• communism@lemmy.ml
    link
    fedilink
    arrow-up
    5
    arrow-down
    3
    ·
    7 days ago

    I already enter a passphrase every time I want to use Signal; I use the Molly client on my phone. It’s really not a big deal. I also enter a passphrase every time I launch my password manager, every time I launch my two-factor authentication app on my phone, and every time I open my email client. I think it’s fairly standard to protect sensitive data on your computer with encryption at rest and to decrypt it upon launching the application that handles the data.

    • refalo@programming.dev
      link
      fedilink
      arrow-up
      6
      ·
      edit-2
      7 days ago

      It’s really not a big deal

      For most casual users, it is a deal-breaker. And it’s hard to get everyday people to use your software with roadblocks like that.

      every time I open my email client.

      You must not get email very often, this is absolutely a non-starter for me.

      • communism@lemmy.ml
        link
        fedilink
        arrow-up
        3
        arrow-down
        1
        ·
        7 days ago

        For most casual users, it is a deal-breaker. And it’s hard to get everyday people to use your software with roadblocks like that.

        That’s fair enough, but the way the mobile app works is that you can opt in to having encryption at rest with a passphrase, so if you want to leave your signal database unencrypted you can.

        You must not get email very often, this is absolutely a non-starter for me.

        Once you open it you can leave it open if you need notifications. Sometimes I leave it open, sometimes I just want to check my emails and then close it. Idk, I really think typing in a password for authentication/decryption regularly is such a non-issue, like for instance do you not regularly type in a password when you run a command with sudo? Again, if it’s opt-in I also don’t see the issue, except for the issue of allowing people to not encrypt their Signal data thus potentially compromising the people they’re messaging, but obviously that issue is currently universal for Signal desktop.

    • kbal@fedia.io
      link
      fedilink
      arrow-up
      4
      arrow-down
      1
      ·
      edit-2
      7 days ago

      Huh. I would’ve thought most desktop users just leave it running all day long like I do. Obviously there is the disk encryption passphrase at boot, adding another one for signal would in my case be redundant.

      But the point is not only how easy it is to enter a passphrase, but also how much security that actually gains you. I don’t think it does much on the typical desktop, be it windows or linux, where there are so many ways to escalate or persist privilege for anyone that has user-level access.

      • refalo@programming.dev
        link
        fedilink
        arrow-up
        5
        ·
        7 days ago

        I would’ve thought most desktop users just leave it running all day long like I do.

        They do. OP is not a normal user.

      • communism@lemmy.ml
        link
        fedilink
        arrow-up
        3
        arrow-down
        1
        ·
        edit-2
        7 days ago

        Obviously there is the disk encryption passphrase at boot, adding another one for signal would in my case be redundant.

        I also have full disk encryption, but I still have some databases on my disk encrypted because I decrypt my disk when I boot my computer. But yeah if you have Signal open (& its db decrypted) all the time it would probably be minimal. I don’t have Signal open all the time though, only when I want to check messages or am actively using it

        I don’t think it does much on the typical desktop, be it windows or linux, where there are so many ways to escalate or persist privilege for anyone that has user-level access.

        The point would be encryption, even the root user wouldn’t be able to read encrypted data if they don’t have the passphrase

        • kbal@fedia.io
          link
          fedilink
          arrow-up
          4
          arrow-down
          1
          ·
          7 days ago

          If you have root, intercepting all the user’s keystrokes is trivial.

    • TmpodMA
      link
      fedilink
      arrow-up
      1
      arrow-down
      1
      ·
      7 days ago

      This has nothing to do with the mobile app, which also has password/biometric unlocking, it’s about the desktop electron app.

        • kbal@fedia.io
          link
          fedilink
          arrow-up
          1
          arrow-down
          3
          ·
          7 days ago

          You did but it says “desktop” right in the page title.

          • communism@lemmy.ml
            link
            fedilink
            arrow-up
            2
            ·
            7 days ago

            I’m now genuinely not sure what you’re saying. I did what? I said it was about the mobile app? I didn’t say it was about the mobile app?

            • kbal@fedia.io
              link
              fedilink
              arrow-up
              1
              arrow-down
              3
              ·
              edit-2
              7 days ago

              If I’m not mistaken you were talking about how things work “on my phone” but I suppose you had in mind that the principle would apply to desktop as well.

              In practice it does somewhat come down to how well containerized and locked-down the environment is, so I think the difference does matter. Android for instance sucks in very many ways, but it’s somewhat reliable in usually keeping apps from interfering with each other. There are a few desktops that try to do that, but they’re still not too popular I think. Desktop users are used to having full control of everything. Seems to me the pervasive compartmentalization of everything (it wouldn’t be sufficient for the purposes we’re talking about to put only Signal in a secure container) is accepted as necessary on mobile devices mostly because so many of the apps are terrible.

              • communism@lemmy.ml
                link
                fedilink
                arrow-up
                4
                ·
                7 days ago

                If I’m not mistaken you were talking about how things work “on my phone” but I suppose you had in mind that the principle would apply to desktop as well.

                Yes, I was using it as a comparator as an example as to why it’s not a big deal to type a password every time you open an app, which I don’t think is any different between mobile and desktop.