Signal users rejoice! Desktop app gets long-awaited security fix
Signal, a privacy-centric messaging app, has announced plans to bolster the security of its desktop client by changing how it stores the encryption keys for local data, which are currently kept in plain text. The decision comes in response to public criticism and follows years of downplaying the issue since it was first reported in 2018. The company's desktop version for Windows or Mac stores user messages in an encrypted SQLite database, and that database is encrypted with a key the program generates without user input.
Encryption key vulnerability sparks concern
The encryption key is stored as plain text in a local file, so it is accessible to any user or program running on the computer. That accessibility compromises the security of the encrypted database. Nathaniel Suchy, who discovered this flaw, proposed encrypting the local database with a password that the user supplies and that is never stored anywhere. This method mirrors practices used by web browsers, cloud backup software, password managers, and cryptocurrency wallets.
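A minimal sketch of the password-based approach described above, written for Node.js as an added example; it is not Signal's code or Suchy's. The function names, the scrypt parameters and the choice of scrypt with AES-256-GCM are assumptions made for illustration. Only the salt, nonce, tag and wrapped key are written to disk, so reading the file no longer yields the database key.

```javascript
const crypto = require('node:crypto');

// scrypt cost settings: assumed values for illustration, tune for the target hardware.
const SCRYPT = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Derive a 256-bit key-encryption key from the passphrase; it is never stored.
function deriveKek(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32, SCRYPT);
}

// Wrap the database key. The returned record is the only thing persisted.
function wrapDbKey(dbKey, passphrase) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKek(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(dbKey), cipher.final()]);
  return {
    salt: salt.toString('hex'),
    iv: iv.toString('hex'),
    tag: cipher.getAuthTag().toString('hex'),
    ct: ct.toString('hex'),
  };
}

// Recover the database key. Returns null when the passphrase is wrong
// or the stored record has been modified (GCM tag check fails).
function unwrapDbKey(record, passphrase) {
  try {
    const kek = deriveKek(passphrase, Buffer.from(record.salt, 'hex'));
    const decipher = crypto.createDecipheriv('aes-256-gcm', kek, Buffer.from(record.iv, 'hex'));
    decipher.setAuthTag(Buffer.from(record.tag, 'hex'));
    return Buffer.concat([decipher.update(Buffer.from(record.ct, 'hex')), decipher.final()]);
  } catch {
    return null;
  }
}

// Constructed sample values: a random database key and a made-up passphrase.
function demo() {
  const dbKey = crypto.randomBytes(32);
  const record = wrapDbKey(dbKey, 'constructed example passphrase');
  return {
    keyVisibleOnDisk: JSON.stringify(record).includes(dbKey.toString('hex')),
    rightPassphrase: unwrapDbKey(record, 'constructed example passphrase')?.equals(dbKey) === true,
    wrongPassphrase: unwrapDbKey(record, 'not the passphrase') !== null,
  };
}

console.log(demo());
```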
Response to encryption key flaw criticized
Despite being alerted about this flaw in 2018, Signal did not respond. A Signal Support Manager later addressed a user's concerns on their forum, stating, "The database key was never intended to be a secret. At-rest encryption is not something that Signal Desktop is currently trying to provide or has ever claimed to provide." In 2024, Elon Musk tweeted about known vulnerabilities with Signal that were not being addressed, without specifying what these vulnerabilities were.
Signal's security weakness highlighted by mobile security researchers
Last week, mobile security researchers Talal Haj Bakry and Tommy Mysk warned against using Signal Desktop due to its security weakness. They pointed out that photos and apps sent via the app are not stored securely, and that the encryption key for the message store is still kept in plain text on the system. In response, Signal President Meredith Whittaker downplayed the flaw, claiming that if an attacker gains full access to a device, Signal cannot fully protect the data.
Signal implements support for Electron's safeStorage
In April, developer Tom Plant proposed a solution to secure Signal's data store from offline attacks, using Electron's safeStorage API. This API provides extra methods to secure the encryption key used to encrypt data stored locally on a device. However, this solution was not fully effective on Windows, as it only secures the encryption key against other users on the same device. Last week, Signal announced that it had implemented Electron's safeStorage support, which would be offered in a beta update.