zlacker

[return to "Signal Server code on GitHub is up to date again"]
1. red_tr+G1[view] [source] 2021-04-07 15:08:20
>>domano+(OP)
Is there any mechanism to validate that the code running on Signal's servers is the same as on Github?
◧◩
2. Someon+f2[view] [source] 2021-04-07 15:10:49
>>red_tr+G1
How would that work? You'd be layering trust on trust, wherein if they're willing to lie about one thing they're willing to lie about confirmation of that same thing (or not).

Unless you're going to hire some independent auditor (that you still have to trust) it seems logically problematic.

◧◩◪
3. madars+K2[view] [source] 2021-04-07 15:13:49
>>Someon+f2
SGX enclaves can attest to the code they are running, so you don't exactly need to take Signal's word on faith.
◧◩◪◨
4. eptcyk+R3[view] [source] 2021-04-07 15:18:31
>>madars+K2
Except SGX enclaves are horribly broken.
◧◩◪◨⬒
5. monoca+f5[view] [source] 2021-04-07 15:23:41
>>eptcyk+R3
Like, does an SGX enclave attest that meltdown is patched in microcode? That's one way to pull the keys out.

The recentish work to get read write access to some Intel CPU's microcode can probably break SGX too. I wouldn't be surprised if the ME code execution flaws could be used that way too.

[go to top]