The developers of Signal are currently doing a user survey:
I told them that I really like the app but also that I would like:
a) Signal on @fdroidorg
b) a proper desktop client
c) no data stored in "secure enclaves"
Maybe you'd like to tell them, too?
I think that one of the biggest issues with #SecureEnclave|s is being forced to use them, @waterbear.
If they were optional, I would feel less uncomfortable using them. However, the current situation creates a compliance issue when using #Signal in a business environment in the EU, as the highest EU court has ruled that US servers cannot be considered #SafeHabour|s anymore.
Think their use isn't as secure as Signal suggests either. SGX isn't a secure enclave. It's using root-of-trust signing. If I'm not getting confused, all Intel CPUs have keys that can do SGX attestations. If you keep one from getting updated, while watching for and examining any updates they get, you may find a way in.
Alternatively just try hard to attack one, maybe an older, less secure design. Or an employee leaks the keys.
Signal is relying on this to increase security of the encryption on this metadata. It's running on servers they don't control.
They pretty much forced people into setting this up (couldn't use the app otherwise) without explaining properly what was going on.
The app offered a keypad, where users were highly likely to set up a weak PIN.
There's a whole load of SGX exploits been developed.