Security holes : messages not deleted in the database and the server

link2xt · May 29, 2021, 6:12pm

This is by design, deleting a chats deletes messages locally, not remotely. Deleting individual messages schedules a job to delete them remotely too. I am not sure right now why this is the case, but changing it will probably cause problems with users using another client side-by-side with DC and having all messages to a particular user deleted is probably not expected when you delete a conversation with a contact.

Edit: also note that in multi-device setup the conversation will not be deleted from your other device. And your server (most likely Dovecot) will by no means securely delete the messages, it will do it in the fastest way possible.

PRAGMA secure_delete=on is enabled here:

github.com

deltachat/deltachat-core-rust/blob/d8ba466c6a2154b54adc5fd7688644432c70f773/src/sql.rs#L87


      
              open_flags.insert(OpenFlags::SQLITE_OPEN_CREATE);
          }
          
          // this actually creates min_idle database handles just now.
          // therefore, with_init() must not try to modify the database as otherwise
          // we easily get busy-errors (eg. table-creation, journal_mode etc. should be done on only one handle)
          let mgr = r2d2_sqlite::SqliteConnectionManager::file(dbfile)
              .with_flags(open_flags)
              .with_init(|c| {
                  c.execute_batch(&format!(
                      "PRAGMA secure_delete=on;
                       PRAGMA busy_timeout = {};
                       PRAGMA temp_store=memory; -- Avoid SQLITE_IOERR_GETTEMPPATH errors on Android
                       ",
                      Duration::from_secs(10).as_millis()
                  ))?;
                  Ok(())
              });
          
          let pool = r2d2::Pool::builder()
              .min_idle(Some(2))

If it does not work for some reason it is a bug indeed. I have just checked my account database with a command-line tool and it says secure_delete PRAGMA is enabled.

$ sqlite3 ac0/db.sqlite 'pragma secure_delete'
1

Note that messages are stored in “blobs” outside the database, so secure_delete is not protecting outgoing message contents from being persisted to disk (if they are encrypted, they are stored in encrypted form though), and may not even protect the database for some filesystems. The only bulletproof solution I see is to always use full disk encryption provided by your operating system.

Edit: even the page you linked to says the same: “Be aware that SQLite cannot securely delete information from the underlying storage device. If the write operation causes the filesystem to allocate a new device-level block, the old data may still exist on the raw device.”. Storage encryption is better done at the operating system level.

VACUUM is executed periodically during “housekeeping” job.

See related feature request about local encryption:

Encrypting the database makes some sense if you store everything in the database and want to have encrypted backups, you can simply re-encrypt the key with a new passphrase and copy the rest of the database. But it does not make the data on device more secure unless you keep asking the user for passphrase each time and user actually uses secure passphrase. It’s not really usable, this is why I think it’s not available in Signal, but only in Signal fork Molly. So I think we should encourage users to use filesystem-level encryption rather than trying to implement local encryption into the core.