A fresh install of Signal takes up 410MB, blowing both Firefox and Chromium out of the water

alyth@lemmy.world to Mildly Infuriating@lemmy.world – 472 points –

... and I can't even continue the chat from my phone.

180

You are viewing a single comment

Am encrypted container doesn't help if the directory is mounted and accessible or if the key is in plaintext. Also doesn't help if the process isn't isolated. You need a bunch of extra measures like using the OS keystore set to only allow the correct program to retrieve the key, keeping secrets only in process memory, etc.

Tldr it's a lot of work to do it right. If you do it the simple way like throwing it all in SQLite with encryption active you still leak metadata.

I have never worked on a properly hardened desktop app, so I don't have much of a perspective on that, and can definitely see that it might not be worthwhile for the signal team.

I would appreciate some level of encryption, thinking that it might help with less targeted attacks. I'd also appreciate a Web client, like Threema's with none permanent sessions. But all that's, as you'd say in German, "Meckern auf hohem Niveau", especially since I'm not currently contributing to Signal.

1 more...