e.g. stolen device or attempt to access it without your presence).

Even assuming that your device is compromised by an attacker, using safer storage mechanisms at least gives you time to react to the attack.

[–] [email protected] 9 points 5 months ago (1 children)

Linux has the secret service API that has been a freedesktop.org standard for 15 years.

[–] [email protected] 2 points 5 months ago

Secret service API. Damn. That's how FSB knows what it knows.

[–] [email protected] 8 points 5 months ago

The alternative is safeStorage, which uses the operating system's credential management facility if available. On Mac OS and sometimes Linux, this means another process running in the user's account is prevented from accessing it. Windows doesn't have a protection against that, but all three systems do protect the credentials if someone copies data offline.

Signal should change this, but it isn't a major security flaw. If an attacker can copy your home directory or run arbitrary code on your device, you're already in big trouble.

[–] [email protected] 2 points 5 months ago

A better thing to be worried about IMO is that Signal contains proprietary code. Also to my knowledge nobody is publicly verifying the supposed "reproducible builds" if they even still exist.