by LurkersWillLurk 1847 days ago
No, you're absolutely right. The author complains that, with physical possession of the device, it's possible to transfer Signal's private key material to a new device, leaving the old safety number intact.

The author apparently expects the safety number to change in order to alert the person on the other end that there "might be a hostage situation," evidently not realizing that the attacker could just, well, use the unlocked phone right in front of them.


Well, if I assume that I just got temporary access to someone’s unlocked device, then it would probably be a lot more convenient for me to quickly transfer the account to one of my own devices and then access it from there instead of accessing it from my target’s device, which I might lose access to at any moment.

So from that point of view it would be legitimate to argue that I might want to get notified if one of my contacts transfers his account. I can then double-check: “Did you just transfer your Signal account to a new device or was that an attacker?”

That might only be interesting for high-risk users though and could impair the UX. Why not make it optional?

Configurable security posture is the sort of thing that got RSA into trouble. For the huge majority of users, opinionated security is a much better approach, even ignoring the maintenance problems of having special features.

The temporary access threat model is a common criticism that people use, but it is largely incoherent. Once you are making human judgements like "enough time to transfer a Signal account but not enough time to install a rootkit", things quickly break down into meaninglessness.

I don't really like trusted computing, but it is part of the mobile security model. There's a distinction between Signal deliberately facilitating extraction of the keys, and having to break a device's security to do so.

No, the author is right.

There are many cases where an attacker can access a device for a short time and/or without the owner realizing that the phone was tampered with.

Just because that's possible doesn't mean that it's within Signal's threat model.

Sure, but exactly how would you build something that's robust against that kind of access?

If you leave cryptographic keys lying around unprotected they should be assumed to be compromised.

Signal has a PIN, too. If that's required for the transfer, then it would prevent this in the case of brief, surreptitious access. A hostage scenario is impossible.

Well, maybe, but 'brief' is doing a lot of the heavy lifting in that sentence.

> There are many cases where an attacker can access a device for a short time and/or without the owner realizing that the phone was tampered with.

This is what you originally responded to. I paraphrased it. The "heavy lifting" meme that you've employed is rarely more than a shallow dismissal. Be better.