Jump to content

Signal (software): Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
m w
Developers: + clarification
Line 97: Line 97:
Signal is developed by Open Whisper Systems, a [[Nonprofit organization|nonprofit]] software group<ref name="mashable2" /> that develops collaborative [[Open Source]] projects with a mission to "make private communication simple".<ref name="about" /> The group consists of a large community of volunteer Open Source contributors, as well as a small team of dedicated grant-funded developers.<ref name="about" /> Open Whisper Systems is funded by a combination of donations and grants, and all of its products are published as [[free and open-source software]] under the terms of the [[GNU General Public License]] (GPL) version 3.
Signal is developed by Open Whisper Systems, a [[Nonprofit organization|nonprofit]] software group<ref name="mashable2" /> that develops collaborative [[Open Source]] projects with a mission to "make private communication simple".<ref name="about" /> The group consists of a large community of volunteer Open Source contributors, as well as a small team of dedicated grant-funded developers.<ref name="about" /> Open Whisper Systems is funded by a combination of donations and grants, and all of its products are published as [[free and open-source software]] under the terms of the [[GNU General Public License]] (GPL) version 3.


The project has received financial support from, among others, the [[Freedom of the Press Foundation]],<ref name="pressfreedomfoundation" /> the [[Knight Foundation]],<ref name="knightfoundation" /> the [[Shuttleworth Foundation]],<ref name="shuttleworthfoundation" /> and the [[Open Technology Fund]],<ref name="opentechfund" /> a U.S. government program that has also funded other privacy projects like the anonymity software [[Tor (anonymity network)|Tor]] and the encrypted instant messaging website [[Cryptocat]].
The project has received financial support from, among others, the [[Freedom of the Press Foundation]],<ref name="pressfreedomfoundation" /> the [[Knight Foundation]],<ref name="knightfoundation" /> the [[Shuttleworth Foundation]],<ref name="shuttleworthfoundation" /> and the [[Open Technology Fund]],<ref name="opentechfund" /> a U.S. government funded program that has also supported other privacy projects like the anonymity software [[Tor (anonymity network)|Tor]] and the encrypted instant messaging website [[Cryptocat]].


== See also ==
== See also ==

Revision as of 20:22, 14 February 2016

Signal
Developer(s)Open Whisper Systems
Initial releaseJuly 2014 (2014-07)[1]
Repository
Operating systemiOS 8.0 or later
Android 2.3 or later
Available in31 languages
TypeEncrypted voice calling and instant messaging
LicenseGPLv3[2][3]
Websitewhispersystems.org

Signal is a free and open-source encrypted voice calling and instant messaging application for iOS and Android. It uses end-to-end encryption to secure all communications to other Signal users. Signal can be used to send and receive encrypted instant messages, group messages, attachments and media messages. Users can independently verify the identity of their messaging correspondents by comparing key fingerprints out-of-band. During calls, users can check the integrity of the data channel by checking if two words match on both ends of the call.

Signal is developed by Open Whisper Systems and is published under the GPLv3 license.

History

Whisper Systems and Twitter (2010–2011)

Signal is the successor of an encrypted voice calling app called RedPhone and an encrypted texting program called TextSecure. The beta versions of RedPhone and TextSecure were first launched in May 2010 by Whisper Systems,[4] a startup company co-founded by security researcher Moxie Marlinspike and roboticist Stuart Anderson.[5][6] Whisper Systems also produced a firewall and tools for encrypting other forms of data.[5][7] All of these were proprietary enterprise mobile security software and were only available for Android.

