Viewing a single comment thread. View all comments

ArcherBoy27 t1_ja0g2bk wrote

I never suggested they were, just stated that only encryption in transit isn't e2ee. If it was, this wouldn't even be an issue in the first place. I understand the proposal just fine.


Prestigious_Push_947 t1_ja0pzke wrote

Okay, so you misunderstand what encryption in transit, E2EE or HTTPS are, got it. You know the words, but you don't actually understand any of them. E2EE is by definition encryption in transit. It is encryption from end to end, between two ends, whilst transiting between them. All E2EE is encryption in transit, though not all encryption in transit is E2EE.

HTTPS is just a kind of encryption in transit that protects HTTP traffic while it moves over the wire. There are lots of other protocols that provide encryption in transit for other cleartext protocols. You can even have multiple different ways to provide encryption in transit for different protocols. Signal provides encryption in transit for message traffic, and it only provides encryption in transit. It does not provide other types of encryption (i.e. encryption at rest) for your messages.

You don't understand the proposal, you don't understand even the very basics of any of this.


5thvoice t1_ja0wsaz wrote

Of course Signal encrypts data at rest. Why would they want other apps installed on your phone to be able to snoop on your messages?


Prestigious_Push_947 t1_ja1fuo9 wrote

You should look deeper into the app. It has been reported repeatedly that content is available on the endpoint either in cleartext or in a way that can be trivially recovered. Signal themselves have repeatedly stated that they do not intend to be secure against someone in control of the device. Their encryption on the device is not hardened, and it's not meant to be. They recommend using robust full-disk encryption to secure your messages at rest.


spektre t1_ja2m0hx wrote

What they are saying is that they can't protect against someone for example forcing you to unlock it, installing a keylogger, or taking screenshots of your conversations. Because that would be a pretty hard problem to solve.


Prestigious_Push_947 t1_ja4nxer wrote

This really depends on a lot of scenarios. For example, if you use Signal for desktop on a Windows system without Bitlocker, your message content can be recovered easily without forcing you to unlock the device or installing any kind of keylogger. If you have FDE enabled, but your device is unlocked, then your message content can be retrieved. No keylogger or additional tooling is necessary. Signal is as secure as your device is, it provides no additional security for your messages. They have repeatedly classified bug reports for weak local security as "Won't fix" because they are up front about the fact that their intent is ONLY to secure messages in transit.


ArcherBoy27 t1_ja2h05o wrote

Yes I know. I was just stating "just" encryption in transit isn't E2EE (I.e. https).

E2ee is encrypted from end to end. From when it is written and saved on the source to when it is received and read on the destination. Anything except you that can read messages before you do, without your permission, and potentially send it off somewhere breaks E2EE, which is what they are proposing.

> It does not provide other types of encryption (i.e. encryption at rest) for your messages.

Going to need a source on that, no encryption at rest. Nothing I can find suggests that. I have found some claim it can be broken with physical device access but if the device itself is encrypted then it doesn't matter.


Prestigious_Push_947 t1_ja4max0 wrote

You're just speaking nonsense. You don't understand these concepts at all. I'm not sourcing anything for some high school kid who's taken one IT class and thinks they're hot shit b/c they know CIA. There are loads of people reporting "vulnerabilities" in Signal because the on-device data is trivially accessed. Signal's response is consistently and repeatedly that their intent is not to provide on-device security and that you should use FDE. This is a very easy Google search away for you.


ArcherBoy27 t1_ja4uvhh wrote

Great source, everywhere I could find didn't mention anything like that. You are giving me no reason to believe you.

No need to be aggressive, I asked for a source since I couldn't find one to match what you are saying.

Besides this has nothing to do with client side scanning, the reason signal said what they said, at all.

Forget it, I'm not spending time with someone that can't be civil.