pull down to refresh

It’s the desktop apps that are the issue. iOS and android perform proper sandboxing and I know macOS provides keychain APIs and the security model to provide pretty good sandboxing. It’s complex but they should’ve been using platform specific keychains for the desktop app. This is a rookie error.
100 sats \ 1 reply \ @Zk2u 6 Jul
So turns out electron (the tech that signal desktop is built on) has a safeStorage API that does exactly what I said. It uses the OS’s cryptography systems to store the keys to the db. Someone actually sent a PR implementing this but it seems to have been ignored. https://github.com/signalapp/Signal-Desktop/pull/6849
reply
13 sats \ 0 replies \ @Zk2u 8 Jul
Following up on this, yes macOS is generally the most secure option here. Windows’ keys use DPAPI, which protects keys from other users but not other apps, no different to Linux and what signal does here. macOS uses keychain which will stop apps from accessing other apps’ keychains even when on the same user. Generally Apple platform security is much higher than competitors and a much higher chance at fending off an attack than most systems
reply
Is this a Signal specific issue? Aren't there .ssh folders and config files with session tokens lying around everywhere on desktops?
reply
117 sats \ 1 reply \ @Zk2u 6 Jul
Not a signal specific issue. This is true. I personally use secretive instead for things like ssh keys.
reply
101 sats \ 0 replies \ @Zk2u 6 Jul
Link for those interested. https://github.com/maxgoedjen/secretive
reply