Signal 2.0 released with private messaging support (whispersystems.org)
337 points by bruo on March 2, 2015 | 172 comments



This is huge. If you have an iPhone, install Signal.


I'd love to use Signal, but are you required to grant it permission to access your contacts?

I loaded it up and declined to let it access my contacts, but unfortunately it seems like it won't let me attempt to send any messages. I just get a screen that always says "None of your contacts have Signal!"

From what I understand, the reason it wants access to my contacts is to make it easier for me to find out which of my friends already use Signal or TextSecure. But none of my friends use these apps, and my goal is to get them to start. Unfortunately they'll refuse to use it if I have to tell them "Well, you'll need to let Signal upload all of your contacts to their server."

I was hoping for the ability to send a message by typing in a phone number directly. Does anyone know if this is possible? If not, would it be possible to add this feature?

Maybe it could work like this: You tap "new message" and then type in a phone number, just like how regular text messages normally work. Then when you're finished typing in the phone number, the app checks with Signal's server to find out whether that number uses Signal. If that number doesn't use Signal, then the app pops up a message saying "Your friend doesn't seem to be using Signal."

That way I can ask my friends to install Signal and send me a message. When they load up the app for the first time and Signal asks to access their contacts, they can click "no" and then type in my phone number directly.

It seems like many people won't be comfortable letting Signal upload all of their contacts, so unless there's some way to call or send a message by typing in a phone number directly, those people won't start using Signal. I'll have a hard time convincing my friends to use it without this.


Can you elaborate more, please?


It's a cryptographically well-audited replacement for iMessage, Skype, and traditional telephony, all of which leave room for governmental and malicious meddling.


It's not really a replacement, more of a secure alternative. Ideally it would be possible to totally replace iMessage with Signal allowing non-secure messages from legacy contacts. However, even if the team were so inclined Apple does not provide adequate messaging APIs. For example, there is no way to intercept an SMS message, see message history, etc.


TBH I think keeping SMS separate from an IP-based communications method is better. Let's not pretend that SMS is secure. The only thing I would find missing are quick reply APIs.


How are IP and SMS traffic different, other than "packet" size and encoding constraints? Both are easily interceptable and spoofable, necessitating strong crypto.

I don't see how chacha20/poly1305 is somehow "worse" over SMS.


The difference is mostly that in case of SMS, metadata leaks to carriers. In case of Signal/TextSecure/RedPhone, some limited metadata leaks to Google Cloud Messaging and Apple's equivalent platform (I can't remember the name). That's necessary because of scaling problems with push messages, but I understand there is work going on to develop a self-contained alternative using WebSockets.


For me, it means I can finally ditch SMS. iMessage to other iOS users, and Signal/TextSecure to Android users.


I was waiting for this, even donated some time ago. Went to install it but it requires iOS8 so my perfectly functioning iPhone 4 can't run it.

Is it very hard to keep older iOS support?

Side rant: I hate that Apple is leaving my hardware off the grid. It is well cared for, like new, battery is ok, no reason to think about replacing other than iOS8, and that sucks.


They addressed it in this github issue: https://github.com/WhisperSystems/Signal-iOS/issues/614

I'm also disappointed in this. The people I most want to use this with are also the people who have an iphone4.

I don't get the impression it'd be impossible to backport it from that post, so some enterprising individual could maybe do just that...


I'm surprised they didn't mention how amazingly insecure it is to be running a phone that old. If you're running a private messenger like Signal, you might not want to install it on a device vulnerable to bootrom exploits that negate all the advantages of disk encryption.


The idea is to get everyone to routinely use encryption like Signal. This increases the cost of drag-net surveillance, forcing instead more specific targets.

For that scenario, it doesn't matter if you're also vulnerable to direct hacks. You can still help normalise encryption.


While this is true, they also, through TextSecure, support many Android phones that are probably in much worse shape on that front. It's also not like web browsers refuse to use TLS because your computer's running a compromisable version of Windows.


That analogy sure stopped and made me think. What a sticky issue. SHOULD browsers do that? What if your bank website refused to allow you to sign in from a machine running unpatched XP?

I think right now there might not be enough exploits targeting banking on XP machines to justify that inconvenience, but it seems like a responsible argument could be made for both cases.


It might seem like a good idea on the surface, but think about the impact this might have on people who can least afford it (consider why people might be using old phones or old operating systems, and what impact lack of access to their bank could have on them for even a day if it's the wrong day), in the name of protecting them from something theoretical.


So they don't want to do the work. However, if someone sends a pull request, would they reject it?


If it introduces new vulnerabilities, I wouldn't want them to do it. They also have a reputation to maintain. If news starts popping out that TextSecure is vulnerable and such, fewer people will be interested in installing it anyway.

But if that's not an issue, and they can afford to support at least iOS7, maybe they should do it. However, I'd rather have them focus resources on bringing Signal to Android and to the desktop. I think those are much bigger priorities than enabling Signal for a few extra million iPhone 4/S users.


TextSecure for Android is only distributed via the Play Store. So I built it myself only to notice that Google Play Services are required for chat.

I think depending on proprietary / data gathering apps is the wrong approach for an open source privacy app. It actually makes me sad.

There was an issue about "This requires Google Play" on GitHub [0] which was closed by moxie with "TextSecure only requires GSF for data channel messaging. To use SMS/MMS, it doesn't." Great. I'm not paying 3 cents to send a few bytes of text via SMS. I'll rather just stick to WhatsApp/Telegram.

There are a lot of issues on GitHub, which makes searching them a little hard, but it seems like there is ongoing development for websockets instead of (Google-) Push messages. [1][2]

0: https://github.com/WhisperSystems/TextSecure/issues/560

1: https://github.com/WhisperSystems/TextSecure/issues/1000

2: https://github.com/WhisperSystems/TextSecure/pull/2423


> I'll rather just stick to WhatsApp/Telegram

WhatsApp and Telegram also use Google Play Services for background notifications. There is no other reliable way to ensure that messages are always delivered on both iOS (push notifications) and Android (Google Cloud Messaging).

Apps just don't get enough API access to do this on their own in a totally reliable way and even if they did, the overhead of multiple applications keeping multiple connections open (and the radio active) would cause a lot more drain on the battery.

Neither TextSecure nor Signal uses the platform-provided notification features for unencrypted data though, so your messages are still safe.


There's been a lot of talk over the years of implementing a data modem over GSM voice - as far as I can tell, this would solve basically all the issues with the current crop of encryption products. Instead of constantly polling or faffing about with third party servers, one phone could simply initiate a two-way connection to another phone the old fashioned way: via phone call. There's your "push messaging". You wouldn't even have to leave your data on. Your text messages would also probably arrive faster than an SMS.

I'm very disappointed that despite numerous papers on the subject in the past decade (even a DEFCON presentation), no implementation has yet appeared, not even a demo.


Well, I installed Telegram via F-Droid and WhatsApp from their website. Took about half a minute each and they work - without any Google Apps installed.


Install TextSecure from F-Droid.

EDIT: not only is TextSecure not on F-Droid, but F-Droid itself is woefully insecure: https://github.com/WhisperSystems/TextSecure/issues/127


It actually seems to indicate that F-Droid has addressed every last obstacle Moxie has posed, even the more ridiculous ones. They're now even willing to distribute developer signed versions if reproducible by their build server. He seems to be standing by this ridiculous "F-Droid is harmful" nonsense with no good reasoning at this point. Hopefully someone will talk some sense into him sooner rather than later.


What's weird is that F-Droid uses the same distribution model as any ordinary Linux distro, where it is assumed that all binaries are compiled from source by the distro maintainers, if for no other reason than to build them against system libraries. The binaries themselves are guaranteed to be built directly from public upstream repositories, in an automated fashion - rather like FreeBSD's ports or Arch's PKGBUILDs.

The real reason Moxie doesn't like F-Droid seems to be that it doesn't provide him with analytics "with a nice web interface that displays graphs and trends of time" - rather a nasty conflict of interest in a product that bills itself as "private" and "secure", if you ask me.


Don't WhatsApp/Telegram need GSF?


If anyone from Whisper Systems is reading, can you please tell me how I can disassociate my number from a Cyanogenmod installed version of TextSecure in my (now formatted and sold) Nexus 4 and get it working with my no sim Nexus 5 with Google Voice/Hangouts?


Your unregistering options are best summarized here: http://support.whispersystems.org/customer/portal/articles/1...


Sadly, it's been over a year since that post and the modifications to CyanogenMod and TextSecure haven't taken: I'm unable to unregister either CM or TS, using their tools or their website.


Try these:

* https://whispertool.cyanogenmod.org/

* https://github.com/daveio/whisperpush-unregister

Set up TextSecure with the Voice option, then go to Settings -> untick "Push messages". That should perform unregistration, then you can re-register.


Someone should warn cyanogenmod that their SSL cert is expired: https://www.ssllabs.com/ssltest/analyze.html?d=whispertool.c... (although I guess at 5 months over, it falls squarely into the couldn't-be-bothered bucket)


I went through the steps and unregistered. It looks like it worked. As for the SSL, my hope is that the EFF and Mozilla project will make it easier to deploy https certificates everywhere.


Good luck. When I tried TextSecure about a week ago I couldn't get it to work with Voice. I never received a confirmation.


I just set up TextSecure with my Google Voice number. The SMS failed, but after a couple minutes it went to a fallback verification by phone call that worked. I'm on Lollipop, not sure if that's important.


I tried that, didn't work either. I'm also on Lollipop. I'll give it another try in case it's working now.


One question I always have with secure systems distributed by app stores, even the open source ones, is how do you verify the source you're reading is the app you're using?


Google Play Store requires the developer to sign the program with their private key, and only the developer can provide future versions of the program. Moxie from whisper systems seems to trust this system (decentralized signing of binaries) more than the f-droid one (centralized signing of binaries).

There is a very interesting discussion about this on the TextSecure issue queue: https://github.com/WhisperSystems/TextSecure/issues/127


If I understand correctly, the iPhone only cares that the chain of trust for an app key is validated up to their CA.

In other words, if the bad guys with guns coerce Apple to mint them a cert, they could simply replace your known good binary with a crocked one signed with the new key, and your phone will happily run it. Getting that binary onto your phone is an exercise left to the reader, but there are many means, legal and otherwise, that could be employed to make that happen.

If your privacy means your life is on the line, you probably shouldn't be running stock Android or iOS. (And depending on how you feel about basebands, any modern smartphone, period.)


I submitted this the other day:

http://www.oss.net/dynamaster/file_archive/100102/0a947a77d7...

In one part, it says:

The greatest material curse to the profession, despite all its advantages, is undoubtably the telephone. It is a constant source of temptation to slackness. And even if you do not use it carelessly yourself, the other fellow, very often will, so in any case, warn him. Always act on the principle that every conversation is listened to, that a call may always give the enemy a line. Naturally, always unplug during confidential conversations. Even better is it to have no phone in your room, or else have it in a box or cupboard.

That's talking about the plain old telephone in the 1960s.

The message I get from it? If your life is on the line, consider not using any electronic communication at all.


Or be like Paulie from Goodfellas and have underlings make your calls for you: http://www.hark.com/clips/rytptybypc-paulie-hated-phones


I guess there's no way but if it's open source, like this one, you can recompile it. The iOS version seems to use CocoaPods for the dependencies so it should be easy to compile the project.


Even that isn't strictly guaranteed to work; have you read ken's Reflections on Trusting Trust? Strictly speaking, you'd need to hand-compile (or at least hand-verify) the app, and trust the underlying platform as well (dalvik and/or the hardware).


Well, there are several ways to get read access to the iPhone's filesystem. You can grab the binary from the phone and verify that it's the same as when you compile the app on your own machine.

No one's going to do that for most apps though.


So, I'm not intimately familiar with the code signing process, but I imagine that the bundle on the iPhone wouldn't match the one you would get by compiling the source on your machine.

The former would be signed with Whisper Systems' distribution certificate, which you couldn't do on your system because you don't have their certificate.


Compared to other issues, I think stripping/ignoring signatures for comparison should be a fairly minor issue.


Isn't there a chance that different LLVM versions or flags end up building a slightly different binary?


And now you are aware of the difficulties in producing reproducible/deterministic builds. This would be a good starting point for further reading: https://wiki.debian.org/ReproducibleBuilds/About


Why not check the signature instead?


Is there no option in the store for developers to "sign" the apps in some way and for phones to detect when the app doesn't use the developer's signature?

If such a feature doesn't exist in the app stores, it should.


There is no way to do this in a secure manner that doesn't lead to a closed garden, that I know of at least.


And that would be different from the current iOS store, how?


I think TheLoneWolfling was talking about Verizon or AT&T enabling this kind of "only trust this cert" with one of their own as an intermediary, effectively shutting out Apple and all the actual independent developers on that ecosystem in favor of "The AT&T App Store for your iPhone by AT&T" style closed gardens.

Ultimately, Apple holds the private key that signs every developer's certificate, and thus they have the capability of granting a certificate that is in every way compatible as another developer's certificate. There is no way to escape this scenario, that plagues SSL and TLS as well, without redesigning the asymmetrical certificate infrastructure from the ground up.


I installed it and texted my friend.

It never asked me to verify his pubkey.

How does key management work? Is it all done through Whisper Systems' servers? If that's the case, how is this effectively better than iMessage? iMessage is also (nominally) quite secure, except for the fact that you have to trust Apple to verify pubkeys, which makes it quite feasible to MITM if you can subvert Apple via legal or technical means.


Keys are trusted on first use, similar to SSH. The app also provides an interface you can use to verify fingerprints:

https://github.com/WhisperSystems/Signal-iOS/wiki/FAQ#can-i-...


The latter part is the critical bit here; by comparing fingerprints out-of-band you can guarantee that your keys haven't been intercepted and replaced during exchange.


What's the point of that? Why not just indicate somewhere that the conversation isn't completely secure, rather than have the user believe it is when it's not?


TOFU has proven to be quite resilient against MITM attacks. Do you think it's a stretch to say that SSH is secure?


I think it's a stretch to say that there can be security without verifying keys.


That's like saying that SSH isn't more secure than Telnet unless you personally drive to the data center and verify the fingerprints of every single server by hand.

In reality, TOFU is a form of key verification and it is highly effective against MITM attacks because there's no way for an adversary to reliably determine whether or not a user is seeing a fingerprint for the first time. If at any point the fingerprint changes, the users are warned.

Users can also easily check and compare fingerprints too. They are not mutually exclusive.


I'm talking about absolute terms and you're replying with relative terms. I didn't say that SSH isn't more secure than telnet, I said that you can't be secure against an active MITM unless you verify the keys. That's a fact, I'm not sure how one can argue against it.

Sure, TOFU is better than nothing, and might even be very good, but there's still a way for an active adversary to MITM you.


Yeah, I don't think we actually disagree. Key verification is important, which is why it's a feature in Signal.

In order for an active adversary to perform a successful MITM attack against a TOFU scheme they would need to successfully determine when someone is seeing a fingerprint for the first time (or get lucky) and then successfully maintain their MITM position across every single network the device uses, forever. If they fail at either of those, the user will be warned.

I keep bringing up SSH because it's an example of a fingerprint verification system based on TOFU that works incredibly well at preventing MITM attacks. No one is having key signing parties with their servers, and yet connections remain secure.


I agree, but it's much easier for me to tell a friend "hey is this your key?" when we're together than go all the way up to my server and connect directly to it. That's why I think that there should be a UI element that says "you're pretty secure, but if you just check this you're golden".
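
The trust-on-first-use behaviour debated in the comments above, as an added Python example that is not part of the thread and is not Signal's code. The `TofuStore` class, its method names and the sample keys are hypothetical, and the SHA-256 fingerprint format is an assumption.

```python
import hashlib
import hmac
from enum import Enum


class Trust(Enum):
    FIRST_USE = "pinned on first use, not yet verified"
    PINNED = "matches pinned key, not yet verified"
    VERIFIED = "matches pinned key, fingerprint compared out of band"
    CHANGED = "key differs from pinned key: warn the user"


def fingerprint(identity_key: bytes) -> str:
    """Hex SHA-256 of the public identity key, grouped for reading aloud."""
    digest = hashlib.sha256(identity_key).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


class TofuStore:
    """Hypothetical per-contact pin store (assumption, not Signal's design)."""

    def __init__(self):
        self._pins = {}  # contact -> (identity_key, verified flag)

    def check(self, contact: str, presented_key: bytes) -> Trust:
        pin = self._pins.get(contact)
        if pin is None:
            # First contact: nothing to compare against, so pin what we saw.
            self._pins[contact] = (presented_key, False)
            return Trust.FIRST_USE
        pinned_key, verified = pin
        if not hmac.compare_digest(pinned_key, presented_key):
            # Never overwrite silently; the caller must stop and warn.
            return Trust.CHANGED
        return Trust.VERIFIED if verified else Trust.PINNED

    def verify_out_of_band(self, contact: str, spoken_fingerprint: str) -> bool:
        """Mark the pin verified if the fingerprint read out in person matches."""
        pinned_key, _ = self._pins[contact]
        ok = hmac.compare_digest(fingerprint(pinned_key), spoken_fingerprint)
        if ok:
            self._pins[contact] = (pinned_key, True)
        return ok

    def accept_new_key(self, contact: str, new_key: bytes) -> None:
        """Explicit user decision after a CHANGED warning; resets verification."""
        self._pins[contact] = (new_key, False)


ALICE_KEY = b"\x01" * 32     # constructed sample bytes, not real key material
ATTACKER_KEY = b"\x02" * 32  # constructed sample bytes


def simulate_interception():
    """A key is substituted on first contact, then the interceptor drops out."""
    store = TofuStore()
    return [
        store.check("alice", ATTACKER_KEY),   # first use: wrong key gets pinned
        store.check("alice", ATTACKER_KEY),   # interceptor still in the path
        # Comparing against the fingerprint Alice reads out exposes the swap.
        store.verify_out_of_band("alice", fingerprint(ALICE_KEY)),
        store.check("alice", ALICE_KEY),      # interceptor gone: user is warned
    ]


def simulate_honest():
    """No interception: pin, verify in person, then a legitimate key change."""
    store = TofuStore()
    results = [
        store.check("alice", ALICE_KEY),
        store.verify_out_of_band("alice", fingerprint(ALICE_KEY)),
        store.check("alice", ALICE_KEY),
    ]
    new_key = b"\x03" * 32                    # e.g. Alice reinstalled the app
    results.append(store.check("alice", new_key))
    store.accept_new_key("alice", new_key)
    results.append(store.check("alice", new_key))  # verification was reset
    return results


if __name__ == "__main__":
    for step in simulate_interception() + simulate_honest():
        print(step)
```
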


Is there any documentation out there describing how the encrypted groupchat works? OTR can also give you 1-to-1 encryption, but not encrypted groupchat, so this is great news which I'd like to read more into.



Thanks!


Why is the iPhone app called Signal whereas the Android app is called RedPhone?

(as an aside, I love the screenshots for RedPhone https://play.google.com/store/apps/details?id=org.thoughtcri...)


I've contributed to the development of Signal 2.0, and you can also check out this blog post. https://whispersystems.org/blog/signal/

On Android you can use RedPhone for secure calls and TextSecure for secure text messages. These calls and text messages are compatible with calls and text messages in Signal iOS. Someday TextSecure and RedPhone on Android will be integrated into one unified product called Signal.


Great!

The TextSecure brand is unfortunately dead to me. Although I liked the idea in theory of the SMS backwards compatibility layer, in practice it confused people and caused technical problems which stopped many of my friends using it.

With a reboot as a product with the new name Signal, I can market it again. Needs an Android version first though!


I agreed to that from the first day I used it. It's strange that the developers themselves don't realize it. Just kill SMS support. Nobody needs it anymore. I mean for crying out loud, data-only apps such as BBM and Whatsapp became most popular in poor countries, so I don't think the "but not everyone has money for data" argument works anymore.


I disagree. Most of my contact list doesn't use TextSecure/Signal; when I want to send someone a message I don't want to have to remember if they use TextSecure in order to open the optimal app for messaging them with. Maybe I'd even first open TextSecure, then be disappointed that they're not in there and have to open the plain SMS app. How annoying that would be.

Nobody needs SMS if everyone could just use the same app. But my brother uses a dumbphone and my mother uses an iPhone with nothing but iMessage and I use an Android and don't really feel like installing whatsapp or whatever the latest fad is just because one or two of my friends has it. Over SMS I can communicate with them all, and if any of them ever install textsecure I get encryption as a bonus.


They're planning to drop support for encrypted SMS fallback (a decision I have mixed feelings about), but plain SMS functionality will remain in the Android client for the foreseeable future.


If I recall correctly, Moxie stated that SMS support was a mistake.


On Android, they first started with TextSecure years ago, then built the voice app, RedPhone.

Signal is a rebranding that began with the first app on the iOS platform, which happened to be the voice app. However, Signal is intended to be a fully "integrated" app, that will include text, voice, photo/video attachments, and hopefully video-chatting eventually, too, to take on Skype.

The Android version of Signal will probably arrive this year, too, and when it does TextSecure and RedPhone should be gone from the Play Store.


Question: how and where is a message stored when my phone is off and somebody sends me a message? How is it encrypted and then decrypted on my device once it is turned on?


It will either be on the remote device, or on Signal's servers, depending on how the implementation works. Either way doesn't really matter; the whole point of encryption like this is to prevent third-party access to your communications.

It could be stored at NSA central for all it matters, and you'd still be the only one able to read the message (using the keys on your device).


I know how encryption works. My question was rather design-wise, i.e. which keys are used to encrypt messages on WhisperSystems servers (my public key? Or sender's?). But I'll have a look at the link below describing the modified OTR protocol.


They are using a modified OTR protocol: https://whispersystems.org/blog/asynchronous-security/


Thank you easyd. That was a good read :)


For those interested, I think Whisper Systems is currently hiring iOS + UX in the Bay Area: https://news.ycombinator.com/item?id=9127708


What's the difference between this and Telegram? I'm starting to feel a bit overwhelmed with what messaging app I'm supposed to use. Also, why is ios8 required?


I'm a Signal/TextSecure contributor. There's been a lot of controversy over the Telegram encryption protocol, and any cryptographer that looks at it cringes.

Beyond doubts with the protocol itself, I think the more important consideration is that most people never use it. Telegram is not encrypted by default. Users have to create a special "secret chat" with contacts that is ephemeral, and some Telegram clients don't even support that mode. Last I checked, there was no way to have group "secret chats" in any client at all.

The result is an unfortunate situation where many users seem to think that Telegram is somehow secure by default, when it definitely isn't. Telegram even stores plaintext copies of everyone's entire message history on the server for multi-device sync.


> I'm a Signal/TextSecure contributor.

That's a bit of an understatement.

Anyway, thank you for your work, and congratulations for the release!


Awesome, thanks for taking a moment to explain that for me!


Signal/TextSecure is Free Open Source Software. There is no company behind the development of the App. It is the Software with the best security model so far. The cryptography behind Telegram is not what you would expect of today's crypto standards. A lot of security researchers have commented on this already.


Sure there is a company (Whispersystems) doing most of the work behind it. As they state: "dedicated development is supported by community donations and grants". This is good, it allows for very focused development.


Open WhisperSystems isn't a company. WhisperSystems was a company, it was acquired by Twitter which open sourced TextSecure. OWS is just a name for the community effort around these tools: https://whispersystems.org/about/


Signal does voice calling too.


Is Telegram open source? I didn't see it obviously linked from their website.


They publish source for their client programs (some even are GPL v3), but they keep the server side stuff to themselves.


Can anyone explain what's the difference between using Signal and using WhatsApp (assuming TextSecure is the default protocol being used - is it?)?


WhatsApp is a closed-source proprietary app owned by Facebook. Metadata is owned and kept by them, and normal chat data is also theirs. They claim they have started using the TextSecure encryption mechanisms on their apps, but this appears to only be true for the most-recent Android app. So there is a high probability some or all of your messages are either not encrypted or encrypted with a key that you do not have. For these messages the police or other government agency could retrieve via a warrant or other means. WhatsApp uses a subscription model and they can decide to change the terms or costs at any time, or discontinue the product. They are not very transparent and take a long time to implement changes / fixes that they promise will be implemented. The app has a very large user base in many markets.

Signal is a free open-source iOS app from whispersystems, licensed under the GPL. Its counterpart on Android is TextSecure/RedPhone, which will eventually be reimplemented and rebranded as Signal for Android. It is secure by default, all messages are encrypted using private keys of the participants... whisper does not have the keys (so they can not turn the keys or content over to anyone). You can audit this since it is an open source app, and if you would like to fix a bug or work on a feature you can do that as well. It does not have nearly as big of a user base as WhatsApp, and needs some love before usability/features/bugginess are on par with WhatsApp (shouldn't be too hard to match as WhatsApp itself is not very feature rich and often quite buggy itself). Signal has taken its time in development (TextSecure for iOS was 'on track' to be released in summer of 2013)...

You can also make secure phone calls with Signal/Redphone, but not WhatsApp.


Signal is open-source while WhatsApp is proprietary.

WhatsApp also uses the 2-part ratcheting developed in Axolotl my understanding is, but they are not mutually compatible on-the-wire transport.


Only the Android version of WhatsApp has encryption, as far as I can tell.

Also WhatsApp (i.e. Facebook) get the metadata still - who messaged who, and when.


I installed 2.0 and added the phone number of a friend also using 2.0. I click the + icon and I see my friend's name grayed out so I can't send him a message. What does that mean?


Has your friend installed the 2.0 client on their iOS device? My wife has not, so her status is also greyed out on my iPhone with 2.0 installed.


Awesome. Is there a rough timeline for Signal on Android? What about the desktop version - will there still be one? (at least a Whatsapp Web/Pushbullet style "desktop app")


Signal for Android is already available, kinda...

It's split into TextSecure for the messaging portion and RedPhone for the call portion[0].

[0] https://whispersystems.org/


There are some compatibility problems between Signal and RedPhone. I can't seem to get the two to work together for international calling. Googling "Signal can't connect to RedPhone" shows that I'm not alone in this. Guess I'll have to wait for the Android version of Signal.



For those who might clone, build, and use without actually reading the readme, take note of this warning by the project maintainers:

"warning: This project is still in the prototype phase. It contains many bugs and lacks many features."


Congrats on the launch of Signal 2.0. I hope it'll be a popular app, but I have a question slightly off topic: Why can't we get an app like Signal for the desktop? Yes, I'm aware there are alternatives for the desktop (mainly Pidgin + OTR), but none of them work like Signal does (ease of use) and frankly I don't really trust using them. I'd like to think I'm ignorant on the subject and there's a good alternative out there, and if so, please do tell.


That's currently in the works as a browser extension: https://github.com/whispersystems/textsecure-browser

You can keep track of its progress there :).


Yeah, I'm aware of that, but doesn't that require a smartphone with TextSecure installed? I don't own a smartphone. (I accept that I'm a weirdo.)


No, just requires a phone number. It's still under development, but if you're curious you can check out install instructions here: https://github.com/WhisperSystems/TextSecure-Browser/blob/ma...


Huh, I didn't know that. Thanks for the link.


But I wonder if it's a good idea. You know, JavaScript/in-browser crypto being considered harmful and all that...


All the protocols for Signal / TextSecure are open source. Seems like people will probably implement desktop clients at some point, which would be really nice.


Seems like it's not tested well. I updated to Signal 2.0 on an iPhone 6 with the latest iOS 8.x. It said that none of my contacts have Signal (that's true) and had a link titled "Invite your friends". Tapping on that took me to the home screen. Killed it and tried a few more times. No use. If it were as usable as Telegram, I'd insist my contacts to switch. But not right now.


Has anybody with an iphone bothered to check the privacy policy yet? https://whispersystems.org/signal/privacy (404 with a link to Moxie's homepage)

Annnd it's fixed the second after I post...dang it. 404's still link you to thoughtcrime.org. Possibly a mistake.


Presumably there are still multiple ways for messages to be intercepted from the user's iPhone:

- Physical access or confiscation of the device

- Possible backdoor in iOS or the physical iPhone hardware?

- Compromise or physical access to a host machine where the user backs up their device.

Although, I'm not sure what can be done to stop this.


There's no such thing as perfect security in the real world. Instead, your best bet is to raise the cost of breaking the security that you do have. If you raise that cost above the value of that which you're securing, then you are in good shape.


I recently learned about Sancus [0]. It provides a way to protect an application from the operating system. It requires hardware support though. So not available in any mainstream hardware right now. It also allows very secure DRM.

[0] https://www.usenix.org/conference/usenixsecurity13/technical...


Fantastic! Go-and-install-immediately!


I see it's open source, but is there a good third-party security evaluation of this anywhere?



Ha — found one:

> You need to have Signal on your iPhone. Full stop.

https://twitter.com/tqbf/status/572469319554088960


That's an endorsement, not security evaluation. Not exactly the same thing.


There's a link to it in that conversation: https://eprint.iacr.org/2014/904.pdf


Hmm, about 5 min in and still waiting for an SMS verification message. I assume they are just backed up right now?

EDIT: After 20 min of no message I just requested another code (I had done this once or twice before) and it worked.


took me a long time to get the code too.


How is it working out? Is the messaging solid between Android and iOS? How is the group messaging working?

Sorry, I just downloaded it, but I have no friends on the list yet. I'm impatient. I really want it to work.


I've been using textsecure for a long time now: so far I haven't had any issues messaging new iOS users including mixed groups. In my experience, there might be some mms edge cases when mixing with other messaging apps, but not too many and bug reports are monitored regularly on github.


Cool, thanks. So, I got it working with some friends. The start is rough when you don't have any contacts. There is no hand holding like you'd expect from other messaging apps. Especially the first message to the first contact is a tough discovery. I managed to mistakenly call instead of texting and another friend did exactly the same.

The error message when you are not registered yet is also not totally clear. One friend complained that he couldn't see when I had read the message (compared to Facebook Messenger).

On the plus side, you've come really far in usable crypto when you're being compared to that.


Yeah, I gather this can't be used to completely replace SMS? The handy part of the Android TextSecure is that it's my SMS app for everyone whether or not they use it. I just send a message the normal way and if they're using it, a little lock icon is on the message.


Correct. As I mention above this is unfortunately not possible on iOS due to API lockdown.


Can you document how to add contacts? I've been poking around to no avail.


Signal ties into your phone's existing address book. You can add someone new using the iOS Contacts application.


I thought Signal 1.x had a way to invite people to download and install Signal over iMessage.


I gave up on TextSecure after I irrevocably lost several MMS photos that were sent to me :(


TextSecure lets you save photos out of the conversation and onto (unsecure) external storage.


The photos refused to download from the textsecure servers.


yeah, I've been burned a few times by photos. Luckily, never in a case where the sender couldn't try again using something else (it's only happened on non textsecure to textsecure, if both people use it, I haven't had any issues)


There was a bug a while back where photos would only download via cellular, but the app would try to use WiFi if you were connected. I think it is fixed now.


MMS messages are sent and received by your cellular carrier.


same here. also, what is the blue button for?


Left button/Screen is active conversations. Right side check box blue thing is the Archive.

Swipe right on a conversation, and it goes into the right hand side. No idea why it's that way. Very odd. Why even have the option if it's going to be a first level function?


Blocked in Oman, can't register :(


Argh, I kept reading "SignalR 2.0". This post was so confusing...


Maybe a stupid question

What good is open source, when the developer can still add a backdoor later and put the backdoored version on iOS store?

I still need to trust the developer.

(And Apple, too, but once I can't trust Apple I can no longer trust the OS itself and just throw the phone away)


I think the premise of that sort of thing is that in theory, you could build your own copy and install that, or at least check it against the pre-compiled version.


Yes, but I cannot do that with Apple's iOS (well, I can, but I have to buy a certificate for 99 dollars).


Perhaps it's incorrect thinking, but I trust that Moxie and the gang aren't going to screw me over.

But, yeah, in theory, you can download it and compile it. The fact that you would have to also buy a certificate from Apple to do it is just a detail. You _can_ do it.


At some point, you have to decide if the $8.25/mo is worth the added security, I suppose.


Open source is, indeed, a red herring when talking about iOS or Android. It's a buzzword more than anything. And if anyone thinks you're somehow safe because people can audit the open source version of a closed iOS app, they are delusional.

You also have the baseband CPU on many devices, which can read unencrypted memory anyway. So it is a hopeless case. Which is why this whole secure text craze HN is on is just insane. You'll never beat the momentum of iMessage or WhatsApp. But worse, there is not even any point! Trust begins and ends with a closed device.


Why is there always some comment that makes a point about the baseband, as if it's a novel idea? This is letting great be the enemy of good.

Most of us are not going to be a target of state-level intelligence agencies, which are the only possible actors that have the sophistication to compromise the baseband processor. The idea is to prevent dragnet surveillance.


The "screen security" feature on iOS appears to do nothing. Not exactly confidence inspiring.


It stops iOS from saving screenshots of the app when it closes. When an app launches on iOS, it initially draws the UI from a saved screenshot while the app is loading. This creates a privacy risk since that image may contain sensitive info.


Oh, wow, I thought it was some sort of lock screen for the app. There should be a description.


TextSecure has the option to lock the app after a timeout (or on command), and not unlock it until a passcode is given. I suspect Signal has something similar.


Great app - but I fail to see how that's going to replace GnuPG.


Have I missed the claim they made that it would?

GnuPG is useful, but it's a totally different product.


This is related to Moxie's blog post from last week just before the release of this software - which is textsecure for iOS - see http://www.thoughtcrime.org/software.html.

Man, you guys can't remember a thing for a single week?


Boo on all who downvoted this bit of snark.


Still asks for a phone number. Useless.


Not useless, but not as great as it could be indeed. I would love to publish my textsecure contact details online but I would never publish my phone number.


Why not use a disposable number, like from Google Voice?


Google Voice is US only.


You want to read this conversation between Matt Blaze and The Grugq before making your mind up on that:

https://twitter.com/thegrugq/status/572472282028744704


I agree with 13.

There needs to be a way to have an account that is not tied to a SIM card or any kind of phone number.

I'm frankly astonished there's even a debate about that.


I'm just astonished that there's even justification for it not being an option. Bang on about easy discovery all you want, there's lots of people who don't want to give out their phone number for no good reason to some strangers.


This is nowhere near as simple as "you just published your phone number to TextSecure":

https://whispersystems.org/blog/contact-discovery/

It is a very real security issue, too. What Matt Blaze is talking about with "extra namespaces" is a giant piece of attack surface TextSecure is avoiding.


We're getting back to the issue of 'usability' though.

My desktop has no phone number, my tablet has no phone number and .. I have multiple phones, which have different phone numbers. I would like to use a single IM account (hey, like with mail. Or xmpp).

TextSecure doesn't allow that. TextSecure is not usable in these scenarios. It's not about "Could TextSecure leak my number", it's more about "The current architecture of TextSecure makes no sense for these use cases and seems to be quite close to WhatsApp et al - even before their agreement".

A telephone number is not an identifier, it's not stable and it's not something you can expect as 'given'. This is a broken system. As 13, the thread starter, mentioned.


It's not a "broken system". It's one that doesn't work for your particular use case. As Matt Blaze pointed out in his Twitter message and I did here: simplifying "identity" down to a phone number sidesteps a complicated security problem that has created flaws in other applications and will continue to do so.

I'm sorry you can't use TextSecure right now; it's the only encrypted messaging system I actually like (though I think you can get by with OTR [but not group OTR!] and GPG). They have to start somewhere, though. And it's far better that they get a simple case right than an ambitious case wrong.


You keep talking about "discovery".

I don't want to be discovered.

I don't want my Signal identity to be tied to any phone number.


Use other tools. There's plenty of alternatives for secure communication. The OWS apps have a specific purpose that's closely tied to how smartphones are used.


I think that I'd be happier with social-network discovery: I can see my friends, and those of their friends whom they have shared with me; I can then ask to become friends with those whom I know, and then see their friends, and so forth. My namespace would be local to me, but I could browse my friends' namespaces as well.


Having a way to work without a phone number would also be a requirement to use it on a desktop/laptop or tablet.


You can install Signal on a WiFi-only iPad and use any phone number to register. This will also be the case for the upcoming desktop client.


Get a Google Voice number (Free. Use throw away account) and use that. There are instructions out there on how to connect a Google Voice number to Signal.


I don't want to get any number. I want to have any number of throw-away accounts active in parallel on every device.

Just as with jabber, e-mail, IRC and every other open messaging technology.


Which you can only do in the US.


Congrats to the Open WhisperSystems team on this awesome release!

My last gripe (phone call results in only one vibration in vibrate mode), is apparently slated to be fixed in 2.0.2 [1]. Once that's in, there'll be no reason for me to use any other voice/chat app on the iPhone!

Edit: Apparently it's an iOS issue. Filed rdar://20008371. Plz 2 fix it Apple!

[1] https://github.com/WhisperSystems/Signal-iOS/issues/244



