
Wire open-sourced - arunc
https://github.com/wireapp
======
gfosco
A link to a GitHub organization isn't great.. I'd say this is better:
[https://medium.com/@wireapp/you-can-now-build-your-own-wire-...](https://medium.com/@wireapp/you-can-now-build-your-own-wire-client-ea9ed9214e26)
but even that doesn't clearly explain what Wire is. Visit
[https://wire.com](https://wire.com) to find out it's an encrypted video and
group chat app.

~~~
walterbell
From [http://fortune.com/2016/07/22/wire-open-source/](http://fortune.com/2016/07/22/wire-open-source/):

 _... the move has two main objectives: transparency and building an ecosystem
of secure services that can talk to one another ... there is scope for
organizations to design Wire-based apps that are tailored to different use
cases, such as enterprise communications and digital health, and even
automotive and the Internet of things ... “You can register with email and it
doesn’t require mobile.” He also pointed out that the apps don’t need to be
interoperable, though federation at some point would be nice. “It’s a shame we
have so many islands in the communications space,” he added._

HN comments from Wire marketing:
[https://news.ycombinator.com/threads?id=Siimteller](https://news.ycombinator.com/threads?id=Siimteller)

------
grizzles
A bold move by Wire. Open source is still a very disruptive play, and the
world needs something like this. If they manage this well and triple down on
developer engagement, it could work out quite nicely for them. EDIT: Thread
title is slightly misleading. It looks like they did a Telegram. There is no
server here.

~~~
niftich
Correct, there's no server. I will avoid blockquoting large amounts of text
but on their open source summary page [1], they give you two options:

1\. you point your implementation to their server and you have to abide by
their additional terms (which is exactly what I'd expect)

\- or -

2\. you point your implementation to somewhere else, unspecified, and you're
only bound by GPLv3

Right now, #2 is moot because there is no compatible server you can host. Once
someone implements a compatible server, this will get a lot more exciting.

[1] [https://github.com/wireapp/wire#open-source](https://github.com/wireapp/wire#open-source)

~~~
ZenoArrow
Does the Wire licence agreement allow you to create a standalone server
though?

[https://github.com/wireapp/wire/blob/master/README.md](https://github.com/wireapp/wire/blob/master/README.md)

"Additionally, if you choose to build an Open Source App, certain restrictions
apply, as follows:

a. You agree not to change the way the Open Source App connects and interacts
with our servers"

Even if the company behind Wire seems trustworthy, if I cared about security I
wouldn't want any interaction between clients to go through a server I didn't
have control over.

~~~
chrischen
If the end to end encryption is implemented correctly then you don't have to
worry about what their server does.

~~~
heinrich5991
You still have to worry about that because it still receives the so-called
"metadata".

------
deltaprotocol
I must say that my first impression is beyond positive.

One to one and group chats, group video and audio calls, GIF search built-in,
doodles, the best implementation of photos in the message stream that I've
seen, poking and playable Spotify and Soundcloud music by just sharing links?
All with end-to-end encryption?

I have that "too good to be true" feeling but, still impressed. Just waiting
for possible audits and more feedback from the security community.

Edit: It's also Switzerland based, already supports Win10, MacOS, Web, Android
and iOS, and to complete has the cleanest design I've seen in a messaging app.

~~~
unicornporn
I've been using it with friends and family for a while on Android and macOS and
it's fantastic, in theory. It has however been plagued with lots of bugs. The
calling functionality, which I've used a lot, often stalls at "joining" and
then nothing happens. It's not as polished or flawless as Telegram. It does
not have a feature to compress video before sending for instance. But I can
only expect that to change. Especially now, when anyone can write their own
client.

~~~
Siimteller
Compress video before sending is there on mobile (at least on iOS, I need to
double check Android, don't have that handy right now).

~~~
unicornporn
Please do, I just tried sending a 100 MB video file recorded with the stock
camera and I got a message saying "Are you sure you want to send 100 MB via
the mobile network?"

------
laksjd
They offer a password reset function. How does that work? Do they hold my
private key in escrow? I'd certainly hope not! Or does the password reset work
by creating a new keypair? If so, does this at least generate WhatsApp style
security warnings for people chatting with me?

