Signal (software)

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
Signal
Signal Blue Icon.png
Developer(s) Open Whisper Systems and contributors
Initial release July 29, 2014 (2014-07-29)[1][2]
Stable release

Android 4.26.2 (September 26, 2018; 17 days ago (2018-09-26)[3]) [±]
iOS 2.29.3 (September 18, 2018; 25 days ago (2018-09-18)[4]) [±]

Desktop 1.16.2 (September 21, 2018; 22 days ago (2018-09-21)[5]) [±]
Preview release Desktop 1.17.0-beta.1 (October 3, 2018; 10 days ago (2018-10-03)[6]) [±]
Repository Edit this at Wikidata
Platform
Available in 31 languages
Type Encrypted voice calling, video calling and instant messaging
License
Website signal.org

Signal is an encrypted communications app for Android and iOS. A desktop version is also available for Linux, Windows, and macOS. It uses the Internet to send one-to-one and group messages, which can include files, voice notes, images and videos, and make one-to-one voice and video calls.

Signal uses standard cellular mobile numbers as identifiers, and uses end-to-end encryption to secure all communications to other Signal users. The applications include mechanisms by which users can independently verify the identity of their messaging correspondents and the integrity of the data channel.

The Android version of Signal can optionally also function as an SMS app.

Signal is developed by Open Whisper Systems. The clients are published as free and open-source software under the GPLv3 license. The server code is published under the AGPLv3 license. In February 2018, the non-profit Signal Foundation was launched with an initial funding of $50 million.

History[edit]

2010–2013: Origins[edit]

Signal is the successor of the RedPhone encrypted voice calling app and the TextSecure encrypted texting program. The beta versions of RedPhone and TextSecure were first launched in May 2010 by Whisper Systems,[12] a startup company co-founded by security researcher Moxie Marlinspike and roboticist Stuart Anderson.[13][14] Whisper Systems also produced a firewall and tools for encrypting other forms of data.[13][15] All of these were proprietary enterprise mobile security software and were only available for Android.

In November 2011, Whisper Systems announced that it had been acquired by Twitter. The financial terms of the deal were not disclosed by either company.[16] The acquisition was done "primarily so that Mr. Marlinspike could help the then-startup improve its security".[17] Shortly after the acquisition, Whisper Systems' RedPhone service was made unavailable.[18] Some criticized the removal, arguing that the software was "specifically targeted [to help] people under repressive regimes" and that it left people like the Egyptians in "a dangerous position" during the events of the 2011 Egyptian revolution.[19]

Twitter released TextSecure as free and open-source software under the GPLv3 license in December 2011.[13][20][21][22] RedPhone was also released under the same license in July 2012.[23] Marlinspike later left Twitter and founded Open Whisper Systems as a collaborative Open Source project for the continued development of TextSecure and RedPhone.[1][24]

2013–present: Open Whisper Systems[edit]

A timeline of the development of Signal. a) Addition of encrypted group chat and instant messaging capabilities to TextSecure. b) End of encrypted SMS/MMS messaging in TextSecure, which prompted the creation of a fork. c) RedPhone was merged into TextSecure on Android and the app was renamed as Signal. d) Signal for iOS was launched as a RedPhone counterpart for iOS. e) Addition of encrypted group chat and instant messaging capabilities to the iOS version of Signal.

Open Whisper Systems' website was launched in January 2013.[24]

In February 2014, Open Whisper Systems introduced the second version of their TextSecure Protocol (now Signal Protocol), which added end-to-end encrypted group chat and instant messaging capabilities to TextSecure.[25] Toward the end of July 2014, they announced plans to unify the RedPhone and TextSecure applications as Signal.[26] This announcement coincided with the initial release of Signal as a RedPhone counterpart for iOS. The developers said that their next steps would be to provide TextSecure instant messaging capabilities for iOS, unify the RedPhone and TextSecure applications on Android, and launch a web client.[26] Signal was the first iOS app to enable easy, strongly encrypted voice calls for free.[1][27] TextSecure compatibility was added to the iOS application in March 2015.[28][29]

From its launch in May 2010[12] until March 2015, the Android version of Signal (then called TextSecure) included support for encrypted SMS/MMS messaging.[30] From version 2.7.0 onward, the Android application only supported sending and receiving encrypted messages via the data channel.[31] Reasons for this included security flaws of SMS/MMS and problems with the key exchange.[31] Open Whisper Systems' abandonment of SMS/MMS encryption prompted some users to create a fork named Silence (initially called SMSSecure[32]) that is meant solely for the exchange of encrypted SMS and MMS messages.[33][34]

In November 2015, the TextSecure and RedPhone applications on Android were merged to become Signal for Android.[35] A month later, Open Whisper Systems announced Signal Desktop, a Chrome app that could link with a Signal mobile client.[36] At launch, the app could only be linked with the Android version of Signal.[37] On September 26, 2016, Open Whisper Systems announced that Signal Desktop could now be linked with the iOS version of Signal as well.[38] On October 31, 2017, Open Whisper Systems announced that the Chrome app was deprecated.[7] At the same time, they announced the release of a standalone desktop client (based on the Electron framework[10]) for Windows, MacOS and certain Linux distributions.[7][39]

The Android client's logo from February 2015 to March 2017.