In November 2011, Whisper Systems announced that it had been acquired by Twitter. The financial terms of the deal were not disclosed by either company.[8] The acquisition was done "primarily so that Mr. Marlinspike could help the then-startup improve its security".[9] Shortly after the acquisition, Whisper Systems' RedPhone service was made unavailable.[10] Some criticized the removal, arguing that the software was "specifically targeted [to help] people under repressive regimes" and that it left people like the Egyptians in "a dangerous position" during the events of the 2011 Egyptian revolution.[11]

Twitter released TextSecure as free and open-source software under the GPLv3 license in December 2011.[5][12][13][14] RedPhone was also released under the same license in July 2012.[15] Marlinspike later left Twitter and founded Open Whisper Systems[1] as a collaborative Open Source project for the continued development of TextSecure and RedPhone.[16]

Open Whisper Systems (2013–present)

Open Whisper Systems' website was launched in January 2013.[16]

Toward the end of July 2014, Open Whisper Systems announced plans to unify its RedPhone and TextSecure applications as Signal.[17] This announcement coincided with the initial release of Signal as a RedPhone counterpart for iOS. The developers said that their next steps would be to provide TextSecure instant messaging capabilities for iOS, unify the RedPhone and TextSecure applications on Android, and launch a web client.[17] Signal was the first iOS app to enable easy, strongly encrypted voice calls for free.[1][18] TextSecure compatibility was added to the iOS application in March 2015.[19][20]

In October 2014, researchers from Ruhr University Bochum published an analysis of the protocol that is used in Signal to encrypt its instant messages.[21] Among other findings, they presented an unknown key-share attack on the protocol, but in general, they found that the encrypted chat client is secure.[22]

In November 2015, the TextSecure and RedPhone applications on Android were merged to become Signal for Android.[23] A month later, Open Whisper Systems announced Signal Desktop, a Chrome app that can link with a Signal client.[24] As of December 2, 2015, the app is in beta and can only be linked with the Android version of Signal.[24]

Features

Signal allows users to call other Signal users on iOS and Android. All calls are made over a Wi-Fi or data connection and are free of charge, including long distance and international.[18] Signal also allows users to send group, text, picture, and video messages over a Wi-Fi or data connection to other Signal users on iOS and on Android.

All communications to other Signal users are automatically end-to-end encrypted. The keys that are used to encrypt the user's communications are generated and stored at the endpoints (i.e. by users, not by servers). Signal implements forward secrecy.[25][26]

Signal has built-in mechanisms for verifying that no man-in-the-middle attack has occurred. For calls, Signal displays two words on the screen. If the words match on both ends of the call, the call is secure.[18][27] For messages, Signal users can compare key fingerprints (or scan QR codes) out-of-band.

The Android version of Signal has two features that the iOS version does not. On Android, Signal can be used as the default SMS application, allowing the user to send and receive unencrypted SMS messages in addition to the standard end-to-end encrypted Signal messages. The iOS version of Signal can not be used as the default SMS application because of restrictions in the operating system. The Android version of Signal also allows the user to set a passphrase that encrypts the local message database. On iOS, the local message database is encrypted by the operating system if the user has a passphrase on their lock screen.

Limitations

Signal requires that the user has a phone number for verification.[28] The number does not have to be the same as on the device's SIM card; it can also be a VoIP number[28] or a landline as long as the user can receive the verification code and have a separate device to set-up the software. A number can only be registered to one device at a time.[28]

Centralization

Signal's server architecture has been partially decentralized since December 2013, when it was announced that the messaging protocol that is used in Signal had successfully been integrated into the Android-based open-source operating system CyanogenMod.[29][30][31] As of CyanogenMod 11.0, the client logic is contained in a system app called WhisperPush. According to Open Whisper Systems, "the Cyanogen team runs their own [Signal messaging] server for WhisperPush clients, which federates with [Open Whisper Systems' Signal server], so that both clients can exchange messages with each-other seamlessly".[31] The WhisperPush source code is available under the GPLv3 license.[32] In January 2016, however, the CyanogenMod team announced that they will be discontinuing WhisperPush on February 1, and recommended that its users switch to Signal.[33] After this, Signal's server architecture will be entirely centralized.