With some digging I've found a way to verify key fingerprints so that's nice,
but it's manual, not QR assisted :(

------
melle
I believe all their good intentions and I do hope they succeed. But for me
it's too early to tell whether their business model will hold. If they build
up a sufficiently large user base, but fail to monetize it and sell the
company to e.g. Microsoft or Facebook, then I doubt how much of their original
privacy / openness remains.

Another thing that I wonder about: Does being Swiss-based give them a privacy
advantage?

~~~
laksjd
It might be mostly marketing since the Swiss have long switched from a 'swiss
banking secrecy' mindset to fairly open cooperation with EU and US
investigators.

It's probably nevertheless better than being based in the US, just ask Lavabit
;)

------
saghul
Lots of good stuff in there, thanks Wire! I just wish they had gone with
something other than GPLv3 for libraries, like LGPL. Looks like they changed
them in December, from MPL 2.0 to GPLv3.

At any rate, there are lots of us who can use the code with that license :-)

------
nanch
See [https://wire.com](https://wire.com) for more information since the linked
repos provide no context. "Crystal clear voice, video and group chats. No
advertising. Your data, always encrypted."

~~~
qznc
So, Signal plus video chat?

~~~
stemuk
Probably not, since Signal doesn't really support secure web communication
(without phone routing).

~~~
lorenzhs
This phone routing story keeps getting repeated here but it's not true and
never was. The devices share a key but are completely independent. You can
easily try it, put your phone into airplane mode and Signal-Desktop works just
the same.

~~~
nxzero
Issue may not be the routing, but that a mobile device is required to create
an account.

Are you saying that the Signal Protocol created by Open Whisper Systems, which is
led by Moxie Marlinspike, does not require a phone number to work? (Say the
Signal Protocol instead of the browser extension since the browser extension
uses the protocol to work.)

~~~
lorenzhs
As far as I'm aware the protocol can use other identifiers. If I remember
correctly the development server allows registering without a phone number for
easier testing of Signal-Desktop. Not sure what is used as an identifier
instead. Not sure where I read it, so it may be the result of the telephone
game. Take this with a grain of salt.

------
jacek
I am a user. I switched myself and my family from Skype a few months ago and
it has been great so far. Quality of video and audio is great, Android app
works very well (better than web based desktop versions). And it also works in
a browser, which is great for me (Linux user).

------
mei0Iesh
Thank you! Wire is the best, with multiple device support, clean mobile app,
and a desktop client. It'd be nice if it were a standard open protocol so
everyone could implement it, and find a way to allow federation. I'd pay to
help support.

------
prayerslayer
Not sure if these are for realsies, but there are some API keys in the webapp
repository:

[https://github.com/wireapp/wire-webapp/blob/master/app/scrip...](https://github.com/wireapp/wire-webapp/blob/master/app/script/location/GeoLocation.coffee#L23)

[https://github.com/wireapp/wire-webapp/blob/master/app/scrip...](https://github.com/wireapp/wire-webapp/blob/master/app/script/tracking/EventTrackingRepository.coffee#L36)

~~~
Siimteller
Thanks, nothing critical but we'll clear this up.

------
mahyarm
Now all this needs is a few good third party audits, verifiable builds and
it's the holy grail of encrypted communications!

~~~
ianopolous
I would say the Holy Grail would be fully decentralized without needing
central servers, but this does look cool nonetheless.

~~~
mrbiber
I am very hopeful that Briar
([https://briarproject.org/](https://briarproject.org/)) will achieve this.
They don't use any centralized infrastructure, the app works even when the net
is down, and they have completely distributed and thus uncensorable forums
and blogs.

~~~
ianopolous
Interesting. Do you know how they handle identity/usernames/contact discovery
without central servers?

~~~
mrbiber
As far as I know, the identity is just a public key. You can add contacts only
by either scanning a qr-code displayed on your contact's phone in person or by
being introduced to each other by a mutual contact, so there is no real need
for discovery. As there are no servers at all (not even federated), this also
means that no one can even enumerate users.

Torsten Grote, one of the project's main developers, explains the technology
behind it in this very nice presentation:
[https://m.youtube.com/watch?v=Dr42vZIoGqM](https://m.youtube.com/watch?v=Dr42vZIoGqM)

~~~
andrewaylett
"No servers" doesn't feel quite right -- no dedicated servers, maybe, but the
project depends on TOR, which has quite a lot of servers. I've not dug into
the source, but I'm expecting each client to be using a TOR hidden service to
allow peer-to-peer connections.

