Open Whisper Systems

From Wikipedia, the free encyclopedia
  (Redirected from Open WhisperSystems)
Jump to: navigation, search
This article is about an open-source software project. For the Twitter subsidiary, see Whisper Systems.
Open Whisper Systems
Open WhisperSystems logo.png
Mission statement Our mission is to make private communication simple.[1]
Commercial? No[2]
Type of project Free and open-source software, Encryption software, Mobile software
Products RedPhone, Signal, TextSecure
Location San Francisco, CA
Owner Supported and owned by community[1]
Founder Moxie Marlinspike[3]
Key people Moxie Marlinspike, Christine Corbett Moran, Frederic Jacobs, Jake McGinty, Tyler Reinhard, Lilia Kai, Rhodey Orbits[1][4]
Established 21 January 2013 (2013-01-21)
Funding Grants and donations
Website whispersystems.org

Open Whisper Systems is a nonprofit software group[3] that develops collaborative open source projects with a mission to "make private communication simple".[1] The group was established in 2013 and consists of a small team of dedicated grant-funded developers, as well as a large community of volunteer open source contributors.[1] Open Whisper Systems is funded by a combination of donations and grants, and all of its products are published as free and open-source software under the terms of the GNU General Public License (GPL) version 3.

History[edit]

Background[edit]

Security researcher Moxie Marlinspike and roboticist Stuart Anderson co-founded a startup company called Whisper Systems in 2010.[5][6] The company produced proprietary enterprise mobile security software. Among these were TextSecure and RedPhone.[7] They also developed a firewall and tools for encrypting other forms of data.[5]

In November 2011, Whisper Systems announced that it had been acquired by Twitter. The financial terms of the deal were not disclosed by either company.[8] The acquisition was done "primarily so that Mr. Marlinspike could help the then-startup improve its security".[9] Shortly after the acquisition, Whisper Systems' RedPhone service was made unavailable.[10] Some criticized the removal, arguing that the software was "specifically targeted [to help] people under repressive regimes" and that it left people like the Egyptians in "a dangerous position" during the events of the 2011 Egyptian revolution.[11]

Twitter released TextSecure as free and open-source software under the GPLv3 license in December 2011.[5][12][13][14] RedPhone was also released under the same license in July 2012.[15] Marlinspike later left Twitter and founded Open Whisper Systems[2] as a collaborative Open Source project for the continued development of TextSecure and RedPhone.[16]

Establishment[edit]

Open Whisper Systems' website was launched in January 2013.[16]

Toward the end of July 2014, Open Whisper Systems announced Flock, a private contact and calendar cloud sync, and plans to unify its RedPhone and TextSecure applications as Signal.[17] These announcements coincided with the initial release of Signal as a RedPhone counterpart for iOS. The developers said that their next steps would be to provide TextSecure instant messaging capabilities for iOS, unify the RedPhone and TextSecure applications on Android, and launch a web client.[18] Signal was the first iOS app to enable easy, strongly encrypted voice calls for free.[2][19]

On November 18, 2014, Open Whisper Systems announced a partnership with WhatsApp to provide end-to-end encryption by incorporating the protocol used in TextSecure into each WhatsApp client platform.[20] Open Whisper Systems asserted that they have already incorporated the protocol into the latest WhatsApp client for Android and that support for other clients, group/media messages, and key verification would be coming soon.[21] WhatsApp confirmed the partnership to reporters, but there was no announcement or documentation about the encryption feature on the official website, and further requests for comment were declined.[22]

In March 2015, Open Whisper Systems released Signal 2.0 with support for TextSecure private messaging on iOS.[23][24]

Funding[edit]

Open Whisper Systems is funded by a combination of donations and grants. The project has received financial support from, among others, the Freedom of the Press Foundation,[25] the Knight Foundation,[26] the Shuttleworth Foundation,[27] and the Open Technology Fund,[28] a U.S. government program that has also funded other privacy projects like the anonymity software Tor and the encrypted instant messaging application Cryptocat.

