Signal - Increasing popularity

  • Be sure to checkout “Tips & Tricks”
    Dear Guest Visitor → Once you register and log-in:

    This forum does not automatically send notices of new content. So if, for example, you would like to be notified by mail when Steve posts an update to his blog (or of any other specific activity anywhere else), you need to tell the system what to “Watch” for you. Please checkout the “Tips & Tricks” page for details about that... and other tips!

    /Steve.
  • Larger Font Styles
    Guest:

    Just a quick heads-up that I've implemented larger font variants of our forum's light and dark page styles. You can select the style of your choice by scrolling to the footer of any page here. This might be more comfortable (it is for me) for those with high-resolution displays where the standard fonts, while permitting a lot of text to fit on the screen, might be uncomfortably small.

    (You can permanently dismiss this notification with the “X” at the upper right.)

    /Steve.

alt3rn1ty

Member
Dec 27, 2020
24
8
This has probably been discussed in Security Now! podcast 801 (I haven't downloaded it yet) ..

.. But recently Signal seems to be on the way up, Moxie Marlinspike should be happy.
Source - https://www.wired.com/story/signal-encrypted-messaging-features-mainstream/

Also WhatsApp recently has had a change to T&C's, which has resulted in an upward trend of people downloading Signal or Telegraph instead.
Source - https://www.bbc.co.uk/news/technology-55634139

Facebook have <very> quickly provided a statement to try and allay public fears of Privacy mission creep ..

.. But I think the fast response from facebook is telling in itself.

Speculation: If the "Click agree" population of gullible people had just accepted the new T&Cs, then maybe there would have been even more mission creep. Maybe a lot more people these days are becoming more advanced in their adoption of technology solutions, and have collectively found out that a tool endorsed by Bruce Schneier, which has been audited by experts, and remains open source .. Is probably a good thing despite not being advertised by the major tech monopolies, and regardless of not having a cool name to make them adopt it versus the competition all their mates were previously using.

Interesting times.
 

MatthewVGreene

Bacon is good.
Oct 1, 2020
7
1
Nevada, United States.
Great callout! I have been clearing up a lot of confusion on Twitter. The biggest misconception that people have migrating to Signal is that the believe it to be a social media platform rather than a messaging platform. For better or worse it won't suprise me if in 2 or 3 years, Signal will be able send email from the CLI. (mission creep)
 

alt3rn1ty

Member
Dec 27, 2020
24
8
I would have preferred to use Signal ages ago (sometime after when Steve Gibson gave it some good reviews), but by that time most of the family / friends were using the more popular WhatsApp, so I have been holding out for a "told you so" moment :)

But as it happened, when news spread about the change to T&Cs, me and the immediate family discussed it, and while we were giving the vote on a group chat to migrate to Signal, I got a few messages from the rest of the family and Friends who had already been discussing Signal as an option - Everyone is now migrating.

Fingers crossed that Signal remains forever more my preferred messaging app, and doesn't get pressured from American Law / Gov to break it's encryption. Being donation based, Signal may not have as much financial clout as Whatsapp / Facebook when it comes to legal pressure challenges.
"Signal is an independent nonprofit. We're not tied to any major tech companies, and we can never be acquired by one either. Development is supported by grants and donations from people like you."
I donated. https://signal.org/en/

The situation with WhatsApp is worse than I thought when I posted the OP, I have since watched SN#801, from the show notes :

That was then. The news that the respect for the privacy of WhatsApp's user metadata is being lost has triggered a mass exodus from Facebook's in-house communications platform over to Signal, where NO user metadata is ever collected. Back in 2016, WhatsApp gave users a one-time ability to opt out of having account data turned over to Facebook. But now their updated privacy policy, taking effect next month on February 8th, is changing that. One month from now, users will no longer have that choice. Some of the data that WhatsApp collects includes: ● User phone numbers ● Other people’s phone numbers stored in address books ● Profile names ● Profile pictures ● Location Information ● Transactions And Payments Data ● Device And Connection Information ● Status messages including when a user was last online ● Diagnostic data collected from app logs Yeah... they may not see what you’re saying, but they have and will shortly be using every other last scrap of metadata. Under the new terms, Facebook reserves the right to share collected data across its family of companies. And in some cases, such as when someone uses WhatsApp to interact with third-party businesses, Facebook may also share information with those outside entities. This privacy agreement update is a 180 compared with last year's privacy policy whose enforcement began in July. It states that users are able to choose not to have their WhatsApp account info shared with Facebook to improve the company's ads and products. But under the changes to the policy, users will now be forced to accept sharing their data with Facebook to continue using their account or, as an alternative, delete their accounts.

Bye bye WhatsApp.
 