The ability of TOR to allow essentially roaming services like this is a
feature I'm always surprised isn't used more often. And although it's not
something I was ever going to actually get around to, something like Briar has
been on my list of interesting things to try to do for a while -- I'm really
glad someone else has had a similar thought and been able to run with it :).

------
mtgx
I've been asking for three things from Signal for the past almost two years:

1) desktop app

2) video call support

3) self-deleting messages

Signal finally (sort of) delivered a desktop app, but it still doesn't have
the other two. Wire has the first two, but it's still lacking the last one. I
hope one of them will have all three of these features soon.

~~~
walterbell
This HN comment (22 days ago) says Wire has a prototype of ephemeral messages,
but insufficient demand,
[https://news.ycombinator.com/item?id=12014056](https://news.ycombinator.com/item?id=12014056)

This Twitter comment (5 days ago) says Wire is looking into self-destructing
messages,
[https://twitter.com/wire/status/755078974728970240](https://twitter.com/wire/status/755078974728970240)

------
jalami
Side note, but it's kind of strange that images on their site require cookies
enabled to view. I didn't dig into a reason, I just white-list the sites I
want to use cookies and found it odd that there were big white spaces before
doing so.

~~~
Siimteller
Weird, we'll check it out. Thanks for pointing it out.

------
20andup
I wonder what the business model is?

~~~
computator
They might charge for certain premium services in the future, according to
[https://en.wikipedia.org/wiki/Wire_Swiss#Business_model](https://en.wikipedia.org/wiki/Wire_Swiss#Business_model)

~~~
detaro
If I read the TOS correctly, you are also not allowed to write any kind of
chat bot against it. If the current hype for bots remains, bot access might be
another thing to sell.

~~~
laksjd
That might be hard to enforce given that the open source client will make
creating unofficial bots fairly trivial.

Given that they already have Spotify and giphy integration I'm going to
predict Skype-like monetization with sponsored integrations (e.g. Skype has
those sponsored animated emoji things)

------
_bojan
Didn't see that coming. I think Wire is struggling to get new users and this
move could put them on the map.

~~~
Siimteller
We've actually nicely accelerated user growth this year. Going the OS route
was always the plan, especially given the target audience of hacktivists,
human rights organizations, journalists. Open source is table stakes to be
taken seriously. It's also just one of the steps towards more transparency.

~~~
zedred
I tried installing it and only had a single contact show up. And it turns out
that contact had long since uninstalled the app (said it was very unreliable),
but the server was still showing her as registered.

From the app store numbers, it looks like Wire is still not even to a million
monthly active users. For a funded app with a large full time staff and
generous marketing budget, that's a pretty terrible sign several years after
launching. I know that the founders are rich, but why would they continue
funding an app that isn't showing adoption?

~~~
walterbell
One privacy advantage of Wire is that it does not force you to upload your
address book to their server.

~~~
zedred
I didn't see that option, but either way the fact remains that even after
several years, nobody is using the app. As a business with a large full time
staff that needs considerable ongoing capital to continue, the numbers do not
bode well for its future.

Maybe being open source will change that, but I can't see it being a
significant factor for the hundreds of millions of users they need to even
begin to catch up. I think they were betting on end to end encryption to save
them, but their biggest competitor launched better end to end encryption by
default before they could.

~~~
walterbell
Surprisingly, the best feature of Wire has been audio quality.
Security/privacy is a welcome bonus.

~~~
zedred
Is the audio quality good enough to make hundreds of millions of people switch
from WhatsApp? They've been trying for a few years, and it hasn't happened. I
think open sourcing the apps is probably a last gasp, and we're likely to see
Wire shutting down soon. I've also heard they might be looking for a buyer.

