Bleeping Computer once again doing the absolute best job of compiling information about an issue.
There has been a long standing argument about Signal Desktop in my circles. Ranging from vague "don't use it" to a more nuanced "the desktop OS is weaker than the mobile device and therefore using it for secure comms is bad practice".
Given that the original issue was brought up as far back as 2018 I'm a little shocked it was vague at all. While infostealers are the hottest new topic in security (thanks Snowflake) the history of infiltration of a similar nature goes back decades. They're the reason that tools like Tails exist, because no system install that has been on a network, especially the internet, is worthy of trust when it comes to the highest levels of security. Airgapped systems exist for a reason.
All that being said, the idea that you'd have a database of all your Signal chats protected by the thinnest veil of security theater against local attacks is fairly awful. If your machine is ever compromised, or confiscated, that is a heck of a risk.
The article above mentions the complicated nature of the fix they're putting in, and how it is being phased in over time.
Signal is great, and you and your sources should use it appropriately. Turning on expiring messages, and using it on the most trustworthy devices you own is bare minimum for sensitive communications.
Comments