
Encrypted messengers: Riot, not Signal, is the future - Borating
http://www.titus-stahl.de/blog/2016/12/21/encrypted-messengers-why-riot-and-not-signal-is-the-future/
======
tptacek
This topic has been beaten to death on HN over the last year (other people can
provide links to discussions, with Moxie participating).

I think something worth keeping in mind is that almost everyone who works in
secure messaging agrees on one thing: that electronic mail is not the future
of secure communication.

There's no fundamental reason why that should be the case. The store-and-forward
model used by SMTP could be made to work for asynchronous secure group
messaging. You can get forward and future security with it. It can
interoperate with existing email addresses. All of that can be made to work.

But it is the case. Email won't be a secure group communication system. The
reason for that is that email is _federated_ and thus permanently mired in the
lowest common denominator of mainstream email clients.

I think reasonable people can disagree about whether it's tractable to create
a federated secure group messaging system with what we know right now. But I
do not think it's reasonable to suggest that the concern (federation = lowest
common denominator security) is invalid. And that's what this piece does.

~~~
ddevault
"non-federated" and "secure" in the same sentence is a joke. Signal's other
problem is Google Play Services which has absolutely no place in a supposedly
secure system.

~~~
ajamesm
Federation concerns availability, not security. "unplug the ethernet and write
plaintext to /dev/null" is extraordinarily secure and 100% decentralized,
though badly unavailable.

~~~
Forbo
It can also affect security depending on what jurisdiction the servers fall
under. Federation means that while it may be illegal to run the service in,
say, China, it can be run elsewhere without those concerns. This is becoming
more apparent with the widespread use of National Security Letters.

~~~
ajamesm
Sorry, am I missing something? It's my understanding that Signal is ETE
encrypted. All an NSL would get you is ciphertext and metadata.

~~~
Forbo
The scenario I'm imagining is that Google and OWS receive NSLs requiring them
to push a modified APK that could do nefarious things.

~~~
haffenloher
This is a common misconception: NSLs are a legal tool that can be used to
extract certain types of information (such as subscriber information and maybe
a little bit of transactional information) that a service provider already has
stored on their servers [0]. However, they cannot be used to force a service
provider to write and deploy code.

[0] NSLs are not magic -
[https://www.youtube.com/watch?v=YN_qVqgRlx4&t=20m16s](https://www.youtube.com/watch?v=YN_qVqgRlx4&t=20m16s)

~~~
Forbo
He mentions "technical assistance orders" but doesn't really elaborate any
more on them. I'm having a difficult time finding any information on these
orders, does anyone else have information on the capability of these orders?

~~~
Forbo
Replying to my own comment, as I found some more information in a Black Hat
talk regarding technical assistance orders:

[https://youtu.be/PX2RjJAfTYg?t=770](https://youtu.be/PX2RjJAfTYg?t=770)

------
mxuribe
Nothing against Signal, but I sure hope matrix-based platforms and clients
(like riot.im) keep growing. The folks who work on both matrix.org and
riot.im have done so much work in such a short time...not just in developing
the protocol/server/apps...but also in education. They really have helped
people like me to set up our own little home servers (i.e. private
networks)...which ultimately helps the entire federated network. Signal -
while it certainly can be set up/hosted by anyone else separate of OpenWhisper -
leaves something to be desired in the actual self-implementation details; just not
enough tutorials out there. (Or maybe it's just me?)

~~~
widforss
> Signal - while certainly can be setup/hosted by anyone else separate of
> OpenWhisper - leaves some to be desired in the actual self-implementation
> details; just not enough tutorials out there.

That is the problem at hand, that Signal _does_not_federate_. You could modify
your Signal app to connect to your own server, but then you would not be able
to talk to anybody else.

For the record I prefer usability and walled-garden-security instead of
federation, even though it hurts to admit as a long time FOSS user.

~~~
sliken
I think Signal made the right decisions, raising the bar for encryption while
maintaining extreme ease of use. Random Joe can click on it in the app store
and chat with anyone in his address book that runs Signal within a minute or
so, with no expertise whatsoever.

However, I see no reason why a similar p2p app couldn't manage the same without
a central server. The trick is that cell phones (at least on WAN) do not accept
incoming connections. Additionally, Apple/Android push isn't good for a p2p
transport.

However, adding supernodes (like the original Skype) that could run on
Raspberry Pis, open-source routers, and similar embedded devices might just
bridge the gap. After all, the CPU, bandwidth, and memory needs for instant
messaging are pretty modest, even for many people sharing a Raspberry Pi.

~~~
rando444
The idea of supernodes is what got everyone paranoid (with reason) that they
were now able to be spied upon.

------
Perceptes
It should be noted that Riot is just the first Matrix client to support
end-to-end encryption, but there will be more in the future. The thing you want to
bet on is the Matrix protocol, not necessarily Riot. (Although both are a safe
bet since Riot is developed by the same team that built Matrix.)

I'm not part of the Matrix or Riot teams, but I'm convinced enough that Matrix
is a great way forward for modern messaging. I started my own Matrix
homeserver (as well as other Matrix libraries, eventually to include a Matrix
client) written in Rust. If you're interested in Matrix, Rust, or both, I
encourage you to get involved! [https://www.ruma.io/](https://www.ruma.io/)

------
jdp23
Are there any plans to do a security audit on Riot? The useful report by NCC
[1] looks at libolm (which implements the end-to-end encryption) but of course
that's only part of the whole product.

[1] [https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last/](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last/)

~~~
buzzybee
Note that that report explains that the Double Ratchet E2E algorithm is used
in Matrix, in large part because of the Open Whisper Systems implementation in
Signal and subsequent licensing. So we're looking at an apples-to-apples
comparison, at least with respect to this one piece.

~~~
jdp23
Yes, it seems like a good choice of algorithm. And it seems like the
implementation is also decent - they looked at that as well. It's a useful
report and kudos to Open Technology Fund for funding it and to Matrix for
making it public!

Still, this is only one piece of the overall security of Riot, so I'm still
interested in knowing if there's any work going on looking at the bigger
picture.

------
ifelsehow
> The most important concern is that Signal is a silo [...] you have to
> connect to OpenWhisperSystems servers to communicate with other users.

You can run your own private Signal service with OpenWhisperSystems' tools
[1].

It's also worth noting that Signal - as a protocol - could easily be
federated. (As others have mentioned, Moxie has chimed in on why the _app_ is
centralized [2]).

If confederated messaging is important, why not use the existing Signal
protocol implementations, (including the X3DH key exchange, ratcheting
protocol, etc), which is all F/LOSS, and has already been widely reviewed (as
the article mentions)?

[1] [https://github.com/WhisperSystems/libsignal-service-java](https://github.com/WhisperSystems/libsignal-service-java)

[2] [https://whispersystems.org/blog/the-ecosystem-is-moving/](https://whispersystems.org/blog/the-ecosystem-is-moving/)
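
The KDF chain at the heart of the Double Ratchet that both the Olm report discussion above and this comment's "ratcheting protocol" refer to, shown as an added Python example; this is not code from Signal, libsignal, Olm or Matrix. It implements only the symmetric-key ratchet: per-message keys derived by HMAC, out-of-order delivery handled by stashing skipped keys, and deletion of used keys. The DH ratchet and X3DH are omitted, so the shared root key is simply assumed to have come from them, and the cipher is a constructed SHA-256 keystream with an HMAC tag standing in for the AEAD a real client would use.

```python
"""Symmetric-key (KDF chain) ratchet: the per-message part of the Double Ratchet.

Added illustration, not code from Signal, Olm or Matrix. The DH ratchet that
both Signal and Olm layer on top of this chain is omitted; the toy cipher is a
SHA-256 keystream with an HMAC tag, standing in for a real AEAD.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def kdf_ck(chain_key: bytes) -> Tuple[bytes, bytes]:
    """Advance the chain one step and return (next_chain_key, message_key).

    The constants follow the Double Ratchet spec's suggestion of HMAC-SHA256
    with 0x01 for the message key and 0x02 for the next chain key.
    """
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


def _keystream(message_key: bytes, length: int) -> bytes:
    # Toy keystream: SHA-256 in counter mode over the message key (not a real cipher).
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(message_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(message_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with the toy keystream; returns ciphertext || 32-byte tag."""
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(message_key, len(plaintext))))
    tag = hmac.new(message_key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def toy_decrypt(message_key: bytes, blob: bytes) -> bytes:
    ciphertext, tag = blob[:-32], blob[-32:]
    expected = hmac.new(message_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(message_key, len(ciphertext))))


class SendingChain:
    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key
        self.counter = 0

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        # The old chain key is overwritten: a later compromise of this object
        # cannot recover message keys already used (forward secrecy).
        self.chain_key, message_key = kdf_ck(self.chain_key)
        index, self.counter = self.counter, self.counter + 1
        return index, toy_encrypt(message_key, plaintext)


class ReceivingChain:
    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key
        self.counter = 0
        self.skipped: Dict[int, bytes] = {}  # keys for messages not yet delivered

    def decrypt(self, index: int, blob: bytes) -> bytes:
        # Messages may arrive out of order: ratchet forward, stashing the keys
        # for the indices we jump over so those messages can still be read later.
        while self.counter < index:
            self.chain_key, message_key = kdf_ck(self.chain_key)
            self.skipped[self.counter] = message_key
            self.counter += 1
        if index in self.skipped:
            message_key = self.skipped.pop(index)  # deleted once used
        elif index == self.counter:
            self.chain_key, message_key = kdf_ck(self.chain_key)
            self.counter += 1
        else:
            raise ValueError("message key already deleted; replay rejected")
        return toy_decrypt(message_key, blob)


def demo(root_key: Optional[bytes] = None) -> Dict[int, bytes]:
    """Alice sends three messages; Bob receives them in the order 2, 0, 1."""
    root_key = root_key or os.urandom(32)  # assumed output of X3DH / the DH ratchet
    alice, bob = SendingChain(root_key), ReceivingChain(root_key)
    sent = [alice.encrypt(m) for m in (b"hello", b"second", b"third")]
    received = {}
    for index, blob in (sent[2], sent[0], sent[1]):
        received[index] = bob.decrypt(index, blob)
    return received


def replay_is_rejected(root_key: Optional[bytes] = None) -> bool:
    """A message whose key has been deleted cannot be decrypted a second time."""
    root_key = root_key or os.urandom(32)
    alice, bob = SendingChain(root_key), ReceivingChain(root_key)
    index, blob = alice.encrypt(b"once")
    bob.decrypt(index, blob)
    try:
        bob.decrypt(index, blob)
    except ValueError:
        return True
    return False
```

Compromising the current `chain_key` reveals every future message key but none already consumed, which is what forward secrecy means at this layer; recovering security after such a compromise ("future secrecy") needs the DH ratchet that this example leaves out.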

~~~
stonogo
> You can run your own private Signal service

A distinction without a difference. I use Signal because people use Signal.
People do not use 'the Signal service'. They use OWS's app and OWS's servers
and moxie has explained he will not federate.

The fact that OWS goes to all the effort of creating this excellent protocol,
and then insists on only deploying it to insecure devices (with
direct-memory-access baseband radios) baffles me, but I hope that things move in a saner
direction with time.

The biggest benefit I think OWS has provided is the ability for other
platforms (e.g. Whatsapp) to use their protocols. I daydream about a day when
all these competing messaging services realize they would stand to gain a lot
by federating, but I know it won't happen in my lifetime.

~~~
ajamesm
I'm not a fan of opaque baseband firmwares either, don't get me wrong, but
what's the alternative? Not for the DoD, I mean for union organizers making
$50k a year -- people who aren't going to get murdered by Mossad, but still
need to authenticate and encrypt their communication channels. What device
would you recommend?

~~~
voltagex_
Who's the likely threat to union organisers? I suspect a pair-locked iPhone
with Signal or Whatsapp would be more than secure enough.

~~~
ajamesm
The most prominent example would be
[https://en.wikipedia.org/wiki/Jimmy_Hoffa](https://en.wikipedia.org/wiki/Jimmy_Hoffa)

and then the long, storied history of American strike-breaking &c.

~~~
kuschku
Well, either the threat is a private group, then WhatsApp or even Google
Hangouts is secure enough.

Or the threat is a government, then Signal is not secure enough either,
because the US govt can just force Google and OWS to ship modified APKs.

~~~
ajamesm
You're conflating the specific binary instantiation with the general cryptosystem.
Regardless, depending on your threat model, you can take increasingly {
reasonable | paranoid } precautions like manually compiling and loading
Signal, as it's OSS.

edit: "private group" can encompass a lot, especially in other ecosystems like
Google and FB. If said "private group" adversary is, say, a prominent and
wealthy Silicon Valley businessman and enterprising vampire who collaborates
with fascists, then you can see the potential of compromising someone's
security by coercing Google or Facebook engineers to run you a Hadoop query or
conditionally inject malicious JS.

~~~
kuschku
> like manually compiling and loading Signal, as it's OSS.

Except, I’d have to modify the code, as the current version depends on
Google’s proprietary libs, which I can’t inspect. And I lose half of the
functionality, as RedPhone is also proprietary.

> by coercing Google or Facebook engineers to run you a Hadoop query or
> conditionally inject malicious JS.

The same can be done by coercing OWS engineers to backdoor their services.

And in any case, Signal can start collecting metadata any minute now, and
there’s nothing we could do against it.

~~~
temprature
> And I lose half of the functionality, as RedPhone is also proprietary.

The source code for the Redphone client is here:
[https://github.com/WhisperSystems/Signal-Android/tree/master/src/org/thoughtcrime/redphone](https://github.com/WhisperSystems/Signal-Android/tree/master/src/org/thoughtcrime/redphone)

The source code for the redphone-audio library is here:
[https://github.com/WhisperSystems/Signal-Android/tree/master/jni/redphone](https://github.com/WhisperSystems/Signal-Android/tree/master/jni/redphone)

Stop spreading misinformation.

~~~
kuschku
So it finally got opened? Still doesn’t help me, considering that the Firebase
Messaging library compiled into the client is still proprietary.

I can not build Signal from source today.

------
buzzybee
I believe Riot is the future not because of its security (its attention to such
is a great, great bonus) but because it's positioned itself so well as a
credible successor to IRC.

~~~
NoGravitas
And an open replacement for Slack.

~~~
qznc
Yes. I don't see Signal and Matrix in direct competition, just like WhatsApp
and Slack are not in direct competition. The technology is very similar (main
difference seems to be the size of chat rooms), but the use case and marketing
is very different. Signal/WhatsApp is for casual mobile texting, while
Matrix/Slack is for working.

~~~
Perceptes
I think Riot is a better comparison to Slack than Matrix is. Riot is
essentially the Slack experience built on the Matrix protocol, but Matrix can
certainly work just as well for clients that present a
Signal/WhatsApp/iMessage/SMS-style interface.

------
upofadown
After a recent discussion of the issues with XMPP on mobile, some obvious
questions:

1. How well does Riot deal with changing network connections? Does it have
problems when a mobile device switches between, say, WiFi and 4G? How well
does it deal with a complete loss of connectivity?

2. How well does Riot deal with power management on mobile devices? Can it
spend time in the background while getting message alerts while not running
down the battery?

~~~
heavenlyhash
It's really good. I'll vouch for it as someone who has been using the mobile
apps on both platforms, and the web application(s) on the desktop for over a
year now. They're great. Battery isn't a problem; messages NEVER get lost.

I actually came to matrix after trying to write an XMPP client, believe it or
not. The matrix protocol is WAY better equipped for the future than XMPP is:
it simply has the core designs necessary to make it federate _well_ and do
message sync _without losses_. (XMPP doesn't. (Unless you count a half-dozen
XEPs, none of which are reliably implemented in all clients. But we're getting
increasingly parenthetical here; by comparison, matrix Just Works.))

~~~
tacoman
I've been using Vector/Riot using the Android version in F-Droid on Blackberry
10 for 6-9 months, connecting to my own server on my DSL. I haven't noticed a
single issue with battery or lost messages.

------
evolve2k
The permissions Signal asks for do seem excessive (both on iPhone and even
more so on Android).

Can anyone justify why they are necessary?

~~~
stephengillie
Developers who are unfamiliar with the Intents system? That's a common reason
for applications requiring a laundry list of permissions.

[http://stackoverflow.com/questions/6578051/what-is-an-intent-in-android](http://stackoverflow.com/questions/6578051/what-is-an-intent-in-android)

~~~
Forbo
The developers have feature justifications for every permission requested:
[https://support.whispersystems.org/hc/en-us/articles/212535858-What-are-all-these-permissions-](https://support.whispersystems.org/hc/en-us/articles/212535858-What-are-all-these-permissions-)

Edit: Reading your link now, as I didn't see it before I made my comment. Was
that added in as an edit?

~~~
stephengillie
These are the justifications of developers who are unfamiliar with the Intent
system. Were I unaware of Intent, I would make the same design decisions.

~~~
wybiral
I agree. Mostly because they're asking for all of those permissions
prematurely.

What if I never want to share my location, take pictures, or send files?

And then some things, like calendar access, aren't even used right now.

~~~
haffenloher
> What if I never want to share my location, take pictures, or send files?

Don't use these features and / or disable the corresponding permissions.

~~~
wybiral
I get that. I'm just saying that it wouldn't look as bad if they just didn't
ask for the permissions upfront.

If I'm about to take a picture for the first time using it then I'll
understand it asking for camera access.

------
acqq
> Riot is based on the so-called Matrix protocol which is a federated protocol

> In addition, people are writing alternative clients to access the
> Matrix/Riot network, implementing their favorite features and workflows. As
> users can vote with their feet for their own interests and choose providers
> and apps of their liking

Can I run my own network which is not part of other networks (i.e. not
"federated")? Can I tell somebody "call with your Riot client 'acqq at server
ip nnnnnn' and we can talk"?

~~~
NoGravitas
I believe so, yes. If not with the standard homeserver (synapse), then with a
custom homeserver.

~~~
acqq
Note: my question is, with a plain client, downloadable from the app store,
not with some special custom build of the client.

Also, how does PurgingPanda's question fit with your claim?

[https://news.ycombinator.com/item?id=13239925](https://news.ycombinator.com/item?id=13239925)

~~~
NoGravitas
You can connect to any homeserver with the default client; it's not tied to
the default homeserver.

If I understand PurgingPanda's question, the idea is that your domain and your
homeserver are seized, but you have contacts on other homeservers. At this
point, it's just like losing your email server. You lose your existing ID, and
probably your message history, but you can reach your contacts from a new ID
you create someplace else.

------
sliken
Wow, Riot has a ways to go. With Signal you install it from the app store, it
creates an icon, you click on it. Similar for the desktop client: go to the
Chrome app store, click on it, and it tells you to use your phone to scan a
barcode.

In both cases you can start chatting with any Signal user in your address book
in a minute or so, no expertise (other than using an app store) needed.

Tracked down [http://riot.im](http://riot.im); it has a "try now" button
that just scrolls you to the top. Didn't see any way to actually try it.

I tried the Ubuntu app; they make you manually create your own
/etc/apt/sources.list.d entry from only the base URL. Then you have to know how to
add the PGP key. Then apt-get update, apt-get install riot-web. Then...
nothing. Nothing called riot or riot-web in the path. Thought maybe there
would be a daemon running (it's called riot-web after all). Can't find any
processes running, nothing listening on a new socket. I track down
/var/lib/dpkg/info/riot-web.list, look through the list and find they dropped
a dir in /opt. So I run /opt/Riot/riot-web.

It worked, not exactly the kind of thing I'd ask random
friends/family/colleagues to do though.

------
PurgingPanda
Does anyone know if they are planning to add a way to change home server? If
they take your domain (with your Matrix server on it), you have no way of
communicating with other people over Riot anymore.

~~~
uabstraction
There are plans to support 3rd party identification (such as an e-mail address
or a phone number) and use that as a basis for looking up users across the
network, but I don't think it is currently usable. Account migration was
brought up recently in the chat room, but it is not defined anywhere in the
spec or reference implementations AFAIK. I agree that these are both important
features, but I wouldn't worry too much about them unless they are left out of
the 1.0 spec.

In the meantime, it's not like you can migrate your Signal, Telegram,
iMessage, or even Gmail/Hotmail accounts. I think Matrix needs a few more
client/server implementations before the spec can truly be set in stone.

~~~
Arathorn
Email identifiers work fine today, actually. They don't solve the problem of
migrating accounts, but at least they abstract the discovery process away, as
you say.

MSISDN (phone number) identifiers landed on the backend this afternoon;
implementation in the Riot clients will be coming very shortly.

------
hkt
Hear hear. Down with silos.

I just hope matrix ends up working better than xmpp.

------
exstudent2
A question I've had about Signal is what is stopping Apple from modifying and
rebuilding the source with a backdoor in it? Is this technically possible
(seems like it would be since they control distribution of the binary to
devices)? The article is correct in stating that web based chat is inherently
insecure but it seems all iOS apps are also inherently insecure. I'm by no
means an expert though so would love to hear from someone with more knowledge.

EDIT: Thank you for the responses! It pretty much confirms what I thought:
Apple _could_ access your communication (either through keylogging at the OS
level or backdooring Signal), but this solution is better than everyone using
plain-text communication. I personally would not trust Apple with my life if I
needed that level of protection, but maybe that's not the main use case for
Signal.

~~~
cguess
Technically? There's nothing stopping them. For that matter, there's nothing
stopping Google from doing the same. There's also nothing stopping Apple from
patching LLVM so that only patched versions of OpenSSL are ever compiled
against. The question is how paranoid are you and what is your threat model?

We have to trust someone, eventually. This is especially true for the 99% of
the population who doesn't have the skill to compile source themselves (nor
should they have to).

~~~
iagreeentirely
Just in case nobody has gotten to enjoy this gem:

[http://wiki.c2.com/?TheKenThompsonHack](http://wiki.c2.com/?TheKenThompsonHack)

Ken describes how he injected a virus into a compiler. Not only did his
compiler know it was compiling the login function and inject a backdoor, but
it also knew when it was compiling itself and injected the backdoor generator
into the compiler it was creating. The source code for the compiler thereafter
contains no evidence of either virus.

~~~
Sanddancer
Which is why standardization is just as important, if not more so, than
openness in making sure things stay secure. Such an attack is made a lot more
difficult if you have a second toolchain you can use to verify things, and
even more so if you have a third.

------
danjoc
Riot? Can we talk about the edgy names? Think about how different
history might have been if Napster had been named Library of Alexandria.

"According to Galen, any books found on ships that came into port were taken
to the library, and were listed as 'books of the ships'. Official scribes then
copied these writings; the originals were kept in the library, and the copies
delivered to the owners."

[https://en.wikipedia.org/wiki/Library_of_Alexandria](https://en.wikipedia.org/wiki/Library_of_Alexandria)

Sounds like Napster, yes? Think about how much harder it would be for Congress
to pass laws shutting down the digital equivalent to a library sharing the
world's music.

But no. We get names like Riot, and Felony
([https://github.com/henryboldi/felony](https://github.com/henryboldi/felony)).
Congress sends you a "Thank you" every time you put an edgy name on something
disruptive.

------
RodericDay
> If OpenWhisperSystems adopts any policy that goes against users’ interests
> in the future, users cannot switch providers without losing all their
> contacts.

Is this correct? I've never bothered looking it up, but Signal was connecting
me with people in my phone's address-book.

~~~
NoGravitas
It's semi-correct? You don't lose your contacts, as they're still stored in
your phone's address book. But all of your contacts will have to jump ship at
the same time as you, to the same silo. And your old contacts will only still
be usable if the new silo also uses phone numbers as userids.

On Matrix/Riot, userids are federated in the same way as emails. So when you
change providers, your userid changes, but your contacts' stay the same, and
you can still connect with them from your new provider.
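
The user-ID model described in this reply, and in NoGravitas's earlier answer about a seized homeserver, as an added Python example (not code from Matrix, Synapse or Riot). It parses `@localpart:server` IDs following the Matrix spec grammar, where the server name is a hostname, IPv4 literal or bracketed IPv6 literal with an optional port; the localpart character set `[a-z0-9._=-/]` and the 255-byte overall limit are taken from the spec as assumptions. The demo shows that after moving to a new homeserver only your own ID changes, while each contact's ID, and therefore the server you federate with to reach them, stays the same. All IDs in the demo are constructed.

```python
"""Matrix user IDs: parsing, validation, and what a provider change does to them.

Added example, not code from Matrix, Synapse or Riot. Grammar assumed from the
Matrix spec: '@' + localpart + ':' + server name (host with optional port),
localpart limited to [a-z0-9._=-/], whole ID at most 255 bytes.
"""
import re
from typing import List, Optional, Set

_LOCALPART = re.compile(r"[a-z0-9._=\-/]+")
_SERVER = re.compile(
    r"(?P<host>\[[0-9A-Fa-f:.]{2,45}\]"   # bracketed IPv6 literal
    r"|[0-9]{1,3}(?:\.[0-9]{1,3}){3}"     # IPv4 literal
    r"|[0-9A-Za-z.\-]{1,255})"            # DNS hostname
    r"(?::(?P<port>[0-9]{1,5}))?"         # optional port
)


class MatrixUserId:
    def __init__(self, localpart: str, server: str):
        self.localpart = localpart
        self.server = server  # server name, port included when present

    def __str__(self) -> str:
        return f"@{self.localpart}:{self.server}"

    def __eq__(self, other: object) -> bool:
        return isinstance(other, MatrixUserId) and str(self) == str(other)

    def __hash__(self) -> int:
        return hash(str(self))


def parse_user_id(text: str) -> MatrixUserId:
    """Parse and validate a Matrix user ID, raising ValueError on any defect."""
    if len(text.encode("utf-8")) > 255:
        raise ValueError("user ID longer than 255 bytes")
    if not text.startswith("@"):
        raise ValueError("user ID must start with '@'")
    # The localpart cannot contain ':', so the first ':' separates it from the
    # server name even when the server is a bracketed IPv6 literal with a port.
    localpart, sep, server = text[1:].partition(":")
    if not sep:
        raise ValueError("user ID needs ':' before the server name")
    if not _LOCALPART.fullmatch(localpart):
        raise ValueError(f"invalid localpart {localpart!r}")
    match = _SERVER.fullmatch(server)
    if not match:
        raise ValueError(f"invalid server name {server!r}")
    port = match.group("port")
    if port is not None and not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range: {port}")
    return MatrixUserId(localpart, server)


def is_valid_user_id(text: str) -> bool:
    try:
        parse_user_id(text)
        return True
    except ValueError:
        return False


def move_to_new_server(old: MatrixUserId, new_server: str,
                       new_localpart: Optional[str] = None) -> MatrixUserId:
    """Re-register elsewhere after losing a homeserver: same person, new ID."""
    return parse_user_id(f"@{new_localpart or old.localpart}:{new_server}")


def servers_to_federate_with(contacts: List[str]) -> Set[str]:
    """Homeservers your new homeserver must talk to in order to reach your
    contacts. Their IDs are untouched by your move, which is the point above."""
    return {parse_user_id(contact).server for contact in contacts}


def demo():
    # Constructed IDs: a seized home domain, three contacts on other servers.
    me = parse_user_id("@acqq:seized.example")
    contacts = ["@friend:matrix.org", "@colleague:[2001:db8::7]:8448", "@bot:192.0.2.10"]
    new_me = move_to_new_server(me, "newhome.example")
    return str(new_me), servers_to_federate_with(contacts)
```

Because the server name is part of the ID, the loss in the seizure scenario is exactly the localpart's binding to `seized.example`: message history stored there and the old ID are gone, but every contact ID still resolves to a homeserver the new account can federate with, as the reply above describes.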

------
rahrahrah
I have the impression that Signal by now has such a great brand name that mere
technical objections won't affect its growth for a very long time.

~~~
majewsky
I wonder if the name of Riot will be a hindrance for widespread adoption. Most
people don't like riots.

~~~
mundo
I actually just learned today that Riot (the IM app) is not related to Riot
(makers of hugely popular video game League of Legends). I thought the
occasional mentions I was seeing of "Riot chat" meant that LoL's mobile chat
client was gaining traction among people who don't play the game.

------
rahrahrah
The question I would ask is: given the list of capabilities presented in this
post, is there even any difference between Riot and e-mail? Or are you
reinventing the wheel?

~~~
buzzybee
Riot is most comparable to Slack or Discord. It has chat rooms. It supports
voice, image posts, file transfer, etc. It stores conversation history. You
can private message people.

Matrix is a generalized protocol for decentralized and federated
communications; it's agnostic to the application layer provided by Riot.
Something Matrix doesn't have, but is on the issue backlog, is support for
email-esque thread contexts. [0]

[0] [https://github.com/matrix-org/matrix-doc/issues/492](https://github.com/matrix-org/matrix-doc/issues/492)

~~~
NoGravitas
I would love to see an email-like application implemented on top of Matrix.

~~~
Arathorn
we're working on it :>

------
mtgx
I support good alternatives to Signal that also have other goals in mind.
Signal's goal is to become basically as mainstream as Whatsapp is, and to get
there it needs to make a few compromises for usability's sake.

Whatsapp has already backtracked on some major privacy promises, and who's to
say it won't backtrack on the end-to-end encryption support eventually, after
everyone is baited and switched to it? Or worse, it could start to decrypt E2E
communications in secret for governments.

So we need a "mainstream" alternative that's actually trustworthy and can at
least protect the security of the communications, if not the relationships
between users.

However, I support applications that aim to offer even better privacy and
security compared to Signal, that are aimed at more opsec-sensitive targets,
such as journalists. Signal may be the best tool journalists have right now,
but it's probably not the best one they could have, as it doesn't do a great
job at protecting sources. Perhaps Ricochet or the Tor Messenger may be better
for that.

What I'm worried about, though, is that even if these apps offer better
security/privacy features, the various federated applications that use an E2EE
protocol may not have too much of a security mindset. For instance, sure, Riot
may adopt a better protocol, but is Riot itself using all modern security best
practices? Can we trust the Riot developers just as much as we do the OWS
developers? Etc.

Finally, I'd much rather see Signal become a P2P application than a federated
one, if that would even be possible.

~~~
sliken
The trick to p2p is that generally you have to accept incoming connections for it
to work. In Signal's case, that's the Signal servers.

Originally Skype did this: Skype users with a good network connection, good
uptime, and who accepted incoming connections could promote themselves to
a supernode. This allowed async messaging for others and helped introduce peers
who couldn't talk directly because of IP masquerading/NAT etc.

So it's possible that Signal could write a small application that could be a
supernode. Ideally it could run on a Raspberry Pi, plug computer, or even any
of the numerous open-source routers. That way your battery-sensitive phone
wouldn't get run down by participating in a DHT or similar, but your Raspberry
Pi could act like your inbox and facilitate incoming and outgoing messages.