~~~
walterbell
That would be a shame. Skype sold (twice!) for billions of dollars, and the
Wire investors should have access to internal growth metrics to justify a
long-term investment. Like every messaging app that relies on network effects,
some growth is inevitable. I've been steadily adding new contacts, each
installing Wire for the first time.

~~~
zedred
I don't know what kind of internal metrics would be telling a different story
than the external metrics visible to us. The app store data alone is pretty
damning, any growth they've had over the past few years is very slow linear
growth. People don't seem to like the app enough to switch.

You're right, they sold Skype twice, so they're not stupid. They're unlikely
to keep throwing money away when the writing on the wall is this clear, and
word on the street is that they're looking for an exit.

------
pedalpete
I don't get how they can make statements like this "Only Wire offers fully
encrypted calls, video and group chats available on all your devices". Webrtc
is encrypted by default.

~~~
laksjd
The other signal/axolotl protocol based systems currently don't support true
multi device solutions. It's not a limitation of the protocol, after all Wire
is based on it, too, just that Signal/WhatsApp decided not to implement it.

Wire has true multi device support (basically multiple keys per identity)

~~~
moxie
Not sure what your definition of "true multi device" is, but Signal Desktop
does not do phone routing and functions whether your mobile device has
connectivity or not: [https://whispersystems.org/blog/signal-desktop-public/](https://whispersystems.org/blog/signal-desktop-public/)

~~~
laksjd
Thanks, I thought it did phone routing, mostly because the Signal FAQ lists
some odd restrictions on multi device usage (e.g. desktop can't be linked to
the iOS app, cannot have iPad and iOS at the same time) [1]

[1]: [http://support.whispersystems.org/hc/en-us/articles/21324092...](http://support.whispersystems.org/hc/en-us/articles/213240927--Can-I-use-multiple-devices-Why-is-my-device-offline-)

~~~
lorenzhs
That's a limitation of the iOS client. It doesn't support multi-device yet.

------
happyslobro
I found a file that is available as either MIT or GPL. Or is it only available
under a union of the terms of both licenses? An intersection? Who knows,
IANAL. [https://github.com/wireapp/wire-webapp/blob/0cf9bf4/aws/main...](https://github.com/wireapp/wire-webapp/blob/0cf9bf4/aws/main.py)

Why do people copy the license all over the place like that?

~~~
belorn
MIT has one condition: _The above copyright notice and this permission notice
shall be included in all copies or substantial portions of the Software._

As the code includes this, the author who distributes the code can thus prove in
court that they are compliant with the wishes of the author/s of the MIT
licensed software.

The added GPL means that copies of this specific version also adds additional
conditions that those distributing this version _also_ need to follow. This
means in practice that they need to follow the GPL license and include the MIT
copyright notice as stated above, in order to follow all the different authors'
wishes. Thankfully, MIT and GPL are compatible, so none of the conditions are
contradicting with each other.

~~~
reubano
IANAL but I thought the compatibility was only one way. I.e., you can use MIT
code in a GPL project but you can't do the reverse. My understanding is if you
use GPL code in an MIT project, you have to make your entire project GPL.

~~~
belorn
Yes and no :). The MIT authors can not sue someone for not following GPL, and
the GPL authors can't sue someone for using the MIT licensed code under MIT.

There is one consideration however. One of the GPL license conditions says
"must license the entire work under GPL", which means that in order to legally
distribute the GPL part, the MIT licensed code will be under both GPL and MIT.
As such the patent grant in GPL will cover the whole project for anyone
distributing the GPL included version, and many interpret this condition as
making the entire project GPL. The exception to that view is that a project
can still continue to license new code as MIT, and a distributor could simply
remove the GPL parts when they want to use it in a MIT and BSD
only/Proprietary/Patent enforcing situations.

While I have not seen many MIT projects do this in regard to GPL add-ons and
patches, it is the standard model for open core MIT projects to do this in
regard to proprietary add-ons. I would thus not call the existence of optional
GPL patches or add-ons as "make your entire project GPL", unless the
additional code is essential to run the program.

------
redthrow
Why does this Android app require a phone number to sign up?

At least Hangouts lets me use the app without a phone number.

~~~
walterbell
You can register with just an email, using a desktop web browser at
[http://app.wire.com](http://app.wire.com), then use that account to login on
mobile. Unclear why it's not possible to register a new email-only account
from the mobile app.

~~~
Siimteller
We had this, was confusing UX. Considering bringing it back.

