Comments (2)
> Anyone who can extract the `%AppData%` directory from a computer can silently follow any communication of the attacked person(s).

Is this actually the case? Because if the client is continued to be used, they should have the same keys, so both installations would share the server-queue, meaning all messages that arrive on one do not arrive anymore on the other because they are considered delivered. Not necessarily immediately obvious, but certainly not silent, unless I'm missing something here?
Aside from the fact that security issues starting with "if the attacker has full disk access" are generally difficult to impossible to defend against. At that point, there could be keyloggers deployed or the data in the app folder/the Signal installation used could simply be modified to disregard the fingerprinting mechanism altogether, because why would an attacker be doing this and then not go the extra mile to just patch that protection out on their own client? The data and the keys are there, after all.
So requiring the fingerprinting mechanism here seems to be an approach that would realistically only hit legitimate users, but would not constitute a reliable (if any) defense against a malicious actor?
from signal-desktop.
This isn't a security issue in Signal Desktop. As an application that runs on top of the base operating system layer, Signal cannot mitigate OS-level vulnerabilities or the complete compromise of your computer.
If someone has obtained access to your computer and is able to extract arbitrary files from the filesystem, they can indeed use that extraordinary level of access to do anything on your computer (or another computer) with the same level of access as you. It wouldn't be appropriate for a privacy-focused application like Signal to implement a form of DRM that profiled and collected detailed hardware information, nor would it be appropriate to upload a function of that hardware profile to a remote service. The Signal service is specifically designed to store as little information as possible.
The proposed approach likely wouldn't work under real-world conditions anyway, because any hypothetical attacker with the necessary level of unauthorized access to extract arbitrary files from a compromised device also likely has the ability to see all of the hardware on the compromised system. That attacker could then simply steal the authentication credentials and send a matching device fingerprint — either by mimicking the hardware or by compiling a custom client that simply reported the expected value to the service.
We don't use GitHub issues as a platform for discussions, but we encourage you to post on the community forum if you would like to continue the conversation there. Thanks for sharing your ideas!