The developers of Signal are currently doing a user survey:

I told them that I really like the app but also that I would like:
a) Signal on @fdroidorg
b) a proper desktop client
c) no data stored in "secure enclaves"

Maybe you'd like to tell them, too?


I think that one of the biggest issues with #SecureEnclave|s is being forced to use them, @waterbear.
If they were optional, I would feel less uncomfortable using them. However, the current situation creates a compliance issue when using #Signal in a business environment in the EU, as the highest EU court has ruled that US servers cannot be considered #SafeHabour|s anymore


Think their use isnt as secure as signal suggests either. SGX isnt a secure enclave. Its using root-of-trust signing. If I'm not getting confused all Intel CPUs have keys that can do SGX attestations. If you keep one from getting updated, while watching for and examining any updates they get, may find a way in.
Alternatively just try hard to attack one, maybe an older, less secure design. Or an employee leaks the keys.

@waterbear @__h2__ @fdroidorg

Signal is relying on this to increase security of the encryption on this metadata. Its running on servers they don't control

They pretty much forced people into setting this up (couldnt use the app otherwise)without explaining properly what was going on

The app offered a keypad - where users were highly likely to set up a weak pin

Could of easily included all this data in existing backups, which use a secure passphrase that the app assigns @waterbear @__h2__ @fdroidorg

Sign in to participate in the conversation

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!