264
Signal downplays encryption key flaw, fixes it after X drama (www.bleepingcomputer.com)
submitted 4 months ago by dvdnet62@feddit.nl to c/technology@lemmy.world
23 comments fedilink hide all child comments
all 24 comments
sorted by: hot top controversial new old
[-] quantumcog@sh.itjust.works 185 points 4 months ago* (last edited 4 months ago)

I understand Signal's stance on this. For this vulnerability, the attacker needs physical access to computer. If the attacker has already gained physical access, the attacker can already access your messages, crypto wallets, password managers.

Many password managers also have this flaw. For example, Someone can change Keepass master password if the user is already logged in to the session, if they have physical access to the PC and lock you out of all your accounts.

[-] thurstylark@lemm.ee 13 points 4 months ago

Yeah, this is why I added a hardware key to my db. The hardware key is required not just for reading the db, but writing to it as well.

Another tip: use something like an OnlyKey that has its own locking and self-destruct mechanisms so this method isn't foiled by simply acquiring the key.

[-] uiiiq@lemm.ee 10 points 4 months ago

They don’t need physical access (hold the device in their hand), they just need a command execution, which is a much lower bar. I expect some defence in depth for an application that holds some of the most private information there is about me.

[-] quantumcog@sh.itjust.works 35 points 4 months ago* (last edited 4 months ago)

The argument still holds. If they have remote execution access, they already have your data. Encryption can't protect your data here because encrypted data will automatically become unencrypted once the user logs into the computer. If the attacker has remote access they can log into your account and the data will be unencrypted.

[-] ooterness@lemmy.world 7 points 4 months ago* (last edited 4 months ago)

No, defense in depth is still important.

It's true that full-disk encryption is useless against remote execution attacks, because the attacker is already inside that boundary. (i.e., As you say, the OS will helpfully decrypt the file for the attacker.)

However, it's still useful to have finer-grained encryption of specific files. (Preferably in addition to full-disk encryption, which remains useful against other attack vectors.) i.e., Prompt the user for a password when the program starts, decrypt the data, and hold it in RAM that's only accessible to that running process. This is more secure because the attacker must compromise additional barriers. Physical access is harder than remote execution with root, which is harder than remote execution in general.

[-] sudneo@lemm.ee 4 points 4 months ago

You don't need root (dump memory). You need the user password or to control the binary. Both of them relatively easy if you have user access. For example, change ENV variable to point to a patched binary first, spoof the password prompt, and then continue execution as the normal binary does.

[-] ooterness@lemmy.world 1 points 4 months ago* (last edited 4 months ago)

Sure, but there's still no excuse for "store the password in plaintext lol". Once you've got user access, files at rest are trivial to obtain.

You're proposing what amounts to a phishing attack, which is more effort, more time, and more risk. Anything that forces the attacker to do more work and have more chances to get noticed is a step in the right direction. Don't let perfect be the enemy of good.

[-] sudneo@lemm.ee 2 points 4 months ago

I am not proposing anything actually, I am implying that this change won't modify the threat model in any substantial way. Your comment implied that it kind of did, requiring root access - which is a slightly different tm, not so much on single user machines..

So my point is that "The data is safe until your user password is safe" is a very tiny change compared to "your data is safe until your device is safe". There are tons of ways to get the password once you have local access, and what I strongly disagree with is that it requires more work or risk. A sudo fake prompt requires a 10-lines bash script since you control the shell configuration, for example. And you don't even need to phish, you can simply create a SUID shell and use "sudo chmod +s shell" to any local configuration or script where the user runs a sudo command, and you are root, or you dump the keyring or...etc. Likewise, 99.9% of the users don't run integrity monitoring tools, or monitor and restrict egress access, so these attacks simply won't be noticed.

So what I am saying is that an encrypted storage is better than a plaintext storage for the key, but if this requires substantial energies from the devs that could have been put on work that substantially improved the security posture, it is a net negative in terms of security (I don't know if it is the case), and that nobody after this change should feel secure about their signal data in case their device would be compromised.

[-] partial_accumen@lemmy.world 7 points 4 months ago

For example, Someone can change Keepass master password if the user is already logged in to the session, if they have physical access to the PC and lock you out of all your accounts.

This seems like easy fix is available. On Windows, Access Shadow copies, restore previous version from $DayBeforeLockout. Or on Linux, specific file systems have automatic volume level snapshotting available. Or on either...restore the keepass file from a backup before the change.

[-] quantumcog@sh.itjust.works 4 points 4 months ago

Yeah, I know about this. That's why backups are so important.

