@clacke @harrysintonen no, that's just the standard consensus in the security community: PFS is meaningless if you don't also have expiring messages to close the backdoor access to those messages. So it's implied. But nobody wants to look too deeply into how flawed this logic is.
First it was push notifications. "We'll encrypt them so Google/Apple can't see them or hand them to the Feds"
Okay. But what about the other plaintext traces on the device like the iOS notification database because you still opted to display sensitive information outside control of the app anyway? Oops iOS was a leak...
PFS is like protecting a secret you have from spreading. It doesn't work if you involve too many people. Signal's centralization is pretty important for ratcheting to support it in large groups IIRC. But you can't know if someone in the group is breaking the trust through backups or if they're a mole anyway. You have to keep the group as small as possible and it should be people you know and can trust for this to work right. You need careful coordination to manage and guard the secret information properly. This doesn't work for the general public. PFS makes promises it can't deliver if your design allows any leaks. This means:
- no notifications can expose anything about the contents of the messages
- backups should never be allowed
- software needs to do extra work to ensure deletion events are handled carefully and all traces of the original data are scrubbed everywhere
Signal didn't want to do the first two and failed at the third
But security thought leaders have convinced their security-conscious laymen followers that PFS has more importance than those three items, when those are highly likely attack vectors and capture-and-decrypt-later attacks are basically a myth.
If Signal did those three and had no PFS it would be more secure than it is now...
