
The New TextSecure: Privacy Beyond SMS - dmix
https://whispersystems.org/blog/the-new-textsecure/
======
tptacek
Would kill for the desktop version of this. This team is the gold standard of
cryptographically secured messaging; what Colin Percival's Tarsnap is for
backup, Whisper is for communications.

Congrats on the new release.

~~~
dmix
Telegram got 6+ million downloads in the first week:
[https://twitter.com/telegram/status/437743435395514368](https://twitter.com/telegram/status/437743435395514368)

While TextSecure still only has 100k+ installs on Android:
[https://play.google.com/store/apps/details?id=org.thoughtcri...](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms&hl=en)

Despite Telegram's known crypto failures:
[http://www.reddit.com/r/Android/comments/1yrv46/after_gettin...](http://www.reddit.com/r/Android/comments/1yrv46/after_getting_18_million_new_users_in_just_one/cfn9wro)

Hopefully iOS and Desktop clients help TextSecure take off and beat out the
weak crypto apps. Multi-platform is critical these days for messaging apps.

~~~
eps
Apples to oranges.

Telegram's been around close to a year or so now. They are an established
mainstream app and they look like an obvious "WhatsApp replacement" if one is
looking for one. Far fewer people are looking for a secure IM app _per se_ ,
so your numbers aren't really that surprising. Regrettably, unwashed gray
masses don't give a flying f#ck about _quality_ of the crypto, so TS doing
crypto _better_ is not a tangible conversion benefit.

~~~
rjzzleep
i actually think the sign up process of textsecure is more obvious than
telegram's.

but i found that use it to transparently send sms when needed super confusing
to people.

people don't want to use sms. if they did they would just use that instead.

in cyanogenmod it's even more confusing. cyanogenmod integrated it to their
base system, but you have no way of knowing if the text message you just sent
is really encrypted or not (unless the other party tells you since he's
running textsecure), i'm guessing/hoping that'll improve though

------
rdl
This is probably the most optimistic thing in security in the past year. Thank
you!

It's still tricky to get security due to the platforms on which software runs,
but now users can make reasonable choices about which platforms to trust, and
by not tying your messaging application to hardware with a black-box baseband,
users actually have a decent chance.

Hopefully there will be more progress on baseband-less mobile devices and
reasonable networks for those users.

------
apayan
Will there eventually be support for using your email address as your
identifier instead of a telephone number?

In a world of IP connected devices, the need to tether your self to the
telecom cartel for an identifier is outdated. It would be ideal if future
versions of TextSecure let you log in with just your email and then you could
run the app on your tablet, desktop or any other devices without a SIM.

~~~
ape4
Is there a country code for the internet?

~~~
ultramancool
Just put 0s till you fill the text box, they'll know what you mean.

------
petsounds
Whisper Systems' headquarters is located in San Francisco, according to
[http://en.wikipedia.org/wiki/Whisper_Systems](http://en.wikipedia.org/wiki/Whisper_Systems)

Doesn't that make them susceptible to a search warrant forcing them to give up
the private keys (or equivalent) to TextSecure, ala Lavabit?

~~~
sigil
Yes it would make them susceptible...if, like Lavabit, they actually held
private keys that secured your communications. They don't.

While I have the utmost admiration for Levison's stand, the fact that Lavabit
held centralized private keys for its users was a very bad technical and
security decision. Moxie has more about this here [1].

Now some may be wondering, what's to stop Whisper Systems from backdooring
TextSecure by court order? In a word, this: [2]. The TextSecure client is open
source. Not only can the community scan the source for something suspicious,
but we can build and verify the binaries ourselves.

[1] [http://www.thoughtcrime.org/blog/lavabit-critique/](http://www.thoughtcrime.org/blog/lavabit-critique/)

[2]
[https://github.com/WhisperSystems/TextSecure/](https://github.com/WhisperSystems/TextSecure/)

~~~
georgemcbay
The fact that the app is open source is nice, but realistically speaking very
few users will build their own copy from source over just downloading an
existing binary from Google Play or the Apple App Store. Nothing (but garden
variety trust in the source of the binaries) is stopping a situation where
there is a clean open source version and then a version with a backdoor built
into binaries submitted to the app stores.

And even if you are one of those paranoid users who builds from source, a
backdoored central build could still impact you personally unless you're sure
everyone you are messaging has also built their own from clean source.

Personally I wouldn't worry too much about this scenario playing out, but I
don't see that the client being OSS really buys you much safety practically
speaking.

~~~
rtfeldman
This is true, but at least it lets a small group of people do the verification
work and post in a public place if the publicly distributed binary stops
matching up with the one built from source.

~~~
georgemcbay
Yeah, but you have to trust that someone (who is really independent and not in
on the backdoor) is actually doing that. Also, the fact that all binaries
distributed through mobile stores have to be signed with a private key makes
this a more difficult proposition with mobile software than it is with desktop
software. (Unlike desktop EXEs you can't just hash the resulting binaries).

I suppose you could pull apart the container format (apk or ipa) and compare
the .class files (Assuming Java, I haven't looked at this software so I don't
know if it is standard Android or a lot of NDK stuff) or ObjC object files one
by one to look for discrepancies versus a local build using the same tools...
hopefully someone volunteers to do that and keeps doing it again on each new
release.
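
The comparison described in the comment above, as an added example that is not part of the thread or of the TextSecure project: it hashes the uncompressed contents of each APK entry and skips the JAR-signing files under META-INF/, which differ with the signing key. The sample APKs are constructed in memory, and all function names are this example's own.

```python
import hashlib
import io
import zipfile

# JAR-signing (v1) files inside an APK. They depend on the signing key, so a
# store build and a local build differ here even when the code is identical.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")


def is_signature_entry(name):
    upper = name.upper()
    if not upper.startswith("META-INF/"):
        return False
    return upper == "META-INF/MANIFEST.MF" or upper.endswith(SIGNATURE_SUFFIXES)


def entry_digests(apk_bytes):
    """Map each non-signature entry name to the SHA-256 of its uncompressed data."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            if info.filename in digests:
                # Two entries with one name are ambiguous: refuse to compare.
                raise ValueError("duplicate entry: " + info.filename)
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(store_apk, local_apk):
    """Report entries that are missing on one side or whose content differs."""
    a, b = entry_digests(store_apk), entry_digests(local_apk)
    return {
        "only_in_store": sorted(set(a) - set(b)),
        "only_in_local": sorted(set(b) - set(a)),
        "content_differs": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }


def builds_match(report):
    return not any(report.values())


def make_sample_apk(files, signer, compression):
    """Build a constructed stand-in for an APK: payload files plus fake signature files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        zf.writestr("META-INF/CERT.SF", b"signature file from " + signer)
        zf.writestr("META-INF/CERT.RSA", b"pkcs7 block from " + signer)
    return buf.getvalue()


# Constructed sample data (not real application contents).
CLEAN = {
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00 constructed bytecode",
    "res/raw/notice.txt": b"constructed resource",
}
# Same payload, different signer and compression: the whole-file bytes differ.
STORE_OK = make_sample_apk(CLEAN, b"store key", zipfile.ZIP_DEFLATED)
LOCAL = make_sample_apk(CLEAN, b"local key", zipfile.ZIP_STORED)
# A store build whose code differs from source and which ships an extra library.
TAMPERED = make_sample_apk(
    {**CLEAN, "classes.dex": CLEAN["classes.dex"] + b" extra",
     "lib/armeabi/libextra.so": b"\x7fELF constructed"},
    b"store key", zipfile.ZIP_DEFLATED)

if __name__ == "__main__":
    print("whole files identical:", STORE_OK == LOCAL)
    print("clean store build:", compare_apks(STORE_OK, LOCAL))
    print("tampered store build:", compare_apks(TAMPERED, LOCAL))
```

A match here only means the payload entries are byte-identical; it requires a reproducible build with the same toolchain, and any entry reported as differing still has to be inspected by hand.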

~~~
bri3d
The Whisper Systems people and the community are already discussing this
issue, at least for the released Android app:

[https://github.com/WhisperSystems/TextSecure/issues/127](https://github.com/WhisperSystems/TextSecure/issues/127)

For iOS I believe that decrypting the binary and doing an objdump, then
comparing the resulting assembly is a reasonable approach to ensuring that two
builds do the same thing. Comparing objdump results won't protect against
particularly insidious backdoors like those injected through data resources or
binary headers, but in tandem with a source audit should give a fairly
respectable degree of assurance.

This process would be quite easy to automate.

~~~
lawnchair_larry
> _For iOS I believe that decrypting the binary and doing an objdump, then
> comparing the resulting assembly is a reasonable approach to ensuring that
> two builds do the same thing._

Not a chance.

And if someone is doing this, we are well past "particularly insidious".

------
ig1
I think their choice of GPL3 is a mistake; it's premised on the idea that
people will only ever use one app to communicate and it'll be their app.

In reality that's never going to happen; people are always going to use
multiple apps to communicate whether it's via photo sharing apps, games or
something else.

We need a secure messaging infrastructure that transcends single apps - and
that means it needs to be under a licence that can be integrated with both
open source and closed source applications.

It's not just a case of integrating with consumer apps but also business apps.
You want your secure messaging system to be able to connect to every CRM,
help-desk, shopping etc. system and again that requires a more liberal licence
than GPL3.

(Also it's not clear that you can legally distribute a GPL3 app on iOS)

~~~
clarkevans
I think GPLv3 is perfect in this scenario. There's no reason why you can't
integrate it with a proprietary application or distribute it on iOS -- just
purchase a proprietary license exception from the authors.

~~~
ig1
They don't seem to have copyright assignment from third party contributors so
they wouldn't have the legal ability to do that.

~~~
skrebbel
Whoa, that's a big big problem, then.

------
higherpurpose
Moxie, it's probably pointless to do it now, but right before or soon after
Whisper is finished, you need to set-up some crowdsourcing of language
localization for Whisper. Doesn't have to be anything complicated. Just
arrange all the text nicely in a txt file and let people download it and then
upload the file for a certain language.

I think localization could give a great boost to Whisper in countries where
English isn't the native language or that well known, and it doesn't cost you
much to do this. But as I said, it's probably best to just wait until Whisper
is finished, if it's coming out this year.

~~~
moxie
We agree that localization is super important. TextSecure is localized into 30
languages already. We use Transifex to crowdsource it:
[https://www.transifex.com/projects/p/textsecure-official/](https://www.transifex.com/projects/p/textsecure-official/)

------
darklajid
Okay, it seems the server is open source? And the protocol supports
federation? Could I just run my own server and it will just work™ with users
on a different server?

Are you basically presenting me with an option next to xmpp/otr?

~~~
xnyhps
When I looked at it (which is already a couple of months ago), federation
wasn't “just works™”. A new server needed to be explicitly permitted into the
federated network by WhisperSystems. Every server has a full copy of the list
of clients and on which server they are and servers trust other servers
completely when they claim “we serve the user with phone number 555-123456”.

~~~
sschueller
I would think it should be possible to make a decentralized back-end where
servers don't need to be trusted.

~~~
xnyhps
Not if you want it to be “SMS based”, by which I mean: use phone numbers as
identifiers. A server can’t easily prove to another that it serves the user
with a specific phone number. There’s no cryptographic proof possible, there’s
no hostname part like in email. You can verify by sending a text message, but
that gets expensive if you need to do it often.

This is trying to combine 3 points on Zooko's Triangle [1]: You want human-
meaningful names (which phone numbers are, because they map to existing
things), so you have to make a trade-off between decentralization and
security. WhisperSystems opted for security for some reduced decentralization.
For something that’s aiming to replace text messaging, I can’t really blame
them for that choice.

[1] =
[https://en.wikipedia.org/wiki/Zooko%27s_triangle](https://en.wikipedia.org/wiki/Zooko%27s_triangle)

~~~
nly
It's a shame there isn't a standard means to associate keypairs with existing
phone numbers in a way that doesn't involve establishing _new_ trust. A
<your_phone_number_here>.yourcarrier.com DNSSEC secured subdomain provided by
your existing carrier that can be coupled with BrowserID perhaps. All you need
is a cryptographic tie-in, right?

~~~
xnyhps
Getting carriers on board to make a texting replacement? Well, you can dream.
;)

------
jevinskie
I'm very excited to see this for iOS! I never really trusted iMessages but the
most painful part of iMessages is the vendor lock-in. Now I don't have to
worry about the type of device that my friends use.

------
acabal
On my wishlist is some kind of basic Google Voice number integration. Since
messages are encrypted then clearly we can't use the GV web interface, which
is fine, since what interests me is the "one phone number" feature of GV. I've
given out my GV phone number to everyone and they get confused when they get
SMSs from my actual SIM number. But besides that, excellent work as always!

Edit: after browsing some feature requests on their Github repo it looks like
GV makes it difficult/impossible to do this. Too bad.

~~~
harshreality
I thought I read that CyanogenMod had middleware that enabled SMS apps to use
GV number/service, as well as native SMS. Found it [1] (support began in
nightly CM 10.2 builds in early December).

[1] [http://www.cyanogenmod.org/blog/whisperpush-secure-messaging...](http://www.cyanogenmod.org/blog/whisperpush-secure-messaging-integration)

~~~
Neff
The CM/GV integration is most likely going away. There was a recent post on
G+[1] that called out May 15th as the end of unauthorized use of Google Voice

> - Finally, we want to make Google Voice as secure as possible. There are a
> few third-party applications that provide calling and SMS services by making
> unauthorized use of Google Voice. These apps violate our Terms of Service
> and pose a threat to your security, so we’re notifying these app developers
> that they must stop making unauthorized use of Google Voice to run their
> services and transition users by May 15, 2014.

[1]:[https://plus.google.com/u/0/+NikhylSinghal/posts/MjyncJEbzxK](https://plus.google.com/u/0/+NikhylSinghal/posts/MjyncJEbzxK)

------
mike-cardwell
My only concern about this is the lock-in. Has that been considered? What
happens when I decide to stop using TextSecure? Will I need to tell everyone
to delete a key from their phone or something, so messages don't come through
garbled? Will they not come through at all, because they'll attempt to use the
data channel and my phone won't bother even attempting to pick them up anymore?

What if I lose my phone and get my provider to send me a replacement? I guess
I won't be able to read the incoming texts anymore? If some auto-negotiation
takes place to change my key, then isn't that exposing a trivial MITM? Would I
be alerted of such a key change?

~~~
mayneack
I had this happen to me - where someone I was messaging stopped using it
without telling me. One message came through as garbled, but then there's an
easy way to "end secure session" and new messages go through in plaintext. For
switching between textsecure phones, I just re-initiated a key exchange. This
was months ago, so it may have changed

------
iamsalman
A few things we should be looking very critically in secure messaging apps
are:

1. How are keys generated? PseudoRandomGenerator() used? What sort? This is
one of the key break-in areas into a crypto framework.

2. Software based crypto used? It's prone to channel attacks where another
app may be inspecting the memory.

3. How are keys shared?

4. How are keys stored?

"Security" would just be illusion, a flawed insurance policy if these aspects
are not properly catered for. There's a reason why hardware crypto exists.

The weakest link in any security system is the "key". Does not matter how
strong the crypto algorithm is as long as key management is not rock solid.

------
firloop
Even as an Android user, I'm anticipating the iPhone release as the idea of a
cross-platform iMessage replacement (seamless SMS/IM) that's also secure and
open source is _very_ exciting to me.

------
dublinben
I'd really like to try their new app, but they only distribute it through
Google Play. That excludes an awful lot of their potential users, especially
those who most care about privacy.

~~~
aw3c2
See
[https://github.com/WhisperSystems/TextSecure/issues/127](https://github.com/WhisperSystems/TextSecure/issues/127)
for a detailed discussion why.

You can build it yourself.

~~~
dublinben
Telling users without Google Play to "just build it yourself" is arrogant and
unacceptable. I find Moxie's response to this criticism arrogant and
condescending. This is a major reason why I'm not using TextSecure, even
though I would like to be.

~~~
lern_too_spel
He gave sound reasons why building it yourself is currently the only secure
distribution method outside the Play Store.

I didn't find his tone to be arrogant at all. You're conflating arrogance with
correctness, and though many people on the internet use both simultaneously,
they are two separate things.

------
13throwaway
Who is paying for the servers this runs on?

~~~
aet
NSA/CIA/etc..

~~~
ZoFreX
Like all sensible crypto systems it doesn't matter if the server is
compromised, encryption is done client-side. The project is open-source, so
you can verify this for yourself.

~~~
aet
Bad joke, consider it withdrawn.

------
zx2c4
I'd like to see OTR implement some of the groupchat enhancements of this, or
at least see a TextSecure implementation for the desktop.

~~~
moxie
We are also interested in a TextSecure implementation for the desktop!

Right now the protocol includes multi-device support, so the foundation is
there for developing desktop and tablet apps that work seamlessly in
conjunction with your phone. Our first desktop implementation is likely going
to be a browser extension, feel free to jump in and get involved with that if
you'd like.

~~~
neumann
How does multi-device implementation work (for the layman)?

Are the messages only delivered to the 'logged in' clients? So if I am logged
in on the desktop my message exchanges are also sent to the phone client? But
any messages I send/receive from my phone while logged out of my desktop are
synced through the server on login?

------
xmr
Why will anyone trust something based/developed in the USA related to
security? It's a compromised jurisdiction. For anyone creating security
products who wants to be credible will need to be based somewhere that
respects privacy.

~~~
jlund
Every single US citizen is complicit? Man, I would hate to be this jaded. Some
of us are fighting against mass surveillance as hard as we possibly can.

This is as silly as saying that all of the people who live in North Korea are
brutal dictators.

~~~
icebraining
That's not what xmr claimed; what was said is that the US is a compromised
jurisdiction, and of course everyone developing something in the US is subject
to that jurisdiction.

It was never implied in xmr's post that every US citizen supports mass
surveillance, only that they may be legally forced to participate in it.

------
ilitirit
I belong to a WhatsApp group for common interests. I was about to recommend to
everyone to switch over to TextSecure, but then I realized not everyone has an
Android. This app would really benefit from a J2ME version like WhatsApp IMO.

------
petermonsson
Did they solve the private contact discovery problem and if yes, how did it
go? It sounded really interesting.

------
scott_karana
Way more appealing because of dumping SMS. :)

Also a beautiful UI, and I can't wait for the iOS versions.

Good work, Whisper Systems!

------
orblivion
Could somebody explain why it was tied to SMS in the first place? And given
that, why it's trying to undo its connection to SMS?

Separately, what's the difference between this and OTR? Is it just trying to
just be a better OTR (and I support this endeavor, competing OTR connections
over one chat channel creates a hassle). And as such, why is it only on
Android, you could just as well write a Pidgin plugin right?

~~~
higherpurpose
This article should explain why it's better than OTR:

[https://whispersystems.org/blog/advanced-ratcheting/](https://whispersystems.org/blog/advanced-ratcheting/)

------
zoowar
The TextSecure server is AGPL. Take that Telegram!

~~~
darklajid
That very well might be the case, but you cannot host it yourself it seems (as
stated elsewhere in this thread, federation really isn't supported).

So you have to hope that the server you're talking to hosts the code that
you're looking at.

Do I think Moxie etc are evil? Not necessarily. But the open source server
doesn't help _me_ one bit here, unfortunately.

~~~
ZoFreX
> So you have to hope that the server you're talking to hosts the code that
> you're looking at.

What could a malicious server do?

------
Raphael
Great inspiration from Google Hangouts on integration of SMS and non-SMS,
visual design, and even the icon. Exciting release!

~~~
mkesper
Hangout eating SMS was really nasty. And trivial to enable, too. :(

------
mseri
How does it compare with Telegram
([https://telegram.org](https://telegram.org))?

------
trurl42
I have been able to compile it myself, so I could install it on my tablet.

You can register an Account using any phone number. Just wait until the SMS
verification fails, you then have the option to request an automated call, and
get a verification code that way.

So far it seems like it's working.

------
jokull
As far as I can tell Telegram doesn’t have end-to-end encrypted group chat.
This looks really good!

------
herbig
I installed this and the calling app Redphone. Installation and integration
was quick and seamless, they simply replace the default text/calling
applications and have a much better design anyway.

I'm wondering, why NOT use this over the default applications?

------
virtualritz
As soon as the iOS version is out, everyone in this forum should advertise and
really /push/ this to all their friends via FB, twitter, PM -- whatever.

Or just by plain asking them to install it, next time you bump into them in
meatspace.

Even better: throw a crypto party.

~~~
runiq
For those of us with a high number of Android users in their circle, we should
probably try to advertise sooner, so we can (potentially) make use of the
inertia.

~~~
danieldk
Or since most people who did switch after the WhatsApp announcement already
switched to Telegram or Threema and are not very likely to switch again, push
these vendors to improve (Telegram) or open (Threema) their architectures.

------
huhtenberg
> Does the padlock mean our messages are already encrypted?

If so, why is the padlock open? :)

~~~
forgottenpass
The chat is referring to the padlock icons on messages, which are closed.

The open padlock in the notification bar means that your passphrase is
currently cached and anyone that picks up your phone can read your text secure
messages. How frequently your passphrase gets flushed and must be re-entered
is a user setting.

~~~
nacs
There's some irony in your mentioning having to reenter passphrases and your
username being "forgottenpass" :)

------
junto
Based on the old adage that 'if you aren't paying for it, you're the product',
where do I find the pricing model for TextSecure?

Are there plans to charge? If so, how much and when? If not, why is it free?

------
jagermo
Damn. I wish this was native on the blackberry. I could emulate it, but SMS
support wouldn't work - and I am not sure if emulating a secure system really
is the way to go.

~~~
deft
Totally, really wish BlackBerry could have an app like this. At least the new
iMessage like part would be possible.

~~~
frrp
I am going to test it on BlackBerry 10 anyway. Should make at least a good
WhatsApp replacement.

------
rdl
The biggest weakness of this kind of app is it still exposes lots of
interesting data for traffic analysis. It's a huge improvement over what we
have today, but I'd really like something where you can't see who is talking
with whom (when, how frequently, etc.), as well as can't read the content.

Unfortunately doing this with mobile is _really_ hard, due to bandwidth and
power. agl's Pond is probably the best effort in the space so far.

~~~
r0muald
> exposes lots of interesting data

[[citation needed]]

Is there an in-depth analysis of what data is exposed with the current
protocol?

------
tete
This is extremely cool. Once there is a desktop version, Pidgin or Web I won't
stop until everyone switched over. :)

------
angelohuang
Multi-platform support is top priority for any messenger app today. This is my
personal experience from working on an enterprise messenger recently.
[http://peer.im](http://peer.im)

~~~
cylinder
This looks exciting. When can I try it?

~~~
angelohuang
Let me know your @ address. I will send an invite to you after our new UI is
online (~1 or 2 weeks).

~~~
cylinder
Signed up for an invite on your site; looking forward to it.

------
acqq
Where can I read how they do that? Some protocol explanation please!

~~~
higherpurpose
There are some links in the article. Granted you could've easily missed them
since the color is some washed out grey. Moxie should consider making the
links a more visible color.

~~~
acqq
Thanks. Now I tried to follow the links and I still don't understand how they
managed to achieve that "The new TextSecure protocol doesn't require a round
trip key exchange process."

I'd still like to know how actually their solution protects from MITM.

~~~
jlund
You can read about the key exchange here. "Prekeys" are an extremely clever
idea: [https://whispersystems.org/blog/asynchronous-security/](https://whispersystems.org/blog/asynchronous-security/)

Fingerprint verification protects against MITM attacks. The application
provides a nice interface where two users can scan a QR code to easily compare
fingerprints. A hexadecimal fingerprint is also readily accessible.

~~~
acqq
It looks like the prekeys are stored on a server. How is the existence of the
prekeys on the server (which can be compromised) not an issue?

~~~
robryk
Prekeys are prerecorded responses to connection initiation: in the alternative
world with no prekeys this is what you'd get when you've opened a connection.

------
classicsnoot
Buckle up for a n00b query: is this going to be pushed as an update, or do i
need to un-install/re-install?

~~~
aw3c2
It's a simple update.

------
gcv
Will the iOS version require a jailbreak? Not sure how it can seamlessly
handle plain SMS/MMS otherwise.

------
hepek
This update broke my working TextSecure this morning. Couldn't access my
messages. Had to reinstall. :(

------
miclill
Thank you for your hard work on this! --- The sms fallback option is greyed
out for me. Any clues why?

~~~
ThatGeoGuy
This would be because the app is your default messaging app (Android 4.4+). If
you want to remove SMS fallback, you need to set another app to act as your
default SMS app.

There is actually an issue on github open about this:
[https://github.com/WhisperSystems/TextSecure/issues/639](https://github.com/WhisperSystems/TextSecure/issues/639)

------
rnovak
Are pull requests encouraged/looked at? Wouldn't mind contributing to such a
worthy cause

~~~
higherpurpose
Yes. Read the bottom of the article.

------
codelucas
I am confused, why is there so much talk about WhatsApp replacements recently?

~~~
Raphael
It's appealing to some to have messaging that doesn't funnel into a major data
harvester. Facebook just acquired WhatsApp.

~~~
tabel
Whisper systems is owned by Twitter. I'm not sure how its privacy record
compares to that of Facebook.

~~~
ThatGeoGuy
In this case TextSecure has end-to-end encryption, and supposedly even hides
metadata when using the push service (which is hosted on Google Push
Framework). Feel free to check the source yourself, or take Moxie's word on
it, but I think their "track record" is a bit cleaner overall, regardless of
the acquisition of WhisperSystems by Twitter.

------
aaronmarks
Very excited for the iOS version! Will install immediately

------
MWil
Doesn't work with Google Voice :(

Just my luck!

------
pspeter3
How does this compare with Hemlis [https://heml.is](https://heml.is)

~~~
devcpp
It is released and 100% open source, unlike Hemlis, which is still under
development behind closed doors and will be opened "as much as possible"
(which tells us nothing about implementations, code quality, privacy features,
openness or license).

~~~
cgag
Yeah, I can't see any reason to trust Hemlis.

