
A Formal Security Analysis of the Signal Messaging Protocol - galadran
https://eprint.iacr.org/2016/1013.pdf
======
uselpa
I don't understand all this recent Signal bashing here on HN.

I have been using Signal for some time now on a daily basis and I haven't had
real usability issues. We cannot hold OWS responsible for the insecurity of
our operating systems, the nature of today's cloud or hardware infrastructure,
the choices we make for comfort reasons, and what not. What they do is provide
us with, and I think most of us would actually agree, a secure messenger that
is both free of charge and best of breed, or close to. And as with every open
source project, it's their project, but you're free to fork it and provide us
with something better if you don't agree with their choices.

So if you need a secure messenger _now_ , because you need or want privacy,
Signal is an excellent option, free of charge, open source. What are we
actually complaining about?

I don't know moxie but it seems that he's actually open to suggestions and
offers if you're willing to provide some manpower as well. Then he has his
convictions but still offers to discuss them constructively. Again, what is
there to complain about?

As for myself, I contact support if I have a question or issue, and they have
been very helpful. I donated to the project, also because they are supported
by [http://freedom.press](http://freedom.press), and I value a free press. And
even though I am absolutely not interested in the giphy thing (I'm on iOS so
I haven't really seen it yet), I'll open an issue on github if I want Signal
to change. And I invite everybody to support the project in this way, and make
sure that the projects that are actually supporting our interests don't get
abandoned in favour of comfortable-to-use data-hogs like Facebook, WhatsApp or
Telegram.

~~~
iamnothere
This may not be true of everyone, but my own criticisms of Signal are meant as
a constructive critique, and not as "bashing." Signal occupies a valuable spot
in a new market, and we all win if it continues to improve.

Think about what is at stake. Many people working in politics, law, human
rights, and other areas absolutely need a way to communicate securely,
especially when their causes don't align with the interests of those in power.
If you're wondering why people are so passionate about having a more secure
platform, that's why. In this case, it's important to be forgiving if people
seem hostile or overly critical.

------
moyta
It's great that the underlying Signal protocol is secure; my major worry is how
do we get more people to use it, and how do we make it more reliable?

As it stands right now, Signal is used exclusively by the moderately
technically inclined, with a little over 1 million users. In a perfect world,
it would be bigger than Whatsapp, which uses libsignal but has many metadata
related issues, and also misses many older demographics in the US.
Additionally, server reliability has been something like 710hrs out of 720hrs
usually every month, with an outage just this last Saturday from 19:51 to
22:08 PST for everything but ZRTP calls.

I know Moxie will likely never allow interoperability with his servers after
the cluster that was CyanogenMod WhisperPush interop, but we need something to
allow for self hosting or alternative hosting. Signal's servers are not
bulletproof and a local server in remote areas can be invaluable; essentially
XMPP with Conversations is all we have in this arena right now.

~~~
widforss
I find it's really easy to get people to use it. I tell them to install it and
then use it as my primary communication channel with them. As I do this with
more and more of my contacts some of them will have each others numbers and
will automatically be able to talk to each other via Signal.

~~~
MichaelGG
Yeah, same here. Except then messages arrive out of order, duplicate, for
another session, "bad encrypted message", or simply take minutes to deliver. I
don't understand why duplicates are even possible.

So while I'm able to get people to try it out or use it for "sensitive" stuff,
these issues really hurt usage and I'll just end up reverting to SMS once a
day at least.

Edit: I don't want to sound like I'm complaining too much. I love Signal and try
to convert people. Just hard when basics mess up. And it's also frustrating
because on the surface some of this stuff doesn't make sense.

~~~
moyta
I experienced this with TextSecure over a year ago, but since then it has been
smooth sailing outside of minor outages (10hrs a month), since the outages are
less than the regional outages we've been experiencing on AT&T and T-Mobile
for SMS as of late (20 to 30hrs a month). Calling has also improved quite a
bit; for Signal enabled contacts I've been using it exclusively for the past 9
months, and I can be driving for an hour without call quality issues and maintain
a stable call reliably.

~~~
JshWright
Is the codec choice any better? The last time I tried to use it the audio
quality was awful.