On October 4, 2016, the American Civil Liberties Union (ACLU) and Open Whisper Systems published a series of documents revealing that OWS had received a subpoena requiring them to provide information associated with two phone numbers for a federal grand jury investigation in the first half of 2016.[40][41][42] Only one of the two phone numbers was registered on Signal, and because of how the service is designed, OWS was only able to provide "the time the user's account had been created and the last time it had connected to the service".[41][40] Along with the subpoena, OWS received a gag order requiring OWS not to tell anyone about the subpoena for one year.[40] OWS approached the ACLU, and they were able to lift part of the gag order after challenging it in court.[40] OWS said it was the first time they had received a subpoena, and that they were committed to treat "any future requests the same way".[42]

In March 2017, Open Whisper Systems transitioned Signal's calling system from RedPhone to WebRTC, also adding the ability to make video calls.[43][44][45]

On February 21, 2018, Moxie Marlinspike and WhatsApp co-founder Brian Acton announced the formation of the Signal Foundation, a 501(c)(3) nonprofit organization whose mission is "to support, accelerate, and broaden Signal’s mission of making private communication accessible and ubiquitous."[46][47] The foundation was started with an initial $50 million in funding from Acton, who had left WhatsApp's parent company Facebook in September 2017.[47] According to the announcement, Acton is the foundation's Executive Chairman and Marlinspike continues as CEO.[46]

Features[edit]

Signal allows users to make voice and video[45] calls to other Signal users on iOS and Android. All calls are made over a Wi-Fi or data connection and (with the exception of data fees) are free of charge, including long distance and international.[27] Signal also allows users to send text messages, files,[48] voice notes, pictures, GIFs,[49] and video messages over a Wi-Fi or data connection to other Signal users on iOS, Android and a desktop app. The apps also support group messaging.

All communications to other Signal users are automatically end-to-end encrypted. The keys that are used to encrypt the user's communications are generated and stored at the endpoints (i.e. by users, not by servers).[50] To verify that a correspondent is really the person that they claim to be, Signal users can compare key fingerprints (or scan QR codes) out-of-band.[51] The app employs a trust on first use mechanism in order to notify the user if a correspondent's key changes.[51]

On Android, users can opt into making Signal the default SMS/MMS application, allowing them to send and receive unencrypted SMS messages in addition to the standard end-to-end encrypted Signal messages.[25] Users can then use the same application to communicate with contacts who do not have Signal.[25] Sending a message unencrypted is also available as an override between Signal users.[52]

The Android version of Signal allows the user to set a passphrase that encrypts the local message database and the user's encryption keys.[53] This does not encrypt the user's contact database or message timestamps.[53] The user can define a time period after which the application "forgets" the passphrase, providing an additional protection mechanism in case the phone is lost or stolen.[51] On iOS, the local message database is encrypted by the operating system if the user has a passphrase on their lock screen.

Signal also allows users to set timers to messages.[54] After a specified time interval, the messages will be deleted from both the sender's and the receivers' devices.[54] The time interval can be between five seconds and one week long,[54] and the timer begins for each recipient once they have read their copy of the message.[55] The developers have stressed that this is meant to be "a collaborative feature for conversations where all participants want to automate minimalist data hygiene, not for situations where your contact is your adversary".[54][55]

Signal excludes users' messages from non-encrypted cloud backups by default.[56]

Limitations[edit]

Signal requires that the user provides a phone number for verification,[57] eliminating the need for user names or passwords and facilitating contact discovery (see below).[58] This mandatory connection to a phone number (a feature Signal shares with Whatsapp) has been criticized as a "major issue" for privacy-conscious users who are not comfortable with giving out their private phone number, and as creating security risks that arise from the possibility of an attacker taking over a phone number.[58] The option to register with an email address instead of a phone number is a widely requested feature, which as of early 2018 has not been implemented yet.[58][59]

A workaround is to use a secondary phone number.[58] Also, the number does not have to be the same as on the device's SIM card; it can also be a VoIP number[57] or a landline as long as the user can receive the verification code and have a separate device to set up the software. On iOS, a number can only be registered to one device at a time; on Android, different users on the same device can correspond to different numbers.[57][58]

Signal also requires that the primary device be an Android or iOS based smartphone with an Internet connection. A desktop app that can link with a Signal mobile client is also available.[7]

Android specific[edit]

From February 2014[25] to February 2017,[60] Signal's official Android client required the proprietary Google Play Services because the app was dependent on Google's GCM push messaging framework.[61][60] In March 2015, Open Whisper Systems moved to a model of handling Signal's message delivery themselves and only using GCM for a wakeup event.[62] In February 2017, Open Whisper Systems implemented WebSocket support into the client, making it possible for it to be used without Google Play Services.[60]

Usability[edit]

In July 2016, the Internet Society published a user study that assessed the ability of Signal users to detect and deter man-in-the-middle attacks.[63] The study concluded that 21 out of 28 participants failed to correctly compare public key fingerprints in order to verify the identity of other Signal users, and that the majority of these users still believed they had succeeded while in reality they failed.[63] Four months later, Open Whisper Systems updated Signal's user interface to make verifying the identity of other Signal users simpler.[64]

Before version 4.17,[65] the Signal Android client could only make plain text-only backups of the message history, i.e. without media messages.[66][67] On February 26, 2018, Signal added support for "full backup/restore to SD card",[68] and as of version 4.17, users are able to restore their entire message history when switching to a new Android phone.[65] The Signal iOS client does not support exporting or importing the user's messaging history.[69]

Architecture[edit]

Encryption protocols[edit]

Signal messages are encrypted with the Signal Protocol (formerly known as the TextSecure Protocol). The protocol combines the Double Ratchet Algorithm, prekeys, and a Triple Diffie-Hellman (3XDH) handshake.[70] It uses Curve25519, AES-256, and HMAC-SHA256 as primitives.[71] The protocol provides confidentiality, integrity, authentication, participant consistency, destination validation, forward secrecy, backward secrecy (aka future secrecy), causality preservation, message unlinkability, message repudiation, participation repudiation, and asynchronicity.[72] It does not provide anonymity preservation, and requires servers for the relaying of messages and storing of public key material.[72]

