Signal (messenger)

from Wikipedia, the free encyclopedia
signal

Signal ultramarine icon.png
Screenshot Signal.png
Non-profit and free messenger
Basic data

developer Signal Foundation
Publishing year 29th July 2014
Current  version 4.66.5 ( Android )
July 16, 2020

3.14.2 ( iOS )
August 19, 2020

1.34.5 (desktop)
August 15, 2020

operating system Android , iOS , Windows , macOS , Linux (64-bit)
programming language Java (Android client and server), Swift and Objective-C (iOS client), JavaScript (desktop client)
category Instant messaging , IP telephony , video telephony
License GPLv3 (clients),
AGPLv3  (server)
German speaking Yes
signal.org

Signal is a free , encrypting messenger . It is best known for its data economy and end-to-end encryption and is therefore often recommended by security experts and data protection organizations.

The "zero knowledge principle" is used to implement data economy: Operators should not have any information about who is talking to whom, when, and about what. Technically, this goal is achieved through several functions:

  • Due to the end-to-end encryption, the content of the message can neither be viewed by the operators nor by third parties.
  • The user's phone book is not loaded onto the operator's server in plain text. Instead, only hash values ​​of the numbers are compared. This process is also to be shielded by a second encryption layer in the future.
  • Since Signal encrypts the sender address before a message is sent, it is not possible to reconstruct who is communicating with whom, even when the exchanged messages are tapped.
  • The user profiles, consisting of name and photo, are encrypted and therefore cannot be viewed by the operator, but only by the conversation partners themselves.

Signal is developed and operated by the non-profit Signal Foundation. The aim of the foundation is to ensure the free exchange of opinions for all people in a protected private sphere. For this purpose, the service is financed purely by donations, so that it is only obliged to the users and does not have to collect content or metadata for commercial use. In 2018, the foundation received start-up capital of US $ 50 million from WhatsApp founder Brian Acton .

The Signal app is available for Android and iOS , the desktop version for Windows , macOS and Linux , there is no web version. The desktop version requires installation on a smartphone and does not support video telephony. The free signal protocol , which is classified as safe by security experts, is used to encrypt messages . Calls are also encrypted using the signal protocol, encoded with Opus and transported with RTP .

features

General

The declared goal of the developers is to create programs that enable secure, encrypted communication and are as easy to use as programs that transmit their data unencrypted. The apps should not burden the user with complicated settings and also enable safe communication for people who do not want or cannot deal with the technical background.

The application automatically encrypts conversations with other registered Signal users. Signal enables the encrypted sending of text messages, documents, photos, videos, contact information one to one or in group messages.

In contrast to open chat protocols , the signal protocol is not interoperable . It is not possible to participate in signal chats from your own servers or other messengers. However, with OMEMO an open protocol has been published that includes signal cryptography.

Encryption

The encryption offers the following properties:

  • End-to-end encryption means that the operator also has no access to the content of messages sent with Signal.
  • Perfect Forward Secrecy means that even if a user's secret personal long-term key becomes known, previous messages cannot be decrypted. This is because a separate temporary key is generated for each message from the long-term key, which is discarded after transmission.
  • Authentication using key fingerprints that can be photographed allows users to verify that they are really only communicating with the person who is intended to receive the messages. This means that man-in-the-middle attacks can be ruled out.
  • Credible deniability protects users (e.g. in repressive regimes) from having a specific message ascribed to them. Since the authorship of messages cannot be traced, the source protection is preserved.
  • Encrypted user profiles allow user photos and names to be transferred between users without the operator being able to see them.
  • View-Once allows users to send media files that the recipient can only open once, after which the file will delete itself. Signal introduced this function in its 2019 beta version.

In addition to these measures for transport encryption, Signal encrypts the data stored on the smartphone using SQLCipher in both the iOS and Android versions .

safety

The complete source code of the Signal clients and the server is publicly available on GitHub . This is only the case with very few applications in this branch and allows interested persons and organizations to examine the code and verify its secure functionality. Advanced users also have the option of compiling their own versions of the application and comparing them with the version distributed by the operator.

