There’s a physical necessity to keep all of the information necessary to decrypt messages in the app’s folder.

Anything the Signal app shows you can also be seen by an app with access to Signal’s data on that device. This is true of any E2E encrypted messenger service.

Of course, this is disallowed by the OS, but if you have physical access to that device, you have and can access that data. That includes the database of all of your messages on that device, and the key to decrypt them.

PFS prevents someone using the key your device has on it from decrypting earlier cyphertexts. But if they have access to that key, they almost inevitably also have access to the database that Signal keeps all of your messages in.

Thus PFS only works in practice if you delete the data from both the sending and receiving devices. PFS is useful, but its usefulness is fairly limited in typical scenarios. But, if someone sniffed the cyphertext and then you read the message and deleted it/had disappearing messages on, and they later hacked your phone and got the key, you’d be safe and they couldn’t decrypt the cyphertext they’d sniffed earlier.

It’s just… …it’s a really niche scenario, and most people (except the very paranoid) aren’t regularly deleting every message.
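An added example, not part of the comment above and not Signal's actual protocol: a simplified one-way hash ratchet showing that a seized current key cannot decrypt earlier sniffed ciphertexts, while the stored message database still exposes them unless it was deleted. The `Device` class, the toy cipher, and all names and messages are constructed assumptions.

```python
import hmac, hashlib

def kdf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def mac(key: bytes, ct: bytes) -> bytes:
    return kdf(key, b"tag" + ct)[:16]

def xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher for this demo only (HMAC-SHA256 in counter mode).
    stream = b"".join(kdf(key, i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class Device:  # hypothetical model of one endpoint
    def __init__(self, shared_secret: bytes):
        self.chain_key = shared_secret   # current ratchet state kept on the device
        self.message_db = []             # plaintext history the app displays

    def _next_message_key(self) -> bytes:
        message_key = kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")  # one-way step, old key overwritten
        return message_key

    def send(self, plaintext: bytes) -> bytes:
        key = self._next_message_key()
        ct = xor_stream(key, plaintext)
        self.message_db.append(plaintext)
        return mac(key, ct) + ct         # wire format: tag || ciphertext

    def receive(self, wire: bytes) -> None:
        key = self._next_message_key()
        if not hmac.compare_digest(wire[:16], mac(key, wire[16:])):
            raise ValueError("bad tag")
        self.message_db.append(xor_stream(key, wire[16:]))

def decrypt_with_seized_key(chain_key: bytes, sniffed: list, lookahead: int = 8) -> list:
    # Try every key derivable from the seized state: this one and those after it.
    recovered = []
    for _ in range(lookahead):
        key, chain_key = kdf(chain_key, b"message"), kdf(chain_key, b"chain")
        recovered += [xor_stream(key, w[16:]) for w in sniffed
                      if hmac.compare_digest(w[:16], mac(key, w[16:]))]
    return recovered

def seizure(delete_history: bool):
    alice, bob = Device(b"constructed-shared-secret"), Device(b"constructed-shared-secret")
    sniffed = [alice.send(m) for m in (b"meet at noon", b"bring the files")]
    for wire in sniffed:
        bob.receive(wire)
    if delete_history:                   # disappearing messages or manual deletion
        bob.message_db.clear()
    # Returns (plaintexts recovered via the seized key, plaintexts read from the database).
    return decrypt_with_seized_key(bob.chain_key, sniffed), list(bob.message_db)
```

`seizure(False)` returns nothing via the key but the full history via the database; `seizure(True)` returns nothing either way.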


Thanks for pointing out Silence. I didn’t know about it.


True. And although perfect forward secrecy isn’t a huge deal, it is potentially useful, if (for example) you have the encrypted messages backed up, then deleted from your phone, and someone gets access to both your backup and secret key (somehow).

If a hacker had access to the private long-term key, though, odds are extremely high that they have access to the message database of decrypted messages that Signal keeps around to show your history - so kinda moot at that point. There are some useful niche cases for it, though.

Not a dealbreaker for me by far.


Yep. Sad day for security, though somewhat ironically.


Two reasons:

  • it’s not simply the fact that SMS is gone, it’s also the administrative decision that caused that. Session will likely have some gaffes administratively as they get larger, but for now, I don’t know of any I particularly dislike.
  • Session has greater anonymity.

lol.

  • post asks which app is preferred
  • a clear winner with lots of reasons why emerges
  • “propagandists!”

I dislike Signal because of the abandonment of SMS as an option. Without that, it’s on par with (not really ahead of) most other secure messengers. Session is pretty decent, and I am curious if SimpleX will take off.

Anyways. Not a Session fanboy by any means, but I can still see that (given the two options asked about) Session is the clear winner. But your take on this all is hilarious.


Hehe! I was just bitching about them dropping SMS (and a crapton of users) in another post.

It used to be the perfect app to get people into secure messaging. Now it’s just another chat app to most people, who tend to think “who really cares when you’ve got WhatsApp etc, that actually have users? Why would I want some obscure app on my phone? More shit to think about.”


There used to be: Signal.

With Signal as your default messaging app, you could just tell people to switch to Signal and use one app. If both parties had Signal, secure messaging was used automatically.

Friends and family slowly started using Signal, because it’s just a nice messaging app, plus it’s potentially more secure.

Then Signal decided to tank SMS. …and slowly, friends and family started leaving Signal, and now it’s just us security-conscious folks again.