------
sanjeetsuhag
Can anyone explain to me why they use an UpsideDownTableViewController ?

~~~
philo23
From memory, the easiest way to have the "top" of a table view at the bottom
of the screen (like in Messages, so the latest message bubble appears at the
bottom) is to flip the table view upside down using an affineTransform and
then also flip each cell in the table view upside down as well (so the cell is
the right way up again).

This means you can insert new rows (message bubbles) at index 0 and they'll
appear at the bottom, which makes it considerably easier to add new messages.

------
stemuk
I wonder how they encrypted their chat on the web client. Since the Signal
protocol is kind of the gold standard right now, probably their solution might
in the end be the better one.

~~~
niftich
They use a Rust library [1] they wrote for the Axolotl protocol, which is the
old name for the Signal protocol before it was renamed [2]. They refer to
their implementation as 'Proteus'.

[1] [https://github.com/wireapp/proteus](https://github.com/wireapp/proteus)

[2] [https://whispersystems.org/blog/signal-inside-and-out/](https://whispersystems.org/blog/signal-inside-and-out/)

EDIT: Their webapp is written in Coffeescript, including their cryptography
functions used in said webapp [3].

[3] [https://github.com/wireapp/wire-webapp/search?q=proteus&type...](https://github.com/wireapp/wire-webapp/search?q=proteus&type=Code)

~~~
moxie
Wire does not use Signal Protocol. They used some of our code, but created a
protocol of their own devising that we do not recommend.

We renamed the Axolotl ratchet and Axolotl protocol because there was a lot of
confusion around what it meant to say "Axolotl." Some people who continue to
use the term "Axolotl" do so because they seek to benefit from that confusion.

It is great that Wire has finally open sourced their software. They have been
advertising themselves as open source for the past two years, though, so I
guess they weren't really able to make an announcement about this.

~~~
niftich
That confusion definitely worked on me. This clarifies a lot, thanks!

------
maxpert
Good to see people using Rust in production :)

------
mrmondo
Sorry if I've missed it somewhere but I'm looking for some independent,
transparent reports on its security implementation. I was wondering if anyone
could help me with finding this - or if perhaps they haven't been done I guess
that would answer my question?

------
aleken
Otto is my new best friend. I cannot see any information about a bot API on
their site though...

~~~
Siimteller
There's no bot API available. We've been experimenting with a few internal
bots (Otto is the most prominent) but that's the extent of it for now.

------
iamleppert
I wish they would have preserved the commit history. Future note to those open
sourcing projects:

Preserve the commit history! It's very useful! Even if it takes more effort to
review the history and remove stuff that you're not allowed to show or
whatever.

------
yetii
Android client uses Scala - might be changer for Scala on Android

~~~
premium-concern
Why?

------
arthurk
Is there a way to download the OSX app without the Mac App Store?

~~~
stephenr
Why, because a sandboxed app guaranteed to be from the author you think it's
from is just too good a thing, and you prefer the heady rush of getting
bombarded with MacUpdate spam when you get your apps?

Fine, some developers don't want to use the MAS. Their choice. I don't
understand users not wanting to use it. It's the simplest possible way to
install an app and get automatic updates for those apps.

~~~
y7
What MacUpdate spam?

Not using the Mac App Store gives you more control over your apps. It allows
you to distribute apps to OSX machines without an internet connection, it
allows you to rollback versions or choose not to update, etc.

~~~
stephenr
> What MacUpdate spam?

It took me a year and threats to file complaints with the FTC&FCC to get
unsubscribed from their bullshit emails. That's what spam.

> It allows you to distribute apps to OSX machines without an internet
> connection

This seems like a pretty rare situation these days, but even in that
situation, if those machines can be given internet access _once_ to authorise
them (e.g. via a phone hotspot) you can just copy the .app bundles.

> it allows you to rollback versions or choose not to update

The Mac App store doesn't force you to update either. Admittedly it doesn't
allow rollbacks, but you can always restore from a backup and then choose not
to update. You _do_ have backups right?

------
vasili111
Where is Windows client source code?

~~~
Siimteller
It's all on GuyHub. Our windows client is webapp in Electron wrapper so that's
what you're looking for.

~~~
Siimteller
Darn autocorrect. That's Github, of course.

------
07
Hmm, seems interesting.