In October 2014, scientists at the Ruhr-Universität Bochum published an analysis of the protocol, which was then still called the TextSecure protocol: In addition to a few other points, they also discovered a previously unknown vulnerability (key-share attack), but came to the conclusion that the Protocol be safe.

In October 2016, a research group from the University of Oxford , Queensland University of Technology and McMaster University formally analyzed the signal protocol. According to the company, it is the first academic analysis of its kind for the product. According to the research results, the signal protocol is secure and meets requirements such as forward secrecy .

In January 2018, security researchers at the Ruhr University Bochum discovered, among other things, a theoretical gap in the conception of group chats in a further analysis. An attacker who knows the group ID and telephone number of a group member can add himself to this group and read the messages that are actually encrypted. However, all other group members would be notified of the newcomer.

As with the majority of competing products, a telephone number is required to use Signal. The makers of Signal are aware of the fact that part of the anonymity is lost as a result. For them, however, the advantage predominates, as users can easily and conveniently find each other as contacts in the app using their phone numbers. In order to guarantee anonymity, Signal never sends telephone numbers to the server for comparison, only their mathematical fingerprint (hash value). In addition, this comparison is only carried out in an encrypted main memory of the server that is not accessible to third parties . Ultimately, the operator's goal is not to have any knowledge of who is communicating with whom, when and about what.

The Android app uses the Google Cloud Messaging (GCM) push service . This is used to wake up the mobile device when there are new messages and to signal the presence of a new message to the user; however, it does not convey the content or sender. Theoretically, Google could therefore see who received a message and when, but not from whom or with what content. This criticism was responded to in February 2017, and push notifications based on WebSocket were also introduced, which do not require the Google service.

Although the code for the server platform is publicly available, which would make federation possible in principle, the operators have spoken out against it, as federation deprives them of the flexibility to quickly and comprehensively adapt the platform and thus leads to a strong development slowdown, as with Mail and XMPP . It is true that everyone could operate their own signal server and thus their own signal service, but its users would then be unable to communicate with those of the official service.

The abolition of SMS and MMS encryption from version 2.7 in the spring of 2015 has been criticized by various parties who valued this function.

Circumvention of censorship

Signal uses so-called domain fronting to circumvent censorship , based on Server Name Indication (SNI) and Transport Layer Security (TLS), which aims to disguise the actual end point of a communication. Here, several different and encrypted services in different domains share a physical server access under one IP address, for example on the TCP port 443 used for https. Due to the encryption used in the context of TLS, it is not possible to distinguish from the outside which service is involved is contacted. Due to their popularity, accesses like https can usually not be switched off so easily without causing extensive disruptions. Since Google services are very popular around the world, Signal decided to use domain fronting in conjunction with Google services. This function must be activated by users in the app settings.

On 17./18. December 2016, Signal was blocked in Egypt . A few days later, a new version was published that implemented domain fronting to circumvent censorship. Because of the US sanctions against Iran, Google services are not available there, which is why domain fronting does not work in relation to Google. Edward Snowden then criticized the US sanctions policy on this point and urged US politicians to make the Google services and thus Signal available in Iran.

However, some providers such as Amazon Web Services (AWS) do not allow domain fronting on their servers.

financing

The project is financed by an unknown number of partly private donations through the Freedom of the Press Foundation . Also known are larger grants from the Knight Foundation and the Shuttleworth Foundation. Since 2013 got Moxie Marlinspike money from the Open Technology Fund of Radio Free Asia , funded by the USAGM , have been promoted over the similar past projects such. B. the anonymization software Tor and the messenger Cryptocat . Ian Schuler, a member of the Truman National Security Project and then manager of the State Department's Internet Freedom Programs , then under Hillary Clinton mediated the approval of the payments . WhatsApp co-founder Brian Acton founded the Signal Foundation in 2018 and invested $ 50 million. That was the first major investment in the project. The money was to be used, among other things, to improve the quality of voice messages.

history

Security researcher Moxie Marlinspike and robotics scientist Stuart Andersen founded Whisper Systems in 2010 . In addition to the publication of TextSecure in May 2010, RedPhone , an application for encrypted voice telephony, was developed. Whisper Systems also developed a firewall and other utilities to encrypt other types of data as well. RedPhone and TextSecure played a role in protesting communications during the rise of the Arab Spring .

