How Signal does security right.
Off the Beat: Bruce Byfield's Blog
A couple of weeks ago, I was writing about Echo Whisper Systems' Signal, which encrypts voice and text messages for Android and iOS phones. Signal is an essential privacy tool, and has become a standard part of my installations. However, as I started using it, I quickly realized that Signal not only offers some useful functions, but is also a rare example of security added so that average users will actually use it.
In these days of anxiety, new security and privacy apps are popping up every few days. Most of them, however, do little to integrate into the desktop. All too typically, especially with distributions, they install a bunch of utilities, then leave users to figure them out for themselves. Many even offer several tools for the same purpose, with no hint about which is most appropriate for which circumstances. These apps may be suitable for expert users, but they fail to encourage new users to take precautions because they are too obscure and inconvenient.
Signal, by contrast, isn't like that. Unlike most of its rivals, Signal does just about everything to make itself no more complicated to use than a productivity app. For example:
1. Seamless integration: Signal is a drop-in replacement for your phone's existing apps. The phone may give scary warnings about the danger when you make the switch, but in my experience the replacement is seamless. The import of contacts takes a single step, and a single icon indicates when a conversation is encrypted. Similarly, although all parties must have Signal installed for an encrypted exchange, you can still use Signal to hold an unencrypted conversation.
2. Invisible operation: Many security and privacy applications require extra steps to use. Signal, though, hides the exchange of keys from users, making encrypted messages no more difficult than a regular one. This seems a necessary and much-needed feature to encourage users to practice security and privacy.
3. Signal Desktop: The desktop is optional, and in its current beta form, less complete than the phone interface. All the same, if you are using your phone near a laptop or a workstation, it offers the benefit of a larger screen and a full-sized keyboard. If, like me, you are often frustrated at how slow and error-prone texting from a phone can be, the desktop will come as much longed-for relief.
4. A lack of jargon: For example, instead of talking about encryption fingerprints, whose meaning is obscure and misleading for non-experts, Signal talks about safety numbers. Although such language is a break from security tradition, it goes a long way to demystifying security issues.
5. Clear, concise documentation for installation and basic use, including screen shots: Information could be added about less routine tasks, such as setting an expiry date on a message, but, once average users are up and running, they should be able to figure out the rest with a little experimentation.
6. Use of QR codes for verification: To most people, QR codes are a fancy way to link to a company web site that lurks in the bottom corner of apps. Signal, though, has actually made them useful. It uses QR codes as a quick and simple way to verify links between users or a phone and Signal Desktop. As a bonus, QR codes are unreadable to humans, adding another level of encryption.
7. An improvement over existing apps: Even without encryption, Signal is better than the existing Android apps it replaces. Improvements include color coding of contacts, audio, and graphic attachments with a search function. In addition, Signal also does a better job of identifying where you are in the interface and what you are doing.
Here and there, these features could use enhancement. And perhaps not all of them are suitable for every security and privacy app. Still, Signal's designers have grasped what many designers have not: The fact of security and privacy is not enough by itself to encourage the use of an application, no matter how powerful.
As I have said many times, in a choice between convenience and security, convenience wins almost every time, no matter what the long-term consequences. What Echo Whisper Systems has realized is that for an encryption app to have any hope of being used, it must be at least as easy as an encryption-less equivalent.
Personally, I would like to see a bit more documentation built in, and the option for more advanced users to view what Signal is doing. But such minor points aside, Echo Whisper Systems is definitely heading in the right direction -- not just functionally, but in design as well. If only other developers take the time to learn from it, then one day security and privacy might be practiced as often as they are talked about.