Hi all, hi Scott,
Public issue is created. See under
From: Scott Nonnenberg
Sent: Friday, June 2, 18:31
Subject: Re: [whispersystems] Security enhancements for Signal Chrome extension app
To: Tarkan Y
Hi there, Tarkan. It's definitely interesting to see the results of real hacking! I encourage you to create an issue at our public Signal Desktop repository: https://github.com/WhisperSystems/Signal-Desktop/issues
You might even consider assembling a pull request to add this feature to the product. Off the top of my head I'm not sure if we have the data you'd like to surface in the UI - your first step might be to see what we have to show.
On Fri, Jun 2, 2017 at 5:12 AM, Tarkan Y <***@hotmail.de> wrote:
In my master's thesis I did a security check of the Signal protocol. Among other things, I executed replay attacks on an active Signal session with the help of a tool called Fiddler. I have found a problematic case and would like to suggest enhancements (see attachments): I found that the error message in the Signal app is potentially misleading when a replay attack occurs.
You can see my idea attached.
Compared to the Telegram Chrome Extension I am missing some settings:
My suggestion (especially for the Chrome Extension) is that the user gets notified of hacking attempts. Instead of an internal error like Bad MAC, the user should be informed about the following things:
Thank you for your attention!
Beuth University of Applied Sciences Berlin