The recent controversy over the replacement of the registration lock PIN with a mandatory sync feature is a symptom of broader issues. The main issue I have with it is not their design decision but rather how they've presented it and responded to valid criticism and questions.
Signal already had an encrypted backup feature with a strong key. It could be made more usable by using a seed phrase instead of presenting the user with a bunch of numbers. Having users select credentials, especially when they're encouraged to use a weak PIN, is much worse.
They're presenting this as something they have to do to support usernames. It's not true. My question at twitter.com/DanielMicay/st was left unanswered. If they had modern storage support, users could also choose to store their encrypted backups via the sync service of their choice.
Quote Tweet
Replying to @moxie @RichFelker and 2 others
What's wrong with having it locally in the Signal app and relying on the same encrypted backup / restore feature as everything else? System contacts are also local data with the option to do backup / restore.
It was inaccurately claimed that the ability to do local backups is going away. That couldn't be further from the truth. I responded to that at twitter.com/DanielMicay/st. Again no response, but they continue to make these kinds of false claims despite it clearly not being accurate.
Quote Tweet
Replying to @moxie @RichFelker and 2 others
Backing up locally via SAF works fine. No need for the deprecated Storage permission. The app can request persistent access to a directory for backups and the user just chooses the backup directory via SAF and the app. Can't something similar be done on iOS via their equivalent?
Replying to
OK, I understand. I think I agree.
Just to clarify... Do not store any personal info on a private server, regardless of level of encryption.
Correct?
EncroChat type of mistake?
Replying to
No, that's not what I said. Signal encourages using a weak PIN and uses it to store data (contacts, profiles, etc.) on their server. SGX doesn't provide strong security. Signal's PIN feature only provides strong encryption if you set a strong passphrase, and we know users won't.
Especially since it ENCOURAGES using a weak PIN and they have posts making it seem that it's secure despite it relying on SGX. The UX is designed in a way that most people aren't even going to notice that they can set a passphrase, and a user-selected passphrase is problematic.
Replying to
I get it.
Should he encourage use of a 2nd party to set a random passphrase? Or abandon the effort altogether?
I realize a 2nd party is more likely to not be as secure as they state...
Replying to
No, that's not what I said at all. I don't think Signal shouldn't be using a user-generated credential for doing encrypted backups, especially remote backups. Encouraging setting a weak PIN in the UI instead of a strong passphrase and their hand waving with SGX makes it worse.
Replying to
The previous encrypted backup feature was well designed but could be made more usable.
Encouraging a weak PIN, not conveying what the feature does to users properly and pushing SGX as a way to work around the limitations is all problematic. More options don't resolve it.
The added toggle for the PIN feature doesn't resolve this, and neither would more options like having the app generate and use a strong encryption key. Defaults matter. The way the app is intended and encouraged to be used matters. Niche options for power users don't do much.

