Submitted by ActivePersona t3_11b6wx9 in technology
ArcherBoy27 t1_j9xpzay wrote
Reply to comment by Prestigious_Push_947 in Signal CEO: We “1,000% won’t participate” in UK law to weaken encryption by ActivePersona
Encryption in transit is HTTPS, that's not end to end.
What the bill is saying is we can't read your letters in the middle so we will read them over your shoulder instead. How comforting...
Prestigious_Push_947 t1_j9zop4q wrote
There are a lot more kinds of encryption in transit than HTTPS. Signal is absolutely not using HTTPS as the protocol to protect your messages in transit. That said, yes, the British proposal is wrong - as I said in my post. But if you're going to criticize them without understanding the proposal, you hurt the effort to counter it.
ArcherBoy27 t1_ja0g2bk wrote
I never suggested they were, just stated that only encryption in transit isn't e2ee. If it was, this wouldn't even be an issue in the first place. I understand the proposal just fine.
Prestigious_Push_947 t1_ja0pzke wrote
Okay, so you misunderstand what encryption in transit, E2EE or HTTPS are, got it. You know the words, but you don't actually understand any of them. E2EE is by definition encryption in transit. It is encryption from end to end, between two ends, whilst transiting between them. All E2EE is encryption in transit, though not all encryption in transit is E2EE.
HTTPS is just a kind of encryption in transit that protects HTTP traffic while it moves over the wire. There are lots of other protocols that provide encryption in transit for other cleartext protocols. You can even have multiple different ways to provide encryption in transit for different protocols. Signal provides encryption in transit for message traffic, and it only provides encryption in transit. It does not provide other types of encryption (i.e. encryption at rest) for your messages.
You don't understand the proposal, you don't understand even the very basics of any of this.
5thvoice t1_ja0wsaz wrote
Of course Signal encrypts data at rest. Why would they want other apps installed on your phone to be able to snoop on your messages?
Prestigious_Push_947 t1_ja1fuo9 wrote
You should look deeper into the app. It has been reported repeatedly that content is available on the endpoint either in cleartext or in a way that can be trivially recovered. Signal themselves have repeatedly stated that they do not intend to be secure against someone in control of the device. Their encryption on the device is not hardened, and it's not meant to be. They recommend using robust full-disk encryption to secure your messages at rest.
spektre t1_ja2m0hx wrote
What they are saying is that they can't protect against someone for example forcing you to unlock it, installing a keylogger, or taking screenshots of your conversations. Because that would be a pretty hard problem to solve.
ArcherBoy27 t1_ja3n0ub wrote
Relevant XKCD
Prestigious_Push_947 t1_ja4n234 wrote
No, this is not a relevant XKCD, you dunce.
ArcherBoy27 t1_ja4v4ju wrote
I'll agree to disagree.
Not sure there was a need to name call. Completely uncalled for. Comment with respect or not at all.
Prestigious_Push_947 t1_ja4nxer wrote
This really depends on a lot of scenarios. For example, if you use Signal for desktop on a Windows system without BitLocker, your message content can be recovered easily without forcing you to unlock the device or installing any kind of keylogger. If you have FDE enabled, but your device is unlocked, then your message content can be retrieved. No keylogger or additional tooling is necessary. Signal is as secure as your device is; it provides no additional security for your messages. They have repeatedly classified bug reports for weak local security as "Won't fix" because they are up front about the fact that their intent is ONLY to secure messages in transit.
ArcherBoy27 t1_ja2h05o wrote
Yes, I know. I was just stating "just" encryption in transit isn't E2EE (i.e. HTTPS).
E2EE is encrypted from end to end. From when it is written and saved on the source to when it is received and read on the destination. Anything except you that can read messages before you do, without your permission, and potentially send it off somewhere breaks E2EE, which is what they are proposing.
> It does not provide other types of encryption (i.e. encryption at rest) for your messages.
Going to need a source on that, no encryption at rest. Nothing I can find suggests that. I have found some claim it can be broken with physical device access but if the device itself is encrypted then it doesn't matter.
Prestigious_Push_947 t1_ja4max0 wrote
You're just speaking nonsense. You don't understand these concepts at all. I'm not sourcing anything for some high school kid who's taken one IT class and thinks they're hot shit b/c they know CIA. There are loads of people reporting "vulnerabilities" in Signal because the on-device data is trivially accessed. Signal's response is consistently and repeatedly that their intent is not to provide on-device security and that you should use FDE. This is a very easy Google search away for you.
ArcherBoy27 t1_ja4uvhh wrote
Great source, everywhere I could find didn't mention anything like that. You are giving me no reason to believe you.
No need to be aggressive, I asked for a source since I couldn't find one to match what you are saying.
Besides, this has nothing to do with client-side scanning, the reason Signal said what they said, at all.
Forget it, I'm not spending time with someone that can't be civil.