What is stored on the pc and where? #1318
Comments
Your messages are stored in a LevelDB in Chrome's extension storage: They are only encrypted if you encrypt the underlying drive.
Goddamnit, I knew it was unsafe! :( What were the devs thinking when they implemented this? I wonder. Totally safe and fully encrypted on the phone but wide open on the PC... cheesas.
There is no reasonable need for in-app encryption on the PC. If you encrypt within your app, but without a user-defined key, you must have the key lying around somewhere unencrypted, and all your encryption is worthless. If you are motivated enough to encrypt with a key derived from a passphrase, you should encrypt the underlying drive (or parts of it).
If there's no need to encrypt chats, then why even bother, with so much effort, to do it on the phone? That doesn't make sense. It would be logical and surely expected by most users that a similar level of security is given by the desktop app instead of compromising the careful security measures done on the phone by spilling all the messages out into the open on the PC for every hacker and intelligence service to collect easily.
They do it on the phone because encrypting your drive is not possible on older versions of Android. On the PC it makes no sense. If you want to protect data on your hard drive, you encrypt your hard drive.
I don't think that encrypting the complete hard drive is the only and best option on the PC. Encrypting the data before writing it into the db is surely more sensible and not hard to do. You can get the key at the moment you authorize the desktop from your phone. It would even make sense to create a different key only for the desktop at that moment. As you know, the session keys are also easily reset anytime.
You can encrypt the db, even with a key sent from your master device, but you still need it when you open the app, so you have to save it somewhere on your PC. That is snake oil, not security, as a hacker or intelligence agency will just go for your key. Signal-Android without a passphrase encrypts with a perfectly reproducible key. You don't have to encrypt your entire hard drive, just the folders where Signal-Desktop's database is.
But keeping the key on the phone to decrypt the chat there is not "snake-oil"? I don't see what you mean. I'm saying, without suggesting a concrete ready-to-implement security concept, it can be done and be made secure enough. But this is actually deceiving the users! Which is even harder to swallow than your snake-oil. Let's see if others have something else to add to this topic. Okay?
This has become a duplicate of #549. @patlecat, please use the forum to discuss this (https://whispersystems.discoursehosting.net). @Trolldemorted, please be more proactive in reminding users that the issue tracker is for bugs and not for discussion.
I could not find any information or description on where the desktop Chrome extension stores the messages and if they are encrypted or not. I am often shocked to see that messages that I deleted on my phone come back into the desktop app.
How secure are the messages stored/cached on the PC, say on Windows 10?
Why is that kept a secret on the website?
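The trade-off argued in the comments above (a database key saved next to the database versus a key derived from a user passphrase), as an added Node.js illustration that is not Signal-Desktop code. The file names, function names and sample message are constructed, and the "disk" is modelled as a plain object holding whatever each scheme would write to storage.

```javascript
// Added illustration; not Signal-Desktop code. All names and data are constructed.
const crypto = require('crypto');

// AES-256-GCM record layout: iv (12 bytes) || auth tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

function unseal(key, record) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, record.subarray(0, 12));
  d.setAuthTag(record.subarray(12, 28));
  return Buffer.concat([d.update(record.subarray(28)), d.final()]).toString('utf8');
}

// Scheme A: the app generates a random key and saves it beside the database.
function storeWithKeyOnDisk(message) {
  const key = crypto.randomBytes(32);
  return { 'db.bin': seal(key, message), 'key.bin': key }; // everything here is on disk
}

// Scheme B: key derived from a user passphrase; only salt and ciphertext are on disk.
function storeWithPassphrase(message, passphrase) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(passphrase, salt, 32);
  return { 'db.bin': seal(key, message), 'salt.bin': salt };
}

// What someone holding only a copy of the stored files can recover.
function readFromDiskCopy(disk, passphrase) {
  try {
    let key = disk['key.bin'];
    if (!key && passphrase !== undefined) {
      key = crypto.scryptSync(passphrase, disk['salt.bin'], 32);
    }
    return key ? unseal(key, disk['db.bin']) : null;
  } catch (e) {
    return null; // GCM tag check failed: wrong key
  }
}

const msg = 'constructed sample message';
const a = storeWithKeyOnDisk(msg);
const b = storeWithPassphrase(msg, 'constructed passphrase');
console.log('A, files only:        ', readFromDiskCopy(a));
console.log('B, files only:        ', readFromDiskCopy(b));
console.log('B, files + passphrase:', readFromDiskCopy(b, 'constructed passphrase'));
```

In scheme A the stored files alone are enough to read the message; in scheme B they are not, at the cost of asking the user for a passphrase on every start.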