#Signalapp doesn't actually delete messages when they're deleted (either manually or by automation).
-
@harrysintonen
> This concerns use cases where deleting messages actually getting removed in timely manner is of high importance and recovery of the deleted messages could lead to grave consequences.
> TL;DR: If you don't care about deleted messages being actually deleted you don't need to worry.
But this is the main selling point of Signal's Perfect Forward Secrecy that everyone says is so important and nobody should use a messenger without it...
PFS isn't really about security in the normal sense, it's about the data transmitted being ephemeral and irrecoverable through cryptographic guarantees. That's why DeltaChat's upcoming implementation will not use the PFS terminology but will be called "reliable deletion".
So now we have another case of Signal's PFS being broken: first through the iOS notification database not being cleared properly, now through MacOS not actually removing the deleted messages from the database.
I think people need to stop trusting Signal's word and start demanding detailed proof that their security promises hold up on every platform.@feld @harrysintonen
DeltaChat's decision of renaming PFS to "reliable deletion" was quite dumb, as it led to at least several people I know thinking they are working on message deletion UX/getting rid of bug with messages not deleting visually on recepient's device, as it's unclear from the name that this is a cryptographic feature. -
@feld @harrysintonen
DeltaChat's decision of renaming PFS to "reliable deletion" was quite dumb, as it led to at least several people I know thinking they are working on message deletion UX/getting rid of bug with messages not deleting visually on recepient's device, as it's unclear from the name that this is a cryptographic feature.@tiredbun @harrysintonen it's not worse than the terrible PFS naming convention -
@feld @harrysintonen
DeltaChat's decision of renaming PFS to "reliable deletion" was quite dumb, as it led to at least several people I know thinking they are working on message deletion UX/getting rid of bug with messages not deleting visually on recepient's device, as it's unclear from the name that this is a cryptographic feature.@tiredbun @harrysintonen
> message deletion UX/getting rid of bug with messages not deleting visually on recepient's device
also is this a reported bug? I've never heard of it and never experienced it. Messages always delete successfully when done manually or with the expiration timer set on a chat. -
@tiredbun @harrysintonen it's not worse than the terrible PFS naming convention@feld @harrysintonen PFS at least is recognizable by someone who heard of it, which is why I am critical of changing to another name that still causes confusion but this time to everyone, instead of only people that didn't know what is PFS.
(The bug I only heard in passing by people misunderstanding the announcement, not sure if it's reported) -
@feld @harrysintonen PFS at least is recognizable by someone who heard of it, which is why I am critical of changing to another name that still causes confusion but this time to everyone, instead of only people that didn't know what is PFS.
(The bug I only heard in passing by people misunderstanding the announcement, not sure if it's reported)@tiredbun @harrysintonen but the problem is that nobody actually knows what PFS is except the people who designed it. Everyone uses the terminology wrong. There's so focused on "if someone captures network traffic, they can't decrypt messages with a leaked key" -- but that's only half the story. The entire point is that anything you delete cannot be recovered no matter who captures what. That's why "Reliable Deletion" is a more user-friendly name.
And then there's the problem of sometimes it only being called Forward Secrecy instead of Perfect Forward Secrecy... -
@harrysintonen I'd have a different recommendation for the vendor: Stop trying to pretend disappearing messages are a thing.
Signal has backups. Revocation from old backups is a very hard problem that they don't even try to store.
With the old backup model, each day got a completely new snapshot of all messages and media. If any participant in a chat has backups turned on and doesn't clean out their old backups, disappearing messages are recoverable at an arbitrary point in the future.
The newer backup is similar, each day generates a new snapshot of all messages, it's just that they reference media that are backed up separately.
And that's assuming everyone is using the official client. But any user using a different client may simply choose not to delete them.
I have one chat where I set deleting messages to try to encourage people to write discussions up elsewhere, I wouldn't use it as a security or privacy feature and I think it's quite misleading that Signal pretends that it is either.
