Signal has been subverted! WARNING do not use it anymore! It is not secure #7676

Closed
hydrogenpi opened this issue Apr 14, 2018 · 7 comments

@hydrogenpi hydrogenpi commented Apr 14, 2018

Signal has been subverted! WARNING do not use it anymore! It is not secure
http://archive.is/tF8I8

Signal is forcing an update in order to continue to use it. Even the apk version will stop working until end user is forced to update to the newest version of signal.

Problem is newest version of Signal has gotten rid of the passphrase in favor of forcing everyone to use a fingerprint for the screenlock. Now no one is able to set their own passwords anymore! Why this change?

Stranger still, there is now suddenly a mysterious retroactive flip-flop akin to the "Mandela Effect" whereby now the developer of Signal wants us all to beLIEve that it has always been the case that Signal never offered true "end to end encryption" at rest, and that the passphrase for the signal app was never anything more than a useless "screenlock"... When other users pointed out the blatant inconsistency in this regard, the developer promptly closed and then LOCKED the topic/issue at hand.

However, recall that not long ago Signal was praised by many as the only IM app that offers true end to end encryption at rest!

https://theintercept.com/2016/06/22/battle-of-the-secure-messaging-apps-how-signal-beats-whatsapp/
http://archive.is/jXFgP

To quote the Intercept article/review of Signal app in relevant part:

"Finally, online backups are a gaping hole in the security of WhatsApp messages. End-to-end encryption only refers to how messages are encrypted when they’re sent over the internet, not while they’re stored on your phone. Once messages are on your phone, they rely on your phone’s built-in encryption to keep them safe (which is why it’s important to use a strong passcode). If you choose to back up your phone to the cloud — such as to your Google account if you’re an Android user or your iCloud account if you’re an iPhone user — then you’re handing the content of your messages to your backup service provider.

By default, WhatsApp stores its messages in a way that allows them to be backed up to the cloud by iOS or Android.
If you back up your phone to your Google or iCloud account, Signal doesn’t include any of your messages in this backup. WhatsApp’s gaping backup issue simply doesn’t exist with Signal, and there’s no risk of accidentally handing over your private messages to any third-party company."

Stranger still, there is now suddenly a mysterious retroactive flip-flop akin to the "Mandela Effect" whereby now the developer of Signal wants us all to beLIEve that it has always been the case that Signal never offered true "end to end encryption" at rest, and that the passphrase for the signal app was never anything more than a useless "screenlock"... When other users pointed out the blatant inconsistency in this regard, the developer promptly closed and then LOCKED the topic/issue at hand.

#7553
http://archive.is/MvzRO

https://github.com/samlanning/Signal-Android/wiki/Using-Signal
http://archive.is/mH0bJ

Previously before the change we had this official faq->
In relevant part:

"The first time you run Signal, it will ask you to create a passphrase. This passphrase will be used to encrypt all of Signal's secret information, including the keys used to encrypt your text messages. The security of your messages depends on the strength of this passphrase, so make it good. Signal can be configured to cache this passphrase in memory for as long as its running, or for a specific length of time, so you won't need to be constantly re-entering it in order to access or send messages. This passphrase cannot be recovered if it is lost."
and
"All text messages are encrypted with your passphrase before being stored. This encryption includes the bodies of the text messages themselves" under the "Secure Storage" section....

Now, after the change, fingerprints will be forced to be used for all security in place of the passphrase. They have entirely removed the ability to set a custom password or even to use a custom passphrase that is independent of the underlying phone OS security credentials!

I refuse to believe the developer of Signal is not aware of the fact that using fingerprints (as opposed to passwords) gives up the Constitutional rights and the Fifth amendment rights!

https://www.washingtonpost.com/news/volokh-conspiracy/wp/2017/01/18/minnesota-court-on-the-fifth-amendment-and-compelling-fingerprints-to-unlock-a-phone/?noredirect=on&utm_term=.a5fe7809afed
http://archive.is/QEsru

I say boycott Signal, I say Signal has been subverted to the dark side. I say Signal is CIA, I call BS

Author

@hydrogenpi hydrogenpi commented Apr 14, 2018

https://www.tomsguide.com/us/how-to-textsecure-encrypted-texts,news-18475.html
http://archive.is/hzirQ

Ever since the TextSecure days, the OWN app itself says the passphrase IS used to encrypt the data at rest.... now the developer claims it was never the case?

what gives

Author

@hydrogenpi hydrogenpi commented Apr 14, 2018

I'm pretty sure this post is gonna get disappeared soon.

@ghost ghost commented Apr 14, 2018

LOL what?!

Contributor

@Trolldemorted Trolldemorted commented Apr 14, 2018

"end to end encryption at rest"? That makes no sense at all.

If you want encryption by passphrase, encrypt your entire disk.

@Rafficer Rafficer commented Apr 14, 2018

Inb4 he will take it as evidence that his post was removed from the ProtonMail subreddit.

Contributor

@2-4601 2-4601 commented Apr 14, 2018

Please don't remove the issue template when filing bug reports. This looks more like a post that should be on your own blog, not here. If you want to discuss the screenlock feature in a constructive manner, the right place is at the forums: https://community.signalusers.org/

@2-4601 2-4601 closed this Apr 14, 2018

@HeroicKatora HeroicKatora commented Apr 14, 2018

22 days ago, @moxie0 commented that "In any case, I'm going to lock this issue now in favor of discussion on the forum." after dismissing all critical questions about Signal's security model. Since you seem to be quite engaged in your forums, which btw you are surely able to control much better than Github, there surely already is a discussion you could link us to, given the confusion and concerns of your community.

At the current state of this discussion, I must say that the signal team sounds extremely dismissive and does not seem to address any of the factual points made.

And for the record, I want to disagree with the technical assessment of , it's not really possible. . It might be challenging but I am sure it is not theoretically impossible.

@signalapp signalapp locked and limited conversation to collaborators Apr 15, 2018