~~~
haffenloher
Audio quality has been good enough for me, but there's definitely room for
improvement as they're still using Speex (if I'm not mistaken).

~~~
moyta
If they'd use Opus I'd really appreciate it, hell, if I could even get
interop, I have hacked together an app to pass the ZRTP codeword to my
deskphone when Freeswitch terminates it and reencodes it as SRTP/TLS for it,
since no deskphone vendor supports ZRTP.

Would make those that insist on ZRTP in my life a lot more convenient to have
extended convos with.

------
iamnothere
The protocol may be in good shape, but Signal's permission model is flawed for
an application that handles sensitive data.

A few examples of excessive permissions:

* Disable your screen lock

* Location permissions

* Set wallpaper ("kitchen sink" feature here)

* External storage (why not use internal "app only" storage?)

* System log data

Android's sandbox will do its best to protect the user from compromised
applications, but it can't do anything to protect you if the application
already has full permissions. Based on recent events, I would assume that
Signal users are at risk of targeting as a block -- their desire for privacy
makes them interesting targets from an intelligence and LEO perspective.

Many successful applications follow a plugin model, where intrusive
permissions are split off into separate, optional applications. Signal should
do the same.

~~~
codethief
> A few examples of excessive permissions:
>
> * Disable your screen lock

I believe this is for the "call screen" (though it's never really worked for
me and my phone gets or stays locked nonetheless when I call someone or
someone calls me).

> * External storage (why not use internal "app only" storage?)

Because otherwise you can't extract photos you received (let alone view
videos) which, from a security standpoint, is good but it's something you'll
have a hard time selling to the average user. The same goes for sharing your
location.

~~~
iamnothere
I agree that there are legitimate reasons for these permissions, I just don't
think they match up with everyone's use case for the product. This is why they
should be split into plugins.

Example of how the UX for this works:

1. User chooses "attach photo."

2. If user has not installed the plugin, Signal gives them an informational
prompt and a button that opens the app store link.

3. User clicks the button to go to the app store.

4. User clicks "install." Application is installed (should be quick, small
app).

5. User can now attach photos from external storage.

Steps 2-4 are short and occur only one time. You would not want this kind of
extra friction in a true mass market app, but I'd argue that Signal is not and
never will be mass-market. (We can hope, but it's not likely.) Signal's target
users, on the other hand, would be likely to appreciate this extra focus on
security and user control.

~~~
tedks
Here's how the UX actually works:

1. User chooses "attach photo."

2. The user hasn't installed the plugin. Who does that? So Signal doesn't
work.

3. The user sends their contact a Facebook message saying "Signal isn't
working" and attaches the photo.

4. Both users uninstall Signal and tell everyone who mentions it that it
can't even send picture messages.

~~~
iamnothere
That would be poor design. Are you saying that the Signal team would not be
capable of implementing a more effective path? Other applications have
followed this approach before; it's not rocket science.

~~~
unhammer
I believe you misread tedks.

I read

> 2. The user hasn't installed the plugin. Who does that? So Signal doesn't
> work.

as "when the user sees that it doesn't work out of the box, and sends you to
an app store instead, they consider it broken."

~~~
iamnothere
If that was their intent, then yes, that would be an issue. The key is good
UX; don't send the user there without explanation. A well-designed "read
this!" screen is key, and even then you will lose some users. It's a trade-
off.

Also, I did acknowledge that this approach will turn away "mass market" users,
but again, I don't think that those users will ever be Signal's primary user
base. Most people are going to use stock apps or whatever is most heavily
marketed (read: whoever spends the most dollars on acquiring users). Signal
frankly can't afford to buy its way into the mass market. It's a niche app,
and it should focus on catering to that niche.

------
claudius
Rather pointless to have a "trusted" application on an operating system you
cannot trust – and not even the possibility to run the application on an even
remotely trusted and private system, in particular without giving
unaccountable root access to Google.