@david_chisnall @harrysintonen
Before:
"does it have PFS? I can't trust this software if it doesn't have PFS"
Now:
"well, PFS doesn't actually matter because people can have plaintext backups"
We knew this all along but allowed security thought leaders to gain traction and convince the masses otherwise. It's rather disappointing because this is a pattern of behavior between tech folks and their layman audiences.
We need to find a way to make the rational voices louder -
#Signalapp doesn't actually delete messages when they're deleted (either manually or by automation). The message deletion is written to Write-ahead Log, and the data is only truly deleted once Signal is restarted or threshold of 1000 pages is reached. For macOS Signal application, extra complication arises from the fact that the signal message database can be backed up before the database consolidation occurs. Large amount of the supposedly already deleted messages could be recovered from the device or backups.
This concerns use cases where deleting messages actually getting removed in timely manner is of high importance and recovery of the deleted messages could lead to grave consequences.
TL;DR: If you don't care about deleted messages being actually deleted you don't need to worry.
Full advisory at: https://sintonen.fi/advisories/signal-deleted-but-not-forgotten.txt
@harrysintonen thanks. thanks especially for making this easy to understand for someone who doesn't program or has studied infosec. this is terrible and i am very disappointed in signal. i may research if a different client like molly is somewhat more trustworthy at this point (even if i'm aware a different client cannot fix server side issues)
-
#Signalapp doesn't actually delete messages when they're deleted (either manually or by automation). The message deletion is written to Write-ahead Log, and the data is only truly deleted once Signal is restarted or threshold of 1000 pages is reached. For macOS Signal application, extra complication arises from the fact that the signal message database can be backed up before the database consolidation occurs. Large amount of the supposedly already deleted messages could be recovered from the device or backups.
This concerns use cases where deleting messages actually getting removed in timely manner is of high importance and recovery of the deleted messages could lead to grave consequences.
TL;DR: If you don't care about deleted messages being actually deleted you don't need to worry.
Full advisory at: https://sintonen.fi/advisories/signal-deleted-but-not-forgotten.txt
Isn't deleting not truly deleting an unavoidable issue due to stuff like cpu caches?
-
@david_chisnall @harrysintonen while obviously true in the sense of "you cannot control information that leaves your hands", there are other purposes for deleting messages, like "protect myself/others if my hardware is stolen". in that kind of scenario you *do* control the data you care about, and choose the app.
I do wish it was presented differently though. it's practically a fad at this point, with loads of deeply misleading implementations, and misconceptions from one source get carried over to others
@groxx
The other day I sent my sister a view-once picture on Signal and she took a screenshot of it. What's even the point of that feature?
@david_chisnall @harrysintonen -
#Signalapp doesn't actually delete messages when they're deleted (either manually or by automation). The message deletion is written to Write-ahead Log, and the data is only truly deleted once Signal is restarted or threshold of 1000 pages is reached. For macOS Signal application, extra complication arises from the fact that the signal message database can be backed up before the database consolidation occurs. Large amount of the supposedly already deleted messages could be recovered from the device or backups.
This concerns use cases where deleting messages actually getting removed in timely manner is of high importance and recovery of the deleted messages could lead to grave consequences.
TL;DR: If you don't care about deleted messages being actually deleted you don't need to worry.
Full advisory at: https://sintonen.fi/advisories/signal-deleted-but-not-forgotten.txt
@harrysintonen interesting. Wondering why @signalapp choose for this approach to delete messages.
Absolutely loved seeing KENSENTME in the explanation. Leasure Suit Larry brought back to live!
-
@harrysintonen
> This concerns use cases where deleting messages actually getting removed in timely manner is of high importance and recovery of the deleted messages could lead to grave consequences.
> TL;DR: If you don't care about deleted messages being actually deleted you don't need to worry.
But this is the main selling point of Signal's Perfect Forward Secrecy that everyone says is so important and nobody should use a messenger without it...