The Signal Protocol also supports end-to-end encrypted group chats. The group chat protocol is a combination of a pairwise double ratchet and multicast encryption.[72] In addition to the properties provided by the one-to-one protocol, the group chat protocol provides speaker consistency, out-of-order resilience, dropped message resilience, computational equality, trust equality, subgroup messaging, as well as contractible and expandable membership.[72]

In October 2014, researchers from Ruhr University Bochum published an analysis of the Signal Protocol.[71] Among other findings, they presented an unknown key-share attack on the protocol, but in general, they found that it was secure.[73] In October 2016, researchers from UK’s University of Oxford, Queensland University of Technology in Australia, and Canada’s McMaster University published a formal analysis of the protocol.[74][75] They concluded that the protocol was cryptographically sound.[74][75]

As of August 2018, the Signal Protocol has been implemented into WhatsApp, Facebook Messenger, Skype,[76] and Google Allo,[77] making it possible for the conversations of "more than a billion people worldwide" to be end-to-end encrypted.[78] In Google Allo, Skype and Facebook Messenger, conversations are not encrypted with the Signal Protocol by default; they only offer end-to-end encryption in an optional mode.[56][79][76][80] Google Allo, Skype and Facebook Messenger utilise strong user authentication that the Signal Protocol alone lacks through Google and Microsoft accounts for their default message encryptions.[citation needed] Currently Facebooks Secret Conversation, Allos Incognito Mode and Skypes Private Conversation provide no warning to users of the need to initailly check safety numbers of the end-to-end encryption options.[citation needed]

Up until March 2017, Signal's voice calls were encrypted with SRTP and the ZRTP key-agreement protocol, which was developed by Phil Zimmermann.[1][81] As of March 2017, Signal's voice and video calling functionalities use the app's Signal Protocol channel for authentication instead of ZRTP.[82][43][45]

Authentication[edit]

To verify that a correspondent is really the person that they claim to be, Signal users can compare key fingerprints (or scan QR codes) out-of-band.[51] The app employs a trust on first use mechanism in order to notify the user if a correspondent's key changes.[51] In 2016, an MIT student project raised concerns about the lack of warnings to users about initial key verification in WhatsApp, saying that an external change like app uninstallation/reinstallation or a device change could leave the system vulnerable to man-in-the-middle attacks and suggested that WhatsApp "add a verification step before session creation to confirm that the connection is authentic."[83] It is unclear if any of the services such as Skype, Allo or Facebook Messenger have taken this advice or mitigated this risk with the existing protocols secure channels.[citation needed] As of August 2018, neither WhatsApp nor Signal have addressed this concern raised by MIT students in 2016.[citation needed]

Servers[edit]

Signal relies on centralized servers that are maintained by Open Whisper Systems. In addition to routing Signal's messages, the servers also facilitate the discovery of contacts who are also registered Signal users and the automatic exchange of users' public keys. By default, Signal's voice and video calls are peer-to-peer.[45] If the caller is not in the receiver's address book, the call is routed through a server in order to hide the users' IP addresses.[45] Open Whisper Systems has set up dozens of servers in more than 10 countries around the world to minimize latency.[1]

Contact discovery[edit]

The servers store registered users' phone numbers, public key material and push tokens which are necessary for setting up calls and transmitting messages.[84] In order to determine which contacts are also Signal users, cryptographic hashes of the user's contact numbers are periodically transmitted to the server.[85] The server then checks to see if those match any of the SHA256 hashes of registered users and tells the client if any matches are found.[85] The hashed numbers are thereafter discarded from the server.[84] In 2014, Moxie Marlinspike wrote that it is easy to calculate a map of all possible hash inputs to hash outputs and reverse the mapping because of the limited preimage space (the set of all possible hash inputs) of phone numbers, and that "practical privacy preserving contact discovery remains an unsolved problem."[86][85] In September 2017, Open Whisper Systems announced that they were working on a way for the Signal client applications to "efficiently and scalably determine whether the contacts in their address book are Signal users without revealing the contacts in their address book to the Signal service."[87][88]

Metadata[edit]

All client-server communications are protected by TLS.[81][89] Once the server removes this layer of encryption, each message contains the phone number of either the sender or the receiver in plaintext.[86] This metadata could in theory allow the creation of "a detailed overview on when and with whom users communicated".[86] Signal's privacy policy states that these identifiers are only kept on the servers as long as necessary in order to place each call or transmit each message.[84] Open Whisper Systems have asserted that their servers do not keep logs about who called whom and when.[90] In June 2016, Marlinspike told The Intercept that "the closest piece of information to metadata that the Signal server stores is the last time each user connected to the server, and the precision of this information is reduced to the day, rather than the hour, minute, and second".[56]

The group messaging mechanism is designed so that the servers do not have access to the membership list, group title, or group icon.[31] Instead, the creation, updating, joining, and leaving of groups is done by the clients, which deliver pairwise messages to the participants in the same way that one-to-one messages are delivered.[91][92]

Federation[edit]

Signal's server architecture was federated between December 2013 and February 2016. In December 2013, it was announced that the messaging protocol that is used in Signal had successfully been integrated into the Android-based open-source operating system CyanogenMod.[93][94][95] Since CyanogenMod 11.0, the client logic was contained in a system app called WhisperPush. According to Open Whisper Systems, the Cyanogen team ran their own Signal messaging server for WhisperPush clients, which federated with Open Whisper Systems' Signal server, so that both clients could exchange messages with each other.[95] The WhisperPush source code was available under the GPLv3 license.[96] In February 2016, the CyanogenMod team discontinued WhisperPush and recommended that its users switch to Signal.[97] In May 2016, Moxie Marlinspike wrote that federation with the CyanogenMod servers degraded the user experience and held back development, and that Open Whisper Systems' servers will probably not federate with other servers again.[98]