Android specific

Signal's official Android client requires the proprietary Google Play Services because the app is dependent on Google's GCM push messaging framework.[34] As of March 2015, Signal's message delivery has been done by Open Whisper Systems themselves and the client relies on GCM only for a wakeup event.[35] The developers have added support for WebSocket to the open source Signal server.[34] They claim that "[WebSocket] won't work as well as push messages that are sent via GCM", but that it will allow Signal to work independently of GCM "once support has been added to the client".[34]

Architecture

Encryption protocols

Signal instant messages are encrypted with the TextSecure encryption protocol (developed by Open Whisper Systems[19]), which uses a variation of the Axolotl key management protocol.[36][37] Signal voice calls are encrypted with the RedPhone encryption protocol, which is based on the ZRTP encryption protocol (developed by Phil Zimmermann) and SRTP.[1][38]

Servers

Signal messages and calls are routed through Open Whisper Systems' servers. Open Whisper Systems has set up dozens of servers to handle the encrypted calls in more than 10 countries around the world to minimize latency.[1] According to the developers, Signal servers do not keep metadata about who called who and when.[26] A network level adversary would only see encrypted data flowing into and out of the Signal infrastructure.[26] All client-server communications are protected by TLS.[21][38]

Messages are handled by a REST API and push messaging (both GCM and APN).[39]

In order to determine which contacts are also Signal users, cryptographic hashes of the user's contact numbers are periodically transmitted to the server.[40] The server then checks to see if those match any of the SHA256 hashes of registered users and tells the client if any matches are found.[40] Moxie Marlinspike has written that it is easy to calculate a map of all possible hash inputs to hash outputs and reverse the mapping because of the limited preimage space (the set of all possible hash inputs) of phone numbers, and that "practical privacy preserving contact discovery remains an unsolved problem".[40]

The group messaging mechanism is designed so that the servers do not have access to any group metadata such as the membership list, group title, or group icon.[41] Instead, the creation, updating, joining, and leaving of groups is done by the clients, which deliver pairwise messages to the participants in exactly the same way that group conversation messages are delivered.[41][42]

Licensing

The complete source code of the Signal clients for Android and iOS are available on GitHub under a free software license. This enables interested parties to examine the code and help the developers verify that everything is behaving as expected. It also allows advanced users to compile their own copies of the applications and compare them with the versions that are distributed by Open Whisper Systems.[2][3]

The software that handles Signal's message routing is also open source.[39] This enables anyone to examine the code. Even though it is not officially supported by Open Whisper Systems,[43] anyone can set up and host their own Signal server and messaging network.

Distribution

Signal is officially distributed only through Google Play and App Store. Open Whisper Systems have declined requests to distribute the Android version of Signal through third-party distribution platforms.[34]

Signal's predecessor (TextSecure) was briefly included in the F-Droid software repository in 2012, but was removed at the developer's request because it was an unverified build and exceptionally out of date. Open Whisper Systems have subsequently said that they will not support their applications being distributed through F-Droid because it does not provide timely software updates, relies on a centralized trust model and necessitates allowing the installation of apps from unknown sources which harms Android's security for average users.[34]

Reception

In October 2014, the Electronic Frontier Foundation (EFF) included Signal in their updated surveillance self-defense guide.[44] In November 2014, "Signal / RedPhone" received a perfect score on the EFF's secure messaging scorecard;[25] they received points for having communications encrypted in transit, having communications encrypted with keys the providers don't have access to (end-to-end encryption), making it possible for users to independently verify their correspondent's identities, having past communications secure if the keys are stolen (forward secrecy), having their code open to independent review (open source), having their security designs well-documented, and having recent independent security audits.[25] As of 10 July 2015, "ChatSecure + Orbot", Cryptocat, TextSecure, Pidgin, Silent Phone, Silent Text, and Telegram's secret chats also have seven out of seven points on the scorecard.[25]

On December 28, 2014, Der Spiegel published slides from an internal NSA presentation dating to June 2012 in which the NSA deemed RedPhone on its own as a "major threat" to its mission, and when used in conjunction with other privacy tools such as Cspace, Tor, Tails, and TrueCrypt was ranked as "catastrophic," leading to a "near-total loss/lack of insight to target communications, presence..."[45][46]

