Signal stores your decryption key in a plain text file on macOS

There are a plethora of apps to get a number with no KYC, and all you need is an email (again, easy to get throwaway ones) and an internet connection. Then you just set a passcode in Signal and you have a functioning account. The whole “It needs a phone number so it’s not private” argument makes no sense. Signal isn’t marketed as an anonymous communication platform, so throwing a fit over it not being anonymous enough is nonsensical. Especially when anonymity is easy enough to set up.


Not easy for non-techy people

Again, that’s missing the point, it’s not designed or marketed for anonymous use


It appears Signal has decided to address this, and will begin testing soon.

As to the earlier question about Linux, this comment sheds some light


I understand where you are coming from, but if your life depends on the messenger, and you just believe the marketing thing, they can also use WhatsApp or Telegram. So, without doing basic opsec and research no app can save them. Even if they use simplex, they might have a non-secure phone/laptop/operating system, have an app that logs everything.

Considering the whole discussion is about the desktop app, there are thousands of threat vectors before it comes to Signal keeping the key in plain text.

Yes, they should fix this, I cannot understand why they did not do it in the first place. Still, there is no need for fearmongering.


The worst is that even after the security issue was disclosed, the Signal team downplayed its importance and then said that the issue was invalid.

There is trust in the software, and also trust in the people.
Signal reacted really badly in this case. They should have been way better at:

  1. Acknowledging the issue
  2. Saying sorry
  3. Promising inspection and a fix

We got almost the opposite, and that’s why it’s bad.

Remember how LastPass handled their hacking, with lies, deception, and a 6-month to 1-year delay to write the whole truth?

How can you trust software when the team that handles it is untrustworthy?


Only if you don’t verify the security codes.

I completely agree that they messed up their communications. But comparing Signal with LastPass is apples and oranges.
As @ph00lt0 pointed out, it’s a design flaw and not a bug. It’s not a vulnerability, but the lack of an advanced or further measure. You cannot compare LastPass being hacked with Signal’s one missing measure and mismanagement of the issue. Did they downplay the issue? To some extent.
As @jonah shared the post, it is not fair to say that Signal Desktop is not secure and immediately uninstall the app etc. It was Mysk, afaik.
He said in one tweet that Google managed a process better. Hell ya, good management does not mean good software, and one bad management does not mean it’s bad.


Their whole desktop application is messed up, and so is their communication. Using Electron is a terrible choice for security, they don’t properly sign binaries on Windows, are not using local encryption or the OS’s tools to do better, offer the application only for Debian-based distros and so on. Also they seem to have ignored many important concerns raised in their issue tracker for years. Their wages are ridiculously high, so they should have people who know better.

This does not fit the way they do their Android application, where they don’t even allow automatically storing media outside of the app’s private folder for security, which is a major convenience downside if this is your main communication channel and you have gigabytes of pictures sent to you. They really should leave this choice to users.
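The complaint above is that the desktop client keeps the database key in a plain file instead of wrapping it with an OS-held secret. As an added example that is not Signal’s code, the audit below tells the two situations apart for a config file: a raw hex key in the clear versus a key that has been wrapped, plus whether the file is readable by other users. The field names `key` and `encryptedKey` and the 64-hex-character key shape are assumptions about the config layout, and the sample configs are constructed.

```python
import json
import os
import re
import stat
import tempfile

# Constructed sample configs, not copied from any real installation.
# Field names "key" / "encryptedKey" are assumptions about the client's config layout.
PLAINTEXT_CONFIG = json.dumps({"key": "a" * 64})
WRAPPED_CONFIG = json.dumps({"encryptedKey": "v10" + "b" * 80})

HEX_KEY = re.compile(r"^[0-9a-fA-F]{64}$")  # 32-byte raw SQLCipher key, hex-encoded


def classify_config(text):
    """Return 'plaintext', 'wrapped' or 'none' depending on how the DB key is stored."""
    cfg = json.loads(text)
    key = cfg.get("key")
    if isinstance(key, str) and HEX_KEY.match(key):
        return "plaintext"  # anything that can read this file can open the message DB
    if cfg.get("encryptedKey"):
        return "wrapped"  # key is protected by an OS-held secret (keychain, DPAPI, ...)
    return "none"


def audit_config_file(path):
    """Combine key storage with file permissions into a simple risk verdict."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        storage = classify_config(fh.read())
    return {
        "storage": storage,
        "group_or_world_readable": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        "risk": "high" if storage == "plaintext" else "lower",
    }


def write_temp_config(text, mode):
    """Demo helper: write a constructed config to a temp file with the given mode bits."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    demo = write_temp_config(PLAINTEXT_CONFIG, 0o644)
    print(audit_config_file(demo))  # storage=plaintext, group_or_world_readable=True, risk=high
    os.remove(demo)
```

A "wrapped" verdict only says the key is not in the clear in that file; whether the wrapping secret is itself well protected is up to the OS facility used.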


To be fair, this is an exploit where one needs either physical access or to download an app that they do not trust, so to say that the desktop app is completely messed up is a bit much.

For me this only shows the weakness of traditional computing platforms, applications should not be able to interact in this kind of manner unless you specifically allow it to, even if an app has crap security.

That said, I do agree that Signal’s comms should have been better.

All that matters now is that there is a fix in the works, and that’s all that truly matters for end users.


So what? That’s the problem with open source apps and community. Everybody has their own expectations and it’s impossible for them to meet all.
Google and Microsoft are closed source, so the expectations about privacy and security are much lower to non existent.
Things should have been better. Yes. Mozilla should not do this and that. Signal should not use electron etc. Even big companies like Bitwarden have just started to offer natively written apps on desktop.
The point is that maybe 99% of users do not care about the encryption thing etc. They simply want a messenger more private than WhatsApp and telegram.
Signal resists providing Signal Web for various reasons. But check forums and you will see that most users do not care about it, because they wanna use the same features provided by WhatsApp and Telegram.
I don’t wanna say half glass argument but, the missing things should not cover that they have tons of important and useful features.


+1 to this :+1:

This speaks volumes about what’s really important to them.


Lots of heated emotions in this thread, and also similarly hard binary takes. I feel like it’s forgotten that we all have a different threat model and need to understand legitimate risks. I am not particularly concerned with this attack surface, although I would certainly hope they fix this + think about who their audience is.


None of this has to do with open source

Companies can’t be open or closed source. Both are significant contributors to open source projects, especially Google with their work for AOSP, Chromium and the Linux kernel.

Most users don’t know and if they knew, they wouldn’t understand. That does not make anything better and they are still affected by it. Signal does a lot of things right, but their desktop situation is not one of these.

Oh nice no need for encryption on computers right