
Signal 2.0 released with private messaging support - bruo
https://whispersystems.org/blog/the-new-signal/
======
tptacek
This is huge. If you have an iPhone, install Signal.

~~~
lukasm
Can you elaborate more, please?

~~~
scott_karana
It's a cryptographically well-audited replacement to iMessage, Skype, and
traditional telephony, all of which leave room for governmental and malicious
meddling.

~~~
WhitneyLand
It's not really a replacement, more of a secure alternative. Ideally it would
be possible to totally replace iMessage with Signal allowing non-secure
messages from legacy contacts. However, even if the team were so inclined
Apple does not provide adequate messaging APIs. For example, there is no way
to intercept an SMS message, see message history, etc.

~~~
mahyarm
TBH I think keeping SMS separate from an IP-based communications method is
better. Let's not pretend that SMS is secure. The only thing I would find
missing are quick reply APIs.

~~~
scott_karana
How are IP and SMS traffic different, other than "packet" size and encoding
constraints? Both are easily interceptable and spoofable, necessitating strong
crypto.

I don't see how chacha20/poly1305 is somehow "worse" over SMS.

~~~
nzp
The difference is mostly that in case of SMS, metadata leaks to carriers. In
case of Signal/TextSecure/RedPhone, some limited metadata leaks to Google
Cloud Messaging and Apple's equivalent platform (I can't remember the name).
That's necessary because of scaling problems with push messages, but I
understand there is work going on to develop a self contained alternative
using WebSockets.

------
ogig
I was waiting for this, even donated some time ago. Went to install it but it
requires iOS8 so my perfectly functioning iPhone 4 can't run it.

Is it very hard to keep older iOS support?

Side rant: I hate that Apple is leaving my hardware off the grid. It is well cared for,
like new, battery is ok, no reason to think about replacing other than iOS8,
and that sucks.

~~~
stormbrew
They addressed it in this github issue:
[https://github.com/WhisperSystems/Signal-iOS/issues/614](https://github.com/WhisperSystems/Signal-iOS/issues/614)

I'm also disappointed in this. The people I most want to use this with are
also the people who have an iPhone 4.

I don't get the impression it'd be impossible to backport it from that post,
so some enterprising individual could maybe do just that...

~~~
dguido
I'm surprised they didn't mention how amazingly insecure it is to be running a
phone that old. If you're running a private messenger like Signal, you might
not want to install it on a device vulnerable to bootrom exploits that negate
all the advantages of disk encryption.

~~~
stormbrew
While this is true, they also, through TextSecure, support many android phones
that are probably in much worse shape on that front. It's also not like web
browsers refuse to use TLS because your computer's running a compromisable
version of Windows.

~~~
droopyEyelids
That analogy sure stopped and made me think. What a sticky issue. SHOULD
browsers do that? What if your bank website refused to allow you to sign in
from a machine running unpatched XP?

I think right now there might not be enough exploits targeting banking on XP
machines to justify that inconvenience, but it seems like a responsible
argument could be made for both cases.

~~~
stormbrew
It might seem like a good idea on the surface, but think about the impact this
might have on people who can least afford it (consider why people might be
using old phones or old operating systems, and what impact lack of access to
their bank could have on them for even a day if it's the wrong day), in the
name of protecting them from something theoretical.

------
_jomo
TextSecure for Android is only distributed via the Play Store. So I built it
myself only to notice that Google Play Services are required for chat.

I think depending on proprietary / data gathering apps is the wrong approach
for an open source privacy app. It actually makes me sad.

There was an issue about "This requires Google Play" on GitHub [0] which was
closed by moxie with "TextSecure only requires GSF for data channel messaging.
To use SMS/MMS, it doesn't." Great. I'm not paying 3 cents to send a few bytes
of text via SMS. I'll rather just stick to WhatsApp/Telegram.

There are a lot of issues on GitHub, which makes searching them a little hard,
but it seems like there is ongoing development for websockets instead of
(Google-) Push messages. [1][2]

0:
[https://github.com/WhisperSystems/TextSecure/issues/560](https://github.com/WhisperSystems/TextSecure/issues/560)

1:
[https://github.com/WhisperSystems/TextSecure/issues/1000](https://github.com/WhisperSystems/TextSecure/issues/1000)

2:
[https://github.com/WhisperSystems/TextSecure/pull/2423](https://github.com/WhisperSystems/TextSecure/pull/2423)

~~~
pilif
_> I'll rather just stick to WhatsApp/Telegram_

WhatsApp and Telegram also use Google Play Services for background
notifications. There is no other reliable way to ensure that messages are
always delivered on both iOS (push notifications) and Android (Google Cloud
Messaging).

Apps just don't get enough API access to do this on their own in a totally
reliable way and even if they did, the overhead of multiple applications
keeping multiple connections open (and the radio active) would cause a lot
more drain on the battery.

Neither TextSecure nor Signal use the platform provided notification features
for unencrypted data though, so your messages are still safe.

~~~
dTal
There's been a lot of talk over the years of implementing a data modem over
GSM voice - as far as I can tell, this would solve basically all the issues
with the current crop of encryption products. Instead of constantly polling or
faffing about with third party servers, one phone could simply initiate a
two-way connection to another phone the old fashioned way: via phone call. There's
your "push messaging". You wouldn't even have to leave your data on. Your text
messages would also probably arrive _faster_ than an SMS.

I'm very disappointed that despite _numerous_ papers on the subject in the
past decade (even a DEFCON presentation), no implementation has yet appeared,
not even a demo.

------
minot
If anyone from Whisper Systems is reading, can you please tell me how I can
disassociate my number from a Cyanogenmod installed version of TextSecure in
my (now formatted and sold) Nexus 4 and get it working with my no sim Nexus 5
with Google Voice/Hangouts?

~~~
clpwn
Your unregistering options are best summarized here:
[http://support.whispersystems.org/customer/portal/articles/1...](http://support.whispersystems.org/customer/portal/articles/1476197)

~~~
wtbob
Sadly, it's been over a year since that post and the modifications to
CyanogenMod and TextSecure haven't taken: I'm unable to unregister either CM
or TS, using their tools or their website.

------
matt2000
One question I always have with secure systems distributed by app stores, even
the open source ones, is how do you verify the source you're reading is the
app you're using?

~~~
adrusi
Well, there are several ways to get read access to the iPhone's filesystem.
You can grab the binary from the phone and verify that it's the same as when
you compile the app on your own machine.

No one's going to do that for most apps though.

~~~
citruspi
So, I'm not intimately familiar with the code signing process, but I imagine
that the bundle on the iPhone wouldn't match the one you would get by
compiling the source on your machine.

The former would be signed with Whisper Systems' distribution certificate,
which you couldn't do on your system because you don't have their certificate.

~~~
zokier
Compared to other issues I think stripping/ignoring signatures for comparison
should be a fairly minor issue.

------
wyager
I installed it and texted my friend.

It never asked me to verify his pubkey.

How does key management work? Is it all done through Whisper Systems' servers?
If that's the case, how is this effectively better than iMessage? iMessage is
also (nominally) quite secure, except for the fact that you have to trust
Apple to verify pubkeys, which makes it quite feasible to MITM if you can
subvert Apple via legal or technical means.

~~~
jlund
Keys are trusted on first use, similar to SSH. The app also provides an
interface you can use to verify fingerprints:

[https://github.com/WhisperSystems/Signal-iOS/wiki/FAQ#can-i-...](https://github.com/WhisperSystems/Signal-iOS/wiki/FAQ#can-i-verify-my-contacts-key)

~~~
StavrosK
What's the point of that? Why not just indicate somewhere that the
conversation isn't completely secure, rather than have the user believe it is
when it's not?

~~~
jlund
TOFU has proven to be _quite_ resilient against MITM attacks. Do you think
it's a stretch to say that SSH is secure?

~~~
StavrosK
I think it's a stretch to say that there can be security without verifying
keys.

~~~
jlund
That's like saying that SSH isn't more secure than Telnet unless you
personally drive to the data center and verify the fingerprints of every
single server by hand.

In reality, TOFU is a form of key verification and it is highly effective
against MITM attacks because there's no way for an adversary to reliably
determine whether or not a user is seeing a fingerprint for the first time. If
at any point the fingerprint changes, the users are warned.

Users can also easily check and compare fingerprints too. They are not
mutually exclusive.

~~~
StavrosK
I'm talking about absolute terms and you're replying with relative terms. I
didn't say that SSH isn't more secure than telnet, I said that you can't be
secure against an active MITM unless you verify the keys. That's a fact, I'm
not sure how one can argue against it.

Sure, TOFU is better than nothing, and might even be very good, but there's
still a way for an active adversary to MITM you.

~~~
jlund
Yeah, I don't think we actually disagree. Key verification is important, which
is why it's a feature in Signal.

In order for an active adversary to perform a successful MITM attack against a
TOFU scheme they would need to successfully determine when someone is seeing a
fingerprint for the first time (or get lucky) and then successfully maintain
their MITM position across every single network the device uses, forever. If
they fail at either of those, the user will be warned.

I keep bringing up SSH because it's an example of a fingerprint verification
system based on TOFU that works incredibly well at preventing MITM attacks. No
one is having key signing parties with their servers, and yet connections
remain secure.

~~~
StavrosK
I agree, but it's much easier for me to tell a friend "hey is this your key?"
when we're together than go all the way up to my server and connect directly
to it. That's why I think that there should be a UI element that says "you're
pretty secure, but if you just check this you're golden".
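
The trust-on-first-use behaviour debated in the thread above (pin on first contact, warn on change, optional out-of-band fingerprint comparison), shown as an added Python example that is not part of any comment and is not Signal's code. The `TofuStore` class, the SHA-256 fingerprint format and the key bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    FIRST_USE = "first_use"  # no pin existed; key accepted and pinned
    MATCH = "match"          # equals the pin, but never compared out of band
    VERIFIED = "verified"    # equals the pin and the user compared fingerprints
    CHANGED = "changed"      # differs from the pin: warn, never replace silently


@dataclass
class Pin:
    fingerprint: str
    verified: bool = False


def fingerprint(public_key: bytes) -> str:
    """Hex SHA-256 of the key bytes in groups of four (format is an assumption)."""
    digest = hashlib.sha256(public_key).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def _canonical(fp: str) -> bytes:
    # Ignore spacing and case so a fingerprint read aloud or retyped still compares.
    return "".join(fp.split()).lower().encode()


class TofuStore:
    """Hypothetical per-contact key pin store."""

    def __init__(self):
        self._pins = {}

    def check(self, contact: str, public_key: bytes) -> Verdict:
        fp = fingerprint(public_key)
        pin = self._pins.get(contact)
        if pin is None:
            # First contact: nothing to compare against, so the key is pinned.
            # An attacker present at this moment gets their key pinned instead.
            self._pins[contact] = Pin(fp)
            return Verdict.FIRST_USE
        if not hmac.compare_digest(_canonical(pin.fingerprint), _canonical(fp)):
            return Verdict.CHANGED  # the existing pin is left untouched
        return Verdict.VERIFIED if pin.verified else Verdict.MATCH

    def mark_verified(self, contact: str, fingerprint_from_contact: str) -> bool:
        """Record an in-person comparison; True only if it matches the pin."""
        pin = self._pins.get(contact)
        if pin is None:
            return False
        pin.verified = hmac.compare_digest(
            _canonical(pin.fingerprint), _canonical(fingerprint_from_contact))
        return pin.verified

    def accept_change(self, contact: str, public_key: bytes) -> None:
        """Explicit user decision to trust a new key; verification is reset."""
        self._pins[contact] = Pin(fingerprint(public_key))


# Constructed sample keys (not real key material).
ALICE_KEY = bytes(range(32))
MALLORY_KEY = bytes(range(32, 64))

if __name__ == "__main__":
    store = TofuStore()
    for key in (ALICE_KEY, ALICE_KEY, MALLORY_KEY):
        print(store.check("alice", key).value)
    print(store.mark_verified("alice", fingerprint(ALICE_KEY)))
    print(store.check("alice", ALICE_KEY).value)
```

If the first key ever seen is the attacker's, `check` keeps answering `MATCH`; only `mark_verified` with the fingerprint the contact reads from their own device exposes the substitution.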

------
saghul
Is there any documentation out there describing how the encrypted groupchat
works? OTR can also give you 1-to-1 encryption, but not encrypted groupchat,
so this is great news which I'd like to read more into.

~~~
pilif
[https://whispersystems.org/blog/private-groups/](https://whispersystems.org/blog/private-groups/) is going into some
detail.

~~~
saghul
Thanks!

------
AceJohnny2
Why is the iPhone app called Signal whereas the Android app is called
RedPhone?

(as an aside, I love the screenshots for RedPhone
[https://play.google.com/store/apps/details?id=org.thoughtcri...](https://play.google.com/store/apps/details?id=org.thoughtcrime.redphone&hl=en))

~~~
joycey
I've contributed to the development of Signal 2.0, and you can also check out
this blog post.
[https://whispersystems.org/blog/signal/](https://whispersystems.org/blog/signal/)

On Android you can use RedPhone for secure calls and TextSecure for secure
text messages. These calls and text messages are compatible with calls and
text messages in Signal iOS. Someday TextSecure and RedPhone on Android will
be integrated into one unified product called Signal.

~~~
frabcus
Great!

The TextSecure brand is unfortunately dead to me. Although I liked the idea in
theory of the SMS backwards compatibility layer, in practice it confused people
and caused technical problems which stopped many of my friends using it.

With a reboot as a product with the new name Signal, I can market it again.
Needs an Android version first though!

~~~
higherpurpose
I agreed to that from the first day I used it. It's strange that the
developers themselves don't realize it. Just kill SMS support. Nobody needs it
anymore. I mean for crying out loud, data-only apps such as BBM and Whatsapp
became most popular in _poor_ countries, so I don't think the "but not
everyone has money for data" argument works anymore.

~~~
unhammer
I disagree. Most of my contact list doesn't use TextSecure/Signal; when I want
to send someone a message I don't want to have to remember if they use textsecure
in order to open the optimal app for messaging them with. Maybe I'd even first
open textsecure, then be disappointed that they're not in there and have to
open the plain sms app. How annoying that would be.

Nobody needs SMS if everyone could just use the same app. But my brother uses
a dumbphone and my mother uses an iPhone with nothing but iMessage and I use
an Android and don't really feel like installing whatsapp or whatever the
latest fad is just because one or two of my friends has it. Over SMS I can
communicate with them all, and if any of them ever install textsecure I get
encryption as a bonus.

~~~
nzp
They're planning to drop support for encrypted SMS fallback (a decision I have
mixed feelings about), but plain SMS functionality will remain in the Android
client for the foreseeable future.

------
SpaceInvader
Question: how and where is a message stored when my phone is off and somebody
sends me a message? How is it encrypted and then decrypted on my device
once turned on?

~~~
matthewmacleod
It will either be on the remote device, or on Signal's servers, depending on
how the implementation works. Either way doesn't really matter; the whole
point of encryption like this is to prevent third-party access to your
communications.

It could be stored at NSA central for all it matters, and you'd still be the
only one able to read the message (using the keys on your device).

~~~
SpaceInvader
I know how encryption works. My question was rather design wise. I.e. Which
keys are used to encrypt messages on WhisperSystems servers (my public key? Or
sender's?). But I'll have a look on the link below describing modified OTR
protocol.

------
mjewkes
For those interested, I think Whisper Systems is currently hiring iOS + UX in
the Bay Area:
[https://news.ycombinator.com/item?id=9127708](https://news.ycombinator.com/item?id=9127708)

------
jscheel
What's the difference between this and Telegram? I'm starting to feel a bit
overwhelmed with what messaging app I'm supposed to use. Also, why is ios8
required?

~~~
moxie
I'm a Signal/TextSecure contributor. There's been a lot of controversy over
the Telegram encryption protocol, and any cryptographer that looks at it
cringes.

Beyond doubts with the protocol itself, I think the more important
consideration is that most people never use it. Telegram is not encrypted by
default. Users have to create a special "secret chat" with contacts that is
ephemeral, and some Telegram clients don't even support that mode. Last I
checked, there was no way to have group "secret chats" in any client at all.

The result is an unfortunate situation where many users seem to think that
Telegram is somehow secure by default, when it definitely isn't. Telegram even
stores plaintext copies of everyone's entire message history on the server for
multi-device sync.

~~~
rakoo
> I'm a Signal/TextSecure contributor.

That's a bit of an understatement.

Anyway, thank you for your work, and congratulations for the release!

------
iaskwhy
Can anyone explain what's the difference between using Signal and using
WhatsApp (assuming TextSecure is the default protocol being used - is it?)?

~~~
vitno
Signal is open-source while WhatsApp is proprietary.

WhatsApp also uses the 2-part ratcheting developed in Axolotl, is my
understanding, but they are not mutually compatible on-the-wire transport.

~~~
frabcus
Only the Android version of WhatsApp has encryption, as far as I can tell.

Also WhatsApp (i.e. Facebook) get the metadata still - who messaged who, and
when.

------
mperham
I installed 2.0 and added the phone number of a friend also using 2.0. I click
the + icon and I see my friend's name grayed out so I can't send him a
message. What does that mean?

~~~
mullen
Has your friend installed the 2.0 client on their iOS device? My wife has not,
so her status is also greyed out on my iPhone with 2.0 installed.

------
higherpurpose
Awesome. Is there a rough timeline for Signal on Android? What about the
desktop version - will there still be one? (at least a Whatsapp Web/Pushbullet
style "desktop app")

~~~
citruspi
Signal for Android is already available, kinda...

It's split into TextSecure for the messaging portion and RedPhone for the call
portion[0].

[0][https://whispersystems.org/](https://whispersystems.org/)

~~~
desdiv
There are some compatibility problems between Signal and RedPhone. I can't
seem to get the two to work together for international calling. Googling
"Signal can't connect to RedPhone" shows that I'm not alone in this. Guess
I'll have to wait for the Android version of Signal.

------
dombili
Congrats on the launch of Signal 2.0. I hope it'll be a popular app, but I
have a question slightly off topic: Why can't we get an app like Signal for
the desktop? Yes, I'm aware there are alternatives for the desktop (mainly
Pidgin + OTR), but none of them work like Signal does (ease of use) and
frankly I don't really trust using them. I'd like to think I'm ignorant on the
subject and there's a good alternative out there, and if so, please do tell.

~~~
clpwn
That's currently in the works as a browser extension:
[https://github.com/whispersystems/textsecure-browser](https://github.com/whispersystems/textsecure-browser)

You can keep track of its progress there :).

~~~
dombili
Yeah, I'm aware of that, but doesn't that require a smartphone with TextSecure
installed? I don't own a smartphone. (I accept that I'm a weirdo.)

~~~
tga_d
No, just requires a phone number. It's still under development, but if you're
curious you can check out install instructions here:
[https://github.com/WhisperSystems/TextSecure-Browser/blob/ma...](https://github.com/WhisperSystems/TextSecure-Browser/blob/master/CONTRIBUTING.md)

~~~
dombili
Huh, I didn't know that. Thanks for the link.

------
wtmt
Seems like it's not tested well. I updated to Signal 2.0 on an iPhone 6 with
the latest iOS 8.x. It said that none of my contacts have Signal (that's true)
and had a link titled "Invite your friends". Tapping on that took me to the
home screen. Killed it and tried a few more times. No use. If it were as
usable as Telegram, I'd insist my contacts switch. But not right now.

------
mekal
Has anybody with an iphone bothered to check the privacy policy yet?
[https://whispersystems.org/signal/privacy](https://whispersystems.org/signal/privacy)
(404 with a link to Moxie's homepage)

Annnd it's fixed the second after I post...dang it. 404's still link you to
thoughtcrime.org. Possibly a mistake.

------
deanclatworthy
Presumably there are still multiple ways for messages to be intercepted from
the user's iPhone:

- Physical access or confiscation of the device
- Possible backdoor in iOS or the physical iPhone hardware?
- Compromise or physical access to a host machine where the user backs up their device.

Although, I'm not sure what can be done to stop this.

~~~
lallysingh
There's no such thing as perfect security in the real world. Instead, your
best bet is to raise the cost of breaking the security that you do have. If
you raise that cost above the value of that which you're securing, then you
are in good shape.

------
microkernel
Fantastic! Go-and-install-immediately!

------
dcre
I see it's open source, but is there a good third-party security evaluation of
this anywhere?

~~~
dcre
Ha — found one:

> You need to have Signal on your iPhone. Full stop.

[https://twitter.com/tqbf/status/572469319554088960](https://twitter.com/tqbf/status/572469319554088960)

~~~
huhtenberg
That's an endorsement, not security evaluation. Not exactly the same thing.

~~~
nav1
There's a link to it in that conversation:
[https://eprint.iacr.org/2014/904.pdf](https://eprint.iacr.org/2014/904.pdf)

------
joshstrange
Hmm, about 5 min in and still waiting for a SMS verification message, I assume
they are just backed up right now?

EDIT: After 20 min of no message I just requested another code (I had done
this once or twice before) and it worked.

~~~
stock_toaster
took me a long time to get the code too.

------
petermonsson
How is it working out? Is the messaging solid between Android and iOS? How is
the group messaging working?

Sorry, I just downloaded it, but I have no friends on the list yet. I'm
impatient. I really want it to work.

~~~
mayneack
I've been using textsecure for a long time now: so far I haven't had any
issues messaging new iOS users including mixed groups. In my experience, there
might be some mms edge cases when mixing with other messaging apps, but not
too many and bug reports are monitored regularly on github.

~~~
petermonsson
Cool, thanks. So, I got it working with some friends. The start is rough when
you don't have any contacts. There is no hand holding like you'd expect from
other messaging apps. Especially the first message to the first contact is a
tough discovery. I managed to mistakenly call instead of texting and another
friend did exactly the same.

The error message when you are not registered yet is also not totally clear.
One friend complained that he couldn't see when I had read the message
(compared to Facebook Messenger).

On the plus side, you've come really far in usable crypto when you're being
compared to that.

~~~
mayneack
Yeah, I gather this can't be used to completely replace SMS? The handy part
of the android textsecure is that it's my sms app for everyone whether or not
they use it. I just send a message the normal way and if they're using it, a
little lock icon is on the message.

~~~
WhitneyLand
Correct. As I mention above this is unfortunately not possible on iOS due to
API lockdown.

------
subliminalpanda
Blocked in Oman, can't register :(

------
Avalaxy
Argh, I kept reading "SignalR 2.0". This post was so confusing...

------
runn1ng
Maybe a stupid question

What good is open source, when the developer can still add a backdoor later
and put the backdoored version on iOS store?

I still need to trust the developer.

(And Apple, too, but once I can't trust Apple I can no longer trust the OS itself
and just throw the phone away)

~~~
d2xdy2
I think the premise of that sort of thing is that in theory, you could build
your own copy and install that, or at least check it against the pre-compiled
version.

~~~
runn1ng
Yes, but I cannot do that with Apple's iOS (well, I can, but I have to buy
a certificate for 99 dollars)

~~~
d2xdy2
Perhaps it's incorrect thinking, but I trust that Moxie and the gang aren't
going to screw me over.

But, yeah, in theory, you can download it and compile it. The fact that you
would have to also buy a certificate from Apple to do it is just a detail. You
_can_ do it.

------
marknutter
The "screen security" feature on iOS appears to do nothing. Not exactly
confidence inspiring.

~~~
dguido
It stops iOS from saving screenshots of the app when it closes. When an app
launches on iOS, it initially draws the UI from a saved screenshot while the
app is loading. This creates a privacy risk since that image may contain
sensitive info.

~~~
marknutter
Oh, wow, I thought it was some sort of lock screen for the app. There should
be a description.

~~~
cheald
TextSecure has the option to lock the app after a timeout (or on command), and
not unlock it until a passcode is given. I suspect Signal has something
similar.

------
zobzu
Great app - but I fail to see how that's going to replace GnuPG.

~~~
matthewmacleod
Have I missed the claim they made that it would?

GnuPG is useful, but it's a totally different product.

~~~
zobzu
This is related to Moxie's blog post from last week just before the release of
this software - which is textsecure for iOS - see
[http://www.thoughtcrime.org/software.html](http://www.thoughtcrime.org/software.html).

Man, you guys can't remember a thing for a single week?

------
13
Still asks for a phone number. Useless.

~~~
aw3c2
Not useless, but not as great as it could be indeed. I would love to publish
my textsecure contact details online but I would never publish my phone
number.

~~~
cheald
Why not use a disposable number, like from Google Voice?

~~~
13
Google Voice is US only.

------
itistoday2
Congrats to the Open WhisperSystems team on this awesome release!

My last gripe (phone call results in only one vibration in vibrate mode), is
apparently slated to be fixed in 2.0.2 [1]. Once that's in, there'll be no
reason for me to use any other voice/chat app on the iPhone!

Edit: Apparently it's an iOS issue. Filed rdar://20008371. Plz 2 fix it
Apple!

[1] [https://github.com/WhisperSystems/Signal-iOS/issues/244](https://github.com/WhisperSystems/Signal-iOS/issues/244)

