Signal, the end-to-end encrypted mobile application for text and voice, has arrived on the desktop in beta form. The app was formerly known as TextSecure on Android, providing end-to-end encrypted messages, before it merged with RedPhone, an app for end-to-end encrypted voice calls.
Community Validation
Signal is considered by many cryptography experts, as well as Edward Snowden himself, as the state of the art in encrypted mobile communications. Partially that's because of the reputable cryptographers behind it, but it's also because of the quality of the protocol design, as well as its implementation. Back in 2013, Johns Hopkins professor Matthew Green wrote a blog post saying that “after reading Moxie’s RedPhone code the first time, I literally discovered a line of drool running down my face. It’s really nice.”
At the heart of its end-to-end encryption is the Axolotl protocol. It has already been adopted by Silent Circle’s Silent Phone app; by Pond, a modern Tor-only email-like protocol written by Adam Langley, one of Google’s top security engineers; ChatSecure; and soon, the new Cryptocat.
Signal is also among the few tools for journalists supported by the Freedom of the Press Foundation, which also supports Tor, TAILS, LEAP (secure email system), and SecureDrop. The Signal team is also supported by the Knight Foundation, another foundation for journalists, and the Shuttleworth Foundation.
Modern Cryptography
Roughly speaking, Axolotl is an enhanced version of OTR (Off The Record), the popular end-to-end protocol for messaging apps of the past decade, which received the ability to do asynchronous communications (people can leave you messages while you’re offline), and end-to-end group chat capability.
Moxie Marlinspike, the founder of Open Whisper Systems and creator of TextSecure and RedPhone, said he’s been working with Whatsapp to implement Axolotl, as well. However, so far Whatsapp hasn’t made any public statements about using it, nor has it added any option to authenticate that end-to-end encryption between users. That means that even if the Axolotl protocol has been silently implemented in Whatsapp, it could be just as easily removed without the users knowing about it.
For end-to-end voice encryption, Signal uses ZRTP, a protocol standardized a few years back at the IETF by Phil Zimmermann, the creator of PGP and co-founder of Silent Circle.
Unlike many other apps that don’t use Axolotl (or OTR even), Signal is able to encrypt all messages end-to-end by default, whether they are between two or more individuals. Other apps such as Telegram, Line or KaKaoTalk have only opt-in end-to-end encryption, and it works only for one-on-one conversations. As most people rarely change their default settings, the vast majority of communications aren’t strongly encrypted with these apps. All of these apps could also implement Axolotl without major (if any) changes to how the users can use those apps.
Features And Access
One of the major impediments for higher adoption of Signal has been its lack of a desktop application, which is being introduced today in beta. The desktop app is actually a Chrome app, which should work on Windows, Mac OS X and Linux. Chrome apps are easier to write than Firefox add-ons, and they are also more secure thanks to the strong sandboxing model Chrome has. That’s also why Cryptocat was only ever released for Chrome. Once Firefox (and possibly Microsoft's Edge) adopt the standardized Chrome-like WebExtensions API, it should be easier to write a similar extension across all the major browsers.
The Signal Desktop app also works only with Android for now and doesn’t support voice calls. However, both iOS and voice support should be added soon. Once those are added, it should be much easier for Signal to become a replacement not just of Whatsapp or Facebook Messenger, but also of Hangouts or Skype, especially if it adds video-calling support sometime in the future.
For now, access seems to be provided through some kind of invitation system, where if you get more people to sign up, you get your own invitation sooner. This doesn’t seem ideal for those who want to try it right away, but building buzz for the app may be just as important as the app’s quality. If few people know about it and use it, then it’s almost irrelevant if it’s the most secure app in the world.
To get your own invitation, go to the Open Whisper Systems page and join the beta program.
______________________________________________________________________
Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.
You can follow him at @lucian_armasu. Follow us on Facebook, Google+, RSS, Twitter and YouTube.
