
User:Asr/SMSSecure: Difference between revisions

From Wikipedia, the free encyclopedia
Asr (talk | contribs)
Asr (talk | contribs)
Line 59: Line 59:
Because TextSecure implements instant messaging via Google Cloud Messaging (push) or Cyanogen WhisperPush<ref name=whisper1 />. The goal of SMSsecure team is to build an app which could be totally independant from google services<ref name="readme1" />, which is not be TextSecure because of this Cloud Messaging dependancy.
Because TextSecure implements instant messaging via Google Cloud Messaging (push) or Cyanogen WhisperPush<ref name=whisper1 />. The goal of SMSsecure team is to build an app which could be totally independant from google services<ref name="readme1" />, which is not be TextSecure because of this Cloud Messaging dependancy.
implemented regarding message centralization and uses google APIs, SMSsecure is more private and less platform dependant than TextSecure<ref name="korben1" />.
implemented regarding message centralization and uses google APIs, SMSsecure is more private and less platform dependant than TextSecure<ref name="korben1" />.
==Security==
On July, 27 2015, a security leak in a google android library "" has been publicly announced, which leads users to audit their MMS/SMS applications. SMSSecure is not concerned by this security alert<ref name="stagefright1">https://lists.riseup.net/www/arc/whispersystems/2015-07/msg00084.html</ref><ref name="zdnet1">http://www.zdnet.fr/actualites/stagefright-un-simple-mms-pour-controler-95-des-smartphones-android-39822978.htm</ref>.


==Licensing==
==Licensing==
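Review bot: in the added Security paragraph the library name is an empty pair of quotes (a google android library ""), so the sentence never says which vulnerability it is about; name the library explicitly, in line with the two sources cited. In the same sentence "security leak" and "is not concerned by" read as literal translations; "vulnerability" and "is not affected by" would be clearer, and the claim that SMSSecure is unaffected should state the reason rather than rest on a bare mailing-list URL. The date is better written "On 27 July 2015", and both bare-URL refs should carry a title and retrieval date like the other citations in the article.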

Revision as of 07:13, 30 July 2015

Asr/SMSSecure
Original author(s): Moxie Marlinspike and Stuart Anderson (Whisper Systems)
Developer(s): SMSSecure
Initial release: March 2015 (2015-03)
Written in: Java
Operating system: Android
Type: Encrypted SMS/MMS messaging
Website: smssecure.org

SMSSecure is a fork of TextSecure, both advanced free and open-source encrypted messaging applications for Android which use the TextSecure encryption protocol. This protocol enables the secure transmission of SMS and MMS messages to other SMSSecure users. Users can independently verify the identity of their correspondents by comparing key fingerprints out-of-band or by scanning QR codes in person. The Android application can function as a drop-in replacement for Android's native messaging application. The local message database can be encrypted with a passphrase.

SMSSecure implements TextSecure's instant messaging protocol [1] with no instant messaging features, and therefore can be used to communicate with TextSecure, WhisperPush, or Signal users, but with feature limitations. SMSSecure is developed by the SMSSecure team.

History

TextSecure

Whisper Systems and Twitter (2010–2011)

TextSecure started as an application for sending and receiving encrypted SMS messages.[2] Its beta version was first launched in May 2010 by Whisper Systems,[3] a startup company co-founded by security researcher Moxie Marlinspike and roboticist Stuart Anderson.[4][5] In addition to launching TextSecure, Whisper Systems produced a firewall, tools for encrypting other forms of data, and RedPhone, an application that provides encrypted voice calls.[6][4] All of these were proprietary enterprise mobile security software.

In November 2011, Whisper Systems announced that it had been acquired by Twitter. The financial terms of the deal were not disclosed by either company.[7] The acquisition was done "primarily so that Mr. Marlinspike could help the then-startup improve its security".[8]

Twitter released TextSecure as free and open-source software under the GPLv3 license in December 2011.[4][9][10][11] RedPhone was also released under the same license in July 2012.[12] Marlinspike later left Twitter and founded Open Whisper Systems[13] as a collaborative Open Source project for the continued development of TextSecure and RedPhone.[14]

Open Whisper Systems (2013–2015)

Open Whisper Systems' website was launched in January 2013.[14] Open Whisper Systems started working to bring TextSecure to iOS in March 2013.[15][16]

In February 2014, Open Whisper Systems updated their protocol to version 2, adding group chat and push messaging capabilities.[15][17] Toward the end of July 2014, Open Whisper Systems announced plans to unify its RedPhone and TextSecure applications as Signal.[18] This announcement coincided with the initial release of Signal as a RedPhone counterpart for iOS. The developers said that their next steps would be to provide TextSecure instant messaging capabilities for iOS, unify the RedPhone and TextSecure applications on Android, and launch a web client.[19] Signal was the first iOS app to enable easy, strongly encrypted voice calls for free.[13][20]

In March 2015, Open Whisper Systems released Signal 2.0 with support for TextSecure private messaging on iOS.[21][22] Later that month, Open Whisper Systems ended support for sending and receiving encrypted SMS/MMS messages on Android. As of version 2.7.0, TextSecure only supports sending and receiving encrypted messages via the data channel. Reasons for this included:[2]

  • Complications with the SMS encryption procedure: Users needed to manually initiate a "key exchange", which required a full round trip before any messages could be exchanged. In addition to this, users could not always be sure whether the receiver could receive encrypted SMS/MMS messages or not.
  • Compatibility issues with iOS: Not possible to send or receive encrypted SMS/MMS messages on iOS due to the lack of APIs.
  • The large amounts of metadata that inevitably arise and are uncontrollable when using SMS/MMS for the transportation of messages.
  • Focus on software development: Maintaining SMS/MMS encryption and dealing with edge cases took up valuable resources and inhibited the development of the software.

Forking

Open Whisper Systems' abandonment of SMS/MMS encryption prompted some users to create SMSSecure as a fork.[23]

Features

SMSSecure allows users to send encrypted text messages to other TextSecure, Signal or SMSSecure users with smartphones running Android. SMSSecure also allows users to exchange unencrypted SMS and MMS messages with people who do not have SMSSecure.

Messages sent with SMSSecure may be encrypted as soon as the user has sent a private session request. This feature differs from the regular use of TextSecure and Signal with TextSecure protocol v2, which centralises users in a directory server and is therefore able to start an encrypted session automatically via Google Cloud Messaging,[24] without asking the user. Once the private session has started, every message sent is automatically end-to-end encrypted, which means that it can only be read by the intended recipients. The keys that are used to encrypt the user's messages are stored on the device alone, and they are protected by an additional layer of encryption if the user has a passphrase enabled. In the user interface, encrypted messages are denoted by a lock icon.

SMSSecure has a built-in function for verifying that the user is communicating with the right person and that no man-in-the-middle attack has occurred. This verification can be done by comparing key fingerprints out-of-band. Users can also scan each other's personal QR codes.

Privacy concerns

TextSecure implements instant messaging via Google Cloud Messaging (push) or Cyanogen WhisperPush.[25] The goal of the SMSSecure team is to build an app that is totally independent from Google services,[26] which TextSecure is not, because of this Cloud Messaging dependency.

implemented regarding message centralization and uses Google APIs, SMSSecure is more private and less platform dependent than TextSecure.[27]

Security

On July 27, 2015, a security vulnerability in a Google Android library "" was publicly announced, which led users to audit their MMS/SMS applications. SMSSecure is not affected by this security alert.[28][29]

Licensing

The complete source code of SMSSecure is available on GitHub under a free software license. This enables interested parties to examine the code and help the developers verify that everything is behaving as expected. It also allows advanced users to compile their own copy of the application and compare it with the version that is distributed by SMSSecure.

Distribution

SMSSecure is available through Google Play, F-Droid and Amazon Apps.[30][failed verification]

See also

References

  1. ^ https://github.com/SMSSecure/SMSSecure/blob/master/README.md
  2. ^ a b Open Whisper Systems (6 March 2015). "Saying goodbye to encrypted SMS/MMS". Retrieved 22 March 2015.
  3. ^ "Announcing the public beta". Whisper Systems. 25 May 2010. Archived from the original on 30 May 2010. Retrieved 22 January 2015.
  4. ^ a b c Garling, Caleb (2011-12-20). "Twitter Open Sources Its Android Moxie | Wired Enterprise". Wired. Retrieved 2011-12-21.
  5. ^ "Company Overview of Whisper Systems Inc". Bloomberg Businessweek. Retrieved 2014-03-04.
  6. ^ Andy Greenberg (2010-05-25). "Android App Aims to Allow Wiretap-Proof Cell Phone Calls". Forbes. Retrieved 2014-02-28.
  7. ^ Tom Cheredar (November 28, 2011). "Twitter acquires Android security startup Whisper Systems". VentureBeat. Retrieved 2011-12-21.
  8. ^ Yadron, Danny (9 July 2015). "Moxie Marlinspike: The Coder Who Encrypted Your Texts". The Wall Street Journal. Retrieved 10 July 2015.
  9. ^ Chris Aniszczyk (20 December 2011). "The Whispers Are True". The Twitter Developer Blog. Twitter. Archived from the original on 24 October 2014. Retrieved 22 January 2015.
  10. ^ "TextSecure is now Open Source!". Whisper Systems. 20 December 2011. Archived from the original on 6 January 2012. Retrieved 22 January 2015.
  11. ^ Pete Pachal (2011-12-20). "Twitter Takes TextSecure, Texting App for Dissidents, Open Source". Mashable. Retrieved 2014-03-01.
  12. ^ "RedPhone is now Open Source!". Whisper Systems. 18 July 2012. Archived from the original on 31 July 2012. Retrieved 22 January 2015.
  13. ^ a b Andy Greenberg (29 July 2014). "Your iPhone Can Finally Make Free, Encrypted Calls". Wired. Retrieved 18 January 2015.
  14. ^ a b "A New Home". Open Whisper Systems. 21 January 2013. Retrieved 23 January 2015.
  15. ^ a b Brian Donohue (Feb 24, 2014). "TextSecure Sheds SMS in Latest Version". Threatpost. Retrieved 2014-03-01.
  16. ^ Christine Corbett (27 March 2013). "Sure!". Open Whisper Systems. Retrieved 2014-03-16.
  17. ^ Moxie Marlinspike (24 February 2014). "The New TextSecure: Privacy Beyond SMS". Open Whisper Systems. Retrieved 26 February 2014.
  18. ^ "Free, Worldwide, Encrypted Phone Calls for iPhone". Open Whisper Systems. 29 July 2014.
  19. ^ Michael Mimoso (29 July 2014). "New Signal App Brings Encrypted Calling to iPhone". Threatpost.
  20. ^ Jon Evans (29 July 2014). "Talk Private To Me: Free, Worldwide, Encrypted Voice Calls With Signal For iPhone". TechCrunch. AOL.
  21. ^ Micah Lee (2015-03-02). "You Should Really Consider Installing Signal, an Encrypted Messaging App for iPhone". The Intercept. Retrieved 2015-03-03.
  22. ^ Megan Geuss (2015-03-03). "Now you can easily send (free!) encrypted messages between Android, iOS". Ars Technica. Retrieved 2015-03-03.
  23. ^ "TextSecure-Fork bringt SMS-Verschlüsselung zurück". Heise (in German). 2 April 2015. Retrieved 29 July 2015.
  24. ^ http://linuxfr.org/news/smssecure-les-sms-et-mms-chiffres-sur-android-ce-n-est-pas-fini
  25. ^ The client logic is contained in a CyanogenMod system app called WhisperPush, which the system hands outgoing SMS messages to for optional delivery. https://whispersystems.org/blog/cyanogen-integration/
  26. ^ SMSSecure focuses on SMS and MMS. This fork aims to: Keep SMS/MMS encryption ; Drop Google services dependencies (push messages are not available in SMSSecure). [1]
  27. ^ SMSSecure is free software (under the GPL license), does not depend on any third-party server, does not rely on Google's APIs and services, and uses 256-bit encryption. [2]
  28. ^ https://lists.riseup.net/www/arc/whispersystems/2015-07/msg00084.html
  29. ^ http://www.zdnet.fr/actualites/stagefright-un-simple-mms-pour-controler-95-des-smartphones-android-39822978.htm
  30. ^ http://www.slate.fr/story/101631/internet-hyper-prudent