Last edited:

Roland

New member
Oct 15, 2020
3
1
How long before some 'bad' speech is found on signal and server-provides of signal will be forced to drop signal ?
 

emichael

New member
Jan 15, 2021
2
1
How long before some 'bad' speech is found on signal and server-provides of signal will be forced to drop signal ?
That is the thing. It can't. End-to-end encryption. That means unless I share my end of the conversation, or you share your end of the conversation, no one knows what we are conversing about. There is nothing to be "found on signal".

I would have preferred to use Signal ages ago (sometime after when Steve Gibson gave it some good reviews), ....

When was that? I remember hearing the episode a number of years ago, but I'll be darned if I can find it. I can find episodes where Signal is mentioned as a news item for something or other. But I cannot find the episode where SG took it apart and bestowed a blessing upon it.
 

PHolder

Well-known member
Sep 16, 2020
550
2
268
Ontario, Canada

alt3rn1ty

Member
Dec 27, 2020
24
8
Yep it was 555.

That's when Whatsapp had adopted the Signal Protocol and Steve was extolling its virtues :)

Steve: So of course the big news is the announcement from Open Whisper Systems that they had finished integrating their communications technology into WhatsApp across all platforms. And, I mean, it is multiplatform. And in fact they've just got - they've expanded the beta to the desktop version. It's been in limited beta for a while. It's now available in open beta, so anybody who wants to get the WhatsApp app for their desktop. Now, in their photo on the announcement they show it on a Mac, and I didn't have a chance to dig into which desktops it's supported on. But at least the Mac. So we've sort of been talking about Open Whisper Systems, and of course Moxie has been a topic and aspect of the podcast.



Leo: As has his hair.



Steve: As has his hair and the fact that he likes to sail, for a long time. TextSecure was the name of an earlier messaging app that they had created. And then there was like - there was RedPhone that they had. And then there was Circle. And there have been different efforts. They've also been moving this forward over time. At one point they looked at Off The Record, the OTR protocol, which we've talked about in the past. There was a nice web browser implementation of OTR which provided encrypted point-to-point communications. But there were some problems with the way it worked because it really needed to be online communications. It required real-time interaction between the endpoints for the exchange of keys.
And what the Whisper Systems guys wanted to come up with was something that would allow sort of the text messaging model, that is, where you could send a message to someone who may be offline at the time; and when they came online, then they would be able to receive the message. So it would be queued somewhere until they were able to receive it. And the security challenges of that were significant. So they were, over the course of years - and that's one of the interesting takeaways, is this kind of super-mature technology, which is what I think they have today, doesn't happen overnight. It takes nurturing, and it takes building a few and seeing how they work and thinking about it because it's often difficult to attack something that's just an idea. It really helps to, like, play with it.
And this is why building stuff is so important. That's one of the lessons that I've talked about often is that hobbyists who create something discover stuff they didn't expect to find. And it's because they didn't expect it that it's useful. Even though you don't know it's useful a priori, it turns out once you do it it's like, wow. I didn't think this was going to happen. And that's the point. So as a consequence of them, like, having many previous things, they've got to a point today where I was just enraptured by digging into the details of this protocol. It, too, has been renamed, as has the app. There's no more TextSecure or RedPhone or Circle. Everything is now Signal.
So Signal amalgamates and pulls all of those previous efforts together as the app. And the unpronounceable name of the protocol, Axolotl, A-X-O-L-O-T-L - and isn't he adorable, Leo? Oh, is this the cutest little thing I've ever seen. He's critically endangered and adorable, probably because Disney stole them all, aquatic salamander. And they called it Axolotl because the salamander, as we talked about at the top of the show, has amazing self-healing capabilities. Being a salamander, it can regrow limbs. And the Axolotl protocol has some self-healing properties.
So I'm going to read two things from two different blog posts where they describe stuff, and then I'll get into my own bullet points of the features. So one of their blog postings said: "To continue eliminating confusion and simplifying everything within the Signal ecosystem, we're renaming Axolotl to Signal Protocol. The implementations have been renamed, so there are open source Signal Protocol libraries available for C, Objective C, Java, and JavaScript in our GitHub repository." So everything I'm going to talk about is also, not only well vetted, but open source, encouraging this to be the messaging protocol of record. They continue: "These have been making their way into an increasing number of communication apps" - as well they should, I say. "And," they write, "we're excited for the future of the Signal Protocol as it continues to spread."
And then in one paragraph from a different posting they said:
"As of today" - and that's this most recent one of last week - "the integration is fully complete. Users running the most recent versions of WhatsApp on any platform now get full end-to-end encryption for every message they send and every WhatsApp call they make when communicating with each other. This includes all the benefits of the Signal Protocol - a modern, open source, forward secure, strong encryption protocol for asynchronous messaging systems, designed to make end-to-end encrypted messaging as seamless as possible."



