by CtrlAltT5wpm 2314 days ago
I'm hoping someone here has some insight they can share, because I've not really seen it addressed elsewhere.

As per the linked article:

> Another new feature it's testing, called "secure value recovery," would let you create an address book of your Signal contacts and store them on a Signal server, rather than simply depend on the contact list from your phone. That server-stored contact list would be preserved even when you switch to a new phone. To prevent Signal's servers from seeing those contacts, it would encrypt them with a key stored in the SGX secure enclave that's meant to hide certain data even from the rest of the server's operating system [1].

I assume that this is an offshoot or a continuation of what Signal started a few years back with Private Contact Discovery, a truly difficult problem considering the amount of user data and metadata Signal wants to avoid collecting [2]. It's a hell of a job, and I commend Signal's efforts.

Assuming I'm right, I'm curious as to why Signal is going down this road, specifically, relying on SGX (or any proprietary vendor solution) for security, or if they should. Due to the spate of speculative execution vulnerabilities in Intel hardware, it would seem to me (a layman) that this is a bad approach that will create more work for them down the line, and may rely too heavily on a single set of features. The Foreshadow attack was one that supposedly compromised SGX, with full mitigation only being possible with hardware revisions [3]. Even then, it may not be safe to assume that's the end of problems. Only recently, another attack on SGX was found, specifically, PlunderVolt [4], which at least can be supposedly mitigated via microcode update vs hardware refresh. Still, it seems like shaky ground, especially to be building additional Signal features upon.

Much further down the list of concerns, it seems like all these SGX-reliant features lock them into using Intel's platform exclusively. It's probably neither here nor there, but is this something they should be concerned about, or is that just the price to be paid for the advanced privacy features Signal offers? Is there any effort to disconnect these features from the hardware platform? Is it even possible? Should they? Am I even asking the right questions?

My worry is that Signal finally reaches some form of feature parity with the biggest messengers (I'd say it's there, mostly), SGX gets broken in a way that's not easy to fix, and all this time and effort will have been wasted, especially if they have to roll back user features which grow the platform in order to maintain safety.

I ask all this having no solutions myself, unfortunately. I'm neither dev nor cryptographer, only someone curious with some mild technical leanings. I generally lump myself in with the average user crowd, knowing just enough to be saddled with the 'Family's IT Person' label, but not enough to actually work in the field...as such, forgive any ignorance or obvious mistakes on my part. I've just not seen these issues addressed, and figured you would be the crowd best able to do so.

[1] - https://www.wired.com/story/signal-encrypted-messaging-featu...

[2] - https://signal.org/blog/private-contact-discovery/

[3] - https://arstechnica.com/gadgets/2018/08/intels-sgx-blown-wid...

[4] - https://plundervolt.com/

1 comments

From what I understood of the article about secure value recovery [1], SGX is used to derive a more secure key from the password you provide, so a broken SGX alone is not enough to decrypt the data stored on the server, you still need to crack the user’s password. Of course this only helps those people with an actually secure password, which is why they go through all the trouble with SGX. This makes me feel a bit better about their reliance on SGX – as long as you use a long random password stored in my password manager, you don’t have to trust SGX at all.

[1]: https://signal.org/blog/secure-value-recovery/
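A simplified model of the point made in the comment above, added here as an example; it is not Signal's code or the commenter's. It combines a password-derived key with a secret held behind a guess-limited service, then shows what remains if that service's state leaks. The `Enclave` class, the PBKDF2 stretching, the three-try limit and all names are assumptions for illustration.

```python
import hashlib, hmac, secrets

ITER = 100  # constructed, deliberately low so the demo runs quickly

def stretch(password, salt):
    """Password -> (auth_key, c1). PBKDF2 is an assumed stand-in KDF."""
    out = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER, dklen=64)
    return out[:32], out[32:]

def master_key(c1, c2):
    """Final key mixes the password-derived half with the enclave-held half."""
    return hmac.new(c1, c2, hashlib.sha256).digest()

class Enclave:
    """Hypothetical stand-in for the SGX side: keeps c2, limits guesses."""
    def __init__(self, max_tries=3):
        self.max_tries, self.records = max_tries, {}

    def enroll(self, user, auth_key):
        c2 = secrets.token_bytes(32)
        self.records[user] = [auth_key, c2, self.max_tries]
        return c2

    def recover(self, user, auth_key):
        rec = self.records.get(user)
        if rec is None:
            return None                      # unknown user or already wiped
        if hmac.compare_digest(rec[0], auth_key):
            rec[2] = self.max_tries          # success resets the counter
            return rec[1]
        rec[2] -= 1
        if rec[2] <= 0:
            del self.records[user]           # too many misses: destroy c2
        return None

def offline_guesses(leaked_auth_key, salt, candidates):
    """Models leaked enclave state: no counter applies, so only password
    entropy remains. Returns guesses needed, or None if not in the list."""
    for n, guess in enumerate(candidates, 1):
        if hmac.compare_digest(stretch(guess, salt)[0], leaked_auth_key):
            return n
    return None

def all_pins():
    """Every 4-digit PIN, the constructed weak-password space for the demo."""
    return (f"{i:04d}" for i in range(10000))

if __name__ == "__main__":
    salt = b"constructed-salt"
    print(offline_guesses(stretch("0042", salt)[0], salt, all_pins()))
    print(offline_guesses(stretch(secrets.token_urlsafe(24), salt)[0], salt, all_pins()))
```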

Thanks for the reply. That makes sense in the context of Secure Value Recovery (to be rolled out, I think); it sounds similar in concept to how 1Password uses a user-derived master password along with a semi-random secret key in order to make a Master Unlock Key, which is then used to open the vault [1]. This seems pretty solid, at least to me.

It doesn't speak to any unexpected weaknesses in SGX due to hardware issues with Intel, though, that could be exploited with speculative execution attacks, and what possible information might be obtained were that to happen. I'm not certain how useful it would be to attack this specific feature to obtain saved social graphs when it may be easier to leverage those speculative execution flaws elsewhere in Signal's back end (I may be talking out my ass here, since even your link was pretty in the weeds for me).

I'm also not sure if it's prudent to trust SGX when it seems its protections can be overcome. Hiding all this information behind different SGX features might be all for naught if SGX itself isn't much of an impediment. Which all gets back to my original concern: is this trust in SGX (and by extension Intel) putting too many eggs in a single basket? Is there any fallback, just in case? What would that look like?

I sure as hell don't know, but I haven't even seen the question asked. Signal hasn't addressed it, and it may not even be worth making hay over, but I figured the smart folks around here would, if nothing else, be able to make some headway.

[1] - https://1password.com/files/1Password-White-Paper.pdf; pgs. 24-26