The developers of Signal are currently doing a user survey:

surveys.signalusers.org/s3

I told them that I really like the app but also that I would like:
a) Signal on @fdroidorg
b) a proper desktop client
c) no data stored in "secure enclaves"

Maybe you'd like to tell them, too?

#freeyourandroid
#freesoftware
#android

Folgen

I think that one of the biggest issues with |s is being forced to use them, @waterbear.
If they were optional, I would feel less uncomfortable using them. However, the current situation creates a compliance issue when using in a business environment in the EU, as the highest EU court has ruled that US servers cannot be considered |s anymore
@__h2__
@fdroidorg

@tetrapyloctomist

Think their use isnt as secure as signal suggests either. SGX isnt a secure enclave. Its using root-of-trust signing. If I'm not getting confused all Intel CPUs have keys that can do SGX attestations. If you keep one from getting updated, while watching for and examining any updates they get, may find a way in.
Alternatively just try hard to attack one, maybe an older, less secure design. Or an employee leaks the keys.

1/2
@waterbear @__h2__ @fdroidorg

@tetrapyloctomist
Signal is relying on this to increase security of the encryption on this metadata. Its running on servers they don't control

They pretty much forced people into setting this up (couldnt use the app otherwise)without explaining properly what was going on

The app offered a keypad - where users were highly likely to set up a weak pin

Could of easily included all this data in existing backups, which use a secure passphrase that the app assigns @waterbear @__h2__ @fdroidorg

Melde dich an, um an der Konversation teilzuhaben
muenchen.social - Die erste Mastodon Instanz für München

Hallo auf muenchen.social Dies ist eine deutschsprachige Mastodon Instanz für München zum tröten, neue Leute kennenlernen, sich auszutauschen und Spass zu haben. +++ Bitte beachtet, dass derzeitig keine Neuregistrierungen mit gmail.com Adressen angenommen werden. +++