Discussion:
Security enhancements for Signal Chrome extension app
Add Reply
Tarkan Y
2017-06-02 12:12:22 UTC
Reply
Permalink
Raw Message
Hi all,

In my master thesis I did a security check of the Signal protocol. Among other things, I executed replay attacks on an active Signal session with the help of a tool called Fiddler. I have found a problematic case and would like to suggest enhancements (see attachments): „I found that the error message in the Signal app is potentially misleading when a replay attack occurs.“

You can see my idea attached.

Compared to the Telegram Chrome Extension I am missing some settings:

Set additional
password
Active Sessions
Email-Login



My suggestion (especially for the Chrome Extension) is that the user gets noticed of hacking attempts. Instead of a internal error like “Bad MAC”, the user should be informed about the following things:



Active Sessions:

IP Address
Location
Platform
Device





Thank you for your attention!



Tarkan Yavas

M. Eng.

Beuth University of applied sciences Berlin
Tarkan Y
2017-06-06 12:42:40 UTC
Reply
Permalink
Raw Message
Hi all, hi Scott,

Public issue is created. See under

https://github.com/WhisperSystems/Signal-Desktop/issues/1230

Best regards,
Tarkan Yavas


Von: Scott Nonnenberg

Gesendet: Freitag, 2. Juni, 18:31

Betreff: Re: [whispersystems] Security enhancements for Signal Chrome extension app

An: Tarkan Y

Cc: ***@lists.riseup.net


Hi there, Tarkan. It's definitely interesting to see the results of real hacking! I encourage you to create an issue at our public Signal Desktop repository: https://github.com/<https://github.com/WhisperSystems/Signal-Desktop/issues> WhisperSystems<https://github.com/WhisperSystems/Signal-Desktop/issues> /Signal-Desktop/issues<https://github.com/WhisperSystems/Signal-Desktop/issues>


You might even consider assembling a pull request to add this feature to the product. Of the top of my head I'm not sure if we have the data you'd like to surface in the UI - your first step might be to see what we have to show.


Thanks!

Scott


On Fri, Jun 2, 2017 at 5:12 AM, Tarkan Y < tarkanyavas<mailto:***@hotmail.de> @hotmail.de<mailto:***@hotmail.de>> wrote:

Hi all,

In my master thesis I did a security check of the Signal protocol. Among other things, I executed replay attacks on an active Signal session with the help of a tool called Fiddler. I have found a problematic case and would like to suggest enhancements (see attachments): „I found that the error message in the Signal app is potentially misleading when a replay attack occurs.“

You can see my idea attached.

Compared to the Telegram Chrome Extension I am missing some settings:

Set additional

password

Active Sessions

Email-Login



My suggestion (especially for the Chrome Extension) is that the user gets noticed of hacking attempts. Instead of a internal error like “Bad MAC”, the user should be informed about the following things:



Active Sessions:

IP Address

Location

Platform

Device





Thank you for your attention!



Tarkan Yavas

M. Eng.

Beuth University of applied sciences Berlin

Loading...