Conversation

Daniel Micay
@DanielMicay
Replying to
@DanielMicay
I replied to
@chrisrohlf
at twitter.com/DanielMicay/st noting the PIN existed before as a useful registration lock feature and the importance of securing the app for how most people use it, not just power users. It encourages a weak PIN for sync.
@moxie
blocked me for that tweet.
Quote Tweet
Daniel Micay
@DanielMicay
Replying to @chrisrohlf @signalapp and @moxie
Hopefully as a toggle so that it's still possible to have a registration lock PIN without contact syncing, as it was before this was introduced. Most people are going to use the defaults so that's what really matters, and a user-generated PIN + SGX is not a secure approach.
1
11
Daniel Micay
@DanielMicay
Again, Signal already has an encrypted backup / restore mechanism (at least on Android) with a strong key generated by the app. This sync feature is only secure if users realize they can and should set a strong passphrase and do it. The app encourages a weak PIN + they make it...
2
9
Daniel Micay
@DanielMicay
... seem like that's fine based on using SGX when it's an extremely problematic approach that's ultimately unworkable. The reliance on SGX is at serious odds with past design choices: end-to-end encryption, encrypted backup / restore with a strong key, etc. Also again, my main...
1
8
Daniel Micay
@DanielMicay
... issue is not these recent design decisions but rather how they've handled the response to it including valid criticism. Repeatedly making false claims, misrepresenting criticism/suggestions and responding with a holier-than-thou attitude, platitudes and fallacies. Bad look.
1
12
Daniel Micay
@DanielMicay
It's possible to set a strong passphrase as this PIN and avoid depending on SGX security. The issue is how they've converted an existing feature, the lack of a proper explanation for users, their dismissive response to valid criticisms about it and inaccurate/misleading claims.
1
11
Daniel Micay
@DanielMicay
The experience of the registration lock PIN being converted to this resembles dark patterns used by Facebook. It wasn't clear even to highly technical people what was happening and what the new PIN they were creating was doing. It is STILL a problem with them adding an opt-out.
1
10
Daniel Micay
@DanielMicay
They did such a good job designing features like link previews and profiles in a privacy-preserving way. Don't understand how they go from that to this. Bonus of a response resembling a cover-up hand waving away the criticism + blocking people with legitimate questions/concerns.
1
12
Daniel Micay
@DanielMicay
A weak PIN was fine for the registration lock feature, but it doesn't work well as a way of deriving a meaningful encryption key. Adding a way to opt-out doesn't change that they encourage doing this and it looks like you won't be able to just set a registration lock like before.
2
11
This Tweet was deleted by the Tweet author. Learn more
This Tweet was deleted by the Tweet author. Learn more
Daniel Micay
@DanielMicay
Replying to
@DanielMicay
and
@_modroplavo
Attestation is not all equal. Verifying based on a root of trust might be good enough for DRM, anti-cheat, etc. but not real security. A key can be leaked by an employee or it can be leaked from the oldest, least secure hardware implementation with no firmware updates applied.
1
Daniel Micay
@DanielMicay
Replying to
@DanielMicay
and
@_modroplavo
Attestation based on proper pairing is much better, but not what SGX attestation provides. However, using it to try securely running code on a computer controlled by an adversary? That just seems foolish. Doing it with SGX which isn't even a secure element is doubly foolish.
1
Show replies