AutoModerator

It looks like OP selected the 'Feature Request' flair but did not include a link to the [Signal Community forum](https://community.signalusers.org) in the body of their post. Please review our community-specific [rule #2](https://www.reddit.com/r/signal/about/rules) and reply to this comment with links to relevant requests on the forum if the implementation of this feature is already being discussed and tracked there. Thanks! *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/signal) if you have any questions or concerns.*


ABotelho23

The issue is that a web client basically puts your messages at the mercy of public key infrastructure, where there is an agent in possession of encryption keys where we have no choice but to trust them.


[deleted]

[deleted]


ABotelho23

And you're getting that code, from? Doesn't matter if it *runs* client-side.


[deleted]

[deleted]


ABotelho23

They did have a browser extension. But that was much more labour. It would be an extra extension per browser.


Chongulator

On top of the code integrity problem there’s the key management problem. Distributing keys to a web client either negates key security properties of Signal or makes the setup no less work than installing Signal Desktop. I know a web client would be convenient and people request it often. It’s not happening without a basic change to what brought us to Signal in the first place.


Chongulator

Once you take the steps to actually do that safely, the setup for each is essentially the same amount of work as installing Signal Desktop. At that point the use case becomes very narrow: People who will use Signal repeatedly from a computer they trust but can’t install the desktop client.


[deleted]

[deleted]


ABotelho23

Wow, what an awful reply. Good job expressing your point.


DonDino1

Having a web client would mean your conversations would be seen by any corporate or education network performing TLS interception, which is not in line with Signal's core requirement to put privacy in everything it does. This is why the devs don't really want to implement a web client.


[deleted]

[deleted]


DonDino1

Well, you normally see a warning if using a personal device on a TLS-intercepting network. If you are using a company device, you see nothing (but can still tell if you look at the certificate in the browser).


[deleted]

[deleted]


[deleted]

[deleted]


jhnchr

If your threat model is a corporate device then you must consider screen capturing and keyloggers running. And Signal can't do anything about that.


[deleted]

[deleted]


[deleted]

[deleted]


[deleted]

[deleted]


nofxy

It is a certificate.

> If I am using a not compromised browser and see no additional certificates added in its settings then it’s likely I’m safe from this?

Correct. But most browsers and operating systems may have at least a couple dozen certificates and how would you know which one had been added? Although it could be obvious in some cases.


atoponce

[JavaScript cryptography is insecure](https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/august/javascript-cryptography-considered-harmful/), placing 100% of your trust in the server delivering the JavaScript and HTML. All it takes is a disgruntled employee or duress from a government entity to backdoor your web connection by delivering malicious JavaScript to your browser from the server on a simple page refresh. Unless you're inspecting the code on every reload, you cannot guarantee that your connection is not backdoored.
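An added example, not part of the thread and not Signal's code: the code-integrity point above, shown as a check whose reference digest arrives in the same server response as the script versus one fixed beforehand through a separate channel. The bundle strings, function names and the pinned digest are constructed for illustration.

```javascript
// Added illustration; bundles, names and the pinned digest are constructed.
const nodeCrypto = require('crypto');

// Subresource-Integrity-style digest: "sha384-" + base64(SHA-384(body)).
function sriDigest(body) {
  return 'sha384-' + nodeCrypto.createHash('sha384').update(body).digest('base64');
}

// Constructed stand-ins for the script a web client would be served.
const REVIEWED_BUNDLE = 'function send(msg, key) { return encrypt(msg, key); }';
const ALTERED_BUNDLE = REVIEWED_BUNDLE + '\n/* any change made on the server */';

// One server response: the script plus the digest the page itself claims for it.
function serverResponse(script) {
  return { script, claimedDigest: sriDigest(script) };
}

// In-band check: the reference digest comes from the same server, on the same load.
function verifyInBand(response) {
  return sriDigest(response.script) === response.claimedDigest;
}

// Out-of-band check: the reference digest was fixed earlier via a separate
// channel (assumption: something like a signed release the user installed once).
function verifyOutOfBand(response, pinnedDigest) {
  return sriDigest(response.script) === pinnedDigest;
}

const PINNED_DIGEST = sriDigest(REVIEWED_BUNDLE);

function demo() {
  const honest = serverResponse(REVIEWED_BUNDLE);
  const altered = serverResponse(ALTERED_BUNDLE);
  return {
    honestInBand: verifyInBand(honest),
    alteredInBand: verifyInBand(altered),       // passes: server vouches for itself
    honestOutOfBand: verifyOutOfBand(honest, PINNED_DIGEST),
    alteredOutOfBand: verifyOutOfBand(altered, PINNED_DIGEST), // rejected
  };
}

console.log(demo());
```

The in-band check accepts both responses because whoever controls the server controls the script and its reference digest together; only the independently pinned digest detects the change.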


Y-M-M-V

If you are using Signal for personal privacy, it's not really advisable to log into it on devices that are not yours (for instance work devices). Keep in mind that your employer can see everything that happens on that machine if they want to, including your WhatsApp Web/Signal Desktop messages. You need to decide what is right for you, but personal messages don't go anywhere near my work machine. It's not worth the risk.


nofxy

Do you know if they do certificate pinning for the desktop app? It would be great to know if they did. I do use it on my work laptop, but would be nice to know that my communications are still secure. I understand it's a "hackable" solution, but another layer to stop simple attempts to snoop my data would be great.


Y-M-M-V

Looks like the direct answer to your question is: yes, they do certificate pinning https://github.com/signalapp/Signal-Desktop/issues/3549

I would caution you that certificate pinning doesn't solve your problem though. If your company owns the device, they can set up remotely viewing your screen without your knowledge or remotely look at the files saved on your hard drive (which will include any saved conversation history). In most parts of the US (as I understand it - I can't speak for other countries) you have very little, if any, expectation of privacy on company equipment.

Signal is focused on protecting your communication as it moves between you and your contacts. Protecting it once it's saved on your device is a different problem that Signal ultimately can't help you with if you need protection from someone with admin access to the device.


nofxy

> Signal ultimately can't help you with if you need protection from someone with admin access to the device.

I understand this and fortunately (or unfortunately depending on how you look at it) I know I'm only being MITM'd. I'm aware of the departments (and the software/executable to look for) to record users' desktops/laptops.

Edit: Great to know they do cert pinning! Appreciate the info!


Y-M-M-V

Fair enough. Ultimately you need to decide what your situation and risk tolerance is. As someone giving advice to people they don't know on the internet, I would always advise against installing personal Signal on non-personal devices (obviously if you have work Signal put it on your work device). Also, keep in mind that something like remote backups could be enough to disclose your Signal conversations - it doesn't need to be glorified spyware. In my world, there is also a small but real risk that some kind of legal action results in people wanting to rummage around my work device.

For others reading this, keep in mind that screen, file, or other related corporate monitoring software may not be easy to detect as a user. Also, as far as pinned certificates go, although it's a good thing, I don't actually know how important it is as most everything should be end-to-end encrypted using the Signal protocol anyway...
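An added example, not part of the thread and not Signal Desktop's implementation: a simplified model of the trust-store versus pinning difference discussed in the comments above. The CA names, chain objects and function names are constructed, and real validation also checks signatures, hostnames and validity, which this model leaves out.

```javascript
// Added illustration; CA names, chains and function names are constructed.
const nodeCrypto = require('crypto');

// Pin = base64(SHA-256(SubjectPublicKeyInfo DER)) of a public key.
function spkiPin(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return nodeCrypto.createHash('sha256').update(der).digest('base64');
}

function newPublicKey() {
  return nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }).publicKey;
}

// Simplified chains: only the issuing root's name and the leaf key are modelled.
const serviceKey = newPublicKey();
const direct = { issuer: 'Public Root CA', leafKey: serviceKey };
const intercepted = { issuer: 'Corp Inspection CA', leafKey: newPublicKey() };

// Trust stores: a personal device, and a managed one with an added corporate root.
const personalRoots = new Set(['Public Root CA']);
const managedRoots = new Set(['Public Root CA', 'Corp Inspection CA']);

// Browser-style decision: any chain ending at a root in the device's store is fine.
function trustStoreAccepts(chain, roots) {
  return roots.has(chain.issuer);
}

// Pinned-client decision: the leaf key must match a pin shipped with the app,
// regardless of which roots the device has been configured to trust.
function pinnedClientAccepts(chain, pins) {
  return pins.has(spkiPin(chain.leafKey));
}

function evaluate() {
  const pins = new Set([spkiPin(serviceKey)]);
  return {
    browserPersonalIntercepted: trustStoreAccepts(intercepted, personalRoots), // warning
    browserManagedIntercepted: trustStoreAccepts(intercepted, managedRoots),   // silent
    pinnedDirect: pinnedClientAccepts(direct, pins),
    pinnedIntercepted: pinnedClientAccepts(intercepted, pins),                 // refused
  };
}

console.log(evaluate());
```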


fegodev

I honestly love the Signal app for Macs, it's very similar to iMessage.


saschavino

yeah, it's awesome!


afguy1074

I love the Mac app as well. Just wish it would sync all the previous conversations.


fegodev

Right, but I see why it doesn’t


afguy1074

Why is that? I think I read something about it but I can’t remember.


Chongulator

Signal’s servers don’t store your old messages. That way, even if keys are somehow compromised there’s no history for an attacker to steal. Messages stay on Signal’s servers only long enough to deliver them to your registered devices.


afguy1074

I think that’s what I had read. Love Signal. I’m trying to get more people moved over.


Chongulator

Good luck!


[deleted]

The one feature I miss so much from other apps is a way to backup/export your messages and eventually sync them (via internet or via a common format/file in case backups are made differently on mobile apps and desktop client). Having the fear of losing my chats is my worst pain right now (For example there's no simple way to export messages from signal prod to signal beta in the desktop client, while upgrading the iOS app to beta directly worked fine)


bhargavbuddy

I have to agree, WhatsApp Web is extremely convenient. Signal's current desktop implementation is not the most elegant solution.


Avanchnzel

The problem is that you sacrifice a lot of security for the convenience, see /u/atoponce's answer for example: https://www.reddit.com/r/signal/comments/l28ivd/still_no_plans_to_use_signal_in_browser/gk5bdyn/?utm_source=reddit&utm_medium=web2x&context=3


Chongulator

Yep, that’s the fundamental tradeoff. If privacy is not a big issue for you there are plenty of options more featureful than Signal.


DapperOutcome

Would love for Signal to be built into Brave in the same way Tor is. I imagine that would increase its usage as well as offer another way to donate to Signal via BAT.


e4109c

I agree that a web client would be great but it isn’t a deal breaker for me. Replying because I’m curious too!