

RedPhone is now Open Source - dpeck
http://www.whispersys.com/redphone-now-open-source.html

======
rdtsc
Prepare to be harassed by governments (including US) for releasing this. As
soon as some activist uses this they will come after you. As soon as a
criminal uses it, they will have a smear campaign ready to denounce this
effort as 'aiding terrorist' or 'child abusers'.

See what they did and do with Jacob Appelbaum.

~~~
epoxyhockey
It appears that moxie has already been heavily harassed by the US gov for
unknown reasons, prior to this software release. So, I'm not really sure he
will be that concerned with your warning.

While Tor and RedPhone might be considered to be in the same class of consumer
security software, I don't think it's fair to draw comparisons to Appelbaum.

------
tjohns
I'm curious... how does this app handle secure key exchange?

There don't seem to be any details on the app's website.

~~~
EthanHeilman
RedPhone uses a really interesting system. The first time you initiate a call
with someone, RedPhone displays a word that is based on the keys exchanged.
Each user talks about the word and confirms they got the same word, thereby
verifying that there is no man in the middle.

The assumption is that it is hard for an attacker to forge and inject a
believable conversation into an ongoing real time conversation.

This is called SAS or Short Authenticated Strings and I believe it was
introduced in the paper 'Secure Communications over Insecure Channels Based on
Short Authenticated Strings' (the pdf can be found off of Google). You can
read about it here: <http://en.wikipedia.org/wiki/ZRTP#Authentication>

~~~
EthanHeilman
Source code for how the words are generated can be found here.
[https://github.com/WhisperSystems/RedPhone/blob/master/src/o...](https://github.com/WhisperSystems/RedPhone/blob/master/src/org/thoughtcrime/redphone/crypto/zrtp/SASCalculator.java)
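
The SAS comparison EthanHeilman describes above, as an added Python sketch (not part of the thread and not RedPhone's SASCalculator code): both ends hash the key-exchange result into a few words, and a relay that substitutes its own key makes the words differ. The toy Diffie-Hellman group, the word list and the function names are assumptions made for the example.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group for illustration only (assumption, not RedPhone's
# parameters): the prime 2**255 - 19 with generator 2.
P = 2**255 - 19
G = 2

# Constructed 16-word list; each word encodes 4 bits of the SAS.
WORDS = ["apple", "brick", "cedar", "delta", "ember", "flint", "grape", "hazel",
         "ivory", "jade", "kite", "lemon", "maple", "north", "olive", "pearl"]


def keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def sas(my_priv, their_pub, initiator_pub, responder_pub):
    """Derive a 16-bit SAS from the shared secret and both public keys."""
    shared = pow(their_pub, my_priv, P)
    h = hashlib.sha256()
    for value in (shared, initiator_pub, responder_pub):
        h.update(value.to_bytes(32, "big"))
    bits = int.from_bytes(h.digest()[:2], "big")
    return " ".join(WORDS[(bits >> shift) & 0xF] for shift in (12, 8, 4, 0))


def call(mitm=False):
    """Run one call setup; return the SAS each endpoint displays."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if mitm:
        # A relay-position attacker substitutes its own key in each direction.
        m_priv, m_pub = keypair()
        seen_by_a, seen_by_b = m_pub, m_pub
    else:
        seen_by_a, seen_by_b = b_pub, a_pub
    # Each endpoint hashes the keys it actually saw on the wire.
    alice = sas(a_priv, seen_by_a, a_pub, seen_by_a)
    bob = sas(b_priv, seen_by_b, seen_by_b, b_pub)
    return alice, bob
```

A 16-bit SAS only holds up if the attacker cannot retry key choices until the words match; ZRTP adds a hash commitment to the exchange for that, which this sketch omits.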

------
jff
The comments on the Play Store page are just precious. The best one is this
"Dave - 1 star - You people are retards. You can not place an end to end fone
[sic] call with this. It will go through towers enabling anybody on the right
frequency to hear"

~~~
moxie
Maybe you and I just haven't found the right frequency yet. =)

------
oldgregg
Encryption and anonymity is going to be THE issue of the next 20 years.

~~~
mtgx
As money is becoming completely digital and completely tracked, digital
anonymous money will also be on the rise, be that Bitcoin or something else.

------
zentrus
This looks to be just the client. Even though it is an "end-to-end" solution,
you still need a RedPhone server. Am I wrong here?

~~~
epoxyhockey
From browsing the source and referencing the architecture section of the wiki
([https://github.com/WhisperSystems/RedPhone/wiki/Architecture...](https://github.com/WhisperSystems/RedPhone/wiki/Architecture-Overview)),
there is a RedPhone master server (master.whispersystems.org:31337) and a
relay server (relay.whispersystems.org:31337) that the phone will use during
the course of all phone calls.

Apparently, most cell phone network providers disallow direct peer-to-peer
communication, thus the relay server is necessary to complete this kind of
encrypted call. All of your encrypted voice data will pass through the relay
server, so there isn't going to be much privacy in terms of _who_ you are
talking to at what times, but the contents of your voice call won't be
revealed.

~~~
justincormack
Most phone networks are behind NAT too, so you need something to relay
through.

------
durin42
I tried installing the existing binary from the market, but I'm not seeing it.
Has anyone else been able to play with RedPhone?

~~~
moxie
I submitted the OSS build to the "Play Store" about 30 minutes ago, but it's
still not visible. Seems like a caching bug in Google's stuff.

~~~
pasbesoin
Although it bends HN etiquette, I want to go beyond just an upvote to say
"thank you very much" for this.