PFS isn't really about security in the normal sense, it's about the data transmitted being ephemeral and irrecoverable through cryptographic guarantees. That's why DeltaChat's upcoming implementation will not use the PFS terminology but will be called "reliable deletion".
So now we have another case of Signal's PFS being broken: first through the iOS notification database not being cleared properly, now through MacOS not actually removing the deleted messages from the database.
I think people need to stop trusting Signal's word and start demanding detailed proof that their security promises hold up on every platform.@feld @harrysintonen Who has been conflating cryptographic guarantees and message deletion?
Genuine question; I haven't been following mass media or social media discourse over secure messengers. Has Signal been saying that their disappearing messages are better than those of other messengers because of how they are encrypted in transit?
-
@feld @harrysintonen Who has been conflating cryptographic guarantees and message deletion?
Genuine question; I haven't been following mass media or social media discourse over secure messengers. Has Signal been saying that their disappearing messages are better than those of other messengers because of how they are encrypted in transit?
@clacke @harrysintonen no, that's just the standard consensus in the security community: PFS is meaningless if you don't also have expiring messages to close the backdoor access to those messages. So it's implied. But nobody wants to look too deeply into how flawed this logic is.
First it was push notifications. "We'll encrypt them so Google/Apple can't see them or hand them to the Feds"
Okay. But what about the other plaintext traces on the device like the iOS notification database because you still opted to display sensitive information outside control of the app anyway? Oops iOS was a leak...
PFS is like protecting a secret you have from spreading. It doesn't work if you involve too many people. Signal's centralization is pretty important for ratcheting to support it in large groups IIRC. But you can't know if someone in the group is breaking the trust through backups or if they're a mole anyway. You have to keep the group as small as possible and it should be people you know and can trust for this to work right. You need careful coordination to manage and guard the secret information properly. This doesn't work for the general public. PFS makes promises it can't deliver if your design allows any leaks. This means:
- no notifications can expose anything about the contents of the messages
- backups should never be allowed
- software needs to do extra work to ensure deletion events are handled carefully and all traces of the original data are scrubbed everywhere
Signal didn't want to do the first two and failed at the third
But security thought leaders have convinced their security-conscious laymen followers that PFS has more importance than those three items, when those are highly likely attack vectors and capture-and-decrypt-later attacks are basically a myth.
If Signal did those three and had no PFS it would be more secure than it is now... -
@groxx
The other day I sent my sister a view-once picture on Signal and she took a screenshot of it. What's even the point of that feature?
@david_chisnall @harrysintonen@nunesgh @groxx @david_chisnall @harrysintonen the argument against screenshot blocking is that it's not hard to overcome and enabling it will create a false sense of security.
most people i know use those pictures as a gentle "this is not for sharing" reminder. for example (real-life one), a friend asking if a new bra looks good on them. it's a matter of trust. -
@harrysintonen I'd have a different recommendation for the vendor: Stop trying to pretend disappearing messages are a thing.
Signal has backups. Revocation from old backups is a very hard problem that they don't even try to store.
With the old backup model, each day got a completely new snapshot of all messages and media. If any participant in a chat has backups turned on and doesn't clean out their old backups, disappearing messages are recoverable at an arbitrary point in the future.
The newer backup is similar, each day generates a new snapshot of all messages, it's just that they reference media that are backed up separately.
And that's assuming everyone is using the official client. But any user using a different client may simply choose not to delete them.
I have one chat where I set deleting messages to try to encourage people to write discussions up elsewhere, I wouldn't use it as a security or privacy feature and I think it's quite misleading that Signal pretends that it is either.
