1/3 Thank you, I entirely agree. "My major issue with SVR is that it’s something I basically don’t want, and don’t trust." Yep. And thanks for telling me I can at least generate a high-entropy password instead of a PIN - that is not at all obvious from the UI.
Quote Tweet
I wrote a post about why Signal’s “Secure Value Recovery” backup system (and decision to force users to choose PIN codes) has made me so concerned. blog.cryptographyengineering.com/2020/07/10/a-f
3/3 "Signal has added a “disable PINs” feature into its latest beta. Encrypted data still goes to Signal servers, but it’s now encrypted in a way that nobody can access." Really? I'm going to need more detail about that, or I'm going to need a new messaging app.
Replying to
It generates a high entropy key on your behalf instead of deriving it from a passphrase. The issue is asking users for a PIN to secure this data. Encouraging them to use a weak PIN makes it worse, but even if it did tell users to choose a secure passphrase we know they won't.
SGX is used as a way to throttle an attempt to decrypt it, but it depends on the security of SGX and SGX attestation, which is based on a root of trust. They're using that to justify this design and encouraging a weak PIN. At the moment, they just back up contacts, settings, etc.
Worth noting there was an existing encrypted backup feature in the Android app, which generates a strong key and has you record it as a series of numbers. That backs up messages and your keys so you can migrate phones without losing safety numbers. Could have done it like that.
Could be made more usable by using a BIP39 seed phrase like proper cryptocurrency wallets (12 words from a list of 2048 for a 128-bit key with a checksum, with first four letters of each being unambiguous) and advanced users could have the option of setting the BIP39 passphrase.
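Added example, not part of the thread and not Signal's code: the BIP39 encoding mentioned in the last reply, showing how a 128-bit key plus a 4-bit SHA-256 checksum becomes 12 indices into the 2048-word list, and how the checksum rejects a mistyped phrase on restore. The word list itself is omitted (indices are printed instead), and the all-zero key and the 4-digit PIN length are constructed sample values.

```python
import hashlib
import math

VALID_ENT_BITS = (128, 160, 192, 224, 256)  # entropy sizes allowed by BIP39

def entropy_to_indices(entropy: bytes) -> list:
    """Append the first ENT/32 bits of SHA-256(entropy), then split into 11-bit indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in VALID_ENT_BITS:
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    value = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11
    return [(value >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]

def indices_to_entropy(indices) -> bytes:
    """Recover the key from word indices, rejecting a phrase whose checksum is wrong."""
    total_bits = len(indices) * 11
    cs_bits = total_bits // 33
    ent_bits = total_bits - cs_bits
    if ent_bits not in VALID_ENT_BITS:
        raise ValueError("phrase must be 12, 15, 18, 21 or 24 words")
    value = 0
    for idx in indices:
        if not 0 <= idx < 2048:
            raise ValueError("index outside the 2048-word list")
        value = (value << 11) | idx
    entropy = (value >> cs_bits).to_bytes(ent_bits // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    if value & ((1 << cs_bits) - 1) != expected:
        raise ValueError("checksum mismatch: phrase was mistyped or corrupted")
    return entropy

def search_space_bits(alphabet_size: int, length: int) -> float:
    """Bits an attacker must search for a uniformly random secret."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    key = bytes(16)  # constructed sample: all-zero 128-bit key, never use as a real key
    phrase = entropy_to_indices(key)
    print("word indices:", phrase)
    print("round trip ok:", indices_to_entropy(phrase) == key)
    # Assumption: a 4-digit PIN; the thread does not state a PIN length.
    print("4-digit PIN: %.1f bits" % search_space_bits(10, 4))
    print("12 words: %.0f bits, 128 of them key material" % search_space_bits(2048, 12))
```

The 4-bit checksum catches a randomly wrong word about 15 times in 16, so it guards against transcription slips rather than adding any secrecy.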