Former NSA contractor Edward Snowden has endorsed Open Whisper Systems' applications on multiple occasions. In his keynote speech at SXSW in March 2014, he praised TextSecure and RedPhone for their ease-of-use.[47] During an interview with The New Yorker in October 2014, he recommended using "anything from Moxie Marlinspike and Open Whisper Systems".[48] During a remote appearance at an event hosted by Ryerson University and Canadian Journalists for Free Expression in March 2015, Snowden said that Signal is "very good" and that he knew the security model.[49] Asked about encrypted messaging apps during a Reddit AMA in May 2015, he recommended “Signal for iOS, Redphone/TextSecure for Android”.[50][51]

In September 2015, the American Civil Liberties Union called on officials at the U.S. Capitol to ensure that lawmakers and staff members have secure communications technology.[52] One of the applications that the ACLU recommended in their letter to the Senate Sergeant at Arms and to the House Sergeant at Arms was Signal, writing:

One of the most widely respected encrypted communication apps, Signal, from Open Whisper Systems, has received significant financial support from the U.S. government, has been audited by independent security experts, and is now widely used by computer security professionals, many of the top national security journalists, and public interest advocates. Indeed, members of the ACLU’s own legal department regularly use Signal to make encrypted telephone calls.[53]

Developers

Signal is developed by Open Whisper Systems, a nonprofit software group[54] that develops collaborative Open Source projects with a mission to "make private communication simple".[55] The group consists of a large community of volunteer Open Source contributors, as well as a small team of dedicated grant-funded developers.[55] Open Whisper Systems is funded by a combination of donations and grants, and all of its products are published as free and open-source software under the terms of the GNU General Public License (GPL) version 3.

The project has received financial support from, among others, the Freedom of the Press Foundation,[56] the Knight Foundation,[57] the Shuttleworth Foundation,[58] and the Open Technology Fund,[59] a U.S. government funded program that has also supported other privacy projects like the anonymity software Tor and the encrypted instant messaging website Cryptocat.