~~~
tptacek
This is more or less a way of saying it's "rather pointless to have secure
messengers on iOS". I understand why open source advocates say that, because
they've been saying it for 20 years now, but I'm not sure we need to litigate
the point or pretend it's some great insight.

~~~
claudius
Let me put it like this – if OpenWhisperSystems had an explicit toggle in
their protocol which, after flipping it, would allow them to access all future
communications and where the user was unable to tell whether it had or had not
been flipped, nobody would call the protocol "secure" or write a "Trust It"
headline about it.

However, if OWS only supports systems on which such a toggle exists via a
third-party provider, that somehow makes them secure?

I find this hard to understand. Yes, of course an app which encrypts data
against some adversaries is nice, but it should definitely be called "secure-
against-some-people", not "secure", and people shouldn’t write "Trust It" but
rather "Trust It if you also trust X and Y and Z".

~~~
tptacek
Again: this is a point that can be made to sound interesting with lots of
extra words, but all you're saying is that people run applications on
operating systems you don't like. They're not going to switch.

~~~
eeZah7Ux
Ad-personam attacks are not useful.

Clarification: "...operating systems you don't like" implies that claudius is
biased and that his point about OS security is made invalid by that.

~~~
lorenzhs
That's true, but this isn't one. This is what respectfully disagreeing looks
like. Ad hominem would be "No, you're an idiot and people don't care what you
think just because you disagree with choices they made". That would have been
inappropriate.

~~~
JoeAltmaier
The implication was there - that a point was made 'only' because of an OS they
didn't like. It's ad hominem. It was pretty far from 'respectfully disagreeing'.

~~~
pessimizer
That isn't ad hominem, though. An attack that implies personal qualities isn't
the same as an attack on the person.

I think the point is that someone who is choosing an OS that is controlled by
a particular company has chosen to trust that company.

------
VLM
Serious question, if both the endpoints are completely pwned by corporations
and governments, what do I gain by having the traffic on the wire be secure?
Who is the only Opfor I'm defending against, Sprint? They can barely provide
working service and correct billing.

It's a given that secret juicy electronic stuff always ends up on wikileaks, so
anything important I discuss live in person and never electronically. So if,
in a massive delusion of self importance, everything I do that's juicy can't
show up on wikileaks because it's not electronic, regardless of any app I use
or don't use, and the only thing I use electronics for is the security
equivalent of "don't forget to buy a quart of milk at the store on the way
home", then how does encrypting my quart of milk purchase help me? Is there any
reason to not take it as a given that any juicy electronic stuff ends up on
wikileaks regardless of this app?

Realize that if I wanted to keep my visit to the supermarket a secret using
this app, I can't. Facebook and google sell my GPS data. Tomorrow google
rewards will send me a survey asking what I thought of my visit to the store.
The store sniffs the wifi MACs and bluetooth data and camera data to track my
every move, that free internet for customers isn't entirely free. Not to
mention I'm on probably 50 camera recordings. And the phone company knows
where I am, every step of the way, for supposed 911 purposes. And my credit
card is rubbed up against my receipt purchase data to data mine the hell out
of my milk purchase. But I'm supposed to feel perfectly private and secure
because Sprint can't read the contents of my wife's shopping list, uh huh.

