Nevertheless, there's always a spark behind all the smoke...
As reported by BleepingComputer in 2018, when Signal Desktop for Windows or Mac is installed, it creates an encrypted SQLite database to store a user's messages. This database is encrypted using a key generated by the program and without input from the user. For a program to be able to decrypt an encrypted database and use it to store data, it must have access to the encryption key. In Signal's case, it stores the key as plain text in a local file called '%AppData%\Signal\config.json' in Windows and '~/Library/Application Support/Signal/config.json' on a Mac. However, if Signal can access this key then so can any other user or program running on the computer, making the encrypted database worthless and providing little to no extra security.
Almost six years later, and Elon Musk tweeted, "There are known vulnerabilities with Signal that are not being addressed. Seems odd…" Musk did not share what vulnerabilities he was referring to, and some saw Musk's tweet as an attempt to assist Telegram in a campaign claiming it was more secure than Signal. Signal President Meredith Whittaker responded that no known vulnerabilities need to be addressed, and if there are, they should be responsibly disclosed to the organization.
Statistics: Posted by Midas — Fri Jul 12, 2024 8:27 am