On 19/05/18 10:47, Simon Waters wrote:
> I wouldn't recommend Signal for desktop, as the Desktop clients that are
> available are based on the Electron Framework which is a mess, on Windows
> it has had multiple issues that escalate XSS to remote code execution (and
> I doubt the other platforms are much better). Although you can probably
> virtualise that risk away if it is the best choice for you.

Unfortunately I've very recently had to start using Telegram and Signal to keep up with various clients and friends abroad who like living dangerously and aren't quite as keen on diligent security practices as I am (could be worse I suppose - Discord and Slack for example). I keep them both compartmentalised well away from my main system via docker and destroy/re-deploy them fresh every time I need them, even if that means the extra hassle of quickly redoing initial setup each time.

I shrugged my way through the recent round of desktop electron client vulnerabilities as per usual because:

> Good OpSec trumps a million technical features and issues of your platform.

A thousand times this. Just think safely and play it conservative - it's not so much what you're doing that's important, it's _how_ you do it.

The same with the PGP issues: there are some underlying technical flaws that definitely need fixing up but seriously, in the Venn diagram of "people using PGP" and "people allowing MUAs to load remote content, automatically decrypt, retain passphrases and render HTML" just what kind of throw-caution-and-common-sense-to-the-wind nutter would you need to be to find yourself in the intersection?

Obviously, some people do fit that bill and of course they don't deserve to be hacked but sometimes you do have to put in just a modicum of effort to do things right. Or at least less bad than 99% of the rest of the population. Just a bit of common sense OpSec will do wonders for anyone.

Cheers

--
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq