[dcow]

Can you link to the implementation? I'll agree that a 4 digit pin is rather egregious and trivially crackable. I don't know a single serious cryptographer that would allow such nonsense which is why your comment sounds so unbelievable. I thought they were blending the pin with some device-local entropy to make a reasonably strong key. I'd like to verify your claim.

[autoexec]

Basically, they planned to get around much of the problem by depending on a very insecure secure enclave to make up for a lack of basic sound security practices.

The scheme they came up with to store user data in the cloud was described here: https://signal.org/blog/secure-value-recovery/

The code is here: https://github.com/signalapp/SecureValueRecovery

This site does a pretty good job of explaining why this isn't a good design: https://palant.info/2020/06/16/does-signals-secure-value-rec...

I'm sure I've linked to it already, but please review the discussion here as well: https://community.signalusers.org/t/sgx-cacheout-sgaxe-attac...

Even more details here: https://community.signalusers.org/t/wiki-faq-signal-pin-svr-...

[dcow]

They definitely do not encrypt your data with a 4 digit pin. They use Argon2 (a slow hash, not that it matters specifically here since the security depends largely on the entropy) to derive a 32-byte key. Then they derive subkeys: an auth key, and part of a final encryption key. The other part of the encryption key is 32-bytes of entropy. You store your entropy in an SGX enclave with a limited number of attempts allowed to combat the possibility of a weak pin.

Few things:

1. The vulnerabilities in question for SGX have been patched, only one of which affected Signal at all.

2. Signal preemptively combats any future speculative execution vulns by adding "don't speculate about this next branch" instructions before every single branch.

3. nit: SRV is a scheme to store the 256bits of entropy in the cloud, not the actual user data. It's unclear from those links whether Signal has actually deployed the "store encrypted contacts" portion.

4. It is concerning that the security of this entropy is tied to Intel's SGX implementation.

5. If you use a strong password, which security nuts would, none of this matters.

6. If you turn off your pin, none of this happens at all (so it's at least opt out but IIRC setting a pin was optional).

7. I don't find your interpretation particularly charitable to the truth of what's actually happened. It's incredibly reactionary.

I will give you:

1. The trust model for Signal has changed to include a dependence on a piece of Signal cloud to enforce a rate limit on (really access to) escrowed entropy IFF you use a weak pin.

2. There does seem to be unnecessary confusion surrounding this whole thing.

What bothers me reading through this is that it was never made clear to users that the security model would change if you enabled a weak pin, in other words that the strength of your pin/password is now important if you don't/can't/won't trust Signal+Intel. If that was made clear there would be no issues at all and concerned citizens would simply disable their pin and deal with the not-improved UX or choose a strong pin such that the entroy escrow SVR thing is entirely moot.

I don't think they need to update their privacy policy or user agreement to reflect these technical implementation details, though, as I've previously stated.

Moxie blames the poor reception on not having analytics. I'd say they should have known, it's pretty obvious you can't pretend you don't need a password and try to hide it from users if you want to add stuff that needs a password, like usernames. But I also know from first hand experience how difficult it is to just sit there and say "whelp, we can't build this thing that will make many users happy and make the product better because it isn't perfect".

What's sad is actually that this is all in service of enabling username messaging and dropping the phone number requirement which is exactly what everyone is yelling about. So it's like, they listen to feedback from people who want to use Signal without a phone number requirement. Then they build the thing that lets them take a crack at the nut. And then they get reamed by HN for having the audacity to try and build a secure solution to a problem that largely only exists on HN and only for Signal (nobody gives a shit that every other app under the sun just stores your contacts in plaintext). Must really suck to get that kind of response.

I'll probably go turn off my pin. I have no interest in signal managing my contacts.

[autoexec]

I did oversimplify their encryption scheme, but the issue is that in the end you still only need a pin to get the unencrypted data. I agree that if they'd been honest about passwords and the need for a strong one this wouldn't be as big an issue. It's because they were not honest that I don't think it's fair to expect their users (even the security nuts) to do it. Their target demographic will include whistleblowers and journalists who aren't necessarily all that tech-savvy.

The strengths and weaknesses of SGX are debatable, I may lean on the pessimistic side, but as you say it impacts the security model of Signal users and to me that means they (and new users) should be clearly informed. The first line of their privacy policy says "Signal is designed to never collect or store any sensitive information." which is demonstrably false.

As for opting out, unless something has changed they still store your data on the cloud, it's just handled differently:

https://old.reddit.com/r/signal/comments/htmzrr/psa_disablin...

I don't know what options someone has after they've already created a pin, if there's a way to remove your data from the cloud, I stopped using signal before they forced the pin (back when you could still just ignore the notice) and getting real answers to these kinds of basic questions is way more difficult than it should be. This is, again, a service targeting very vulnerable people whose lives and freedom may be on the line.

I was one of those Signal users who wanted them to move away from requiring a phone number too. That said, what I was looking for was something more like Jami. They managed to create a system with usernames and passwords but without phone numbers or accounts keeping your data in the cloud.

I'm not shitting on Signal's efforts overall. A lot of great work went into Signal and I'm pissed I still haven't found a good replacement for it, but the changes they made hurt the security and safety of the people who depend on Signal. They are a massive intelligence target and I can't blame them for anything they were forced to do, and if their goal was to subtly drive people away by raising a bunch of red flags I thank them, but if this is their best effort at communication and building trust how charitable can they expect us to be when two years later so many of their users don't have a clear idea of what's being collected and stored or what that means for their safety?