Signal Private Messenger
Bringing Encryption to EverybodyBy
Signal is an efficient private messenger app that encrypts voice and text messages, integrates easily into existing interfaces, and places all communications in a single display, making encryption a feature that anyone can use.
Signal is an efficient private messenger app that integrates easily into existing interfaces and places all communications in a single display, making encryption a feature that anyone can use.
Dozens of private messenger apps are available today; however, only one has the endorsement of both Edward Snowden and Bruce Schneier and is recommended by both the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union. That app is Signal Private Messenger, developed by the non-profit Open Whisper Systems for Android, iOS, and desktop environments. These endorsements are the result of not just Signal’s ability to encrypt voice and text messages, but also its ability to integrate into existing interfaces for ease of installation and use.
Signal originated in RedPhone and TextSecure, two proprietary encryption tools for Android developed by Whisper Systems, founded by Moxie Marlinspike and Stuart Anderson. Whisper Systems was bought by Twitter in November 2011, and within half a year, both RedPhone and TextSecure, were released under the third version of the GNU General Public License. A year later, Marlinspike left Twitter to found Open Whisper Systems, which is funded by donations and grants, a neutrality that partially explains the high regard for its products.
Since 2013, Open Whisper Systems has merged RedPhone and TextSecure into a single application, adding encrypted group chat and gradually developing Android and iOS versions with comparable feature sets. Recently, it released a beta version of Signal Desktop in the form of a Chrome app. So far, the desktop version, compared with the other versions, has a simplified feature set lacking password protection, for example. However, when linked to a mobile device, Signal Desktop provides centralized storage, as well as the increased usability of a mouse and a full-size keyboard.
Signal is designed as a drop-in replacement for both for voice and text messaging apps (Figure 1). Although voice and text messages use separate protocols, from the perspective of users, the two are treated almost identically, and both are free of cost. Contacts are added from a device’s Contact app into Signal, with encryption keys stored locally.
Calls in Signal are routed through Open Whisper Systems’ servers, which handles the exchange of public keys without the need of input from users. Unlike the popular Pretty Good Privacy (PGP), Signal’s protocols switch encryption keys regularly, making conversations harder to crack. Although such encryption keys are ordinarily called fingerprints, Signal refers to them as safety numbers – presumably to replace the often obscure jargon with a more user-friendly term. Users can manually approve and verify safety numbers, either visually or through a QR code, but Signal can still function without these steps.
Additionally, users can manually delete messages or set times when they will be deleted automatically. Signal and its database can also be protected with a passphrase.
What is noticeable about all Signal’s operations is how much they are hidden by default. In most encryption implementations, encrypting and decrypting are additional steps, and these complications probably deter many from using them regularly. By contrast, encryption in Signal is invisible to users unless they specifically change the settings. From the interface, using Signal appears no more complicated than unencrypted messaging – a claim that few other messaging systens can make, although Signal protocols have been widely borrowed, including in CyanogenMod and Facebook Messenger.
Signal requires installation on an Android or iOS phone. Tablets are not currently supported. For convenience, you can also install Signal Desktop, although it is not necessary for using Signal and cannot operate on its own.
Installing on an Android phone (Figure 2) is only slightly more complicated than installing any app in the Google Play Store. However, if necessary, you can follow the EFF’s instructions. Similar instructions are available for installing to iOS devices from the Apple App store. Unlike most Android apps, it requires access to almost all aspects of your phone, which for any other app might be a security risk.
Once Signal installs, enter your country and phone number and click the Register button. After you re-enter this information to ensure accuracy, Signal verifies your number and sends you a confirmation text.
The installer then asks if you want to make Signal your default messaging app and imports your existing contacts if you accept. Your phone’s default app will probably warn of dire consequences if you do so, but you can still use the original app if necessary, so this warning can be safely ignored. In fact, since Signal displays both voice and text messages for which you have a phone number in a single list, if anything, switching to Signal is a general convenience. Besides, if a listing is not Signal-enabled, Signal still lets you exchange uncrypted messages with it, so there is really no reason to be concerned about the replacement.
