
Signal downplays encryption key flaw, fixes it after X drama
2024-07-11 20:49

Signal is finally tightening its desktop client's security by changing how it stores plain text encryption keys for the data store after downplaying the issue since 2018.

"The database key was never intended to be a secret. At-rest encryption is not something that Signal Desktop is currently trying to provide or has ever claimed to provide," responded the Signal employee.

Last week, mobile security researcher Tommy Mysk again warned on X not to use Signal Desktop because of the same security weakness we reported on in 2018.

While the solution would provide additional security for all Signal desktop users, the request lay dormant until last week's X drama.

While the new safeStorage implementation is tested, Signal also included a fallback mechanism that allows the program to decrypt the database using the legacy database decryption key.

"In addition to migrating to encrypted/keystore-backed local database encryption keys on supported platforms, our implementation also includes some additional troubleshooting steps and a temporary fallback option that will allow users to recover their message database using their legacy database encryption key if something goes wrong," explained Signal developer Jamie Kyle.


News URL

https://www.bleepingcomputer.com/news/security/signal-downplays-encryption-key-flaw-fixes-it-after-x-drama/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Signal 3 1 7 5 1 14