In May 2016, Signal's lead developer Moxie Marlinspike requested that a third-party client called LibreSignal not use the Signal service or the Signal name.[98] As a result, on 24 May 2016 the LibreSignal project posted that the project was "abandoned".[99]

Licensing[edit]

The complete source code of the Signal clients for Android, iOS and desktop is available on GitHub under a free software license.[8][9][10] This enables interested parties to examine the code and help the developers verify that everything is behaving as expected. It also allows advanced users to compile their own copies of the applications and compare them with the versions that are distributed by Open Whisper Systems. In March 2016, Moxie Marlinspike wrote that, apart from some shared libraries that are not compiled with the project build due to a lack of Gradle NDK support, Signal for Android is reproducible.[100]

Signal's servers are also open source.[11] In November 2015, Open Whisper Systems wrote that they did not officially provide support for people to host their own servers.[101]

Distribution[edit]

Signal is officially distributed through the Google Play store, Apple's App Store, and the official website. Applications distributed via Google Play are signed by the developer of the application, and the Android operating system checks that updates are signed with the same key, preventing others from distributing updates that the developer themselves did not sign.[102][103] The same applies to iOS applications that are distributed via Apple's App Store.[104] As of March 2017, Open Whisper Systems provides a way to download the Android version of Signal as a separate APK package binary from their website.[105]

Reception[edit]

In October 2014, the Electronic Frontier Foundation (EFF) included Signal in their updated surveillance self-defense guide.[106] In November 2014, Signal received a perfect score on the EFF's secure messaging scorecard;[50] it received points for having communications encrypted in transit, having communications encrypted with keys the provider doesn't have access to (end-to-end encryption), making it possible for users to independently verify their correspondents' identities, having past communications secure if the keys are stolen (forward secrecy), having the code open to independent review (open source), having the security designs well-documented, and having a recent independent security audit.[50] At the time, "ChatSecure + Orbot", Pidgin (with OTR), Silent Phone, and Telegram's optional "secret chats" also received seven out of seven points on the scorecard.[50]

On December 28, 2014, Der Spiegel published slides from an internal NSA presentation dating to June 2012 in which the NSA deemed Signal's encrypted voice calling component (RedPhone) on its own as a "major threat" to its mission, and when used in conjunction with other privacy tools such as Cspace, Tor, Tails, and TrueCrypt was ranked as "catastrophic", leading to a "near-total loss/lack of insight to target communications, presence..."[107][108]

Former NSA contractor Edward Snowden has endorsed Signal on multiple occasions.[36] In his keynote speech at SXSW in March 2014, he praised Signal's predecessors (TextSecure and RedPhone) for their ease-of-use.[109] During an interview with The New Yorker in October 2014, he recommended using "anything from Moxie Marlinspike and Open Whisper Systems".[110] During a remote appearance at an event hosted by Ryerson University and Canadian Journalists for Free Expression in March 2015, Snowden said that Signal is "very good" and that he knew the security model.[111] Asked about encrypted messaging apps during a Reddit AMA in May 2015, he recommended Signal.[112][113] In November 2015, Snowden tweeted that he used Signal "every day".[35][114]

In September 2015, the American Civil Liberties Union called on officials at the U.S. Capitol to ensure that lawmakers and staff members have secure communications technology.[115] One of the applications that the ACLU recommended in their letter to the Senate Sergeant at Arms and to the House Sergeant at Arms was Signal, writing:

One of the most widely respected encrypted communication apps, Signal, from Open Whisper Systems, has received significant financial support from the U.S. government, has been audited by independent security experts, and is now widely used by computer security professionals, many of the top national security journalists, and public interest advocates. Indeed, members of the ACLU’s own legal department regularly use Signal to make encrypted telephone calls.[116]

In March 2017, Signal was approved by the Sergeant at Arms of the U.S. Senate for use by senators and their staff.[117][118]

Following the 2016 Democratic National Committee email leak, Vanity Fair reported that Marc Elias, the general counsel for Hillary Clinton's presidential campaign, had instructed DNC staffers to exclusively use Signal when saying anything "remotely contentious or disparaging" about Republican presidential nominee Donald Trump.[119][120]

Blocking[edit]

  Countries where Signal's domain fronting is enabled by default
  Countries where Signal is blocked (January 2018)

In December 2016, Egypt blocked access to Signal.[121] In response, Open Whisper Systems added domain fronting to their service.[122] This allows Signal users in a specific country to circumvent censorship by making it look like they are connecting to a different Internet-based service.[122][123] As of October 2017, Signal's domain fronting is enabled by default in Egypt, the United Arab Emirates, Oman and Qatar.[124]

As of January 2018, Signal is blocked in Iran.[125][126] Signal's domain fronting feature relies on the Google App Engine service.[126][125] This does not work in Iran because Google has blocked Iranian access to GAE in order to comply with U.S. sanctions.[125][127]

Developers and funding[edit]

Signal is developed by a software group called Open Whisper Systems.[128] The group is funded by a combination of donations and grants,[129] and all of its products are published as free and open-source software.