@david_chisnall @harrysintonen to be fair, if you read what Signal writes about disappearing messages, they're presented as a cleanup tool, and deliberately not as a security tool.
https://support.signal.org/hc/en-us/articles/360007320771-Set-and-manage-disappearing-messages -
@nunesgh @groxx @david_chisnall @harrysintonen the argument against screenshot blocking is that it's not hard to overcome and enabling it will create a false sense of security.
most people i know use those pictures as a gentle "this is not for sharing" reminder. for example (real-life one), a friend asking if a new bra looks good on them. it's a matter of trust.@nunesgh @groxx @david_chisnall @harrysintonen to be clear, if there were a good way to do screenshot blocking i'd be in favour of such a feature. i'm just not convinced that such a way exists.
-
@nunesgh @groxx @david_chisnall @harrysintonen to be clear, if there were a good way to do screenshot blocking i'd be in favour of such a feature. i'm just not convinced that such a way exists.
@Yuvalne @nunesgh @groxx @david_chisnall @harrysintonen Yeah, Signal's screenshot-blocking has always struck me as dangerous. If I only used it on desktop on Windows (where it does block screenshots), I'd assume everyone else was blocked from screenshotting lik eme. Yet on my Android phone or on the Linux VM on my Chromebook, I can screenshot things just fine. It's also just inconsistent UX, for no clear reason, given that at least on Android you *can* block screenshots.
-
@Yuvalne @nunesgh @groxx @david_chisnall @harrysintonen Yeah, Signal's screenshot-blocking has always struck me as dangerous. If I only used it on desktop on Windows (where it does block screenshots), I'd assume everyone else was blocked from screenshotting lik eme. Yet on my Android phone or on the Linux VM on my Chromebook, I can screenshot things just fine. It's also just inconsistent UX, for no clear reason, given that at least on Android you *can* block screenshots.
@tamzin @nunesgh @groxx @david_chisnall @harrysintonen Signal offers screenshot blocking *on your device*, the same way it offers incognito keyboard mode on your device. the assumption for those two is that you aren't trying to overcome privacy measures put there by yourself, not that you can force them on anyone else.
-
@tamzin @nunesgh @groxx @david_chisnall @harrysintonen Signal offers screenshot blocking *on your device*, the same way it offers incognito keyboard mode on your device. the assumption for those two is that you aren't trying to overcome privacy measures put there by yourself, not that you can force them on anyone else.
@tamzin @nunesgh @groxx @david_chisnall @harrysintonen and the reason it blocks screenshot on Windows by default is that's the only way to guarantee Recall is also blocked. Windows is the only platform where screenshot blocking on your own end is enabled by default.
-
@tychotithonus @harrysintonen
Seconded. This sort of thing is not surprising to me given Apple's and MS's design philosophy. Is this also the case on Android and Linux?And it occurs to me a feature I wish Signal already had was something reporting whether the other person I am corresponding with is using actual Signal and whether they are backing up messages.
It's been hard to miss that many prosecutions mention Signal messages recovered from the other end of the person's conversations.
@ohmu @tychotithonus @harrysintonen
> is this also the case on Android and Linux?i suspect it's a desktop thing in general, and that Android by doing a lot more committing should be safer on that front, but i'm not an expert on the matter so i may be wrong. desktop in general is more open than the mobile apps, like the time it was discovered possible to locally change attachments on the desktop app if, well, you have full local over said desktop... (was solved since btw)
-
@ohmu @tychotithonus @harrysintonen
> is this also the case on Android and Linux?i suspect it's a desktop thing in general, and that Android by doing a lot more committing should be safer on that front, but i'm not an expert on the matter so i may be wrong. desktop in general is more open than the mobile apps, like the time it was discovered possible to locally change attachments on the desktop app if, well, you have full local over said desktop... (was solved since btw)
@ohmu @tychotithonus @harrysintonen
also desktop does have better encryption at rest nowadays so it's not like every process on your device can read deleted messages.
https://community.signalusers.org/t/signal-stores-encryption-key-in-plain-text-on-desktop-client-s/61675/53
Android doesn't have encryption at rest and relies on the containerisation Android naturally does (if you also want encryption at rest you should use Molly) but as mentioned should not have this deletion issue.
i'm even less familiar with iOS but it should be similar to Android i think.