See also

References

  1. ^ a b c d e Greenberg, Andy (29 July 2014). "Your iPhone Can Finally Make Free, Encrypted Calls". Wired. Retrieved 18 January 2015.
  2. ^ a b Open Whisper Systems. "Signal-iOS". GitHub. Retrieved 14 January 2015.
  3. ^ a b Open Whisper Systems. "Signal-Android". GitHub. Retrieved 5 November 2015.
  4. ^ "Announcing the public beta". Whisper Systems. 25 May 2010. Archived from the original on 30 May 2010. Retrieved 22 January 2015.
  5. ^ a b c Garling, Caleb (20 December 2011). "Twitter Open Sources Its Android Moxie | Wired Enterprise". Wired. Retrieved 21 December 2011.
  6. ^ "Company Overview of Whisper Systems Inc". Bloomberg Businessweek. Retrieved 2014-03-04.
  7. ^ Greenberg, Andy (2010-05-25). "Android App Aims to Allow Wiretap-Proof Cell Phone Calls". Forbes. Retrieved 2014-02-28.
  8. ^ Cheredar, Tom (28 November 2011). "Twitter acquires Android security startup Whisper Systems". VentureBeat. Retrieved 2011-12-21.
  9. ^ Yadron, Danny (9 July 2015). "Moxie Marlinspike: The Coder Who Encrypted Your Texts". The Wall Street Journal. Retrieved 10 July 2015.
  10. ^ Greenberg, Andy (2011-11-28). "Twitter Acquires Moxie Marlinspike's Encryption Startup Whisper Systems". Forbes. Retrieved 2011-12-21.
  11. ^ Garling, Caleb (28 November 2011). "Twitter Buys Some Middle East Moxie | Wired Enterprise". Wired. Retrieved 21 December 2011.
  12. ^ Aniszczyk, Chris (20 December 2011). "The Whispers Are True". The Twitter Developer Blog. Twitter. Archived from the original on 24 October 2014. Retrieved 22 January 2015.
  13. ^ "TextSecure is now Open Source!". Whisper Systems. 20 December 2011. Archived from the original on 6 January 2012. Retrieved 22 January 2015.
  14. ^ Pachal, Pete (2011-12-20). "Twitter Takes TextSecure, Texting App for Dissidents, Open Source". Mashable. Retrieved 2014-03-01.
  15. ^ "RedPhone is now Open Source!". Whisper Systems. 18 July 2012. Archived from the original on 31 July 2012. Retrieved 22 January 2015.
  16. ^ a b "A New Home". Open Whisper Systems. 2013-01-21. Retrieved 2014-03-01.
  17. ^ a b Mimoso, Michael (29 July 2014). "New Signal App Brings Encrypted Calling to iPhone". Threatpost.
  18. ^ a b c Evans, Jon (29 July 2014). "Talk Private To Me: Free, Worldwide, Encrypted Voice Calls With Signal For iPhone". TechCrunch. AOL.
  19. ^ a b Lee, Micah (2015-03-02). "You Should Really Consider Installing Signal, an Encrypted Messaging App for iPhone". The Intercept. Retrieved 2015-03-03.
  20. ^ Geuss, Megan (2015-03-03). "Now you can easily send (free!) encrypted messages between Android, iOS". Ars Technica. Retrieved 2015-03-03.
  21. ^ a b Frosch, Tilman; Mainka, Christian; Bader, Christoph; Bergsma, Florian; Schwenk, Jörg; Holz, Thorsten. "How Secure is TextSecure?" (PDF). Horst Görtz Institute for IT Security, Ruhr University Bochum. Retrieved 4 November 2014.
  22. ^ Pauli, Darren. "Auditors find encrypted chat client TextSecure is secure". The Register. Retrieved 4 November 2014.
  23. ^ Marlinspike, Moxie (2 November 2015). "Just Signal". Open Whisper Systems. Retrieved 2 November 2015.
  24. ^ a b Franceschi-Bicchierai, Lorenzo (2 December 2015). "Snowden's Favorite Chat App Is Coming to Your Computer". Motherboard. Vice Media LLC. Retrieved 4 December 2015.
  25. ^ a b c d "Secure Messaging Scorecard. Which apps and tools actually keep your messages safe?". Electronic Frontier Foundation. 4 November 2014.
  26. ^ a b c Brandom, Russell (29 July 2014). "Signal brings painless encrypted calling to iOS". The Verge. Retrieved 26 January 2015.
  27. ^ "Exactly how does Zfone and ZRTP protect against a man-in-the-middle (MiTM) attack?". The Zfone Project. Retrieved 25 January 2015.
  28. ^ a b c Kolenkina, Masha (20 November 2015). "Will any phone number work? How do I get a verification number?". Open Whisper Systems. Retrieved 20 December 2015.
  29. ^ Andy Greenberg (2013-12-09). "Ten Million More Android Users' Text Messages Will Soon Be Encrypted By Default". Forbes. Retrieved 2014-02-28.
