Signal under fire for storing encryption keys in plaintext

Recant@beehaw.org to Free and Open Source Software@beehaw.org – 105 points –
Signal under fire for storing encryption keys in plaintext
stackdiary.com

As mentioned in the comments, plain text keys aren't bad because they are necessary. You have to have at least one plain text key in order to be able to use encryption

46

You are viewing a single comment

The back end is open source, but sometimes they've lagged years behind releasing the source code.

I think this is the more worrying part if true. The backend is licensed under the AGPL, so this would technically be a violation of their terms

  1. Remote Network Interaction; Use with the GNU General Public License.

Notwithstanding any other provision of this License, if you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version by providing access to the Corresponding Source from a network server at no charge, through some standard or customary means of facilitating copying of software

Edit: For anyone else reading I looked into it a bit more and looks like the issue came to a head around 3 years ago, with this comment being made after a year of missing source code. The public repo has been pretty active since then, so the issue seems to be resolved

1 more...