On November 28, 2011, Twitter announced the purchase of Whisper Systems for an undisclosed sum. Shortly after the acquisition, Whisper Systems RedPhone was decommissioned and later released as free software in July 2012 . Some criticized the removal, arguing that the application was specifically intended to help people within a repressive regime and that the unannounced shutdown endangered people such as the Egyptians during the events of the revolution in Egypt in 2011 .

TextSecure was also released as free software about a month after it was acquired by Twitter . The application has been jointly developed since then, and several publications based on this work have already been approved. The follow-up project was called Open Whisper Systems .

Open Whisper Systems has been working on an iOS version of TextSecure since March 2013 , which was published under the name "Signal".

In September 2013, the successful integration of the TextSecure protocol into the free operating system for mobile devices CyanogenMod from version 11.0 was announced, whereby the user base grew. As of version 13.0, the integration was removed again and support for the service was discontinued on February 1, 2016.

In the opening speech at South by Southwest 2014 , Edward Snowden , who discovered the NSA spying affair, praised Open Whisper Systems' applications for their ease of use.

In June 2014, TextSecure won $ 416,000 in prize money from the Knight Foundation . This should complete the planned iOS app. The iOS app should appear at the end of summer.

On July 29, 2014, Open Whisper Systems released the Signal app for iOS, which initially only supported encrypted telephony. With version 2.0, encrypted text message communication between Signal and TextSecure became possible.

In November 2014 it became known that competitor WhatsApp had built TextSecure encryption into its Android app with the help of the Open Whisper Systems team . An implementation for iOS followed. However, communication between TextSecure and WhatsApp users is not possible. The extent to which this increases data protection for Whatsapp users is controversial.

As of version 2.7, only messages sent over the data connection are encrypted. SMS and MMS are therefore no longer encrypted, unlike in the previous versions. This decision was justified as follows:

  • Complicated procedure for SMS encryption (manual key exchange; status control, whether the recipient can receive encrypted)
  • Compatibility problems with iOS: Encrypted SMS do not work there
  • Large amounts of metadata that inevitably and uncontrollably arise with SMS and MMS
  • Focus on program development: The maintenance of the SMS and MMS encryption with its many small special cases requires valuable resources that hamper the further development of the software.

Version 2.23.2 was released in July 2015. The user had to accept additional authorizations. However, these are not all used yet, but serve future skills, such as B. sending calendar entries or encrypted telephony (Redphone integration).

Version 3.1.1 was released in November 2015. Textsecure was renamed to Signal and now supports encrypted telephony (Redphone integration).

On December 2, 2015, a program version for computers ("desktop version") was presented in the form of a Chrome app. At first it could only be used in conjunction with the Android version, but now it also supports the iOS version. In addition, it was initially in a closed beta phase , in which potential users had to request an invitation before installation. The public beta phase started on April 7, 2016. The Google Chrome app was retired in October 2017, and Signal was released as a standalone program for Windows, macOS, and Linux.

On February 14, 2017, encrypted video telephony was implemented with version 3.29.6 (Android).

In October 2019 it became known that the EU Parliament would not allow the parliamentarians to use signals on the grounds that it was not standard software and that parliamentarians would continue to be referred to WhatsApp. This resulted in complaints as WhatsApp transmits metadata to the Facebook group. The system administrators are currently examining the use of Signal.

As of February 2020, Signal has been the recommended instant messaging application by the European Commission and its staff.

In April 2020, the operators appealed to citizens and decision-makers to reject the proposed Earn IT Act . The law provides that providers can be held liable if they do not give law enforcement authorities an insight into the encrypted communication of users. However, Signal cannot comply with this due to its end-to-end encryption.

Since May 2020, Signal has been offering the option of saving contacts and settings end-to-end encrypted on the servers using a PIN of your choice .

Since May 2020, the iOS version has been able to transfer the entire conversation history when switching devices.

In June 2020, as part of the protests against the death of George Floyd in the United States, the Messenger was installed over 120,000 times in the United States within a few days.

A beta version for video telephony has also been available in the desktop version since August 2020.

