Why does any additional encryption need to be broken? Signal dark-patterns users into using insecure few-digit 'PINs' to protect their data, then waves some SGX hokum around that as an argument as to why very short PINs have acceptable security. Of course, no one with physical access / state-level resources is meaningfully impaired by SGX, so the security is just a trivial PIN crackable by a Speak & Spell.
Concerns that were all dismissed when the insecure PIN system was introduced because only contacts and settings were hosted, not content. ...
It's already known that users can't choose secure passwords even without UI that tries hard to encourage an insecure choice and that the rare ones that are secure are the ones that also get lost/forgotten. As a cryptosystem "user chooses and remembers a key" is known to be broken. So backup to the cloud really just means "hand to NSA with already known broken encryption".
If you think they've gone rogue and are working with the NSA or whatever, why can't they be doing the same thing with your e2e messages while in transit? What do they gain by getting it through backups?
> why can't they be doing the same thing with your e2e messages while in transit?
They can, and maybe they do. We can't really verify whether their servers run only what's published on GitHub (remember the MobileCoin gap? [1]).
> What do they gain by getting it through backups?
They don't need to capture the messages through backups, but the feature is a plausible reason for the users to foot the storage bills. Maybe the donations are not enough.
The backup is secured with "a strong key", implying that all PFS guarantees go out the window regardless of the PFS algorithm used to send the messages in the first place. Signal had great guarantees by how they both enforced a single client and were limited largely to screenshots as backups; now you'll never know if the person you're talking to has a full backup in the cloud, with metadata to match the actual conversation times, destroying the repudiability (i.e. plausible deniability) feature.