July 11, 2024 at 04:53PM
Signal is improving its desktop client’s security by changing how it stores plain text encryption keys for the data store. Previously, the keys were stored in a local file, posing a security risk. The company is now implementing Electron’s SafeStorage API to further secure the encryption keys, making it more resistant to offline attacks.
Based on the provided meeting notes, it appears that Signal’s desktop client has been criticized for not adequately securing the encryption keys for its data store, leaving user data vulnerable to potential breaches. In 2018, it was revealed that the encryption key was stored as plain text, making it accessible to any user or program on the computer. Despite this flaw being highlighted by researchers, Signal initially downplayed the issue, claiming that at-rest encryption was not something it claimed to provide.
The discussion surrounding this security vulnerability resurfaced in 2024 when Elon Musk made a cryptic tweet about known vulnerabilities in Signal. Signal’s President, Meredith Whittaker, responded that there were no known vulnerabilities and that any valid issues would be responsibly disclosed and quickly fixed. However, mobile security researcher Tommy Mysk reiterated the security weakness, emphasizing that the encryption key for the message store was still stored in plain text, leaving users vulnerable to exfiltration.
In response to these concerns, Signal has announced plans to tighten database encryption by implementing Electron’s SafeStorage API, which provides additional methods to secure the encryption key used to encrypt locally stored data. This new implementation aims to use the operating system’s cryptography system and secure key stores to enhance the security of the encryption keys. Additionally, a fallback mechanism will be included to minimize data loss during the migration process and production rollout.
While it is encouraging to see these additional protections being implemented, it is disappointing that they are only being addressed after public scrutiny. BleepingComputer has attempted to get further information from Signal but has not received a response as of yet.