
#Signalapp doesn't actually delete messages when they're deleted (either manually or by automation). The message deletion is written to the write-ahead log, and the data is only truly deleted once Signal is restarted or a threshold of 1000 pages is reached. For the macOS Signal application, an extra complication arises from the fact that the Signal message database can be backed up before the database consolidation occurs. A large amount of the supposedly already deleted messages could be recovered from the device or backups.

This concerns use cases where deleted messages actually getting removed in a timely manner is of high importance, and recovery of the deleted messages could lead to grave consequences.

TL;DR: If you don't care about deleted messages being actually deleted you don't need to worry.

Full advisory at: https://sintonen.fi/advisories/signal-deleted-but-not-forgotten.txt

#fulldisclosure #infosec #cybersecurity
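The write-ahead-log behaviour described in the post, shown on a plain (unencrypted) SQLite database so the residue is visible in the raw files. This is an added example, not code from the advisory or from Signal: it inserts a constructed marker row, deletes it, and then checks both the main database file and the -wal file for the marker under four clean-up states. PRAGMA secure_delete=ON is an assumption made here so that only the WAL, not the main file, keeps the old page image.

```python
"""Where a deleted SQLite row still lives on disk, depending on WAL clean-up."""
import os
import sqlite3
import tempfile

# Constructed sample message body; any recognisable byte string would do.
MARKER = b"CONSTRUCTED-SECRET-MESSAGE-7f3a9c"


def _file_contains(path, needle):
    """True if the file exists and its raw bytes contain `needle`."""
    if not os.path.exists(path):
        return False
    with open(path, "rb") as fh:
        return needle in fh.read()


def deleted_message_residue(cleanup="none"):
    """Create a WAL-mode database, insert one message, delete it, and report
    whether the plaintext is still on disk afterwards.

    cleanup: "none"     - stop right after DELETE (state between checkpoints)
             "passive"  - PRAGMA wal_checkpoint(PASSIVE), the kind SQLite's
                          default 1000-page auto-checkpoint performs
             "truncate" - PRAGMA wal_checkpoint(TRUNCATE), which also empties
                          the WAL file
             "close"    - close the last connection, as an app restart does
    Returns {"rows": live row count, "in_db": bool, "in_wal": bool}.
    """
    db_path = os.path.join(tempfile.mkdtemp(), "messages.db")
    wal_path = db_path + "-wal"
    conn = sqlite3.connect(db_path, isolation_level=None)  # autocommit mode
    run = lambda sql, params=(): conn.execute(sql, params).fetchall()
    run("PRAGMA journal_mode=WAL")
    # Assumption for this demo: zero freed cells, so the main file does not
    # keep residue of its own and only the older WAL frame still has it.
    run("PRAGMA secure_delete=ON")
    run("CREATE TABLE messages (id INTEGER PRIMARY KEY, body BLOB)")
    run("INSERT INTO messages (body) VALUES (?)", (MARKER,))
    run("DELETE FROM messages WHERE id = 1")
    rows = run("SELECT COUNT(*) FROM messages")[0][0]
    if cleanup == "passive":
        run("PRAGMA wal_checkpoint(PASSIVE)")   # copies pages, WAL file untouched
    elif cleanup == "truncate":
        run("PRAGMA wal_checkpoint(TRUNCATE)")  # copies pages, WAL cut to 0 bytes
    elif cleanup == "close":
        conn.close()  # last connection: checkpoint, then the WAL file is unlinked
    return {"rows": rows,
            "in_db": _file_contains(db_path, MARKER),
            "in_wal": _file_contains(wal_path, MARKER)}


if __name__ == "__main__":
    for mode in ("none", "passive", "truncate", "close"):
        print(mode, deleted_message_residue(mode))
```

Note that a passive checkpoint, the only kind the auto-checkpoint threshold triggers, leaves the old frames in the WAL file until later writes overwrite them; only a truncating checkpoint or closing the last connection removes them from the file.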

@harrysintonen

> This concerns use cases where deleted messages actually getting removed in a timely manner is of high importance, and recovery of the deleted messages could lead to grave consequences.

> TL;DR: If you don't care about deleted messages being actually deleted you don't need to worry.

But this is the main selling point of Signal's Perfect Forward Secrecy that everyone says is so important and nobody should use a messenger without it...

PFS isn't really about security in the normal sense, it's about the data transmitted being ephemeral and irrecoverable through cryptographic guarantees. That's why DeltaChat's upcoming implementation will not use the PFS terminology but will be called "reliable deletion".

So now we have another case of Signal's PFS being broken: first through the iOS notification database not being cleared properly, now through macOS not actually removing the deleted messages from the database.

I think people need to stop trusting Signal's word and start demanding detailed proof that their security promises hold up on every platform.
@feld @harrysintonen

DeltaChat's decision to rename PFS to "reliable deletion" was quite dumb, as it led to at least several people I know thinking they are working on message deletion UX/getting rid of a bug with messages not deleting visually on the recipient's device, as it's unclear from the name that this is a cryptographic feature.

@feld @harrysintonen PFS at least is recognizable by someone who has heard of it, which is why I am critical of changing to another name that still causes confusion, but this time to everyone, instead of only people that didn't know what PFS is.

(The bug I only heard in passing by people misunderstanding the announcement, not sure if it's reported)
@tiredbun @harrysintonen but the problem is that nobody actually knows what PFS is except the people who designed it. Everyone uses the terminology wrong. They're so focused on "if someone captures network traffic, they can't decrypt messages with a leaked key" -- but that's only half the story. The entire point is that anything you delete cannot be recovered no matter who captures what. That's why "Reliable Deletion" is a more user-friendly name.

And then there's the problem of sometimes it only being called Forward Secrecy instead of Perfect Forward Secrecy...