In the age of ubiquitous government surveillance, the only way citizens can protect their privacy online is through encryption. Historically, this has been extremely difficult for mere mortals; just watch the video Edward Snowden made to teach Glenn Greenwald how to encrypt his emails to see how confusing it gets. But all of this is quickly changing as high-quality, user-friendly encryption software becomes available.
App maker Open Whisper Systems took an important step in this direction today with the release of a major new version of its Signal encrypted calling app for iPhones and iPads. The new version, Signal 2.0, folds in support for encrypted text messages using a protocol called TextSecure, meaning users can communicate using voice and text while remaining confident nothing can be intercepted in transit over the internet.
That may not sound like a particularly big deal, given that other encrypted communication apps are available for iOS, but Signal 2.0 offers something tremendously useful: peace of mind.
Unlike other text messaging products, Signal’s code is open source, meaning it can be inspected by experts, and the app also supports forward secrecy, so if an attacker steals your encryption key, they cannot go back and decrypt messages they may have collected in the past.
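The forward-secrecy property described above, sketched as an added example (not code from Signal or Open Whisper Systems): a simplified one-way hash ratchet, with a toy HMAC-based cipher standing in for a real one. All names, the starting key and the sample messages are constructed for illustration; Signal's actual protocol is more elaborate.

```python
import hashlib
import hmac

# Constructed sample data: a shared starting secret and four messages.
ROOT_KEY = bytes(range(32))
MESSAGES = [b"meet at noon", b"bring the documents",
            b"use the side door", b"running late"]


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation: easy to compute forward, infeasible to invert."""
    return hmac.new(key, label, hashlib.sha256).digest()


class HashRatchet:
    """Key chain that only moves forward; each old chain key is overwritten."""

    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key

    def next_message_key(self) -> bytes:
        message_key = kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")  # previous value is gone
        return message_key


def _keystream(key: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(message_key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC, for illustration only (not a vetted cipher)."""
    enc_key, mac_key = kdf(message_key, b"enc"), kdf(message_key, b"mac")
    stream = _keystream(enc_key, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def open_sealed(message_key: bytes, blob: bytes):
    """Return the plaintext, or None if the key does not fit the message."""
    if len(blob) < 32:
        return None
    ciphertext, tag = blob[:-32], blob[-32:]
    enc_key, mac_key = kdf(message_key, b"enc"), kdf(message_key, b"mac")
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def simulate_key_theft() -> dict:
    sender, receiver = HashRatchet(ROOT_KEY), HashRatchet(ROOT_KEY)

    # An eavesdropper records three ciphertexts; the receiver reads them.
    recorded = [seal(sender.next_message_key(), m) for m in MESSAGES[:3]]
    delivered = [open_sealed(receiver.next_message_key(), b) for b in recorded]

    # The receiver's current chain key is then stolen. Try it, and the keys
    # derivable from it, against the ciphertexts recorded earlier.
    stolen = receiver.chain_key
    probe = HashRatchet(stolen)
    candidates = [stolen] + [probe.next_message_key() for _ in range(8)]
    past_readable = [any(open_sealed(k, b) is not None for k in candidates)
                     for b in recorded]

    # A hash ratchet by itself does not protect messages sent after the theft.
    later_blob = seal(sender.next_message_key(), MESSAGES[3])
    later_read = open_sealed(HashRatchet(stolen).next_message_key(), later_blob)

    # Contrast: one long-term key for every message. Stealing it exposes the
    # whole recorded history. (Reusing the keystream is part of the toy.)
    static_blobs = [seal(ROOT_KEY, m) for m in MESSAGES[:3]]
    static_read = [open_sealed(ROOT_KEY, b) for b in static_blobs]

    return {
        "delivered": delivered,
        "past_readable_after_theft": past_readable,
        "later_read_after_theft": later_read,
        "static_key_readable_after_theft": static_read,
    }


if __name__ == "__main__":
    for name, value in simulate_key_theft().items():
        print(f"{name}: {value}")
```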
Signal is also one special place on the iPhone where users can be confident all their communications are always fully scrambled. Other apps with encryption tend to enter insecure modes at unpredictable times — unpredictable for many users, at least. Apple’s iMessage, for example, employs strong encryption, but only when communicating between two Apple devices and only when there is a proper data connection. Otherwise, iMessage falls back on insecure SMS messaging. iMessage also lacks forward secrecy and inspectable source code.
Signal also offers the ability for power users to verify the identity of the people they’re talking to, confirming that the encryption isn’t under attack. With iMessage, you just have to take Apple’s word for it.
Strong, reliable, predictably-applied encryption is especially important at a time when the world just found out, via a report by The Intercept, that American and British spies hacked into the world’s largest SIM card manufacturer and stole the encryption keys that are used to protect communication between handsets and cell phone towers. With these keys, spies can eavesdrop on phone calls and texts just by passively listening to the airwaves.
Signal development is also noteworthy because its makers, Open Whisper Systems and that company’s founder Moxie Marlinspike, are gaining a reputation for combining trustworthy encryption with ease of use and mobile convenience. Open Whisper Systems recently partnered with the makers of the messaging app WhatsApp to add encryption to that popular product (WhatsApp is not yet fully encrypted across all platforms and media types).
“We want to make private communication simple,” says Marlinspike, who designed the encryption protocols that power his company’s apps. “Our objective is to do new cryptographic research and development that advances the state of the art while simultaneously making it frictionless and accessible for anyone.”
iPhone users can find Signal here. For Android users, the product is, at the moment, split into two apps: TextSecure for private texting and RedPhone for private voice calls. “We’re working towards a single unified Signal app for Android, iPhone and the desktop,” says Marlinspike.
It’s important to keep in mind that no technology is 100 percent secure, and an encrypted messaging app can only be as secure as the device you install it on. Intelligence agencies and other hackers can still exploit security bugs that have not been fixed, known as zero day exploits, to take over smartphones and bypass the encryption that privacy apps employ. But apps like Signal go a long way to making mass surveillance of billions of innocent people infeasible.
Update: Changed wording in the lede to better reflect the caveats deeper in the piece.
There’s a big problem with these apps from Open Whisper Systems:
Many friends of mine, especially the very most of them which are at least a little bit privacy concerned at all, use almost Google-freed cell phones. And we are very happy to use for example Cyanogenmod and maybe F-Droid without bloating our devices with Google Play Store and all that comes with it.
The problem is now, that especially those privacy concerned people are technically excluded from using Redphone and Textsecure because both are exclusively available on Google Play Store.
Isn’t that ironic?
There is no apk package with sha256sum check available anywhere.
If we want to use these programs we are forced to install the Google bloat-ware first or have to manage to compile it from source but very few of us have the technical skills to do the latter.
Sad but true, but our only option is to use jabber and otr for ourselves without a chance to communicate via encryption with the rest of the world which uses Redphone, Textsecure and Signal :/
The Tor browser – the latest version – continues to be blocked with a ‘DisableNetwork’ function, as the log shows. I must use this browser as all other browsers are easily compromised. At one library that I use (do not have a functioning computer at home and my smartphone has been totally hijacked), Chrome appears to be the default browser, but when you do close the browser, a pop-up box asks if you want to exit Internet Explorer. The pop-ups referencing IE come up at other times as well when the ‘Chrome’ browser wishes to veto an action, suggesting that the Chrome UI is used when the underlying operational browser is IE.
I want the Project community to know about this as it is my (and the world’s ) best interest to find ways to stop this. I thought this would be the most appropriate place to air the problem. Thanks.
Gemplus international is headed by Alex J. Mandl, former Director of In-Q-Tel, the venture capital fund created by the CIA with the good offices of the U.S. State!
Ms. Ruth David was commissioned to assemble this background was very close to Sun Microsystems, Oracle, Dell, and Mr. Mandl.
This background work for more than a decade to put in place procedures to spy by means technique all kinds of companies major players in such or such economic areas!
The Wolf is in the sheepfold (Gemplus, Gemalto) long and one is surprised that now they give all the information to the CIA or NSA specifically because it is this agency that harvest all the information including the USA could need either in terms of economic competitiveness or simply to draw all money transfers or spy on communications.
For information, Sun Microsystems used the same protocol for the implementation of ‘back door’ on their processors as those used on smart cards. This protocol allows to transmit a lot of information through the network directly on the servers of the NSA.
Sun and now Oracle have sold a large number of servers with these processors to almost all banks in France and the rest of the world…
Open WhisperSystems is a US based organization and cannot be trusted therefore. Being open source doesn’t change that, as I don’t have a way to verify if the downloaded app has been built from this code. I’d rather go with Threema, which is Swiss based and therefore out of reach of national security letters.
A comment that I posted here appeared briefly but has since vaporized.
In an earlier comment, I wanted to know if there were archives of the technical articles by Micah which I find very informative and useful, so one could use when configuring their system.
In the earlier comment, I wondered if there was an archive of earlier technical articles by Micah which I find informative and helpful, especially for one considering to configure their system.
Once in a while we hear some good news:
~
The U.S. Federal Communications Commission votes to reclassify Internet broadband as a utility, enforcing net neutrality rules.
~
http://tech.slashdot.org/story/15/02/26/1824240/fcc-approves-net-neutrality-rules
~
http://www.fcc.gov/document/fcc-adopts-strong-sustainable-rules-protect-open-internet
~
http://www.nytimes.com/2015/02/25/technology/path-clears-for-net-neutrality-ahead-of-fcc-vote.html
~
http://en.wikipedia.org/wiki/Net_neutrality_in_the_United_States
~
Satyagraha
RCL
If an app is “free,” it is not. “Free” is the most expensive kind of currency. If it’s free, you’re the product being sold.
This “free” is the work of a nonprofit using donations and volunteer work. The code is open source, so you can check it yourself: https://github.com/WhisperSystems/Signal-iOS
There’s no guarantee the code in the link you provided is the one running in the app I downloaded on my iPhone.
How can I trust this isn’t some elaborate scheme by the NSA to get me to install some backdoor on my iPhone? Who is this Micah Lee? I for one am not falling for it.
You shouldn’t trust it implicitly. Look at the code and check it yourself: https://github.com/WhisperSystems/Signal-iOS
Right after the Snowden exposé I suggested for Linux networking libraries to be taken out of the kernel
// __ RFE: moving networking out of the kernel and into to user land …
http://lists.openwall.net/linux-kernel/2013/08/12/543
http://comments.gmane.org/gmane.linux.debian.user/460014
IMO, this should be a first step before anything else is done. In fact, I was amazed no one had proposed/taken care of that. Right now I don’t have time to dedicate to such coding project and I don’t like to mess with projects I wouldn’t maintain myself, but I think any technical person could understand what I mean and this should be that difficult.
Satyagraha,
RCL
Open Whisper Systems and Twitter have commercial arrangements which allow twitter access to data on iphones
No they don’t. If they did it would be possible to prove, both from the source code and by observing network traffic while using the Signal app.
// __ Building backdoors into encryption isn’t only bad for China, Mr President, Trevor Timm
~
theguardian.com/commentisfree/2015/mar/04/backdoors-encryption-china-apple-google-nsa
~
theguardian has become quite a bit more “responsible” (“responsibly” selective?).
Trevor tries to keep it “UNresponsible” which IMO is what we all actually need
~
Satyagraha,
RCL
As far as a Swiss resident looking at this, I’d rather rely on Enigma or Threema. Fully dev & hosted in Switzerland. If it comes from the US it is just as good as to say it is coming from China, if one cannot trust the Chinese gov’t then it just can’t trust the US gov’t.
Even if Signal is free/libre software, the iThing platform is still a proprietary monster. Apple can extract various personal data from an iPhone at will, and does so for the state.
See http://gnu.org/philosophy/proprietary/malware-apple.html
and http://gnu.org/philosophy/free-software-even-more-important.html.
Great article. I hope you and the Intercept continue to write about well-engineered privacy software that’s suitable for mass adoption.
I do have two interrelated criticisms:
1) You ought to define your audience, especially when describing tech to non-technical readers. If “you” in the headline is everyone who wants or has an iPhone then of course anything is better than the default of no protection at all. However if “you” means other journalists, this headline is misleading. Of course journalists should install this and encrypt their iPhone calls when possible. But the bigger issue is that journalists should _not_ be communicating with sources or doing other critical work over a cellphone. Unfortunately, journalists do not yet come standard with the ability to judge the difference between forward secrecy on top of a proprietary OS (plus proprietary radio-receiver OS, for Christ’s sake) vs. OTR and/or onion-routing on top of a GPL-licensed OS with a decentralized, securely-signed repository. It’s sad, especially a device for the latter can be purchased for only $35, but until that knowledge comes pre-installed at journalism school those of us with the disease of caring about how computers work have to keep repeating clearly what we know for those who clearly don’t. That clearly stated message: no matter what the app, do _not_ use an iPhone to talk to sources.
2) You have to follow your logic all the way to the end. It’s not enough to say that an app “can only be as secure as the device you install it on.” That’s just as true for an iPhone as it is for an RPI, which is to say it’s essentially meaningless to a non-technical reader. You ought to say explicitly that just as an open source app can be inspected by experts (in fact by anyone with access to the internet), a proprietary app like the iPhone’s _entire_ operating system severely restricts what can be inspected, and by whom. Yes, you’re going to sound like Richard Stallman. But he was right about the freedom to understand source code, and right about the dangers of surveillance decades before the Snowden leaks. Lead people all the way through the same argument that persuaded a bearded post-grad to write his own operating system from the ground up, and- if we’re not living under a tyranny in twenty years– they’ll thank you for doing so.
This is a very important point and should not be limited to journalists. Right now, privacy and cellphones are two incompatible ideas. It doesn’t have to be that way, but right now it is. Today, cellphone encryption is like filtered cigarettes–marketing based self delusion.
http://www.extremetech.com/computing/170874-the-secret-second-operating-system-that-could-make-every-mobile-phone-insecure
anyone with some technical sense knows that and MICAH LEE certainly does as well, so this article is an odd joke, why does he keep entertaining illusions?
He doesn’t even talk like a technical person, more like a sales dept one. I can’t even imagine phrases such as “high-quality, user-friendly encryption” being said by some techie
Satyagraha,
RCL
also Apple is a U.S. based company so it must “by the rule of law” submit to snitching
Satyagraha,
RCL
Thanks! You bring up some good points, but I also don’t entirely agree with the premise behind them.
Free and open source software is incredibly important, and frankly I think in so many ways it’s simply better for the world to support and use these projects than proprietary software. In terms of security, open source offers a major benefit over proprietary software: transparency. It’s much harder for an open source app to be malicious and get away with it for long, and without leaving any sort of audit trail (note that I said much harder, not at all impossible — check out the Underhanded C Contest for an example of how possible it in fact is).
But it’s important to keep in mind that transparency is not the same thing as security. It turns out that in the real world, Linus’s Law (“given enough eyeballs, all bugs are shallow”) is simply false. The truth is given enough security engineering, unit tests, and a team of active and well-paid software developers, your software generally has way fewer security vulnerabilities than when it’s written by volunteers.
For example, the OpenSSL code is an utter mess, which led to Heartbleed, and it probably contains several other similar vulnerabilities that either haven’t been found or haven’t been published yet–but it’s a transparent mess. iOS, on the other hand, is actually a pretty amazing piece of security engineering. Every app is sandboxed, everything stored on disk is encrypted in well-thought-out ways, etc. This is because Apple has the budget to hire some of the best security engineers in the world and pay them a lot of money to do good work. But unlike OpenSSL, iOS is a fairly opaque operating system (I say fairly because it actually relies on a lot of open source software under the hood), and it doesn’t offer nearly as much transparency as open source projects–it requires trusting Apple to be benevolent a lot more. So much so that it’s entirely possible for Apple to betray its users without it ever coming to light.
To switch directions a bit, the target of this article is everyone, but all journalists should definitely follow its advice as well. The reason is simple: every single journalist uses a smartphone, and most of them use their phones to communicate with sources. It’s better if this communication is end-to-end encrypted, and if the journalists and sources need to be specifically targeted for attack, than if it’s in plaintext and there’s no chance of privacy to begin with. Most sources aren’t extremely sensitive, most of them aren’t anonymous, and most sources and journalists don’t know how to or feel like they have time to learn really complicated crypto stuff. However pretty much all of them know how to install an app and start using it instead of the insecure defaults.
If you have a very sensitive anonymous source then obviously you need to take more precautions and communicate with them in less convenient ways. But for the other 99% of your life, it would be a good idea to start locking up your bike instead of leaving it on a busy street for anyone to take (even if bike thieves might be able to break your lock).
The difference between dragnet surveillance and targeted surveillance is also huge and often ignored. The status quo is almost everything on the internet is trivially spied on. If we all start using encryption more, then we force spies to hack into our devices if they want to spy on us. This means that rather than spying on everyone, only people who are targeted will get spied on. So even if iOS were easily hacked (or if Apple could silently install backdoors on devices at the request of the government or something terribly malicious like that), it still makes sense for everyone to use encryption on their iPhones. Then at least there needs to be an active leak investigation into you before your privacy is violated, rather than having your privacy violated by default.
I can see how, on paper, this seems like a seductively obvious truth, but things don’t work this way at all in practice. Frankly, you are completely ignoring how we got to “full disclosure” of computer vulnerabilities in the first place.
https://en.wikipedia.org/wiki/Full_disclosure_%28computer_security%29
Let me try it this way, would it make any sense to you if I said the best way to eat healthy food is to go out to eat for every meal instead of cooking at home?
You could make very persuasive arguments that professional highly paid food developers know much more than “volunteers” and are much better at their job than just average folks. The problem is the word “job.”
Deep fried salt sells food, and those “professionals” aren’t working for me.
Now you can argue that eventually capitalism will catch up with educated consumer demand in the field of software, and you might be right–someday. Until that day comes, we have “volunteers.”
Now since the Freedom of the Press Foundation is giving money to the Signal project maybe what you mean by the above statement is that you would rather only have paid developers contribute to the Signal project. Maybe you should just come out and say that.
By the way, how much was Aaron Swartz paid for developing SecureDrop?
One more point.
You are really overestimating paid professionalism. Passion beats a paycheck by a million fold. Just look at Glenn. How much total money has been paid to “professional” journalists over the last decade? All that money had its ass kicked up and down the street by one very passionate person.
A paycheck buys so little.
I’m in almost complete agreement! Passion is essential, and just because people get paid to be programmers doesn’t mean they’re any good at it. I only point out the “well-paid software developers” part at all because I’ve worked on open source projects before and I see how they go when they’re only developed on the weekends after work (I’m the core developer of some open source projects myself that I don’t have time to work on during the work day, and I can see how those suffer too).
I definitely don’t think only paid devs should contribute to the Signal project. Anyone who submits code that passes review should contribute. But SecureDrop is a good example. Aaron originally programmed DeadDrop as a passion project and didn’t get paid for it. But since FPF took it over, it has gotten far better. Aaron did a good job of coming up with the basic architecture, but the first version was very hard to use and took an expert to figure out how to actually install. It didn’t have glaring security problems, though a lot of it was sloppy and has since been refactored. But because FPF was able to hire two developers (paying them a lot less than they were getting in their previous jobs) to coordinate a group of other volunteer devs (myself included), we’ve moved the SecureDrop project so much farther along than it ever would have gotten otherwise. And if FPF could afford to hire more developers, and pay them competitive salaries, it will get even better, more usable, and more secure, much quicker.
Micah, thanks for your reply.
Here is ultimately the biggest problem with the idea that pay correlates to quality:
If that’s true then capitalism is just like the minor leagues–Anyone with any talent is long gone. The best you can hope for is a few years from the talented when they are young, and then you will never see them again.
In other words, if pay correlates to quality, then capitalism is almost exclusively staffed by those without enough talent to leave, and psychopaths. The talent pool is basically scrubs and nutjobs.
Said another way. If you are only doing something because you are paid, then you aren’t good at your job.
Said another way again. You can’t buy passion, but you can keep it from starving to death.
“It’s sad, especially a device for the latter can be purchased for only $35, but until that knowledge comes pre-installed at journalism school those of us with the disease of caring about how computers work have to keep repeating clearly what we know for those who clearly don’t.”
If you were repeating it clearly, I’d know what this $35 device is and where to get one. Less self-congratulation, more information. I want that device – enlighten me.
can this work for a droid?
Yup, for Android you need to install the RedPhone app for voice and the TextSecure app for text. These two apps are fully compatible with Signal for iPhone.
Signal is owned by Twitter.
Why is the App free? After you download it, it seeks access to your Contacts and microphone. And presumably dumps your private data onto twitters database. How else would they make money?
Yikes! Buzz killer!!!!
And then again, OWC and Signal are not owned by Twitter. See here: https://whispersystems.org/about/
{And the smile returned to my inner being.}
According to Wikipedia, Open Whisper Systems, the producers of Signal, was acquired by Twitter in 2011; see link below
https://en.wikipedia.org/wiki/Open_Whisper_Systems
It was Whisper Systems (not Open Whisper Systems) that was acquired by Twitter. Whisper Systems developed TextSecure and RedPhone, both of which were later released under GPLv3. Open Whisper Systems was then a community based project that took over the development of TextSecure and RedPhone, and later also released Signal. All of it is open source, and none of it has connections to Twitter (any more).
Forbes announced in 2011 Twitter acquired OpenWhisperSystem; Signal’s App Maker
http://www.forbes.com/sites/andygreenberg/2011/11/28/twitter-acquires-moxie-marlinspikes-encryption-startup-whisper-systems/
As others have already pointed out, Signal isn’t owned by Twitter. This is in their FAQ. Signal requires access to your contact list because the app doesn’t maintain its own contact list. If it didn’t require this permission, you wouldn’t be able to see a list of your contacts that also use Signal. And Signal requires your microphone because… it’s a voice call app. Having a voice call without a microphone would be quite dull, don’t you think?
When you start a call or send a text, you encrypt the data locally on your device before you send it to Signal’s server (this is what end-to-end encryption means), so Signal doesn’t have access to any plaintext content of your communications, only encrypted content to help deliver it, and they don’t have the keys (the users do, on their phones). Signal has to get some metadata about your communications to properly route them, but they claim to not actually store any of this information at all on their servers, they just use it to help deliver messages and then discard it. I personally know and trust a few of the Open Whisper Systems developers, and I believe these claims. You can read more about this here:
http://support.whispersystems.org/customer/portal/questions/6050357-what-exploitable-metadata-is-associated-with-redphone-and-textsecure-communications-
http://support.whispersystems.org/customer/portal/questions/9554531-message-retention-on-server
It accesses contacts to check if they’ve installed Signal and populates your Signal contact list with those who have. It accesses the microphone because… well… you can’t speak to people over the phone, without the use of the microphone.
The thought that Open Whisper Systems is working to keep the spy guys out and that that news upsets the plutoctopus is a bright spot in my day. We need a lot more OWS types helping us. It’s a bit of good news as the 99% tries to right the ship.
“Nothing is going to guarantee bug free code.”
Agreed. Software and technically advanced people understand that. However, I think even among them there’s still too much trust in open-source as a magic bullet against any accidental or malicious “error”.
And most regular users will take open-source as a very high assurance, the way it is presented in articles like this one. It is not. One is assured, however, that open source *will* be examined by spy agencies, and any vulnerability found will be exploited, and not reported.
That problem exists for closed-source systems too. The major differences are it is much more difficult to hide backdoors, and security through obscurity does not apply. The people reviewing the code can see if something like a well-known strong encryption algorithm is being used versus some proprietary one of indeterminate strength.
It sounds great. The only problem is Signal is being developed with WhatsApp which is owned by Facebook so Zuckerberg has access to all of it. And you know he will not respect that info. He will have the greatest contempt for any of us who thought this was super-secure. I’m hypothesizing and catastrophising only a little, no?
Signal isn’t being developed with WhatsApp. Signal developers gave assistance to WhatsApp developers, but WhatsApp/Facebook certainly doesn’t have any access to anything having to do with Signal.
For those of you looking for alternatives or something that runs on a different platform, this gives a good breakdown and description of which programs are secure and what specific features they have. The last update was 2-17-15 so the information is current.
https://www.eff.org/secure-messaging-scorecard
I would — but I don’t own a smartphone! My main quibble with smartphones is the fact that use of a touchscreen is required, to the best of my knowledge anyway. (There are other complaints, but they are general complaints that can apply to dumb phones as well — but is there an option to randomize the smartphone MAC address on a timed interval, let’s say every five minutes?)
Do you know of a recent Android smartphone with at least a physical keyboard?
Any good crypto options for dumb phones?
Blackberry still makes phones with physical keyboards. They don’t have the app selection of iOS or Android, but the security is pretty good on them.
Thanks once again Micah. You have enlightened those of us with only one brain cell.
Just tried the app on my iPhone – unfortunately it started with asking permission to access my contacts. I opted out but later could not invite a single contact – so I decided to destroy the just created account and deleted the app. I do not like how all these “communications” apps collect complete contacts databases – those are my contacts and not for take, especially not for free :)
– Swami –
It’s a messaging app. How is it supposed to work if it’s not connected to your contact list?
If Ed Snowden would endorse a secure communications solution, I’d be on board right away.
Ed, please launch a crowd sourced project to this end.
http://www.cbc.ca/news/canada/kitchener-waterloo/the-apps-edward-snowden-recommends-to-protect-your-privacy-online-1.2981754
You can trash Whatsapp and replace it with Telegram at telegram.org .
It won’t be long before communication itself is destroyed. I don’t see encrypted communication surviving for long.
Does anyone else find it ironic that a site that has shown us internet anonymity is a joke is recommending an app that obviously couldn’t be a safeguard against the massive spying apparatus that is our government?
CraigSummers and I will agree with you. Then there are a few more blokes, but right now they are busy piloting drones.
Ironic is understatement. How about breathtaking naiveté. And the language in the article is so breathless and seductive, could have been an advert.
(Oh, duh!)
When will generations X,Y, and Z realize their hydra-headed government has and always will surveil illegally and surreptitiously? Their beloved purveyors of tech trinkets sold out China’s dissidents with nary a blush. And they won’t sell you, too?
The only, indeed the best, defense against such tyranny is to “own” what you think, say or do. Now stand up for that.
Micah,
Thanks for the information about Signal. Like Stephan below (“You can’t escape the fact that Signal / OpenWhisper, being developed and hosted in the US, cannot escape the laws of that country. True, they seem to have opened an office in Switzerland, but until they’ve fully left the US and moved over to Swiss jurisdiction (body, mind, soul, and servers), they won’t prevent You-Know-Who to give them that phone call – or that National Security Letter.”) I, too, wonder about whether Signal is somehow protected from NSA demands. Is Signal only intended to ward off interception by the sort of people who pick up info from the insecure wi-fi service at the corner coffee shop? Or is it supposed to be secure against all attempts, the way StartMail (just as an example) is?
With Signal, the encryption keys are generated on your phone when you first open the app, and those are the keys that are used to communicate privately with other Signal users. So if the US government forced Open Whisper Systems to hand over user data, there would be no plaintext content to hand over. Open Whisper Systems does learn metadata about its users, but they appear to take active steps to reduce what metadata they learn.
These links might give you some of the answers you’re looking for:
http://support.whispersystems.org/customer/portal/questions/6050357-what-exploitable-metadata-is-associated-with-redphone-and-textsecure-communications
https://whispersystems.org/blog/contact-discovery/
If you use Signal, you can rest assured knowing that Open Whisper Systems have engineered themselves out of being able to eavesdrop on you.
Now I’m gonna go on a slight tangent, but it’s an important one. To be clear, Signal (and StartMail, and all other products and services) is not secure against “all attempts”. For example, Signal can’t protect your communications if your phone is hacked. If your phone has malware, it could spy on what you’re doing, even if Signal does everything perfectly. And of course, like all other software, Signal has bugs. Being an open source project, you can check out its bug tracker and submit new bugs yourself if you find them. It’s possible that there’s a security bug that the developers are unaware of, that could be used to somehow compromise the security (again, this is true of every piece of software you have ever used).
Then there’s the encryption. With the exception of the one-time pad there isn’t any crypto that has been mathematically proven to be secure. This means that a secret breakthrough in mathematics, or a secret weakness in an encryption system, could be exploited to break the encryption. Bear in mind: mathematicians around the world have failed to solve these challenging problems for decades, and sometimes centuries. It’s possible, but much simpler and cheaper for attackers to just hack your phone.
Humans haven’t yet figured out how to make unhackable computers. All the experts are pretty sure it’s impossible. But using encryption software like Signal moves the bar for those attacking your communications from “trivial” to “quite hard”. It certainly makes passive attacks, such as NSA listening to the airwaves and decrypting your phone calls using keys they already stole, not work anymore.
Thank you. And thank you for responding to the many questions you are getting about this. I suspect we all are avidly reading every response from you, looking for answers to questions we didn’t want to look ignorant by asking or didn’t even know enough to ask.
I believe the U.S. is one of only a handful of countries that don’t have mandatory data retention laws. I may not have it correct, but a company operating servers can pull the plug with regards to NSLs like Lavabit did. In other places, the operator would get in trouble for doing so without keeping records to turn over to the authorities. As for actual security, the EFF gives it top marks:
https://www.eff.org/secure-messaging-scorecard
Don’t forget about Surespot which is also open source and on Android and iOS. There are some advantages to Surespot over Signal. 1) No need for a phone number, you can create your own ID. 2) ID keys can be exported to other devices or from an old phone to a new phone. 3) Can delete messages (numerous other advantages as well).
In 2015 it is hard not to be cynical of US government financing of security apps. You want proof? Can’t help you with that. But using it gives you “peace of mind” and “confident nothing can be intercepted”? No thanks! I liked this coverage: http://revolution-news.com/us-government-funds-favorite-nsa-proof-apps/.
Cynicism is fine, but is it really wise to abandon the best and most transparent security software that exists without having any evidence of foul play? It’s possible for developers to accept grants with the only deliverables being things like “build this feature” or “port this to a new platform”, even if the grant money was ultimately tied to the US government.
USG is a complicated beast with lots of conflicting interests. It conducts terrible wars and invests in spying on billions of innocent people, but sometimes it also funds open source privacy tools, as well as national parks, improved infrastructure, and scientific research for the public good. It would be nice if we could just decide that any software with funding ties to USG was bad, but it’s not nearly that simple.
Yes, I agree with you. The Tor browser is also a good example. But like I mentioned before, the ability to hear things behind walls makes encryption of electronic communication quite useless.
Pete & Repeat, The new App iPhone that will make you die laughing!
Apple already encrypts your iMessages, so why would you use this 3rd party software?
So you can securely communicate with your friends who have Android phones?
Or so your “secure” iMessages don’t get backed up in plain text to Apple’s computers.
Sheesh, users can be obtuse.
Micah, I have a question about how this would work. One of the things about PGP that seemed hopeless to me, is both parties have to use it and exchange keys. I think using encryption is not only a good idea, but absolutely essential for the security of all digital information. However, nearly everyone else I know has a far more cavalier attitude about these things and really can’t be bothered with anything the least bit inconvenient.
So my question is this, if I use Signal (or its Android equivalents), but those with whom I communicate do not, then are the communications encrypted or not?
If you use Signal you can only send messages to others who use Signal, RedPhone, or TextSecure. So from within Signal you just can’t send messages to those other people. You need to get them to install it first. But one of the huge differences between Signal and PGP is that Signal doesn’t require any training and there isn’t any learning curve, so there should be much less friction.
Thanks so much for the response! I’ll get to work on brushing up my persuasion skills… Thanks again.
1. Gus is right. Nobody hardly ever checks open source code. It’s too complex, and required skills are too scarce. And anyway, what makes you think that Signal / TextSecure servers actually run that published code? Has anybody audited their servers?
2. You can’t escape the fact that Signal / OpenWhisper, being developed and hosted in the US, cannot escape the laws of that country. True, they seem to have opened an office in Switzerland, but until they’ve fully left the US and moved over to Swiss jurisdiction (body, mind, soul, and servers), they won’t prevent You-Know-Who to give them that phone call – or that National Security Letter.
3. That WhatsApp stuff you write is misleading and dangerous. True, Marlinspike said he had contributed encryption technology to WhatsApp, and literally everybody repeated that, but WhatsApp never, ever, confirmed this information. There isn’t a *single* piece of info regarding end-to-end encryption on their website or in their communications. Zip, blank, only Marlinspike spoke. Instead, out of the blue WhatsApp released this new feature – WhatsApp Web – which lets you find and continue your past conversations on the web. Guys, what’s wrong with this picture?! Seamless sync for conversations between your device and WhatsApp’s Web servers, and you still think they would even care to wish for end-to-end encryption? So who’s telling the truth here?
So, the technical foundation for end-to-end encrypted communication in Signal is promising, but that’s not the point. It’s an issue of trust – can you trust those people. And here, there’s a mixture of white knight halo, mixed with shady signals (no pun), that tells me this all looks like a honeypot and I don’t want to trust them. Not yet.
Are you saying that people who don’t use iPhone are not welcome here?
Could be taken that way.
Open source is, unfortunately, no protection. See Heartbleed…
I’m pleased that security is getting attention, though cross platform currently seems flaky for this development line.
At the end of the day if you want certainty, using computers may be unwise.
If you use them, doing your own encryption seems wiser than trusting somebody else’s automation!
Signal for iPhone is fully compatible with RedPhone and TextSecure for Android. And even people who don’t use smartphones are welcome here.
Thanks Micah Lee.
Presentation of software applications that provide positive alternatives to rote acceptance of mass surveillance is constructive and necessary.
The road to progress is paved with resistance.
Keep on keeping on.
Any concern that development of these applications is funded by the US government, according to http://pando.com/2015/03/01/internet-privacy-funded-by-spooks-a-brief-history-of-the-bbg/ ? Or are those claims not trustworthy?
The non-profit and free software world has a different funding model than that of proprietary software companies. Rather than selling products, funding comes from writing grant proposals and getting awarded money from foundations. Open Technology Fund is one of the foundations that has money in their budget to award grants to privacy projects like this.
It always makes sense to look for evidence of foul play when funding is concerned, but just because the government funds something doesn’t automatically make it malicious. And Open Whisper Systems’ commitment to transparency in its products (the source code and protocols are completely open for inspection) alleviates any of these concerns. Pando needs to be more specific, like find actual evidence of something malicious going on, to make these pieces of software untrustworthy.
Unfortunately, the Heartbleed incident proved that a product being open-source is not a guarantee against either accidental or malicious bug introduction staying out there for quite a while without being noticed.
Nothing is going to guarantee bug-free code. But free software increases the chance of finding these bugs as more people use it and inspect it. Anything that is constructed by humans is prone to errors. Open source is a broad term. Read the FSF blog on this matter.
What is the procedure to verify the executable from the app store was compiled with unadulterated code, i.e. the source code we can examine is what’s actually running on our phone?