In the 90s, it became legal in the US to use end-to-end encryption with high resistance to hacking. Okay.
Mankind has been allowed to have secrets on the internet. I don’t know about you, but when I discuss with my girlfriends what kind of panties to buy, I speak in whispers. I don’t care how that information is used by anyone, I care that it’s not used by anyone at all.
Whisper is the root of my article today, we will talk about Open Whisper systems and their latest development Signal.
It all started a couple of days ago when I wondered about the XMPP protocol in general. No, friends, Jabber with OTR won’t die for another couple of years until quantum computers are adopted by the authorities. On the one hand, a new protocol will come out for XMPP as well, but I think not.
Jabber has pretty poor functionality and it seems, yes, you can write through it, put smiley faces I doubt that anyone uses it for file transfer. You will say, if you want encrypted calls put ZRTP, files are transferred via obscure file exchange, encrypted 7z/rar archives, notes/mail use PGP. Too much. A lot. Xmpp, IRC, DNS, SMTP left in the 90’s, kind of a time loop, we need to move on, make things more productive.
I won’t dance around much, let’s get to the review.
Signal is a new, not yet too popular E2EE (end-to-end encryption) messenger, simply put a killer app guys. Reminds me of my unloved Whatsapp (note. Whatsapp recently switched to Signal protocols, but their app still remains closed source) and I believe messengers are the future, they are like social networks which are created from your phone books you choose what to send and to whom, you are not forced to use your real name (like VK or facebook, which successfully sell user data), use your phone, you can be blocked by those who don’t want to read your messages, but no one can restrict you from using Signal in general and impose what to say is good and what is bad. Speak, write, exchange files. And don’t think that anybody except you and your Pudding know what you’ll do tomorrow provided you decide what you’ll do tomorrow X).
Advantages over Jabber: 1. More decryption-resistant open source protocol based on OTR. Signal uses Curve25519, AES-256, HMAC-SHA256 protocols. The keys are stored under an additional encryption layer and are only on your device. 2. Self-removing messages. No traces are left on the servers, neither you nor your interlocutor. 3. Robust call encryption protocol. With each call you see two words, to verify the encryption you just need to name one of the two words and your interlocutor the second, if the conversation is intercepted the words will be different. 4. Full encryption of group conversations, also self-deleted messages are supported. 5. Easy encrypted file exchange. 6. Securely sync e-mails on PC and phone. 7. When you use OTR service, both you and your friend must be online, otherwise message will not be delivered. There is no such need in signal.
Advantages over Whatsapp, Telegram with secret chats and Wickr: 1. Two words open source (doesn’t apply to telegram). The open source code of the application itself, company servers and the encryption protocols it offers. Whatsapp and Wickr can’t offer such, so all this encryption in their applications can be fictitious. You can understand when video card manufacturers don’t want to open the code, but messenger? What kind of super crypto-nano-militaristic technology do they have in there that will destroy the world if opened? I don’t know. Signal source code can be rewritten and use a single server from russian with love. 2. Easy to install on Windows PC, MacOS, Linux again syncing correspondence. Telegram has problems with desktop application so far and there are no calls there. Signal, though, requires chrome to install on desktop client, but it can be replaced by the same SRWare Iron or Chromium which offer us open source 3.
About encryption. Any of your information, files, contacts are transmitted to the signal servers in encrypted form and then sent to the interlocutor. It allows to exchange encrypted data when one of the parties is offline. The message is encrypted on your device and then transmitted in the encrypted form to the signal servers. When your interlocutor appears online the encrypted data packet is transmitted to your interlocutor who decrypts the message.
By the way, the Signal encryption protocol is based on OTR. Why not PGP? Pretty good privacy? Maybe, but just for few years With PGP the keys are permanent, scoundrels can store your encrypted messages for years, but one day they will get your key and all your messages will be read, both old and new. This is why PGP is mostly used in asynchronous messaging, memos, e-mails and so on. OTR operates on the principle of ephemeral key exchange for each session, so there is no such a problem do not decrypt now, goodbye. Signal developers went one step further; one correspondence session can be damn long and store a lot of information, so Signal uses a new key for each message. This is not the only advantage of Signal protocol over OTR you can read more on the developer’s website.
Could a story like Lavabit or Truecrypt happen to Signal developers? National security sheets are not magic (NSLs). This issue was discussed at DEF CON 24. Oh and by the way, you can check yourself or the binary code from google play is the same as you get from the source code on Github (note the site where the source code of the application is published), how to do it here
Signal for the phone asks for Google Apps? Yes, it does. They are only used to deliver notifications in the Android environment, If you are horrified by the word Google, you can install microG on your Cyanogenmod (note Android firmware with fully open source), but I was part of a discussion on this topic and it was concluded that by replacing Google apps with third-party apps, you are opening your device as a whole to a host of other vulnerabilities. Gapps are not a virus, by setting up the app properly it won’t collect information about you.
Oh, yeah, here we go. the request was from the authorities to Open Whisper Systems. They provided the court with everything they had 2 phone numbers and nothing else, because nothing else not . was recorded as a whole. The left SIM card solves that issue.
To register in Signal you need to receive a call, sms activation from a third party phone will not work. It is not obligatory to use your phone for registration and you can also install Genymotion Virtual Machine and create your own Android phone. It’s true with this approach it will be a bit difficult to activate the application on your PC, but I was able to (note, you can use your PC’s webcam in Genymotion to sync with your PC when activating).
The only thing missing from Signal is the option to sign up with a good old fashioned username and password.
This article is written to encourage our community to switch to signal. It will become more convenient, safer and more productive. (c) Harley Quinn X)
Yes, and the last thing Edward Snowden recommends Signal.