483
submitted 3 months ago by ForgottenFlux@lemmy.world to c/privacy@lemmy.ml
[-] Majestic@lemmy.ml 14 points 3 months ago

There is just no excuse for not even salting or SOMETHING to keep the secrets out of plaintext. The reason you don't store in plaintext is because it can lead to even incidental collection. Say you have some software, perhaps spyware, perhaps it's made by a major corporation so it doesn't get called that, and it crawls around and happens to upload a copy of all or a portion of the file containing this info; now it's been uploaded and compromised, potentially not even by a malicious actor successfully gaining access to a machine but by poor practices.

No, it can't stop sophisticated malware specifically targeting Signal to steal credentials and gain access, but it does mean casual malware that hasn't taken the time out to write a module to do that is out of luck, and it increases the burden on attackers. No, it won't stop the NSA, but it's still something that stops someone's 17-year-old niece, who knows a little bit about computers but is no malware author, from gaining access to your Signal messages and account because she could watch a YouTube video and follow along with simple tools.

The claims that Signal is an op or that the runner is under a national security letter order to compromise it look more and more plausible in light of weird, bad basic practices like this and their general hostility. I'll still use it, and it's far from the worst-looking thing out there, but there's something unshakably weird about the lead dev, their behavior and practices that can't be written off as being merely a bit quirky.

[-] possiblylinux127@lemmy.zip 10 points 3 months ago

To encrypt it you would need to store an encryption key

[-] rmuk@feddit.uk 6 points 3 months ago

It's plaintext all the way down.

[-] Kajika@lemmy.ml 3 points 3 months ago
[-] uis@lemm.ee 1 points 3 months ago

for not even salting

Wrong secret

[-] Majestic@lemmy.ml 1 points 3 months ago

I mean combined with any kind of function, even a trivial kind. A salt derived from some machine state data (a random install id generated on install, a hash of the computer name, etc.) plus a rot13 or something would still be better than leaving it plaintext.

[-] uis@lemm.ee 1 points 3 months ago

Malware has access to it.

If the fs is not encrypted, then malicious hardware (an FSB agent's laptop) also has access to it. If encrypted, then we are back to the statement many people made here about encrypting the fs.

plus a rot13

That's not salting.

this post was submitted on 06 Jul 2024
483 points (94.5% liked)
