posted by martyb on Friday November 20 2015, @01:22PM
from the tried-to-search-on-'Signal'-but-got-lots-of-noise dept.

Approximately two weeks ago, Open Whisper Systems announced the merger of two of its Android apps, Redphone (secure calling) and TextSecure (encrypted messaging) into one: Signal for Android. This is a counterpart to Signal for iOS, created by the same team. A Chrome extension is forthcoming.

Signal has been getting a lot of love from the security community (Snowden, Schneier, etc.) specifically for its user-friendliness, the lack of which has prevented the adoption of other crypto software.

The encrypted messaging algorithm seems to be a version of OTR modified for asynchronous mobile environments. Some version of this has been implemented in CyanogenMod as WhisperPush and WhatsApp.

Their blog has a lot of nerdy crypto detail for those interested. For example: deniability, forward secrecy, calling network.

All of their code is open source and funded by donations. Donations are also possible using bitcoin. Accepted pull requests get a payout using another of their projects, Bithub (code).



Related Stories

Open Whisper Systems Releases Standalone "Signal" Desktop App

http://www.tomshardware.com/news/signal-messenger-standalone-desktop-app,35810.html

Open Whisper Systems (OWS), the non-profit that develops the Signal messenger and its end-to-end encryption protocol, released a new standalone desktop application that will replace the existing Signal Chrome App. The move comes as Google is preparing to end support for Chrome Apps in its browser.

[...] Because Google is deprecating its Chrome Apps, Signal's developers had to find another way to offer their users a desktop application without having to rewrite one from scratch. The group used Electron, an open source framework for creating native applications using HTML, CSS, and JavaScript. This way, OWS was able to convert its existing Chrome App code into a standalone Electron application without too many changes.

Although we don't get a truly native Signal application, there are still some advantages to be gained from this transition. For one, you don't need to install Chrome anymore, just to be able to use the desktop Signal application. Firefox and Safari users can run the new Signal app separately, just like any other desktop app.

The second advantage is that you no longer need to keep your smartphone around to be able to chat via the desktop app, as you have to do with the desktop version of WhatsApp, for instance. After the initial set-up and linking of your smartphone to the desktop app, the new desktop app can be used independently of a smartphone.

Related: Redphone and TextSecure are now Signal
Egypt has Blocked Encrypted Messaging App Signal
Encrypted Messaging App Signal Uses Google to Bypass Censorship



This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Friday November 20 2015, @01:58PM (#265801)

    I have this on IOS9, but it doesn't "see" my contact list. I keep my contacts on my own server across many devices and not the icloud/google/somethingsomething solution. This means I can't use it to send invites to the service or anything else for that matter. ;_;

    • (Score: 4, Interesting) by kadal (4731) on Friday November 20 2015, @02:34PM (#265816)

      Have you reported it? https://github.com/WhisperSystems/Signal-iOS [github.com]

    • (Score: 2) by davester666 (155) on Friday November 20 2015, @07:25PM (#265926)

      well then, code up a fix so it can see your own server, and then side-load it onto your iDevice...you don't have to pay anything to do this now. It's how I got flux onto my iPhone...

  • (Score: 4, Interesting) by boltronics (580) on Friday November 20 2015, @02:23PM (#265811)

    Open source code, but not very committed to "open source" or free software in practise. No F-droid repository, and as I understand it, this is not a priority for Open Whisper Systems. Oh well.

    --
    It's GNU/Linux dammit!
    • (Score: 5, Interesting) by kadal (4731) on Friday November 20 2015, @02:33PM (#265813)

      That's what I thought. Then I read this: https://github.com/WhisperSystems/Signal-Android/issues/127#issuecomment-13335689 [github.com] . I think his stance is not unreasonable.

      • (Score: 4, Informative) by radu (1919) on Friday November 20 2015, @02:42PM (#265820)

        Actually only the last sentence makes sense (but it's enough sense for me):

        if you aren't able to build TextSecure from source, you probably aren't capable of managing the risks associated with 3rd party sources.

        • (Score: 2) by boltronics (580) on Saturday November 21 2015, @08:28AM (#266116)

          3rd party to who? Google? Google's a 3rd party to my point of view. The Google proprietary components are probably full of spyware for all we know. If I'm using Replicant, having Google's signature hardly matters. If Open Whisper Systems published their own F-Droid repository, they could sign all their own packages.

          The problem with Open Whisper System's stance is that they somehow believe people who prefer free software are all "power" users, and that's BS. We want *everyone* to benefit from free software - not just geeks.

          Moxie's contributing to a world where security software for the average person is expected to run on top of proprietary software, and we desperately need to put a stop to that. You don't need to be a security expert to see the problem with contributing to that trend.

          --
          It's GNU/Linux dammit!
    • (Score: 5, Insightful) by drgibbon (74) on Friday November 20 2015, @02:46PM (#265824)

      Moxie is definitely not against free software, his concerns are security based. There's a thread on the Github tracker [github.com] where he explains why he prefers that F-Droid don't package Signal (back when it was TextSecure). Of course someone could just package it anyway, but ok, the guy has contributed a massive amount to security so people respect that. From what I remember, Moxie's main reasons are that he's against people checking "install apps from unknown sources" and he is also against the F-Droid centralised signing process. Actually OpenWhisper could just make their own F-Droid repo, but that would still mean that users need to install "unknown apps", which Moxie sees as a return to the "desktop security model". I can see where he's coming from, but I still think OpenWhisper should make their own F-Droid repo and release it quietly for the people who want it. However, what he doesn't want to see is geeks putting F-Droid on normal peoples' phones and checking "allow unknown apps" thus weakening security for those that don't know how to manage it. He would be happy to have APKs outside of the Play Store based on the conditions in this post [github.com], although I don't see how that gets around installing "unknown apps".