~SNIP~



Steve: Right. Anyway, WhatsApp is a beautiful piece of work. Hats off to these guys. We have now what should be an industry standard messaging solution in Signal - open source, cross-platform, multi-language libraries available. There's just no excuse for anyone to do anything else. They nailed it.



I snipped a big chunk out of the conversation there where Steve goes into ephemeral keys etc, but you know where the source is if you want to read it all :)


PS if anyone wants to find anything in Securiity Now! Podcasts, got to Steve's site, Services drop down, click Security Now!, and then use the Search bar at the top right of the screen ..


.. All the transcripts are there and keyword searchable.
 
Last edited:

PHolder

Well-known member
Sep 16, 2020
550
2
268
Ontario, Canada
Relatedly, Signal is current experiencing some sort of an outage (2021-Jan-15). I believe it's basically the demand is exceeding their ability to supply service as so many new users on-board: i.e. growing pains.
 

alt3rn1ty

Member
Dec 27, 2020
24
8
Yes they need more servers and probably Load Balancing, at the moment I have a notification on my IPhone Signal App saying "Signal is experiencing technical difficulties. We are working hard to restore service as quickly as possible". Earlier today it was fine .. I think demand just outstripped supply again :). Give it a few days.

@emichael Another interesting episode on the subject of Signal was #694, where the Australians wanted to introduce a bill encouraging software developers to provide a back door for encryption, again its another case of legal / political beagles dont get that encryption with a back door is broken encryption, and any real bad actors will just use another app pulling from open source encryption without a back door anyway.

Steve: Yeah, yeah. Meanwhile, we have - I love the title of this post. This was from Joshua Lund, who is a sysadmin, programmer, privacy enthusiastic, security fan, writer, occasional cyclist, and one of the Signal developers, who posted at Signal.org last week. The title of his posting was "Setback in the Outback." And I lightly edited what he wrote for the podcast.

He said: "Like many others, we have been following the latest developments in Australia related to the Assistance and Access bill with a growing sense of frustration. The widespread adoption of strong cryptography and end-to-end encryption has given people around the world the ability to protect their personal information and communicate securely. Life is increasingly lived online, and the everyday actions of billions of people depend on this foundation remaining strong. Attempting," he writes, "to roll back the clock on security improvements which have massively benefited Australia and the entire global community is a disappointing development.

"More than eight years have passed since we released the public beta of what is now known as Signal. Throughout the entire development process, the project has faced resistance from people who struggle to understand end-to-end encryption or who seek to weaken its effects. This is not a new dynamic." He says, in a paragraph by itself: "We can't include a backdoor in Signal, but that isn't a new dynamic either.

"By design, Signal does not have a record of your contacts, your social graph, conversation list, location, user avatar, user profile name, group memberships, group titles, or group avatars. The end-to-end encrypted contents of every message and voice/video call are protected by keys that are entirely inaccessible to us. In most cases now we don't even have access to who is messaging whom.

"Everything we do is open source, and anyone is free to verify or examine the code for each release. Reproducible builds" - which is not easy, by the way - "and other readily accessible binary comparisons make it possible to ensure the code we distribute is what is actually running on users' devices. People often use Signal to share secrets with their friends, but we can't hide secrets in our software.

"Everyone benefits from these design choices, including Australian politicians. For instance, it has been widely reported that Malcolm Turnbull, the 29th Prime Minister of Australia, is a Signal user. He isn't alone. Members of government everywhere use Signal. Even if we disagree with Christian Porter, we would never be able to access his Signal messages, regardless of whether the request comes from his own government or any other government.

"Although we can't include a backdoor in Signal, the Australian government could attempt to block the service or restrict access to the app itself. Historically, this strategy hasn't worked very well. Whenever services get blocked, users quickly adopt VPNs or other network obfuscation techniques to route around the restrictions. If a country decided to apply pressure on Apple or Google to remove certain apps from their regional stores, switching to a different region is trivial on both Android and iOS, and popular apps are widely mirrored across the Internet. Some of them can even be downloaded directly from their official website.

"One of the myriad ways that the 'Assistance and Access' [in quotes] bill is particularly terrible," he writes, "lies in its potential to isolate Australians from the services that they depend on and use every day. Over time, users may find that a growing number of apps no longer behave as expected. New apps might never launch in Australia at all."

He finishes: "Technology organizations looking to open offices in a new country could decide that AEST (Australian Eastern Standard Time) isn't such a great time zone after all. As remote work continues to become more prevalent, will companies start saying 'goodbye,'" he writes, "instead of 'g'day' to applicants from Australia, who are unable to sufficiently secure and encrypt their corporate communications?" He says: "This doesn't seem like smart politics, but nothing about this bill seems particularly smart. We remain committed to fighting mass surveillance worldwide. We encourage users in Australia to reach out to their representatives and express their opposition to the Assistance and Access Bill." And it's interesting. I looked around for other reaction to that, and haven't so far found anything.