The project receives donations via the Freedom of the Press Foundation,[129][130] which has acted as Open Whisper Systems' fiscal sponsor since December 2016.[131][132] Open Whisper Systems has received grants from the Knight Foundation,[133] the Shuttleworth Foundation,[134] and the Open Technology Fund, a U.S. government funded program that has also supported other privacy projects like the anonymity software Tor and the encrypted instant messaging app Cryptocat.[135]

On February 21, 2018, a nonprofit entity called the Signal Foundation was created with an initial funding of $50 million from WhatsApp co-founder Brian Acton, "to support, accelerate, and broaden Signal’s mission of making private communication accessible and ubiquitous".[46][47] According to the announcement, the Freedom of the Press Foundation has agreed to continue accepting donations on behalf of Signal while the Signal Foundation's non-profit status is pending.[46]

See also[edit]

References[edit]

  1. ^ a b c d e Greenberg, Andy (29 July 2014). "Your iPhone Can Finally Make Free, Encrypted Calls". Wired. Retrieved 18 January 2015.
  2. ^ Marlinspike, Moxie (29 July 2014). "Free, Worldwide, Encrypted Phone Calls for iPhone". Open Whisper Systems. Retrieved 16 January 2017.
  3. ^ Open Whisper Systems (26 September 2018). "Signal – Private Messenger". Google Play. Google. Retrieved 10 October 2018.
  4. ^ Open Whisper Systems (18 September 2018). "Signal - Private Messenger". App Store. Apple. Retrieved 10 October 2018.
  5. ^ Open Whisper Systems (21 September 2018). "Releases - WhisperSystems/Signal-Desktop". GitHub. Retrieved 10 October 2018.
  6. ^ Open Whisper Systems (3 October 2018). "Releases - WhisperSystems/Signal-Desktop". GitHub. Retrieved 9 October 2018.
  7. ^ a b c d e f Nonnenberg, Scott (31 October 2017). "Standalone Signal Desktop". Open Whisper Systems. Retrieved 31 October 2017.
  8. ^ a b Open Whisper Systems. "Signal-iOS". GitHub. Retrieved 14 January 2015.
  9. ^ a b Open Whisper Systems. "Signal-Android". GitHub. Retrieved 5 November 2015.
  10. ^ a b c Open Whisper Systems. "Signal-Desktop". GitHub. Retrieved 7 April 2016.
  11. ^ a b Open Whisper Systems. "Signal-Server". GitHub. Retrieved 21 November 2016.
  12. ^ a b "Announcing the public beta". Whisper Systems. 25 May 2010. Archived from the original on 30 May 2010. Retrieved 22 January 2015.
  13. ^ a b c Garling, Caleb (20 December 2011). "Twitter Open Sources Its Android Moxie | Wired Enterprise". Wired. Retrieved 21 December 2011.
  14. ^ "Company Overview of Whisper Systems Inc". Bloomberg Businessweek. Retrieved 2014-03-04.
  15. ^ Greenberg, Andy (2010-05-25). "Android App Aims to Allow Wiretap-Proof Cell Phone Calls". Forbes. Retrieved 2014-02-28.
  16. ^ Cheredar, Tom (28 November 2011). "Twitter acquires Android security startup Whisper Systems". VentureBeat. Retrieved 2011-12-21.
  17. ^ Yadron, Danny (9 July 2015). "Moxie Marlinspike: The Coder Who Encrypted Your Texts". The Wall Street Journal. Retrieved 10 July 2015.
  18. ^ Greenberg, Andy (2011-11-28). "Twitter Acquires Moxie Marlinspike's Encryption Startup Whisper Systems". Forbes. Retrieved 2011-12-21.
  19. ^ Garling, Caleb (28 November 2011). "Twitter Buys Some Middle East Moxie | Wired Enterprise". Wired. Retrieved 21 December 2011.
  20. ^ Aniszczyk, Chris (20 December 2011). "The Whispers Are True". The Twitter Developer Blog. Twitter. Archived from the original on 24 October 2014. Retrieved 22 January 2015.
  21. ^ "TextSecure is now Open Source!". Whisper Systems. 20 December 2011. Archived from the original on 6 January 2012. Retrieved 22 January 2015.
  22. ^ Pachal, Pete (2011-12-20). "Twitter Takes TextSecure, Texting App for Dissidents, Open Source". Mashable. Retrieved 2014-03-01.
  23. ^ "RedPhone is now Open Source!". Whisper Systems. 18 July 2012. Archived from the original on 31 July 2012. Retrieved 22 January 2015.
  24. ^ a b "A New Home". Open Whisper Systems. 2013-01-21. Retrieved 2014-03-01.
  25. ^ a b c d Donohue, Brian (24 February 2014). "TextSecure Sheds SMS in Latest Version". Threatpost. Retrieved 14 July 2016.
  26. ^ a b Mimoso, Michael (29 July 2014). "New Signal App Brings Encrypted Calling to iPhone". Threatpost.
  27. ^ a b Evans, Jon (29 July 2014). "Talk Private To Me: Free, Worldwide, Encrypted Voice Calls With Signal For iPhone". TechCrunch. AOL.
  28. ^ Lee, Micah (2015-03-02). "You Should Really Consider Installing Signal, an Encrypted Messaging App for iPhone". The Intercept. Retrieved 2015-03-03.
  29. ^ Geuss, Megan (2015-03-03). "Now you can easily send (free!) encrypted messages between Android, iOS". Ars Technica. Retrieved 2015-03-03.