Open Whisper Systems uses a system called BitHub to distribute small donations appropriately among contributors. The system automatically pays a percentage of Bitcoin funds for every submission to one of Open Whisper Systems' GitHub repositories.[29][19]

Reception[edit]

Former NSA contractor Edward Snowden has endorsed Open Whisper Systems' applications on multiple occasions. In his keynote speech at SXSW in March 2014, he praised TextSecure and RedPhone for their ease-of-use.[30] During an interview with The New Yorker in October 2014, he recommended using "anything from Moxie Marlinspike and Open Whisper Systems".[31] During a remote appearance at an event hosted by Ryerson University and Canadian Journalists for Free Expression in March 2015, Snowden said that Signal is "very good" and that he knew the security model.[32] Asked about encrypted messaging apps during a Reddit AMA in May 2015, he recommended “Signal for iOS, Redphone/TextSecure for Android”.[33][34]

In October 2014, the Electronic Frontier Foundation (EFF) included TextSecure, RedPhone, and Signal in their updated surveillance self-defense guide.[35] In November 2014, all three received top scores on the EFF's secure messaging scorecard, along with Cryptocat, Silent Phone, and Silent Text.[36] They received points for having communications encrypted in transit, having communications encrypted with keys the providers don't have access to (end-to-end encryption), making it possible for users to independently verify their correspondent's identities, having past communications secure if the keys are stolen (forward secrecy), having their code open to independent review (open source), having their security designs well-documented, and having recent independent security audits.[36]

On December 28, 2014, Der Spiegel published slides from an internal NSA presentation dating to June 2012 in which the NSA deemed RedPhone on its own as a "major threat" to its mission, and when used in conjunction with other privacy tools such as Cspace, Tor, Tails, and TrueCrypt was ranked as "catastrophic," leading to a "near-total loss/lack of insight to target communications, presence..."[37][38]

Active projects[edit]

AxolotlKit[edit]

AxolotlKit is a free implementation of the Axolotl encryption protocol. It is designed to be a drop-in library that can be easily integrated into existing projects. The implementation is written in Objective-C and is publisher under the GPLv2 license.[39]

BitHub[edit]

BitHub is a service that will automatically pay a percentage of Bitcoin funds for every submission to a GitHub repository.[40]

Flock[edit]

Flock is a service that syncs calendar and contact information on Android devices. Users have the ability to host their own server. The software is published under the GPLv3 license.[41]

RedPhone[edit]

RedPhone

RedPhone is a free and open-source encrypted voice calling application for Android. RedPhone integrates with the system dialer to provide a frictionless call experience, but uses ZRTP to set up an end-to-end encrypted VoIP channel for the actual call. RedPhone was designed specifically for mobile devices, using audio codecs and buffer algorithms tuned to the characteristics of mobile networks, and uses push notifications to preserve the user's device's battery life while still remaining responsive.[42] RedPhone calls are compatible with Signal calls on iOS.[2] All calls are made over a Wi-Fi or data connection and are free of charge, including long distance and international.[19]

All RedPhone calls to other RedPhone users and to Signal users are automatically end-to-end encrypted. The keys that are used to encrypt the user's communications are generated and stored at the endpoints (i.e. by users, not by servers). The encryption implements forward secrecy.[36]

RedPhone and Signal have a built-in mechanism for verifying that no man-in-the-middle attack has occurred. During a call, the apps display two words (selected from the PGP word list) on the screen. If the words match on both ends of the call, the call is secure.[19][43]

The software is published under the GPLv3 license.[42]

Signal[edit]

Main article: Signal (software)
Signal

Signal is a free and open-source encrypted voice calling and instant messaging application for iOS. Signal communications are compatible with RedPhone and TextSecure on Android. It uses end-to-end encryption with forward secrecy and deniable authentication to secure all communications to Signal, RedPhone, and TextSecure users.[24][36]

Open Whisper Systems has set up dozens of servers to handle the encrypted calls in more than 10 countries around the world to minimize latency.[2]

The software is published under the GPLv3 license.[44]

TextSecure[edit]

Main article: TextSecure
TextSecure

TextSecure is a free and open-source encrypted messaging application for Android.[45][46] TextSecure can be used to send and receive SMS, MMS, and instant messages.[47] TextSecure instant messages are compatible with Signal messages on iOS. It uses end-to-end encryption with forward secrecy and deniable authentication to secure all instant messages to TextSecure and Signal users.[46][48][49][36]

The software is published under the GPLv3 license.[45]

TextSecure-Server[edit]

TextSecure-Server is the software that handles message routing for the TextSecure data channel.