Leo: 1Password posted a blog post. ProtonMail posted a blog post.

Steve: Good.

Leo: So a number of people have responded. I hope LastPass will say something. But it does raise some questions in my mind. So I have some questions for you.

Steve: Okay.

Leo: About this law, the Triple A law, which hasn't yet gone into effect. I think it doesn't go into effect till next year.

Steve: Until Parliament meets at the beginning of 2019, yes.

Leo: And so there's some chance that maybe they'll change it or retract it. And we don't know how strongly, assiduously it'll be enforced. But it says, essentially, that anybody who provides encrypted services must be able to provide unencrypted cleartext versions for law enforcement if they ask.

Steve: Yup.

Leo: Which means Signal provides encrypted services. ProtonMail provides encrypted services. LastPass and 1Password provide encrypted services. It sounds like they'd have to, you know, LastPass, we just did the ad, says we don't ever have access to your vault. Only you do.

Steve: We absolutely know for a fact that they don't.

Leo: Yeah. It's trust, what you call "trust no one," end to end. Or another way to put it is end-to-end encryption. So the question is, does that mean they have to then modify their code to sell it in Australia, so that when requested they can provide cleartext? And it's my understanding that it does.

Steve: So one interesting thing that I - because I've been thinking about this for the last week. One of the ways the world has evolved is that applications no longer talk to the hardware directly. They talk to an API which the operating system publishes. So it could be, you know, we've often talked about this idea of accessing communications either before they're encrypted or after they're decrypted. Well, there is a common place where the keyboard API exists. The video API, the screen output API, and that's this OS layer.
And so it could be, I mean, I don't know, we don't know how this is going to evolve. But it could be that Android and iOS themselves could provide a pre-encryption and post-decryption interface because, after all, as we've often said, I mean, the user is entering plaintext into their keyboard, and they are viewing plaintext on their screen. That plaintext transits from the encrypted tunnel through the operating system after it's been decrypted.

So what we may end up with is a general design which would - the advantage, first of all, it means that our phones do have this - our operating systems have a designed-in monitoring facility. It isn't a backdoor into any of the encryption. It doesn't weaken any of the encryption. It just gets to it before it's been encrypted or decrypted, much like the user, typing on their keyboard, like a keystroke monitor. And so that's a means by which a universal solution could be found.


Leo: With the cooperation of Google and Apple.

Steve: With the cooperation of the operating system.

Leo: Actually, it wouldn't even be Google. It would have to be the manufacturer because Samsung would have to say, okay, we'll do that. Yeah.

Steve: Right, right.

Leo: And what we don't know is, yes, that would be a solution, but that would require Australian law enforcement to know and do it, as opposed to going to Signal and saying, no, you've got to do it.

Steve: Well, and then there's also the question of storage; right? Because, for example, we know in a point-to-point system there is some storage of received messages at the receiving end. But there's no central storage of prior messages by the provider. I mean, basically, Signal is providing a system that allows two people to interchange messages securely. The only storage occurs in the message stream at each end. So, for example, there doesn't exist, it's not like they don't want to provide it in the case of Signal's being able to provide past message traffic. It doesn't exist anywhere in a third location. So, as I said, I really think...

Leo: But wouldn't they have to - couldn't they be forced to rewrite Signal to provide that?

Steve: Well, yes. And what was...

Leo: That's the question. And what are the penalties? We don't know what that is.

Steve: And we sort of heard Signal's...

Leo: We just pull out of Australia. We wouldn't do it.

Steve: Exactly. If you guys don't want to allow security, we're about security. We are not going to compromise our security. If you don't want access to Signal, I mean, if the only way you'll allow us to be there is breaking encryption, we're just not...

Leo: Bye-bye.

Steve: We're just going to say no.

There have been other episodes in between #555 and #694 mentioning Signal, but those are the outstanding ones for me.
 
Last edited:

pmikep

Well-known member
Dec 26, 2020
57
8
I'm a bit more cynical and am guessing Signal is under attack. (Our govt would never do that, right Edward Snowden?)

Time will tell.
 

alt3rn1ty

Member
Dec 27, 2020
24
8
If your machine is compromised with malware then someone could virtually be looking over your shoulder so to speak. Maybe one day when Quantum Computers are a viable threat that will end encryption being private ... Until then anyone interested in looking at me sending "I love you and want to bite your bum" to the missus is a bit of a tall order :)
 

emichael

New member
Jan 15, 2021
2
1
...


.. All the transcripts are there and keyword searchable.
Thanks! That is what I was looking for. I did search, but I didn't remember Signal was discussed in the context of WhatsApp - so I discounted that one and kept looking. Appreciate the nudge in the right direction...I've got a Signal skeptic I am trying to convert with SG's technical analysis.
 
  • Haha
Reactions: alt3rn1ty