User numbers

Signal is used by 10 million users (as of August 2019), while Whatsapp is used by 1.6 billion and Telegram by 400 million people. According to a study by Apptopia, the growth figures for Signal users are particularly pronounced in countries that are viewed as corrupt.

See also

Web links

Commons : TextSecure  - collection of images, videos and audio files

Individual evidence

  1. Free, Worldwide, Encrypted Phone Calls for iPhone. Retrieved February 9, 2019 .
  2. Installation page for Android. In: Google Play . Retrieved July 17, 2020 .
  3. Preview page for iOS. In: App Store (iOS) . Retrieved July 17, 2020 .
  4. a b Signal download page. Retrieved August 19, 2020 .
  5. Signal-Desktop (Releases) in GitHub. Retrieved July 17, 2020 .
  6. a b Signal Android in GitHub. Accessed June 17, 2017 .
  7. a b Signal-iOS in GitHub. Accessed June 17, 2017 .
  8. Signal-Desktop (License) in GitHub. Accessed June 17, 2017 .
  9. a b Signal Server in GitHub. Retrieved June 29, 2017 .
  10. Now officially: The Messenger Signal is pretty safe. In: Netzpolitik.org. Retrieved March 27, 2018 .
  11. There are too many messengers - and clearly one of the best: Signal. In: The Standard. November 6, 2017, accessed March 27, 2018 .
  12. Secure Messaging Scorecard. Electronic Frontier Foundation, accessed March 27, 2018 .
  13. Ditch All Those Other Messaging Apps: Here's Why You Should Use Signal. In: Wired. Condé Nast, accessed March 27, 2018 .
  14. twitter.com
  15. ^ "Private contact discovery", cf. Crypto-Messenger Signal protects contact data from the server operators. Heise Online, accessed on March 27, 2018 .
  16. "Sealed Sender" see, Signal Blog: Technology preview: Sealed sender for Signal. Retrieved October 31, 2018 .
  17. Crypto-Messenger Signal introduces encrypted user profiles. In: Heise Online. Retrieved March 27, 2018 .
  18. signal.org
  19. ^ Signal Foundation. Retrieved March 27, 2018 .
  20. Crypto Messenger: WhatsApp co-founder invests $ 50 million in Signal Foundation. In: Heise Online. Retrieved March 27, 2018 .
  21. Trevor Perrin: ProtocolV2 ( English ) July 1, 2015. Accessed November 13, 2015.
  22. Katriel Cohn-Gordon, Cas Cremers, Benjamin Dowling, Luke Garratt, Douglas Stebila: A Formal Security Analysis of the Signal Messaging Protocol . Ed .: Cryptology ePrint Archive. November 2017 ( https://eprint.iacr.org/2016/1013.pdf Online [PDF; 680 kB ; accessed on January 17, 2019]).
  23. Video calls for Signal now in public beta. Signal Messenger, accessed March 27, 2018 .
  24. t3n.de
  25. Signal Community. Signal Community, accessed March 27, 2018 .
  26. Masha Kolenkina: Is it private? Can I trust it? (No longer available online.) In: whispersystems.org. Archived from the original on June 9, 2017 ; accessed on June 9, 2017 (English). Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice. @1@ 2Template: Webachiv / IABot / support.whispersystems.org
  27. Frosch, Mainka, Bader, Bergsma, Schwenk, Holz: How Secure is TextSecure? (PDF) HGI , accessed on April 6, 2017 (English).
  28. Darren Pauli: Auditors find encrypted chat client TextSecure is secure. In: theregister.co.uk. November 3, 2014, accessed April 6, 2017 .
  29. a b Arne Arnold, Denise Bergert: Safe Whatsapp alternative: Signal. July 10, 2018, accessed July 15, 2018 .
  30. ^ Cohn-Gordon, Cremers, Dowling, Garratt, Stebila: A Formal Security Analysis of the Signal Messaging Protocol. (PDF) October 2016, accessed on April 6, 2017 (English).
  31. heise Security: WhatsApp and Signal: Researchers describe weaknesses in encrypted group chats .
  32. Paul Rösler, Christian Mainka, Jörg Schwenk: More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema . No. 713 , 2017 ( iacr.org ).
