... issue is not these recent design decisions but rather how they've handled the response to it including valid criticism. Repeatedly making false claims, misrepresenting criticism/suggestions and responding with a holier-than-thou attitude, platitudes and fallacies. Bad look.
It's possible to set a strong passphrase as this PIN and avoid depending on SGX security. The issue is how they've converted an existing feature, the lack of a proper explanation for users, their dismissive response to valid criticisms about it and inaccurate/misleading claims.
The experience of the registration lock PIN being converted to this resembles dark patterns used by Facebook. It wasn't clear even to highly technical people what was happening and what the new PIN they were creating was doing. It is STILL a problem with them adding an opt-out.
They did such a good job designing features like link previews and profiles in a privacy-preserving way. Don't understand how they go from that to this. Bonus of a response resembling a cover-up, hand-waving away the criticism + blocking people with legitimate questions/concerns.
A weak PIN was fine for the registration lock feature, but it doesn't work well as a way of deriving a meaningful encryption key. Adding a way to opt out doesn't change that they encourage doing this and it looks like you won't be able to just set a registration lock like before.
This Tweet was deleted by the Tweet author.
Bypassing SGX attestation doesn't require hacking it. It only requires having a valid key for signing attestations. Those could be leaked from any hardware including the oldest supported hardware without any updates applied. Alternatively, an employee could leak them, etc.
This Tweet was deleted by the Tweet author.
Your contacts, the contents of your profile and whatever else they end up choosing to back up this way are not just some unimportant metadata. Why have this mechanism at all when there's an existing, secure backup mechanism covering your keys, messages and overlapping with this?
This Tweet was deleted by the Tweet author.
If they used SAF to implement the existing backup feature, it would already be possible to use arbitrary sync services with it directly. They could make it easier by providing that themselves - although they probably don't want to host all that data (maybe as a paid service).
Generating a key based on a user-provided PIN isn't good enough for encryption. SGX doesn't change that. If they used SGX and didn't pretend it changes much, that wouldn't be a problem. It's not a problem that they use it. It's a problem that they depend on it and change how...