Signal security revealed: A triple-Diffie-Hellman with a double ratchet

Signal developer Open Whisper Systems has quietly posted some important documents for developer consumption: the specifications of its signature verification, key agreement, and secret key protocols. The posts are dated 20 November, although a Tweet from 4 November suggests the documentation was stealth-published earlier. The …

  1. Anonymous Coward

    Capture the message post decryption...

    ... by simply installing malware.

    Given the number of unpatchable mobile phones using vulnerable Android, or the hundreds of as-yet-unpatched 0day vulnerabilities in Windows, it's simpler than breaking the encryption.

    The weakest link is always the insecure OS platform it runs on and the user who decides what to open.

    1. Charlie Clark Silver badge

      Re: Capture the message post decryption...

      I think you're assuming the messages are stored somewhere unencrypted but they're not.

      1. analyzer

        Re: Capture the message post decryption...

        @Charlie C

        I think AC probably meant that point at the end when you'll need plain text. Potentially a screen grab or before being sent to the display, but at some point the message has to be human readable.

        1. Charlie Clark Silver badge

          Re: Capture the message post decryption...

          Signal disables screengrabbing by default and can be configured to require a password to read any message. If I was writing malware I wouldn't start there.

          The encryption stuff is mainly about spooks trying to listen in on all traffic. If they get hold of you and your device then I wouldn't really worry about any passwords.

      2. Tom Paine

        Re: Capture the message post decryption...

        They are necessarily decrypted by the devices used by the two communicating parties so they can read them. Trivial malware that looks for the appropriate process starting up and then screenshots the display every 10s or so would do it (there are lots of other ways of course, those choices are just implementation details.)

    2. Allan George Dyer
      Coat

      Re: Capture the message post decryption...

      ... why bother with malware?

      Obligatory xkcd

      The coat with the heavy object in the pocket, thanks.

  2. Alister
    Trollface

    Signal developer Open Whisper Systems has quietly posted some important documents for developer consumption:

    What! You mean they've posted details of strong encryption algorithms on the Internet!

    But that means the Terrists can use it!

    Traitors!

    (igmc)

  3. John H Woods Silver badge

    Nice ...

    ... to see Kerckhoffs's law actually in action
