Comment by londons_explore
16 hours ago
> don't really see how it's possible to mitigate client compromise.
Think of the way DRM'ed video is played. If the media player application is compromised, the video data is still secure. That's because the GPU does both the decryption and rendering, and will not let the application read it back.
That's not what Signal's doing though. It's just asking the OS nicely to not capture screen contents. There are secure ways of doing media playback, but that's not what Signal's using.
Video decryption+decoding is a well-defined enough problem that you can ship silicon that does it. You can't do the same thing for the UI of a social media app.
You could put the entire app within TrustZone, but then you're not trusting the app vendor any less than you were before.
Although now I think about it more, you could have APIs for "decrypt this [text/image] with key $id, and render it as a secure overlay at coordinates ($x, $y)"
Exactly. That's how DRM video works, and I don't see why you couldn't do the same for text.
There will always, ALWAYS be the analog hole in security models like this.
It's pretty hard for the government or service provider to snoop through the analog hole unless they have a camera on your forehead...