Signal stores your decryption key in a plain text file on MacOS

Definitely a “gold standard” messenger.

1 Like

After all, nobody’s supposed to be able to access a computer, it’s not like a telephone.

Are you being sarcastic or serious?

A bit of both. In general, a computer doesn’t leave the house and only the user has ‘access’ to it, whereas a phone can more easily be stolen, lost, confiscated and, without a solid password, raped.
Naomi herself says below that if you trust your computer, there’s no problem.

Personally, I don’t use Signal on my computer, I don’t trust it enough, for example.

1 Like

Remote access and remote code execution is a thing. A basic app or a script being able to get all of your messages and then stay logged into your Signal account without you ever knowing is crazy.

If you’re using a secure device then that solid password is a 6-digit PIN code.

1 Like

They will need sudo privileges, right?

Whether Signal is installed or not, you need to be careful. If you don’t click anywhere or open anything, there’s “normally” little risk of Signal being compromised.

Even if Signal has to do much better, this is not normal for an application with such a reputation.

Signal is only as secure as your device is.

A common problem is that applications do not warn users about risks (including applications recommended by PG). An example of good practice in this regard is tird, which warns of risks: GitHub - hakavlad/tird: Encrypt files and hide encrypted data

In any case, you will lose if your device is infected with Pegasus.

Obviously, using a great tool in itself is not a panacea.

1 Like

Storing the keys in a plain text file is still wild and inexcusable.

It’s the default for SSH keys.

I just checked and Signal PC doesn’t have a PIN code option, which is a shame. The encryption keys thing is OKish, but you should provide a way of encrypting with a code if users wish (ofc this would need to not be stored in plaintext).

Tbf, this is the case for many PC apps. Even Proton Pass doesn’t have PIN protection by default, and you can only choose to set a 6-digit PIN code, not a password.

Apples to oranges.

Not something new. Also, Signal’s response was terrible.

Signal has rejected the importance of Jackson’s findings and disputed the assignment of the associated CVE-IDs on the CVE Program.

The president of Signal, Meredith Whittaker, stated on Twitter that it’s not within the software’s scope to protect users from such a level of compromise, where attackers have local access to the target systems.

Hence, it can be concluded that the developers of the secure instant messenger app do not plan to introduce additional security mechanisms to validate attachments or purge locally stored files properly.

If you’re overly worried about the exploitation scenarios described above, you may simply stick to the mobile version of Signal, which isn’t impacted by the newly discovered flaws.

A 6-digit PIN code has 1,000,000 possible combinations, and you will be asked to login to your Proton account after entering the wrong PIN code three times in a row.

Apples and oranges.

may simply stick to the mobile version of Signal

I trust the mobile version less: my LUKS password is 40 symbols, and my phone password is 4 digits.

What phone do you even use?

I can’t remember its name. Something in Chinese. Ah, Infinix.

Ahh, that’s why you trust the mobile version less, lol.

This issue with Signal storing decryption keys in plain text reminds me of the Windows Recall feature. Recall stores screenshots of your PC every few seconds in a local folder, making them accessible to any app on your system, which is indeed an issue. Though I have a question: does that mean that your decryption key is stored locally, right? Or is it stored on their servers but as plain text? Both of them are still bad.

It’s stored on your machine.

1 Like
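To make the “stored on your machine” and “do they need sudo?” points from the thread concrete, here is a small audit script added to this thread (not Signal’s code). It assumes the key sits in a JSON config file under a field named "key" as a 64-character hex string, and takes the file path as an argument because the real location is not given here; the demo writes a constructed sample file instead.

```python
"""Audit a desktop messenger config file for a plaintext database key.

Assumptions (not from the thread): the key is a JSON field named "key"
holding 32 bytes as hex. The path is passed in; nothing is hard-coded.
"""
import json
import os
import re
import stat
import sys
import tempfile

HEX_KEY = re.compile(r"^[0-9a-fA-F]{64}$")  # assumed key format


def audit_key_file(path: str) -> dict:
    """Report what any process running as the logged-in user can learn.

    No elevated privileges are used: the file is opened with the same
    uid that owns it, which is exactly why 'sudo' is not required.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    key = data.get("key")
    return {
        "plaintext_key_present": isinstance(key, str) and bool(HEX_KEY.match(key)),
        "readable_by_same_user": os.access(path, os.R_OK),
        # Mode bits only matter against *other* accounts; a same-user
        # process reads the file even when the mode is 0600.
        "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        "mode": oct(mode),
    }


def demo() -> dict:
    """Run the audit on a constructed sample config (dummy key, not real)."""
    sample = {"key": "00" * 32, "theme": "system"}  # constructed values
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "config.json")
        with open(p, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(p, 0o644)  # typical default for a user-created file
        return audit_key_file(p)


if __name__ == "__main__":
    print(audit_key_file(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Tightening the mode to 0600 stops other local accounts from reading the file but, as the report shows, does nothing against code running under your own account.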