
Explanation: For years, Signal has been adding features while retaining the core commitment to a secure communications protocol with a functioning client and no more. Now, Signal will back up your data to their computers, protected by that PIN they’ve been nagging you about.
Signal was proud to have a network that retained no user information. Until a few days ago they could brag about this, and justifiably so. That is no longer the case. Signal is now storing your data inside SGX enclaves — a sort of wet paper bag for clustering sensitive info.
It only backs up contacts, profile, etc. but it's a lot different from the original purpose and it's not adequately explained in the app. Also, a weak PIN is not sufficient for deriving a proper encryption key. They do let you set a strong passphrase, but it's not encouraged.
So, generate a strong random passphrase and you don't need to rely on sketchy SGX integration for throttling key derivation. Back up the passphrase in a password manager and turn off reminders. The problem is the UX, lack of explanation, dark patterns and their response.
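Added example, not part of the thread and not Signal's code: a sketch of why a key derived from a short PIN depends on guess throttling while one derived from a random passphrase does not. PBKDF2, the salt, the sample PIN, the iteration count and the guess rate are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import secrets
import string

SALT = b"constructed-example-salt"  # constructed value, for this example only

def derive_key(secret: str, iterations: int) -> bytes:
    # PBKDF2-HMAC-SHA256 is a stand-in KDF (assumption), not Signal's scheme.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), SALT, iterations)

def recover_pin(target_key: bytes, digits: int, iterations: int):
    """Try every numeric PIN of the given length, as unthrottled guessing allows.
    Returns (pin, guesses_made), or (None, guesses_made) if nothing matched."""
    total = 10 ** digits
    for n in range(total):
        guess = f"{n:0{digits}d}"
        if hmac.compare_digest(derive_key(guess, iterations), target_key):
            return guess, n + 1
    return None, total

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret drawn uniformly at random from the alphabet."""
    return length * math.log2(alphabet_size)

def random_passphrase(length: int = 24) -> str:
    """Random passphrase from the OS CSPRNG, meant for a password manager."""
    alphabet = string.ascii_letters + string.digits  # 62 symbols
    return "".join(secrets.choice(alphabet) for _ in range(length))

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole space at a given guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    iterations = 200  # kept low so the demo finishes quickly
    key = derive_key("4831", iterations)  # constructed sample PIN
    pin, guesses = recover_pin(key, 4, iterations)
    print(f"4-digit PIN recovered as {pin} after {guesses} guesses "
          f"({entropy_bits(10, 4):.1f} bits)")
    bits = entropy_bits(62, 24)
    print(f"sample passphrase: {random_passphrase()} ({bits:.1f} bits)")
    print(f"years to exhaust at 1e12 guesses/s: {years_to_exhaust(bits, 1e12):.2e}")
```

Raising the KDF cost only multiplies the work by a constant; a 4-digit PIN still has 10,000 candidates, so its protection comes from limiting guesses, whereas the passphrase's comes from the size of its space.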