Client-server communication is protected by TLS.[50] Communication is handled by a REST API and push messaging (both GCM and APN).[51] Support for WebSocket has been added.[52]

The software is published under the AGPLv3 license.[51]

See also[edit]

References[edit]

  1. ^ a b c d e Open Whisper Systems. "Open Whisper Systems". Retrieved 2015-05-01. 
  2. ^ a b c d e Andy Greenberg (29 July 2014). "Your iPhone Can Finally Make Free, Encrypted Calls". Wired. Retrieved 18 January 2015. 
  3. ^ a b Franceschi-Bicchierai, Lorenzo (18 November 2014). "WhatsApp messages now have Snowden-approved encryption on Android". Mashable. Retrieved 23 January 2015. 
  4. ^ Open Whisper Systems. "People". GitHub. Retrieved 24 January 2015. 
  5. ^ a b c Garling, Caleb (2011-12-20). "Twitter Open Sources Its Android Moxie | Wired Enterprise". Wired.com. Retrieved 2011-12-21. 
  6. ^ "Company Overview of Whisper Systems Inc.". Bloomberg Businessweek. Retrieved 2014-03-04. 
  7. ^ Andy Greenberg (2010-05-25). "Android App Aims to Allow Wiretap-Proof Cell Phone Calls". Forbes. Retrieved 2014-02-28. 
  8. ^ Tom Cheredar (November 28, 2011). "Twitter acquires Android security startup Whisper Systems". VentureBeat. Retrieved 2011-12-21. 
  9. ^ Yadron, Danny (9 July 2015). "Moxie Marlinspike: The Coder Who Encrypted Your Texts". The Wall Street Journal. Retrieved 10 July 2015. 
  10. ^ Andy Greenberg (2011-11-28). "Twitter Acquires Moxie Marlinspike's Encryption Startup Whisper Systems". Forbes. Retrieved 2011-12-21. 
  11. ^ Garling, Caleb (2011-11-28). "Twitter Buys Some Middle East Moxie | Wired Enterprise". Wired.com. Retrieved 2011-12-21. 
  12. ^ Chris Aniszczyk (20 December 2011). "The Whispers Are True". The Twitter Developer Blog. Twitter. Archived from the original on 24 October 2014. Retrieved 22 January 2015. 
  13. ^ "TextSecure is now Open Source!". Whisper Systems. 20 December 2011. Archived from the original on 6 January 2012. Retrieved 22 January 2015. 
  14. ^ Pete Pachal (2011-12-20). "Twitter Takes TextSecure, Texting App for Dissidents, Open Source". Mashable. Retrieved 2014-03-01. 
  15. ^ "RedPhone is now Open Source!". Whisper Systems. 18 July 2012. Archived from the original on 31 July 2012. Retrieved 22 January 2015. 
  16. ^ a b "A New Home". Open Whisper Systems. 2013-01-21. Retrieved 2014-03-01. 
  17. ^ "Free, Worldwide, Encrypted Phone Calls for iPhone". Open Whisper Systems. 29 July 2014. 
  18. ^ Michael Mimoso (29 July 2014). "New Signal App Brings Encrypted Calling to iPhone". Threatpost. 
  19. ^ a b c d Jon Evans (29 July 2014). "Talk Private To Me: Free, Worldwide, Encrypted Voice Calls With Signal For iPhone". TechCrunch. AOL. 
  20. ^ Jon Evans (2014-11-18). "WhatsApp Partners With Open Whisper Systems To End-To-End Encrypt Billions Of Messages A Day". TechCrunch. Retrieved 2014-11-19. 
  21. ^ "Open Whisper Systems partners with WhatsApp to provide end-to-end encryption". Open Whisper Systems. November 18, 2014. Retrieved November 18, 2014. 
  22. ^ "Facebook’s messaging service WhatsApp gets a security boost". Forbes. 18 Nov 2014. Retrieved 21 Nov 2014. 
  23. ^ Micah Lee (2015-03-02). "You Should Really Consider Installing Signal, an Encrypted Messaging App for iPhone". The Intercept. Retrieved 2015-03-03. 
  24. ^ a b Megan Geuss (2015-03-03). "Now you can easily send (free!) encrypted messages between Android, iOS". Ars Technica. Retrieved 2015-03-04. 