[-] eager_eagle@lemmy.world 87 points 4 months ago* (last edited 4 months ago)

The whole drama seems to be pushing for Electron's safeStorage API, which uses a device's secrets manager. But aren't secrets stored there still accessible when the machine is unlocked anyway? I'm not sure what this change accomplishes other than encryption at rest with the device turned off - which is redundant if you're using full disk encryption.

I don't think they're downplaying it, it just doesn't seem to be this large security concern some people are making it to be.

This is like the third time in the past two months I've seen someone trying to spread FUD around Signal.

[-] priapus@sh.itjust.works 35 points 4 months ago

Yeah they are, this problem is super overblown. Weirdly I've seen articles about this coming up for other apps too, like the ChatGPT app for MacOS storing conversation history in plain text on the device. Weird that this is suddenly a problem.

If someone wants better security, the can use full disk encryption and encrypt their home directory and unlock it on login.

[-] mp3@lemmy.ca 10 points 4 months ago* (last edited 4 months ago)

Security comes in layers, still better than storing the keys in plaintext, and FDE is also important.

[-] GamingChairModel@lemmy.world 8 points 4 months ago

But aren't secrets stored there still accessible when the machine is unlocked anyway?

I think the OS prevents apps from accessing data in those keychains, right? So there wouldn't be an automated/scriptable way to extract the key in as easy of a way.

[-] eager_eagle@lemmy.world 4 points 4 months ago

But that's the thing: I haven't found anything that indicates it can differentiate a legitimate access from a dubious one; at least not without asking the user to authorize it by providing a password and causing the extra inconvenience.

If the wallet asked the program itself for a secret - to verify the program was legit and not a malicious script - the program would still have the same problem of storing and retrieving that secret securely; which defeats the use of a secret manager.

[-] GamingChairModel@lemmy.world 1 points 4 months ago

I haven't found anything that indicates it can differentiate a legitimate access from a dubious one

It's not about legitimate access versus illegitimate access. As I understand it, these keychains/wallets can control which specific app can access any given secret.

It's a method of sandboxing different apps from accessing the secrets of other apps.

In function, browser access to an item can be problematic because browsers share data with the sites that it visits, but that's different from a specific app, hardcoded to a specific service being given exclusive access to a key.

[-] eager_eagle@lemmy.world 2 points 4 months ago* (last edited 4 months ago)

upon reading a bit how different wallets work, it seems macos is able to identify the program requesting the keychain access when it's signed with a certificate - idk if that's the case for signal desktop on mac, and I don't know what happens if the program is not signed.

As for gnome-keyring, they ackowledge that doing it on Linux distros this is a much larger endeavor due to the attack surface:

An active attack is where the attacker can change something in your security context. In the context of gnome-keyring an active attacker would have access to your user session in some way. An active attacker might install an application on your computer, display a window, listen into the X events going to another window, read through your memory, snoop on you from a root account etc.

While it'd be nice for gnome-keyring to someday be hardened against active attacks originating from the user's session, the reality is that the free software "desktop" today just isn't architected with those things in mind. We need completion and integration things like the following. Kudos to the great folks working on parts of this stuff:

- Trusted X (for prompting)
- Pervasive use of security contexts for different apps (SELinux, AppArmor)
- Application signing (for ACLs)

We're not against the goal of protecting against active attacks, but without hardening of the desktop in general, such efforts amount to security theater.

Also

An example of security theater is giving the illusion that somehow one application running in a security context (such as your user session) can keep information from another application running in the same security context.

In other words, the problem is beyond the scope of gnome-keyring. Maybe now with diffusion of Wayland and more sandboxing options reducing this context becomes viable.

[-] AProfessional@lemmy.world 1 points 4 months ago

You are absolutely correct. This can help in a world where every app is well sandboxed (thus can be reliably identified and isolated).

[-] woelkchen@lemmy.world 8 points 4 months ago

This is like the third time in the past two months I’ve seen someone trying to spread FUD around Signal.

If any other messenger had the same issue, Moxie Marlinspike and fans would have an outcry on biblical proportions.

[-] whostosay@lemmy.world 10 points 4 months ago

They do

[-] pewgar_seemsimandroid 23 points 4 months ago

xz? twitter? x11? placeholder?

[-] Tja@programming.dev 11 points 4 months ago

It's an equation. One of those "left for the reader". Please start solving it.

this post was submitted on 12 Jul 2024
264 points (100.0% liked)

Technology

59475 readers
3254 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
L3s@fry.gs
L4s@fry.gs
L4s@lemmy.world
enu@lemmy.world