The recent controversy over the replacement of the registration lock PIN with a mandatory sync feature is a symptom of broader issues. The main issue I have with it is not their design decision but rather how they've presented it and responded to valid criticism and questions.
Conversation
Signal already had an encrypted backup feature with a strong key. It could be made more usable by using a seed phrase instead of presenting the user with a bunch of numbers. Having users select credentials, especially when they're encouraged to use a weak PIN is much worse.
1
4
18
They're presenting this as something they have to do to support usernames. It's not true. My question at twitter.com/DanielMicay/st was left unanswered. If they had modern storage support, users could also choose to store their encrypted backups via the sync service of their choice.
Quote Tweet
Replying to @moxie @RichFelker and 2 others
What's wrong with having it locally in the Signal app and relying on the same encrypted backup / restore feature as everything else? System contacts are also local data with the option to do backup / restore.
2
2
11
It was inaccurately claimed that the ability to do local backups is going away. That couldn't be further from the truth. I responded to that at twitter.com/DanielMicay/st. Again no response, but they continue to make these kinds of false claims despite it clearly not being accurate.
Quote Tweet
Replying to @moxie @RichFelker and 2 others
Backing up locally via SAF works fine. No need for the deprecated Storage permission. The app can request persistent access to a directory for backups and the user just chooses the backup directory via SAF and the app. Can't something similar be done on iOS via their equivalent?
2
2
10
Replying to
OK, I understand. I think I agree.
Just to clarify...Do not store any personal info a private server, regardless of level of encryption.
Correct?
Encrochaf type of mistake?
1
Replying to
No, that's not what I said. Signal encourages using a weak PIN and uses it to store data (contacts, profiles, etc.) on their server. SGX doesn't provide strong security. Signal's PIN feature only provides strong encryption if you set a strong passphrase, and we know users won't.
1
Especially since it ENCOURAGES using a weak PIN and they have posts making it seem that it's secure despite it relying on SGX. The UX is designed in a way that most people aren't even going to notice that they can set a passphrase, and a user-selected passphrase is problematic.
1
Replying to
I get it.
Should he encourage use of a 2nd party to set a random passphrase? Or abandon the effort all together?
I realize a 2nd party is more likely to be not be as secure as they state...
1
Replying to
No, that's not what I said at all. I don't think Signal shouldn't be using a user-generated credential for doing encrypted backups, especially remote backups. Encouraging setting a weak PIN in the UI instead of a strong passphrase and their hand waving with SGX makes it worse.
2
Replying to
OK. I agree with that.
If they do start using a method to connect users without a phone #, would be for it if the UI gave the users a more detailed example of what they're doing?
1
Replying to
This feature is not required to implement that. As I explained in the thread you're replying to, it's misleading and incorrect for them to be portraying this as a requirement for that feature. I strongly suggest reading my whole thread and the tweets / threads that I linked.