  33. Security Issue in Group Chats (SOLVED) .
  34. a b Signal >> Blog >> Technology preview: Private contact discovery for Signal .
  35. heise Security: Crypto-Messenger Signal protects contact data from server operators .
  36. Golem: “Signal can be used immediately without Play Services” , accessed on February 22, 2017.
  37. Please add LibreSignal to f-droid Issue # 37 LibreSignal / LibreSignal. Retrieved November 29, 2018 .
  38. Moxie Marlinspike: The ecosystem is moving. Retrieved November 15, 2016 .
  39. a b Goodbye encrypted SMS blog entry by Whispersystems about the abandonment of encrypted SMS and MMS. Retrieved March 21, 2015
  40. Tomas Rudl: Egypt blocks the crypto messenger signal. In: netzpolitik.org . December 20, 2016. Retrieved March 22, 2017 .
  41. ^ Open Whisper Systems: We've been investigating over the weekend, and have confirmed that Egypt is censoring access to Signal. In: Twitter . December 19, 2016, accessed March 22, 2017 .
  42. Tomas Rudl: Messenger app Signal bypasses the lock in Egypt. In: netzpolitik.org. December 22, 2016. Retrieved March 22, 2017 .
  43. Domain Fronting for Iran Issue # 7311 signalapp / Signal-Android .
  44. Edward Snowden on Twitter .
  45. Amazon threatens to suspend Signal's AWS account over censorship circumvention. Retrieved May 3, 2018 .
  46. Freedom of the Press Foundation: Signal is the premier end-to-end encrypted texting and calling application. Please support them today. Retrieved July 4, 2017 .
  47. ^ Knight Foundation: TextSecure. Retrieved July 4, 2017 .
  48. Open Technology Fund: Privacy enhancing technology ( Memento from November 15, 2016 in the web archive archive.today ) (English).
  49. ^ Open Technology Fund: Open Whisper Systems. Archived from the original on September 5, 2017 ; accessed on July 4, 2017 (English).
  50. a b Danny Yadron: Moxie Marlinspike: The Coder Who Encrypted Your text. (No longer available online.) In: The Wall Street Journal. July 9, 2015, archived from the original on July 12, 2015 ; accessed on March 12, 2020 (English).
  51. ^ Truman National Security Project: Ian Schuler. (No longer available online.) Archived from the original on March 12, 2020 ; accessed on March 12, 2020 (English).
  52. Development Seed: CEO Ian Schuler. (No longer available online.) Archived from the original on March 12, 2020 ; accessed on March 12, 2020 (English).
  53. ^ Joseph Marks: Hillary Clinton: 'Internet freedom' activist? (No longer available online.) In: Politico. August 10, 2015, archived from the original on September 5, 2015 ; accessed on March 12, 2020 (English).
  54. heise online: Crypto Messenger: WhatsApp co-founder invests 50 million dollars in Signal Foundation. Retrieved February 25, 2018 .
  55. a b c Caleb Garling: Twitter Open Sources Its Android Moxie , Wired.com. December 20, 2011. Retrieved November 13, 2015. 
  56. Company Overview of Whisper Systems Inc. . Bloomberg Business Week. Retrieved November 13, 2015.
  57. ^ Andy Greenberg: Android App Aims to Allow Wiretap-Proof Cell Phone Calls. In: Forbes . May 25, 2010. Retrieved March 22, 2017 .
  58. ^ Robert Lemos: An App for Dissidents . MIT Technology Review. February 15, 2011. Retrieved November 13, 2015.
  59. Tom Cheredar: Twitter acquires Android security startup Whisper Systems . VentureBeat. November 28, 2011. Retrieved December 21, 2011.
  60. ^ Andy Greenberg: Twitter Acquires Moxie Marlinspike's Encryption Startup Whisper Systems , Forbes. November 28, 2011. Retrieved December 21, 2011. 
  61. Caleb Garling: Twitter Buys Some Middle East Moxie | Wired Enterprise , Wired.com. November 28, 2011. Retrieved December 21, 2011. 
  62. Pete Pachal: Twitter Takes TextSecure, Texting App for Dissidents, Open Source. In: Mashable . December 20, 2011, accessed March 17, 2017 .
