
988 points keyboardJones | 4 comments
elvisloops No.45170770
I can't believe Signal is doing this.

Signal is known for its cutting-edge cryptographic protocol, but this feature has the effect of throwing that out the window and replacing it with a single static key. If a device with this enabled goes through the whole advanced protocol to receive a message (double ratcheting etc.), then turns around and uploads it back to Signal’s servers with a static key, isn't that a roundabout way of replacing all of Signal's protocol and its forward secrecy with a static key that has no forward secrecy?

They’re calling it "opt-in," but it doesn't look like that's actually true? You can’t know whether someone you’re talking to -- who may not understand the implications -- has enabled it. In group chats, it looks like a single person turning it on eliminates the Signal protocol for everyone in the chat.

Based on this post, the only way to actually opt out of this is to force disappearing messages to be enabled for a time under 24 hours for every chat, which is pretty frustrating.

Signal already lags other messengers in reliability, speed, and features. The reason people use it is for its uncompromising security. Shipping something that weakens that foundation undermines the reason people use Signal.

Marsymars No.45170831
> They’re calling it "opt-in," but it doesn't look like that's actually true? You can’t know whether someone you’re talking to -- who may not understand the implications -- has enabled it. In group chats, it looks like a single person turning it on eliminates signal protocol for everyone in the chat.

TBF Signal already supports automated key-protected backup (and has for years), it's just stored on-device, but there's no way to know what the other party is doing with that on-device backup.

elvisloops No.45170880
There's a big difference to me between storing it on device and someone else's servers.
Marsymars No.45170950
Sure, but you already have no way of knowing which one the other parties in your chats are doing.

I already sync my Signal backups to the cloud, because that's the most practical and time/cost-effective way to have a 3-2-1 backup system for my chats.

elvisloops No.45171074
There's a difference between someone in your chats acting adversarially and Signal supporting/encouraging adversarial behavior as part of the way the app works. If Signal published a change to the protocol that removed forward secrecy, we wouldn't consider it a non-event and say "well, anyone could screenshot messages anyway," even though that may be true. They're calling this "secure backups," but in truth it appears to reduce security.
joshjob42 No.45171172
I don't think it's appropriate to call someone you're talking to with disappearing messages turned off making a backup of the conversation so they have the (non-disappearing) message history if they drop their phone in a lake as "adversarial behavior".

If you don't want them to have a history only communicate via disappearing messages.

elvisloops No.45171577
This post says disappearing messages are included in the backups. You have to enable disappearing messages with a timer of less than 24 hours to ensure that you can opt out.
joshjob42 No.45171991
Sure, but the backup happens each day and then gets overwritten/deleted when the next day's backup happens (which then deletes the disappearing messages that are expiring express the next backup). It just ensures you have access to any messages that you’re supposed to have access to according to the timers on said messages.
elvisloops No.45175409
That's not how forward secrecy works. Ciphertext isn't "deleted" unless the key used to encrypt it is also deleted. That's the point of Signal's cutting edge protocol. This undoes all of that.
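The forward-secrecy point argued in this thread, as an added toy illustration that is not Signal's code or protocol: a plain hash ratchet and a throwaway XOR keystream stand in for the double ratchet and a real AEAD, and all messages and keys are constructed. It shows why leaking a device's current ratchet state does not expose earlier ciphertexts, while leaking one static key used to re-encrypt the received plaintexts exposes all of them.

```python
import hashlib
import hmac

# Constructed sample traffic; messages kept >8 bytes so a wrong key cannot
# accidentally decrypt to one of them in the forward-secrecy check below.
MESSAGES = [b"hello there", b"meet at noon", b"bring the docs"]

def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step (HMAC-SHA256); the input key is not recoverable."""
    return hmac.new(key, label, hashlib.sha256).digest()

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHAKE-256 keystream (same call decrypts)."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

class SymmetricRatchet:
    """Hash ratchet: message key i comes from chain key i, which is then replaced
    by chain key i+1. Used keys are dropped, so past keys cannot be rederived."""
    def __init__(self, root: bytes):
        self.chain_key = root
    def next_message_key(self) -> bytes:
        msg_key = kdf(self.chain_key, b"msg")
        self.chain_key = kdf(self.chain_key, b"chain")  # old chain key is gone
        return msg_key

def exchange(root: bytes):
    """Encrypt each message under a fresh ratchet key; return the ciphertexts and
    the chain key left on the device afterwards (what a later compromise sees)."""
    sender = SymmetricRatchet(root)
    cts = [xor_stream(sender.next_message_key(), m) for m in MESSAGES]
    return cts, sender.chain_key

def forward_secrecy_holds(root: bytes, lookahead: int = 64) -> bool:
    """Holding only the post-exchange chain key yields future keys, never past
    ones, so the earlier ciphertexts stay unreadable."""
    cts, leaked_chain_key = exchange(root)
    attacker = SymmetricRatchet(leaked_chain_key)
    future_keys = [attacker.next_message_key() for _ in range(lookahead)]
    return not any(xor_stream(k, ct) in MESSAGES for k in future_keys for ct in cts)

def static_backup_exposes_all(root: bytes, backup_key: bytes) -> bool:
    """Re-encrypting received plaintexts under one static key: whoever obtains that
    key later reads every message, whatever ratchet protected them in transit."""
    cts, _ = exchange(root)
    receiver = SymmetricRatchet(root)
    plaintexts = [xor_stream(receiver.next_message_key(), ct) for ct in cts]
    backup = [xor_stream(backup_key, p) for p in plaintexts]  # the uploaded copy
    return [xor_stream(backup_key, b) for b in backup] == MESSAGES
```

Both checks return True with any 32-byte root and backup key; the ratchet's one-way step is what makes the first hold, and the single reusable key is what makes the second hold.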