Egregoros

#Signalapp doesn't actually delete messages when they're deleted (either manually or by automation). The message deletion is written to Write-ahead Log, and the data is only truly deleted once Signal is restarted or threshold of 1000 pages is reached. For macOS Signal application, extra complication arises from the fact that the signal message database can be backed up before the database consolidation occurs. Large amount of the supposedly already deleted messages could be recovered from the device or backups.

This concerns use cases where deleting messages actually getting removed in timely manner is of high importance and recovery of the deleted messages could lead to grave consequences.

TL;DR: If you don't care about deleted messages being actually deleted you don't need to worry.

Full advisory at: https://sintonen.fi/advisories/signal-deleted-but-not-forgotten.txt

#fulldisclosure #infosec #cybersecurity

@harrysintonen I'd have a different recommendation for the vendor: Stop trying to pretend disappearing messages are a thing.

Signal has backups. Revocation from old backups is a very hard problem that they don't even try to store.

With the old backup model, each day got a completely new snapshot of all messages and media. If any participant in a chat has backups turned on and doesn't clean out their old backups, disappearing messages are recoverable at an arbitrary point in the future.

The newer backup is similar, each day generates a new snapshot of all messages, it's just that they reference media that are backed up separately.

And that's assuming everyone is using the official client. But any user using a different client may simply choose not to delete them.

I have one chat where I set deleting messages to try to encourage people to write discussions up elsewhere, I wouldn't use it as a security or privacy feature and I think it's quite misleading that Signal pretends that it is either.