[codethief]

> I'm not sure who particularly cares about the stuff Signal is doing with SGX anyway.

Security researchers like Matthew Green seem to care[0], the Signal people surely do, I myself do, too. Isn't that enough to raise that question?

> if you're paranoid enough to worry about it

You make it seem like that's an outlandish thought, when in reality there have been tons of reported vulnerabilities for SGX. And now QC represents another risk.

> it's not like Signal would be less secure than any other third party if SGX were broken

That's a weird benchmark. Shouldn't Signal rather be measured by whether it lives up to the security promises it makes? Signal's whole value proposition is that it's more secure than "third parties".

[0]: https://blog.cryptographyengineering.com/category/signal/

[codethief]

EDIT: The link should have been https://blog.cryptographyengineering.com/2020/07/10/a-few-th...

[rcxdude]

I mean, if you're worried about Signal being a bad actor you also should probably be worried about Intel being a bad actor, and they hold the keys to SGX (especially because the biggest threat, if you're worried about this at all, is going to be governments compelling the involved companies to hand over data or attempt to intercept messages). And Signal is also a third party to your communications, that's how it works. But nothing about SGX makes me think Signal is more trustworthy, it doesn't meaningfully remove actions that they could take to compromise my communications.

[codethief]

Agreed, I never put much trust in Intel SGX, either. I was bringing up the whole topic rather because I'm secretly hoping it will force Signal to revisit the whole Signal PIN debacle and they will ultimately find a better solution.