  30. ^ Open Whisper Systems (6 March 2015). "Saying goodbye to encrypted SMS/MMS". Retrieved 24 March 2016.
  31. ^ a b c Rottermanner et al. 2015, p. 3
  32. ^ BastienLQ (20 April 2016). "Change the name of SMSSecure". GitHub (pull request). SilenceIM. Retrieved 27 August 2016.
  33. ^ "TextSecure-Fork bringt SMS-Verschlüsselung zurück". Heise (in German). 2 April 2015. Retrieved 29 July 2015.
  34. ^ "SMSSecure: TextSecure-Abspaltung belebt SMS-Verschlüsselung wieder". Der Standard (in German). 3 April 2015. Retrieved 1 August 2015.
  35. ^ a b Greenberg, Andy (2 November 2015). "Signal, the Snowden-Approved Crypto App, Comes to Android". Wired. Condé Nast. Retrieved 19 March 2016.
  36. ^ a b Franceschi-Bicchierai, Lorenzo (2 December 2015). "Snowden's Favorite Chat App Is Coming to Your Computer". Motherboard. Vice Media LLC. Retrieved 4 December 2015.
  37. ^ Coldewey, Devin (7 April 2016). "Now's your chance to try Signal's desktop Chrome app". TechCrunch. AOL Inc. Retrieved 5 May 2016.
  38. ^ Marlinspike, Moxie (26 September 2016). "Desktop support comes to Signal for iPhone". Open Whisper Systems. Retrieved 26 September 2016.
  39. ^ Coldewey, Devin (31 October 2017). "Signal escapes the confines of the browser with a standalone desktop app". TechCrunch. Oath Tech Network. Retrieved 31 October 2017.
  40. ^ a b c d Perlroth, Nicole; Benner, Katie (4 October 2016). "Subpoenas and Gag Orders Show Government Overreach, Tech Companies Argue". The New York Times. The New York Times Company. Retrieved 4 October 2016.
  41. ^ a b Kaufman, Brett Max (4 October 2016). "New Documents Reveal Government Effort to Impose Secrecy on Encryption Company" (Blog post). American Civil Liberties Union. Retrieved 4 October 2016.
  42. ^ a b "Grand jury subpoena for Signal user data, Eastern District of Virginia". Open Whisper Systems. 4 October 2016. Retrieved 4 October 2016.
  43. ^ a b Marlinspike, Moxie (14 February 2017). "Video calls for Signal now in public beta". Open Whisper Systems. Retrieved 15 February 2017.
  44. ^ Marlinspike, Moxie (13 March 2017). "Video calls for Signal out of beta". Open Whisper Systems. Retrieved 17 July 2017.
  45. ^ a b c d e Mott, Nathaniel (14 March 2017). "Signal's Encrypted Video Calling For iOS, Android Leaves Beta". Tom's Hardware. Purch Group, Inc. Retrieved 14 March 2017.
  46. ^ a b c d Marlinspike, Moxie; Acton, Brian (21 February 2018). "Signal Foundation". Signal.org. Retrieved 21 February 2018.
  47. ^ a b c Greenberg, Andy (21 February 2018). "WhatsApp Co-Founder Puts $50M Into Signal To Supercharge Encrypted Messaging". Wired. Condé Nast. Retrieved 21 February 2018.
  48. ^ Open Whisper Systems [@whispersystems] (1 May 2017). "Today's Signal release for Android, iOS, and Desktop includes the ability to send arbitrary file types" (Tweet). Retrieved 22 May 2017 – via Twitter.
  49. ^ Lund, Joshua (1 November 2017). "Expanding Signal GIF search". Open Whisper Systems. Retrieved 9 November 2017.
  50. ^ a b c d "Secure Messaging Scorecard. Which apps and tools actually keep your messages safe?". Electronic Frontier Foundation. 4 November 2014.
  51. ^ a b c d e Rottermanner et al. 2015, p. 5
  52. ^ https://support.signal.org/hc/en-us/articles/212535548-How-do-I-send-an-insecure-SMS-
  53. ^ a b Rottermanner et al. 2015, p. 9
  54. ^ a b c d Greenberg, Andy (11 October 2016). "Signal, the Cypherpunk App of Choice, Adds Disappearing Messages". Wired. Condé Nast. Retrieved 11 October 2016.
  55. ^ a b Marlinspike, Moxie (11 October 2016). "Disappearing messages for Signal". Open Whisper Systems. Retrieved 11 October 2016.
  56. ^ a b c Lee, Micah (22 June 2016). "Battle of the Secure Messaging Apps: How Signal Beats WhatsApp". The Intercept. First Look Media. Retrieved 6 September 2016.
  57. ^ a b c Kolenkina, Masha (20 November 2015). "Will any phone number work? How do I get a verification number?". Open Whisper Systems. Retrieved 20 December 2015.
  58. ^ a b c d e Lee, Micah (2017-09-28). "How to Use Signal Without Giving Out Your Phone Number". The Intercept. Retrieved 2018-02-25.
  59. ^ "Allow different kinds of identifiers for registration · Issue #1085 · signalapp/Signal-Android". GitHub. Retrieved 2018-02-25.
  60. ^ a b c Marlinspike, Moxie (20 February 2017). "Support for using Signal without Play Services". GitHub. Open Whisper Systems. Retrieved 24 February 2017.
  61. ^ Kolenkina, Masha (25 February 2016). "Why do I need Google Play installed to use Signal? How can I get Signal APK?". Open Whisper Systems. Archived from the original on 2 April 2016. Retrieved 13 October 2016.
  62. ^ Marlinspike, Moxie (6 March 2015). "Saying goodbye to encrypted SMS/MMS". Open Whisper Systems. Retrieved 20 December 2015.