If you keep things super nebulous and don't think too hard, it seems I'd be
protecting myself against someone, and protecting is always good and there's
always a someone to fear so obviously it must be awesome. But analysis shows
there's not a problem and I'm not defended against any important forces only
against a single weak and unimportant force and wide open to absolutely
everyone else.

~~~
SomeStupidPoint
You may be abnormal, but most people text sexually explicit comments they'd
prefer neither be in corporate or government databases. (And a ton of other
highly private, perfectly innocuous material.)

There's no reason people should be confined to only discussing those topics
with people in physical proximity, and encrypted IM apps perfectly fit that
use case.

There's also a legal and technical distinction between the NSA (or phone
company) reading plaintext on the wire and actively compromising a device.
Your comment facetiously ignores that.

Ed: I think of it like locking my front door. My deadbolt won't stop the
government getting in, but it establishes (for legal reasons) that I had taken
steps to ensure privacy and it raises the chance they leave signs of entry,
rather than being covert.

It's not that I'm trying to hide things from the government -- they could just
ask me anything they wanted to know. I just want them to have to ask, not just
covertly take whatever they want.

~~~
VLM
I admit your front door deadbolt analogy is a very persuasive argument,
however this is being marketed as a technically perfect nuclear material /
army weapons locker grade bank vault door that solves all security problems
when installed and used. Which might be correct.

However, I will extend your admittedly excellent analogy with unfortunately
this probably high quality piece of security hardware is installed in a garden
shed that has easily breakable windows with no curtains and at least a couple
unlocked back doors and an unknown number of (old fashioned electronic) bugs
installed in the shed and the news is full, every day, of stories of garden
sheds being broken into and peoples secrets on the front page, or at least the
front page of wikileaks. Yet the marketing spiel is something like "once you
install this really nice door, that's all you need to be completely secure and
can feel comfy doing anything that needs to be private or is illegal."

"There's no reason people should be confined to only discussing those topics
with people in physical proximity"

Pragmatically, sure there is, it's because they don't want it made public.
Extremely optimistically, all you need to do is install this really top
quality bank vault door on your garden shed, then ...

~~~
SomeStupidPoint
I don't disagree that security talk could be better about threat models, total
evaluation, etc.

But in this case, we also have to imagine that the bank-grade vault door to
the shed costs about the same as a regular door.

While I agree the marketing is nonsense (you need lots of other secure
features too!), there's absolutely no reason people shouldn't a) start locking
their doors, since most current "robberies" are walking in the front door
without challenge and b) use the high security door, because the cost is the
same as a regular one while the benefits are strictly greater.

I agree that Signal needs to tone down the complete security language, but I
think too many security professionals scare people out of making improvements
by talking about how there are still compromises. There are lots of middle-
ground social goals, like reaching a level of security that makes bulk
collection untenable, but leaves targeted attacks open. It's the digital
equivalent of closing your blinds in a locked house -- government can still
get in to see if they have reason, but they can't see when just wandering by
on the street. And they can't pretend their intent _wasn't_ to violate your
privacy by entering, since the low technical barriers still require active
bypass.

The vault door may not keep your shed from being robbed; after all there's a
ton of easy-to-kick-in windows, but forcing it to be B&E instead of a walk in
is meaningful. The law might be ambiguous about walk-ins, but is clear about
B&E. (I'd argue the other "unlocked" doors are really just getting keys from
the landlord, which is a separate problem.)

~~~
VLM
"we also have to imagine that the bank-grade vault door to the shed costs
about the same as a regular door."

I admit defeat. Two extremely strong back to back arguments, both very
persuasive and well written.

I see we have common ground on the toning down the security language. That
specific aspect of the issue triggered me a bit into a general, eventually
proven somewhat wrong, rant.

Have a pleasant day!

------
redwood
When I first looked at this, it boggled my mind that they require a phone
number to sign up. Maybe that's no longer the case? But assuming it is, it
just struck me as the epitome of breaking away from the concept of secure
anonymity.

~~~
Amir6
You are absolutely right! Plus, getting a copy of all your contacts is an
invasion of privacy for an app that is advocating for privacy and security.
You can't even use an online VoIP phone number for this app. It's just such a
turn off and I'm extremely disappointed with endorsements from people like
Snowden ignoring such fundamental flaws.

~~~
haffenloher
> You can't even use an online VoIP phone number for this app.

