
I highly doubt that Signal does anything to help with mass surveillance. Signal started keeping people's name, photo, phone number, and contacts in the cloud protected by a "secure" enclave the NSA almost certainly has access to and hackers already got into (https://community.signalusers.org/t/sgx-cacheout-sgaxe-attac...), and even leaving all that aside, all anyone needs is a PIN that can be trivially brute forced. (https://www.vice.com/en/article/signal-new-pin-feature-worri...)


I thought it was digits only but see there's always been the option to use an alphanumeric passphrase as the "PIN". That prevents brute-forcing for anyone that bothered to use one, right?


It was only digits initially (https://old.reddit.com/r/signal/comments/oc6ow4/so_a_four_di...), with nothing preventing very easy ones like "1234", but even after they fixed it they continued to call it a PIN, and many people would just assume it is a number ("number" is right in the acronym), and often a very short one. Most people didn't want to set a PIN at all; they'd been nagged about setting one and then got nagged again and again to reenter it.

It was not clear to most people that their highly sensitive info was being uploaded to the cloud at all, let alone that it was only protected by the PIN. I wouldn't be surprised if a lot of people picked something as simple as possible.

https://old.reddit.com/r/signal/comments/gqc2hu/the_new_pin_...


Their announcement post says "at least 4 digits, but they can also be longer or alphanumeric", though maybe the feature had launched before that was written? https://signal.org/blog/signal-pins/

Far from ideal, I agree.