At this point, Signal is ready to use. However, you might choose to install Signal Desktop, which is not capable of sending messages by itself but offers the convenience of a larger screen and the use of a mouse.
Signal Desktop is available as a Chrome app. So far, at least, it does not run on any web browser except Chrome or Chromium, although it can be used with other Android or iOS phones.
Signal Desktop is installed via a wizard (Figure 3). At the end of the installation, the wizard displays a QR code (Figure 4). For Signal Desktop to function, you must link it by selecting on a device Setting | Linked devices from the menu in the upper right corner, then scanning the QR code that displays from your phone. When the desktop recognizes the QR code, encryption keys are generated for communication between the phone and the desktop. If you add or delete contacts when using the linked phone without Signal Desktop, the next time you use it, select Settings | Contact | Import Now to resync.
Whether you are using the desktop or a phone, Signal is much the same. The main differences are that the desktop has fewer settings and, in the beta version, has three restrictions: It can delete but not add contacts, shows only contacts with which you have interacted, and can only place a call with phone or voice if you have already done so at least once from the linked phone.
On a linked phone, you can still use the original apps for contacts and phone calls without using Signal, but any missed messages from Signal display in them. Additionally, the phone has options for setting notifications. On both the desktop and the phone, you should add a passphrase to Signal – after all, it hardly makes sense to go to the trouble of setting up encryption, then having encrypted messages accessible to anyone who reaches your desktop. Start Signal Desktop from the Apps icon in the upper left corner of the browser.
To communicate, either click the phone icon in the title bar of a contact or use the text field at the bottom of the screen. You can also add an image or audio file, a shot from the camera, your location, or another contact to a message by selecting the paper clip at the bottom right of the screen.
If the phone number you are contacting is not already Signal-enabled, you can still send to it. However, when you call unenabled numbers, an option displays below the title bar that gives you an option to invite your contact to join Signal. In any other app, this option might seem like blatant opportunism, but because all parties in a conversation need to use Signal for encryption, in this case, the advertising seems forgivable.
From each contact, you can also manage your exchanges using the menu at the upper right in the title bar. As you might expect, you can delete the log of your exchanges or change the color-coding for the contact. More unusually, you can set the time from the present that the log expires, display all exchanged images, or verify safety numbers with the link provided (Figure 5). Should a contact become a nuisance, another option is to block them via the Conversation settings submenu.
An Example for Security
Signal does have a few limitations. In particular, contacts must have a phone number, not just an email address. Perhaps the most serious limitation is that it must run on specific equipment and operating systems. However, given that the necessary conditions, hardware, and software are readily available, these limitations are mostly matters of preference and are seldom a barrier to using Signal.
The greatest barrier is undoubtedly convincing others to use it, and even that is changing with the current political and social climates.
Even so, Signal is gaining popularity with a speed that few comparable apps can match. I suspect that the secret of its success is that it hides the complexity of encryption from users who simply want its services. Just as importantly, even without encryption, Signal is an efficient messenger, replacing pre-installed apps without a problem, and placing all communications in a single display. Through these tactics, Signal makes encryption a feature that anyone can use – and, in doing so, sets an example for the entire industry.
The bug was introduced back in 2009 and has been lurking around all this time.
The new release deprecates the sshd_config UsePrivilegeSeparation option.
Lives on as a community project
Five new systems join Dell XPS 13 Developer Edition that come with Ubuntu pre-installed.
The Skype Linux client now has almost the same capabilities that it enjoys on other platforms.
At CeBIT 2017, OpenStack Day will offer a wide range of lectures and discussions.
A major setback for the Linux desktop.
Improved support for GPU in virtualization.
News site for the openSUSE community falls victim to a Wordpress exploit.
The source code is available online.