  63. ^ a b Schröder et al. 2016
  64. ^ Marlinspike, Moxie (17 November 2016). "Safety number updates". Open Whisper Systems. Retrieved 17 July 2017.
  65. ^ a b Kolenkina, Masha. "Restoring messages on Signal Android". Signal.org. Open Whisper Systems. Retrieved 2 April 2018.
  66. ^ "Encrypted backup". Signal Community (Internet forum). Retrieved 2 April 2018.
  67. ^ "Media Not Exporting to XML #1619". GitHub. 17 July 2014. Retrieved 21 December 2017.
  68. ^ Marlinspike, Moxie (26 February 2018). "Support for full backup/restore to sdcard". GitHub. Open Whisper Systems. Retrieved 2 April 2018.
  69. ^ "iOS Import/Export #2542". GitHub. 16 September 2017. Retrieved 2 April 2018.
  70. ^ Unger et al. 2015, p. 241
  71. ^ a b Frosch et al. 2016
  72. ^ a b c d Unger et al. 2015, p. 239
  73. ^ Pauli, Darren. "Auditors find encrypted chat client TextSecure is secure". The Register. Retrieved 4 November 2014.
  74. ^ a b Brook, Chris (10 November 2016). "Signal Audit Reveals Protocol Cryptographically Sound". Threatpost. Kaspersky Lab. Retrieved 11 November 2016.
  75. ^ a b Cohn-Gordon et al. 2016
  76. ^ a b Lund, Joshua (11 January 2018). "Signal partners with Microsoft to bring end-to-end encryption to Skype". Open Whisper Systems. Retrieved 17 January 2018.
  77. ^ Marlinspike, Moxie (18 May 2016). "Open Whisper Systems partners with Google on end-to-end encryption for Allo". Open Whisper Systems. Retrieved 22 August 2018.
  78. ^ "Moxie Marlinspike - 40 under 40". Fortune. Time Inc. 2016. Retrieved 6 October 2016.
  79. ^ Marlinspike, Moxie (8 July 2016). "Facebook Messenger deploys Signal Protocol for end to end encryption". Open Whisper Systems. Retrieved 10 May 2017.
  80. ^ Gebhart, Gennie (3 October 2016). "Google's Allo Sends The Wrong Message About Encryption". Electronic Frontier Foundation. Retrieved 20 August 2018.
  81. ^ a b Marlinspike, Moxie (17 July 2012). "Encryption Protocols". GitHub. Archived from the original on 5 September 2015. Retrieved 8 January 2016.
  82. ^ Greenberg, Andy (14 February 2017). "The Best Encrypted Chat App Now Does Video Calls Too". Wired. Condé Nast. Retrieved 15 February 2017.
  83. ^ Li, Calvin; Sanchez, Daniel; Hua, Sean (2016). "WhatApp Security Paper Analysis" (PDF) (MIT course project). Retrieved 28 August 2018.
  84. ^ a b c "Privacy Policy". Signal Messenger LLC. 25 May 2018. Retrieved 24 June 2018.
  85. ^ a b c Moxie Marlinspike (3 January 2013). "The Difficulty Of Private Contact Discovery". Open Whisper Systems. Retrieved 14 January 2016.
  86. ^ a b c Rottermanner et al. 2015, p. 4
  87. ^ Marlinspike, Moxie (26 September 2017). "Technology preview: Private contact discovery for Signal". Open Whisper Systems. Retrieved 28 September 2017.
  88. ^ Greenberg, Andy (26 September 2017). "Signal Has a Fix for Apps' Contact-Leaking Problem". Wired. Condé Nast. Retrieved 28 September 2017.
  89. ^ Frosch et al. 2016, p. 7
  90. ^ Brandom, Russell (29 July 2014). "Signal brings painless encrypted calling to iOS". The Verge. Retrieved 26 January 2015.
  91. ^ Moxie Marlinspike (5 May 2014). "Private Group Messaging". Open Whisper Systems. Retrieved 2014-07-09.
  92. ^ Moxie Marlinspike (24 February 2014). "The New TextSecure: Privacy Beyond SMS". Open Whisper Systems. Retrieved 26 February 2014.
  93. ^ Andy Greenberg (2013-12-09). "Ten Million More Android Users' Text Messages Will Soon Be Encrypted By Default". Forbes. Retrieved 2014-02-28.
  94. ^ Seth Schoen (2013-12-28). "2013 in Review: Encrypting the Web Takes A Huge Leap Forward". Electronic Frontier Foundation. Retrieved 2014-03-01.
  95. ^ a b Moxie Marlinspike (2013-12-09). "TextSecure, Now With 10 Million More Users". Open Whisper Systems. Retrieved 2014-02-28.
  96. ^ CyanogenMod (Jan 7, 2014). "android_external_whispersystems_WhisperPush". GitHub. Retrieved Mar 26, 2015.
  97. ^ Sinha, Robin (20 January 2016). "CyanogenMod to Shutter WhisperPush Messaging Service on February 1". Gadgets360. NDTV. Retrieved 23 January 2016.
  98. ^ a b Edge, Jake (18 May 2016). "The perils of federated protocols". LWN.net. Retrieved 5 July 2016.
  99. ^ Le Bihan, Michel (24 May 2016). "README.md". GitHub. LibreSignal. Retrieved 6 November 2016.
  100. ^ Marlinspike, Moxie (31 March 2016). "Reproducible Signal builds for Android". Open Whisper Systems. Retrieved 31 March 2016.
  101. ^ Kolenkina, Masha (22 November 2015). "How can I host my own server?". Open Whisper Systems. Archived from the original on 12 April 2016. Retrieved 28 May 2017.
  102. ^ Marlinspike, Moxie (12 February 2013). "moxie0 commented Feb 12, 2013". GitHub. Retrieved 13 October 2016.
