How Signal does security right.

Off the Beat: Bruce Byfield's Blog
A couple of weeks ago, I was writing about Echo Whisper Systems' Signal, which encrypts voice and text messages for Android and iOS phones. Signal is an essential privacy tool, and has become a standard part of my installations. However, as I started using it, I quickly realized that Signal not only offers some useful functions, but is also a rare example of security added so that average users will actually use it.
In these days of anxiety, new security and privacy apps are popping up every few days. Most of them, however, do little to integrate into the desktop. All too typically, especially with distributions, they install a bunch of utilities, then leave users to figure them out for themselves. Many even offer several tools for the same purpose, with no hint about which is most appropriate for which circumstances. These apps may be suitable for expert users, but they fail to encourage new users to take precautions because they are too obscure and inconvenient.
Signal, by contrast, isn't like that. Unlike most of its rivals, Signal does just about everything to make itself no more complicated to use that a productivity app. For example:
1. Seamless integration: Signal is a drop-in replacement for your phone's existing apps. The phone may give scary warnings about the danger when you make the switch, but in my experience the replacement is seamless. The import of contacts takes a single step, and a single icon indicates when a conversation is encrypted. Similarly, although all parties must have Signal installed for an encrypted exchange, you can still use Signal to hold an unencrypted conversation.
2. Invisible operation: Many security and privacy applications require extra steps to use. Signal, though, hides the exchange of keys from users, making encrypted messages no more difficult than a regular one. This seems a necessary and much-needed feature to encourage users to practice security and privacy.
3. Signal Desktop: The desktop is optional, and in its current beta form, less complete than the phone interface. All the same, if you are using your phone near a laptop or a workstation, it offers the benefit of a larger screen and a full-sized keyboard. If, like me, you are often frustrated at how slow and error-prone texting from a phone can be, the desktop will come as much longed-for relief.
4. A lack of jargon: For example, instead of talking about encryption fingerprints, whose meaning is obscure and misleading for non-experts, Signal talks about safety numbers. Although such language is a break from security tradition, it goes a long way to demystifying security issues.
5. Clear, concise documentation for installation and basic use, including screen shots: Information could be added about less routine tasks, such as setting an expiry date on a message, but, once average users are up and running, they should be able to figure out the rest with a little experimentation.
6. Use of QR codes for verification: To most people, QR codes are a fancy way to link to a company web site that lurks in the bottom corner of apps. Signal, though, has actually made them usefl. It uses QR codes as a quick and simple way to verify links between users or a phone and Signal Desktop. As a bonus, QR codes are unreadable to humans, adding another level of encryption.
7. An improvement over existing apps: Even without encryption, Signal is better than the existing Android apps it replaces. Improvements include color coding of contacts, audio, and graphic attachments with a search function). In addition, Signal also does a better job of identifying where you are in the interface and what you are doing.
Here and there, these features could use enhancement. And perhaps not all of them are suitable for every security and privacy app. Still, Signal's designers have has grasped what many designers have not: The fact of security and privacy are not enough by themselves to encourage the use of an application, no matter how powerful.
As I have said many times, in a choice between convenience and security, convenience wins almost every time, no matter what the long-term consequences. What Echo Whisper Systems has realized is that for an encryption app to have any hope of being used, it must be at least as easy as an encryption-less equivalent.
Personally, I would like to see a bit more documentation built in, and the option for more advanced users to view what Signal is doing. But such minor points aside, Echo Whisper Systems is definitely heading in the right direction -- not just functionally, but in design as well. If only other developers take the time to learn from it, then one day security and privacy might be practiced as often as they are talked about.
comments powered by DisqusSubscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.
News
-
The GNU Project Celebrates Its 40th Birthday
September 27 marks the 40th anniversary of the GNU Project, and it was celebrated with a hacker meeting in Biel/Bienne, Switzerland.
-
Linux Kernel Reducing Long-Term Support
LTS support for the Linux kernel is about to undergo some serious changes that will have a considerable impact on the future.
-
Fedora 39 Beta Now Available for Testing
For fans and users of Fedora Linux, the first beta of release 39 is now available, which is a minor upgrade but does include GNOME 45.
-
Fedora Linux 40 to Drop X11 for KDE Plasma
When Fedora 40 arrives in 2024, there will be a few big changes coming, especially for the KDE Plasma option.
-
Real-Time Ubuntu Available in AWS Marketplace
Anyone looking for a Linux distribution for real-time processing could do a whole lot worse than Real-Time Ubuntu.
-
KSMBD Finally Reaches a Stable State
For those who've been looking forward to the first release of KSMBD, after two years it's no longer considered experimental.
-
Nitrux 3.0.0 Has Been Released
The latest version of Nitrux brings plenty of innovation and fresh apps to the table.
-
Linux From Scratch 12.0 Now Available
If you're looking to roll your own Linux distribution, the latest version of Linux From Scratch is now available with plenty of updates.
-
Linux Kernel 6.5 Has Been Released
The newest Linux kernel, version 6.5, now includes initial support for two very exciting features.
-
UbuntuDDE 23.04 Now Available
A new version of the UbuntuDDE remix has finally arrived with all the updates from the Deepin desktop and everything that comes with the Ubuntu 23.04 base.