Is Signal Desktop considered safe to use?

I heard that it is considered insecure by GrapheneOS and Secureblue across the forum. Does this mean it should be avoided?

Thanks.

I think the last thing I heard was that the security vulnerability with Signal's desktop app got fixed. But I could be wrong. They also made it so that the app auto-blocks screenshots if you're worried about Windows 11's Recall feature.

1 Like

I certainly hope it’s safe to use. I use it every day because I hate hate hate hate hate hate typing on a phone.

I feel like the care they put into programming the Signal Desktop app is not on par with their mobile apps.

It should be acceptable enough to use in most use cases. What keeps me from using it is that there is no official Flatpak support and I don't want to recompile on Fedora each time it updates because of the .deb release. I also do not want to learn how to automate compiling because IIRC the builds are currently not reproducible.

1 Like

Ultimately it boils down to the security of the host.

What GrapheneOS would be referring to is that there is tighter control on the Android platform in terms of sandboxing, preventing screenshots, etc. I doubt there is much risk as far as remote security goes.

If you trust the desktop you're using Signal Desktop from, then it's probably fine. Also make sure you have filesystem encryption of some kind. I don't think the Linux version encrypts the Signal database.

3 Likes

No protection of keys, much worse exploit mitigations, Electron app and no meaningful sandboxing. So the protection of Signal (and your host) on Linux compared to on GrapheneOS is much different. For some people this is an acceptable risk, for others it isn’t. If someone wanted to target you, it would definitely be much easier on desktop.

2 Likes

I thought this was resolved?

1 Like

My understanding is that the issue with Signal desktop was resolved. I’ll admit that I use it every day, and have been using it for a long time. I know a lot of people for whom having a desktop version is a must for a messaging app, because they prefer to type on a computer keyboard.

2 Likes

AFAIK, most of the issues/vulnerabilities are due to the Electron framework rather than the Signal app itself.

1 Like

Electron also breaks Content-Security-Policy and other things. Signal being an Electron app without Trusted Types turns it into a huge mess of XSS vulnerabilities. It was way less bad when it was still a Chrome app, and moving to Electron to keep it alive after the end of Chrome apps, while not turning it into a web app (due to E2EE), was a massive security regression for them.

You can read more about the Signal desktop app and Electron in general here.

Sorry, I should have made my statement clearer. I didn’t mean this specific issue, but rather the general lack of secure key stores on Linux, embedded into a proper security model, like they exist on Android. That’s not Signal’s fault, but it is something to consider.

2 Likes