  63. Moxie Marlinspike (moxie0): A New Home. In: whispersystems.org. January 21, 2013, accessed March 17, 2017 .
  64. DJ Pangburn: TextSecure Is the Easiest Encryption App To Use (So Far) ( Memento of March 7, 2014 in the Internet Archive ) (English).
  65. ^ Brian Donohue: TextSecure Sheds SMS in Latest Version. In: threatpost.com. The Kaspersky Lab Security News Service, February 24, 2014, accessed April 2, 2017 .
  66. Christine Corbett: Sure! . Open Whisper Systems. March 27, 2013. Retrieved March 16, 2014.
  67. Andy Greenberg: Ten Million More Android Users' Text Messages Will Soon Be Encrypted By Default , Forbes. December 9, 2013. Retrieved February 28, 2014. 
  68. Seth Schoen: 2013 in Review: Encrypting the Web Takes A Huge Leap Forward , Electronic Frontier Foundation. December 28, 2013. Retrieved March 1, 2014. 
  69. Moxie Marlinspike (moxie0): TextSecure, Now With 10 Million More Users. In: whispersystems.org. December 9, 2013, accessed March 17, 2017 .
  70. ciwrl: Whisper Push - End of Life , CyanogenMod. January 19, 2016. Archived from the original on February 19, 2016. Retrieved on April 8, 2016. 
  71. Max Eddy: Snowden to SXSW: Here's How To Keep The NSA Out Of Your Stuff. In: PC Magazine . March 11, 2014, accessed March 22, 2017 .
  72. Hanno Böck: Snowden recommends Textsecure and Redphone. In: Golem.de . March 11, 2014, accessed March 22, 2017 .
  73. ^ TextSecure: Simple Private Communication For Everyone , NewsChallenge. Retrieved July 27, 2014. 
  74. Open Whisper Systems is coming to iPhone! , Open Whisper Systems. Retrieved July 27, 2014. 
  75. Signal >> Blog >> WhatsApp's Signal Protocol integration is now complete. Retrieved May 12, 2018 .
  76. Whatsapp takes over encryption from Textsecure on Golem.de , last accessed on December 12, 2014
  77. Developer: Facebook can view WhatsApp chats - despite end-to-end encryption , from April 13, 2018
  78. Just Signal blog entry from Whispersystems renaming to Signal. Retrieved November 3, 2015
  79. Signal Desktop. December 5, 2015, accessed January 20, 2016 .
  80. Signal Desktop beta now publicly available. April 7, 2016, accessed April 8, 2016 .
  81. Standalone Signal Desktop. October 31, 2017, accessed February 19, 2018 .
  82. Open Whisper App Signal: Encrypted video calls for Android. it-times.de, February 19, 2017, accessed on February 19, 2017 .
  83. EU Parliament does not allow MPs to install a signal from October 7, 2019, accessed on December 13, 2019.
  84. heise online: EU Parliament recommends Jabber instead of WhatsApp and checks signal. Retrieved December 17, 2019 .
  85. Laurens Cerulus: EU Commission to staff: Switch to Signal messaging app. In: Politico . February 20, 2020, accessed March 5, 2020 .
  86. Signal: Encrypted Messenger threatens to withdraw from the USA in the standard from April 12, 2020, accessed on April 13, 2020.
  87. Original blog post
  88. Axel Kannenberg: Messenger Signal introduces PIN for easier device change. In: heise online. Heise Medien, May 20, 2020, accessed on May 21, 2020 .
  89. US protests cause a storm of users on encrypted messenger signal in the standard from June 5, 2020, accessed on June 5, 2020.
  90. Signal: Desktop version of the messenger receives video call function on computer image from August 14, 2020, accessed on August 19, 2020
  91. Signal Private Messenger. Retrieved December 15, 2019 (American English).
  92. 400 Million Users, 20,000 Stickers, Quizzes 2.0 and € 400K for Creators of Educational Tests. Telegram, accessed April 25, 2020 .
  93. ^ Matthew Hughes: Signal and Telegram are growing rapidly in countries with corruption problems. January 23, 2018. Retrieved December 15, 2019 (American English).