Posted by keyboardJones 5 days ago

Signal Secure Backups (signal.org)
983 points | 440 comments | page 6
KingOfCoders 4 days ago|
I know many people are of the opinion that paid features are a guarantee that you're not the product. I fear a slippery slope for money: it's premium features first, then essential features, then money tops security. Or replaces everything else, like with Firefox.
maqp 5 days ago||
Shoutout to Signal team for another fantastic achievement!

As a fun evening read I'd like to remind everyone of Pavel Durov's gaslighting on how their approach of everything-leaks-to-server was the right way to implement "cloud backups" for Telegram.

https://web.archive.org/web/20200226124508/https://tgraph.io...

Nice to finally see someone competent show how it's actually done :)

withinrafael 5 days ago||
Do backups get pruned over time? Is there an expiration? I don't think folks want old lost-key backups sitting around forever for quantum to catch up, right?
blintz 5 days ago|
It’s symmetric keys, so quantum doesn’t matter.
FergusArgyll 4 days ago||
<pedantry>

"On the other hand, symmetric algorithms such as AES are believed to be immune to Shor. In most cases, the best-known quantum key recovery attack uses Grover’s algorithm which provides a generic square-root speed-up over classical exhaustion in terms of the number of queries to the symmetric algorithm. In other words, Grover would recover the 256-bit key for AES-256 with around 2^128 quantum queries to AES compared to around 2^256 classical queries for exhaustion."

- https://csrc.nist.gov/csrc/media/Events/2024/fifth-pqc-stand...

</pedantry>

The paper itself concludes "the practical security impact of Grover with existing techniques on plausible near-term quantum hardware is limited."

j1000 4 days ago||
I was always thinking it was a feature, not a bug.
ipv6ipv4 5 days ago||
That Signal data doesn’t just transfer like any other data on iOS when upgrading phones is seriously dumb.

Wrap it in whatever security deemed necessary (or make migration/backup opt-in), but just let the blob copy over like every other app on the planet.

This cumbersome backup nonsense is a senseless, no-more-secure bandaid for a problem that shouldn’t exist in the first place.

h4ck_th3_pl4n3t 4 days ago||
The actual question I have now is: if backup and restore were not working before, why were the keys backed up via Google Play services?
netule 5 days ago||
Do I get this for free if I’m a monthly donator?
IshKebab 5 days ago||
Doesn't sound like it, but just decrease your donation and buy a subscription. Donations are donations.
drnick1 5 days ago||
Signal is open source, so security claims can be verified unlike anything made by Apple or other Big Tech companies.
john01dav 4 days ago||
What does this have to do with the message that you replied to?
drnick1 4 days ago||
I meant to reply to another comment.
komali2 5 days ago|
I'm confused, I've restored Signal from encrypted backups before. I did it like 4 months ago. What's this feature?
chimeracoder 5 days ago||
> I'm confused, I've restored Signal from encrypted backups before. I did it like 4 months ago. What's this feature?

Those backups are stored locally, are platform-specific (Android-only), and there is no feasible way to automate their transfer to any other device, which means that either you have to manually manage them regularly, or you risk losing your entire message history if your phone suddenly dies (or is stolen, or broken beyond repair, etc.).

This is a true automated, off-site backup feature.

Marsymars 5 days ago||
Cloud storage for your backup.