      It's a bit of a hassle, but for myself I just build a version of Signal from source every now and then. They do at least make that process very easy.

      --
      Certified Soylent Fresh!
    • (Score: 5, Insightful) by melikamp (1886) on Friday November 20 2015, @05:53PM (#265882)

      I am getting a similar impression: not a lot of care be it the user freedom or the user security.

      Seriously, let's have a discussion, because sometimes I feel like either me or the whole world is going crazy, and either possibility is really bad :) What can we infer about a security solution provider who does not ever ever mention a giant by-design security hole in their application? In this case, it's the fact that all target operating systems are adversarial (because non-free). How does the Signal app cope with the operating system or any of its privileged apps logging keystrokes? It doesn't. The overt assumption is that the OS is secure, which would be reasonable about a free GNU/Linux installation, for example. But the commercial deployments of Android offer neither security nor privacy, they are rooted by parties other than the user, often in an exploitative manner. Same for IOS. These are basic facts of life: non-free systems spy on their users. They do so because it's profitable, it's not illegal, and many users are so out of touch with security issues, they don't quite understand why this is bad, so they consent to it. The so-called security professionals who gloss over these facts really make me wonder. Don't they owe to the user at least a warning??? With big bold red letters: THIS APP ONLY RUNS ON NON-FREE PHONES, WHERE THE OS MAY BE LOGGING ALL KEYSTROKES AND SCREEN INFORMATION, AND THERE IS NO WAY TO KNOW WHEN IT DOES THAT OR TO MITIGATE THE LOSS OF PRIVACY IN ANY WAY. Because this is what's going on, right? Shouldn't the user be aware? What would be the reason to gloss over that?

      I personally can hardly believe Snowden suggested the app to people, although his actual words may have been mangled by the interview process. I myself can sign under "IF you use Android, THEN Signal is the most secure option", but I would also add "which doesn't mean anything on an Android-based cell phone, but hey, everything else is even worse". And Schneier I actually spoke to, and he said he uses an Apple phone. OK, I guess he is being consistent with his advice, but now I am losing my grip on what Schneier means by privacy.

      Am I completely out of touch, people? What is the freaking point of making security and/or privacy solutions based on non-free platforms? The whole idea of a non-free platform is to strip the security, the privacy, and the control privileges from the user. None of the security features can be guaranteed there. Why are we wasting resources on this crap? Why is there a Windoze build of TOR, for example? Just so that the attackers can snoop over TOR communications through the backdoors in Windoze? I do not seriously suggest that TOR developers are screwing over their users on purpose, but there is this blindness to the issue, and I find it scary.

      • (Score: 0) by Anonymous Coward on Friday November 20 2015, @06:34PM (#265899)

        I agree with you to some extent, but there is a fundamental problem here: Most users don't want to give up convenience for privacy and security. Oftentimes non-free proprietary software is more convenient at the moment (not to mention pushed on people by multi-million dollar ad campaigns which of course do not inform users of what they're really getting), so people use that. Still, even under these circumstances, there's a chance that things like TOR could help, even if users would be better off with free platforms. Perfection is the enemy of... slightly better.

        • (Score: 5, Insightful) by melikamp (1886) on Friday November 20 2015, @08:05PM (#265944)

          there's a chance that things like TOR could help, even if users would be better off with free platforms

          You know, that's great, and probably true: we can reasonably suppose that using TOR on Windows (or Signal on IOS) does increase privacy and security, although the end result is still really really bad. What stymies me is... Where's the admission? Where's a fair warning? Where's the honest efficiency assessment by the devs or the security experts? If they want to spend their time developing "security" solutions for spy-phones, I can't complain, but what's that with pretending they work? Just tell the user like it is. The sooner users are aware of the basic facts, the sooner they will push legislators to marginalize the whole damn non-free software ecosystem.

  • (Score: 1) by tftp (806) on Friday November 20 2015, @10:52PM (#265996)

    Which TCP & UDP ports need to be available?

    You need to open TCP 31337 and all UDP ports in order for Signal to work. Signal uses a non-standard TCP port to catch filtering issues at the signaling step and a random UDP port. All UDP ports will need to be opened.

    • (Score: 0) by Anonymous Coward on Friday November 20 2015, @11:35PM (#266006)

      It should be possible to make it use a customizable range of UDP ports.

      • (Score: 2, Interesting) by tftp (806) on Saturday November 21 2015, @12:11AM (#266019)

        It should be possible to make it use a customizable range of UDP ports.

        It should be possible to make it use a single, randomly selected by the user, negotiable UDP port. Like BitTorrent, for example.

        Reliance upon a fixed TCP port 31337 will make this connection very easy to detect and block at any router. The TCP port number should be also negotiable. If the software offers random TCP and UDP port numbers for the user to adopt and then open at their router, the overall picture will be random enough, hard to detect and hard to block.