That's incorrect. Signal works perfectly fine with any mobile, landline or
VoIP number.

~~~
Amir6
In fact, what you just claimed is wrong. The app waits for the phone to
receive the text and there is no way to enter the verification code you
receive in another voip app. This is on top of not being able to use this app
on multiple devices.

~~~
haffenloher
Let the SMS verification expire and do a phone call verification.

Concerning multiple devices: I use Signal on my phone and on two desktops,
works perfectly fine.

~~~
Amir6
I have tried that and it didn't work but I'll give it a try one more time.
Regarding multiple devices I mean multiple mobile devices (iOS and Android
apps) and not through a browser and extension.

------
teekert
Currently I'm on telegram primarily. Loving it, using the bots, using the gifs
built in, using the stickers and the cloud storage. I don't love the
encryption.

But my next switch will be to a self hosted/federated solution such as
[https://riot.im/](https://riot.im/), at least for me and my wife. I will not
be able to make friends use and trust my server (they shouldn't for their
private messages) and they won't run their own.

Signal looks nice but man the Telegram desktop client on Linux is also very
very convenient, plus the fact that you don't need your phone to be on.

~~~
moyta
Is it still insecure?

[http://gizmodo.com/why-you-should-stop-using-telegram-right-now-1782557415](http://gizmodo.com/why-you-should-stop-using-telegram-right-now-1782557415)

~~~
lucb1e
That article is complete bullshit. I sent them a big email pointing out
mistake after mistake and of course never got any response nor did they
publish anything to correct their "journalism".

There are legitimate concerns with Telegram that I share with all other
technically inclined people, but this article is like saying "use a firewalled
Windows 95 instead" because something is wrong with Vista. You really should
disregard everything they say because the true parts are too interwoven with
fabrications.

~~~
moyta
Sure, I didn't look for an amazing article, just remember hearing about their
homebrew "crypto" years ago and going eww.

This might be slightly better:

[http://security.stackexchange.com/questions/130559/is-telegram-e2e-still-insecure](http://security.stackexchange.com/questions/130559/is-telegram-e2e-still-insecure)

------
throw2016
I don't understand how a company based in the US and one that requires a phone
number can make any kind of claims about security or privacy, without being
looked on as a honeypot until it redeems itself with evidence to the
contrary.

Why would a privacy centric protocol choose to use a phone number which
directly connects a user to their identity. How can this make sense?

There is enough evidence most US based companies are in bed with the nsa,
compromised or can be easily compromised.

Companies or open source projects can be bullied and threatened by government
officials, legally forced to give up their users, gagged and forced to betray
users, co-opted, infiltrated or compromised. Lavabit has already happened.

Why do we need encryption, security or privacy? If it is exclusively against
state actors then we know it's a serious challenge against extremely powerful,
well resourced, and legally empowered actors and illusions of privacy, hand
flailing 'something is better than nothing' and half baked measures won't do.

It's reasonable then to expect any solution claiming security or privacy in
this context to explicitly spell out how they address or plan to address these
threat models. The alternative is acting in bad faith and making users
vulnerable.

------
lhlmgr
Since I'm very happy with the usability of the WIRE messenger I would
appreciate if someone would do a formal security analysis on their (modified)
axolotl protocol.

------
jonathanstrange
Maybe I'm too grumpy today, but the gist of the summary of the review to me is
not 'trust it' but rather 'the protocol is new and overly complex and the
security goals have not been stated clearly' with the addition that no major
error was found.

~~~
moyta
Yeah, pretty much. It's good enough that Whatsapp, Allo and many others paid
chump change to license it ($1 mil each I heard) since it's cheaper and better
vetted than anything they'd develop internally.

------
eveningcoffee
I think that this is relevant
[https://news.ycombinator.com/item?id=12880520](https://news.ycombinator.com/item?id=12880520)

I would recommend to read the article first and then follow the protectionism
in the comments later.

The main claim of the article is that we need federation, as we do with the
email (but imo we are losing it).

In addition, Signal shares a problem with email - information about your
communication circle is not secure.