  103. ^ "Sign Your App". Android Studio. Google. Retrieved 13 October 2016.
  104. ^ "About Code Signing". Apple Developer. Apple. 13 September 2016. Retrieved 13 October 2016.
  105. ^ "Signal Android APK". Open Whisper Systems. Retrieved 14 March 2017.
  106. ^ "Surveillance Self-Defense. Communicating with Others". Electronic Frontier Foundation. 2014-10-23.
  107. ^ SPIEGEL Staff (28 December 2014). "Prying Eyes: Inside the NSA's War on Internet Security". Der Spiegel. Retrieved 23 January 2015.
  108. ^ "Presentation from the SIGDEV Conference 2012 explaining which encryption protocols and techniques can be attacked and which not" (PDF). Der Spiegel. 28 December 2014. Retrieved 23 January 2015.
  109. ^ Eddy, Max (11 March 2014). "Snowden to SXSW: Here's How To Keep The NSA Out Of Your Stuff". PC Magazine: SecurityWatch. Retrieved 2014-03-16.
  110. ^ "The Virtual Interview: Edward Snowden - The New Yorker Festival". YouTube. The New Yorker. 11 October 2014. Retrieved 24 May 2015.
  111. ^ Cameron, Dell (6 March 2015). "Edward Snowden tells you what encrypted messaging apps you should use". The Daily Dot. Retrieved 24 May 2015.
  112. ^ Yuhas, Alan (21 May 2015). "NSA surveillance powers on the brink as pressure mounts on Senate bill – as it happened". The Guardian. Retrieved 24 May 2015.
  113. ^ Beauchamp, Zack (21 May 2015). "The 9 best moments from Edward Snowden's Reddit Q&A". Vox Media. Retrieved 24 May 2015.
  114. ^ Barrett, Brian (25 February 2016). "Apple Hires Lead Dev of Snowden's Favorite Messaging App". Wired. Condé Nast. Retrieved 2 March 2016.
  115. ^ Nakashima, Ellen (22 September 2015). "ACLU calls for encryption on Capitol Hill". The Washington Post. Nash Holdings LLC. Retrieved 22 September 2015.
  116. ^ Macleod-Ball, Michael W.; Rottman, Gabe; Soghoian, Christopher (22 September 2015). "The Civil Liberties Implications of Insecure Congressional Communications and the Need for Encryption" (PDF). Washington, DC: American Civil Liberties Union. pp. 5–6. Retrieved 22 September 2015.
  117. ^ Whittaker, Zack (16 May 2017). "In encryption push, Senate staff can now use Signal for secure messaging". ZDNet. CBS Interactive. Retrieved 20 July 2017.
  118. ^ Wyden, Ron (9 May 2017). "Ron Wyden letter on Signal encrypted messaging". Documentcloud. Zack Whittaker, ZDNet. Retrieved 20 July 2017.
  119. ^ Bilton, Nick (26 August 2016). "How the Clinton Campaign Is Foiling the Kremlin". Vanity Fair. Condé Nast. Retrieved 1 September 2016.
  120. ^ Blake, Andrew (27 August 2016). "Democrats warned to use encryption weeks before email leaks". The Washington Times. The Washington Times, LLC. Retrieved 1 September 2016.
  121. ^ Cox, Joseph (19 December 2016). "Signal Claims Egypt Is Blocking Access to Encrypted Messaging App". Motherboard. Vice Media LLC. Retrieved 20 July 2017.
  122. ^ a b Marlinspike, Moxie (21 December 2016). "Doodles, stickers, and censorship circumvention for Signal Android". Open Whisper Systems. Retrieved 20 July 2017.
  123. ^ Greenberg, Andy (21 December 2016). "Encryption App 'Signal' Fights Censorship with a Clever Workaround". Wired. Condé Nast. Retrieved 20 July 2017.
  124. ^ "SignalServiceNetworkAccess.java". GitHub. Open Whisper Systems. Retrieved 5 October 2017.
  125. ^ a b c Frenkel, Sheera (2 January 2018). "Iranian Authorities Block Access to Social Media Tools". The New York Times. Retrieved 15 January 2018.
  126. ^ a b "Domain Fronting for Iran #7311". GitHub. 1 January 2018. Retrieved 15 January 2018.
  127. ^ Brandom, Russell (2 January 2018). "Iran blocks encrypted messaging apps amid nationwide protests". The Verge. Vox Media. Retrieved 23 March 2018.
  128. ^ Franceschi-Bicchierai, Lorenzo (18 November 2014). "WhatsApp messages now have Snowden-approved encryption on Android". Mashable. Retrieved 23 January 2015.
  129. ^ a b O'Neill, Patrick (3 January 2017). "How Tor and Signal can maintain the fight for freedom in Trump's America". CyberScoop. Scoop News Group. Retrieved 16 September 2017.
  130. ^ Kolenkina, Masha. "How can I donate?". Signal Support Center. Open Whisper Systems. Retrieved 31 January 2018.
  131. ^ Timm, Trevor (8 December 2016). "Freedom of the Press Foundation's new look, and our plans to protect press freedom for 2017". Freedom of the Press Foundation. Retrieved 25 January 2017.
  132. ^ "Signal". Freedom of the Press Foundation. Retrieved 31 January 2018.
  133. ^ "TextSecure". Knight Foundation. Retrieved 5 January 2015.
  134. ^ "Moxie Marlinspike". Shuttleworth Foundation. Archived from the original on 15 November 2016. Retrieved 14 January 2015.
  135. ^ "Open Whisper Systems". Open Technology Fund. Retrieved 26 December 2015.

Bibliography[edit]

External links[edit]