  25. ^ "Donate to Support Encryption Tools for Journalists". Freedom of the Press Foundation. Retrieved 19 May 2015. 
  26. ^ "TextSecure". Knight Foundation. Retrieved 5 January 2015. 
  27. ^ "Moxie Marlinspike". Shuttleworth Foundation. Retrieved 14 January 2015. 
  28. ^ "Open Whisper Systems". Open Technology Fund. Retrieved 19 May 2015. 
  29. ^ Marlinspike, Moxie (16 December 2013). "BitHub = Bitcoin + GitHub. An experiment in funding privacy OSS.". Open Whisper Systems. Retrieved 23 January 2015. 
  30. ^ Max Eddy (11 March 2014). "Snowden to SXSW: Here's How To Keep The NSA Out Of Your Stuff". PC Magazine: SecurityWatch. Retrieved 2014-03-16. 
  31. ^ "The Virtual Interview: Edward Snowden - The New Yorker Festival". YouTube. The New Yorker. Oct 11, 2014. Retrieved May 24, 2015. 
  32. ^ Dell Cameron (Mar 6, 2015). "Edward Snowden tells you what encrypted messaging apps you should use". The Daily Dot. Retrieved May 24, 2015. 
  33. ^ Alan Yuhas (May 21, 2015). "NSA surveillance powers on the brink as pressure mounts on Senate bill – as it happened". The Guardian. Retrieved May 24, 2015. 
  34. ^ Zack Beauchamp (May 21, 2015). "The 9 best moments from Edward Snowden's Reddit Q&A". Vox Media. Retrieved May 24, 2015. 
  35. ^ "Surveillance Self-Defense. Communicating with Others". Electronic Frontier Foundation. 2014-10-23. 
  36. ^ a b c d e "Secure Messaging Scorecard. Which apps and tools actually keep your messages safe?". Electronic Frontier Foundation. 2014-11-04. 
  37. ^ SPIEGEL Staff (28 December 2014). "Prying Eyes: Inside the NSA's War on Internet Security". Der Spiegel. Retrieved 23 January 2015. 
  38. ^ "Presentation from the SIGDEV Conference 2012 explaining which encryption protocols and techniques can be attacked and which not" (PDF). Der Spiegel. 28 December 2014. Retrieved 23 January 2015. 
  39. ^ Open Whisper Systems. "AxolotlKit". GitHub. Retrieved 1 April 2015. 
  40. ^ Open Whisper Systems. "BitHub". GitHub. Retrieved 14 January 2015. 
  41. ^ Open Whisper Systems. "Flock". GitHub. Retrieved 14 January 2015. 
  42. ^ a b Open Whisper Systems. "RedPhone". GitHub. Retrieved 14 January 2015. 
  43. ^ "Exactly how does Zfone and ZRTP protect against a man-in-the-middle (MiTM) attack?". The Zfone Project. Retrieved 25 January 2015. 
  44. ^ Open Whisper Systems. "Signal-iOS". GitHub. Retrieved 14 January 2015. 
  45. ^ a b Open Whisper Systems. "TextSecure". GitHub. Retrieved 26 February 2014. 
  46. ^ a b Molly Wood (19 February 2014). "Privacy Please: Tools to Shield Your Smartphone". The New York Times. Retrieved 26 February 2014. 
  47. ^ DJ Pangburn (3 March 2014). "TextSecure Is the Easiest Encryption App To Use (So Far)". Motherboard. Retrieved 14 March 2014. 
  48. ^ Moxie Marlinspike (24 February 2014). "The New TextSecure: Privacy Beyond SMS". Open Whisper Systems. Retrieved 26 February 2014. 
  49. ^ Martin Brinkmann (24 February 2014). "TextSecure is an open source messaging app with strong security features". Ghacks Technology News. Retrieved 26 February 2014. 
  50. ^ Frosch, Tilman; Mainka, Christian; Bader, Christoph; Bergsma, Florian; Schwenk, Jörg; Holz, Thorsten. "How Secure is TextSecure?" (PDF). Horst Görtz Institute for IT Security, Ruhr University Bochum. Retrieved 4 November 2014. 
  51. ^ a b Open Whisper Systems. "TextSecure-Server". GitHub. Retrieved 22 April 2015. 
  52. ^ Open Whisper Systems. "Why do I need Google Play installed to use TextSecure on Android?". Retrieved 2014-03-13. 

External links[edit]