  30. ^ Seth Schoen (2013-12-28). "2013 in Review: Encrypting the Web Takes A Huge Leap Forward". Electronic Frontier Foundation. Retrieved 2014-03-01.
  31. ^ a b Moxie Marlinspike (2013-12-09). "TextSecure, Now With 10 Million More Users". Open Whisper Systems. Retrieved 2014-02-28.
  32. ^ CyanogenMod (Jan 7, 2014). "android_external_whispersystems_WhisperPush". GitHub. Retrieved Mar 26, 2015.
  33. ^ Sinha, Robin (20 January 2016). "CyanogenMod to Shutter WhisperPush Messaging Service on February 1". Gadgets360. NDTV. Retrieved 23 January 2016.
  34. ^ a b c d e Kolenkina, Masha (25 November 2015). "Why do I need Google Play installed to use Signal? How can I get Signal APK?". Open Whisper Systems. Retrieved 5 December 2015.
  35. ^ Marlinspike, Moxie (6 March 2015). "Saying goodbye to encrypted SMS/MMS". Open Whisper Systems. Retrieved 20 December 2015.
  36. ^ Marlinspike, Moxie (22 August 2013). "Forward Secrecy for Asynchronous Messages". Open Whisper Systems. Retrieved 2014-03-01.
  37. ^ Open Whisper Systems. "ProtocolV2". GitHub. Retrieved 21 January 2015.
  38. ^ a b Marlinspike, Moxie (17 July 2012). "Encryption Protocols". GitHub. Archived from the original on 5 September 2015. Retrieved 8 January 2016.
  39. ^ a b Open Whisper Systems. "TextSecure-Server". GitHub. Retrieved 2 March 2014.
  40. ^ a b c Moxie Marlinspike (3 January 2013). "The Difficulty Of Private Contact Discovery". Open Whisper Systems. Retrieved 14 January 2016.
  41. ^ a b Moxie Marlinspike (5 May 2014). "Private Group Messaging". Open Whisper Systems. Retrieved 2014-07-09.
  42. ^ Moxie Marlinspike (24 February 2014). "The New TextSecure: Privacy Beyond SMS". Open Whisper Systems. Retrieved 26 February 2014.
  43. ^ Kolenkina, Masha (22 November 2015). "How can I host my own server?". Open Whisper Systems. Retrieved 4 January 2016.
  44. ^ "Surveillance Self-Defense. Communicating with Others". Electronic Frontier Foundation. 2014-10-23.
  45. ^ SPIEGEL Staff (28 December 2014). "Prying Eyes: Inside the NSA's War on Internet Security". Der Spiegel. Retrieved 23 January 2015.
  46. ^ "Presentation from the SIGDEV Conference 2012 explaining which encryption protocols and techniques can be attacked and which not" (PDF). Der Spiegel. 28 December 2014. Retrieved 23 January 2015. {{cite web}}: Italic or bold markup not allowed in: |publisher= (help)
  47. ^ Eddy, Max (11 March 2014). "Snowden to SXSW: Here's How To Keep The NSA Out Of Your Stuff". PC Magazine: SecurityWatch. Retrieved 2014-03-16.
  48. ^ "The Virtual Interview: Edward Snowden - The New Yorker Festival". YouTube. The New Yorker. 11 October 2014. Retrieved 24 May 2015.
  49. ^ Cameron, Dell (6 March 2015). "Edward Snowden tells you what encrypted messaging apps you should use". The Daily Dot. Retrieved 24 May 2015.
  50. ^ Yuhas, Alan (21 May 2015). "NSA surveillance powers on the brink as pressure mounts on Senate bill – as it happened". The Guardian. Retrieved 24 May 2015.
  51. ^ Beauchamp, Zack (21 May 2015). "The 9 best moments from Edward Snowden's Reddit Q&A". Vox Media. Retrieved 24 May 2015.
  52. ^ Nakashima, Ellen (22 September 2015). "ACLU calls for encryption on Capitol Hill". The Washington Post. Nash Holdings LLC. Retrieved 22 September 2015.
  53. ^ Macleod-Ball, Michael W.; Rottman, Gabe; Soghoian, Christopher (22 September 2015). "The Civil Liberties Implications of Insecure Congressional Communications and the Need for Encryption" (PDF). Washington, DC: American Civil Liberties Union. pp. 5–6. Retrieved 22 September 2015.
  54. ^ Franceschi-Bicchierai, Lorenzo (18 November 2014). "WhatsApp messages now have Snowden-approved encryption on Android". Mashable. Retrieved 23 January 2015.
  55. ^ a b Open Whisper Systems. "About us". Retrieved 18 January 2015.
  56. ^ "Open Whisper Systems". Freedom of the Press Foundation. Retrieved 18 January 2015.
  57. ^ "TextSecure". Knight Foundation. Retrieved 5 January 2015.
  58. ^ "Moxie Marlinspike". Shuttleworth Foundation. Retrieved 14 January 2015.
  59. ^ "Open Whisper Systems". Open Technology Fund. Retrieved 26 December 2015.