~~~
throwanem
This is a classic example of making the perfect the enemy of the good.

~~~
eveningcoffee
I disagree. These are valid points and dismissing them based on ignorance
would be wrong.

Instead we should discuss why these are not implemented and how we could
proceed to implement them.

~~~
throwanem
That's not what the article you cite is saying. It's saying "don't use Signal
because Signal is less than perfect". Calling the counterarguments in that
thread "protectionism" suggests you feel likewise.

If you want to discuss how a follow-on from Signal could and maybe should
address some or all of those points, great! That's a conversation worth
having. But it doesn't sound from your toplevel comment as though it is the
conversation you're trying to start.

~~~
bahjoite
> It's saying "don't use Signal because Signal is less than perfect".

This is mis-categorisation. The article says "I won't recommend the use of
Signal" and gives reasons and desired improvements.

------
potatosoup
Installed Signal, wanted to use it. First step is to connect with my phone
number and there is no other way to create an account. This is an unfortunate
privacy-blind choice for what otherwise could be a great platform.

~~~
HurrdurrHodor
It's probably somebody from the "Usernames are bad UX and if we have bad UX
nobody will use the messenger and then we don't actually get a secure
messenger because we don't get a messenger that anybody uses at all" camp.

------
tptacek
Ugh. The paper isn't from "the International Association for Cryptologic
Research". IACR is simply a site that hosts academic crypto papers. The paper
is fine, but probably disregard the article.

~~~
24gttghh
And what article would that be? The link goes directly to the PDF...

~~~
tptacek
The submission has been updated. It originally pointed to an article on The
Register.

~~~
24gttghh
Ah I was not aware of that, thank you!

------
sametmax
I can't help but feel like the word "normies" is somewhat insulting. Although
I had never read it before, it sounds very condescending.

~~~
moyta
It is moderately condescending, but it is very handy to describe average
technical competence and what to expect from said humans.

Things need to be straightforward & familiar for normies (eg. Pokemon Go vs
Ingress) and you can't expect to hold a high level conversation with a good
chunk of them, whether that be about mathematics, policy (so much circular
logic), reality (citations & sources are not a thing many normies are willing
to use), etc.

That being said, it's not all bad, just set expectations accordingly, just like
you would going on HN. I do not expect the average HN reader to understand
much about traffic dynamics and the minimal efficiency gains that may come
with self driving cars, or the sheer volume of people a moderate sized light
rail network can move in a timely manner, so I set my expectations very low.

It's like talking to a Microsoftie about rail or self driving cars, there is a
lack of knowledge (the fact that Amtrak runs trains from Vancouver to Seattle
to Portland and is paying BNSF to make the route more reliable) and a
conceptual barrier that I do not expect them to rapidly grasp (bullet trains
need dead straight rights of way, no exceptions).

Edit: Apparently I can't reply to you, nevertheless I picked up normie as a
term in meatspace, and while it might not meet your sensibilities, I do not
see a more accurate term, and I'm not here to intimately know & defend your
sensibilities. Same goes for asking me or telling me your pronoun, great for
you, I give not a single shit, use what you want and cut to the chase.

~~~
nickpsecurity
I agree with the throwaway. You should drop it in favor of average person or
something else that's neutral. People seeing us insult them will only hurt
adoption. Plus, many of these people that don't know much about computers are
smart in other fields or have other talents. We aren't all supposed to have
the same strengths. So it's doubly insulting when it's an intelligent, but non-
technical, user we're talking about.

~~~
throwaway98764
I don't know about the rest of you, but I'm here for the insights. Trying to
court everyone just waters down the comments until HN is indistinguishable
from reddit. I prefer apparent condescension and a thick skin over PC half-
conversations and watered-down intelligence.

~~~
taejo
You can have the insights without the insults. They add literally nothing,
except to degrade the conversation until HN is indistinguishable from 4chan.

