TextSecure

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Dodi 8238 (talk | contribs) at 20:52, 16 December 2014 (fixed ref). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

TextSecure
Original author(s): Moxie Marlinspike, Stuart Anderson (Whisper Systems)
Developer(s): Open WhisperSystems
Initial release: May 2010[1]
Repository
Written in: Java (client and server)
Operating system: Android
Size: 8.35 MB
Available in: 32 languages[2]
Type: Encrypted instant messaging and text messaging
License: GPLv3 (client),[3] AGPLv3 (server)[4]
Website: whispersystems.org

TextSecure is an open source encrypted messaging application for Android.[3][5] TextSecure can be used to send and receive end-to-end encrypted SMS, MMS, and instant messages.[6] By default, the application encrypts the message database on the user's device and uses end-to-end encryption to secure all messages that are sent to other TextSecure users.[5][7][8]

TextSecure is developed by Open WhisperSystems and is released under the GPLv3 license.[3]

History

May 2010 – February 2014

Security researcher Moxie Marlinspike and roboticist Stuart Anderson co-founded Whisper Systems in 2010.[9][10] In addition to launching TextSecure in May 2010, Whisper Systems produced RedPhone, an application that provides encrypted voice calls.[1] They also developed a firewall and tools for encrypting other forms of data.[9] RedPhone and TextSecure played a role in protester communications during the Arab Spring uprisings.[11]

On 28 November 2011, Twitter announced that it had acquired Whisper Systems for an undisclosed amount.[12] Shortly after the acquisition, Whisper Systems' RedPhone service was made unavailable,[13] though it was later released as free and open source software in July 2012. Some have criticized this removal, arguing that it was "specifically targeted [to help] people under repressive regimes" and that it left people like the Egyptians in "a dangerous position" during the events of the 2011 Egyptian revolution.[14]

Whisper Systems' TextSecure software was released as free and open source software about a month after the acquisition by Twitter.[9][15] The software has since been under open development by the community and has seen a number of new releases based on that open development. The project for this continued work was named Open WhisperSystems.[16]

Open WhisperSystems has been working to bring TextSecure to iOS since March 2013.[6][17][18]

In October 2014, researchers published a protocol analysis of TextSecure.[19] Among other findings, they presented an Unknown Key-Share Attack on the protocol, but in general, they found that the encrypted chat client is secure.[20]

Reception and impact

In September 2013, it was announced that the TextSecure protocol had successfully been integrated into CyanogenMod, growing its user base.[21][22][23]

In his keynote speech at SXSW 2014, NSA leaker Edward Snowden praised Open WhisperSystems' applications for their ease-of-use.[24][25]

In October 2014, the Electronic Frontier Foundation (EFF) included TextSecure in its updated surveillance self-defense guide.[26] In November 2014, TextSecure received a top rating on the EFF's secure messaging scorecard, along with "ChatSecure + Orbot", Cryptocat, RedPhone, Silent Phone, and Silent Text.[27][28]

On November 18, 2014, Open WhisperSystems announced a partnership with WhatsApp to provide end-to-end encryption by incorporating the TextSecure protocol.[29] As of 21 November 2014, only the latest version for Android is alleged to include the encryption, and only for text messaging, excluding group chats and media.[30] WhatsApp confirmed the partnership to reporters, but there was no announcement or documentation about the encryption feature on the official website, and further requests for comment were declined.[31]

Features

By default, the application prevents screenshots of conversations as a privacy feature.

TextSecure allows users to send text messages, documents, photos, videos, contact information, and group messages over Wi-Fi, 3G or LTE to other TextSecure users, thus providing an alternative to text messaging for users with smartphones running Android 2.3 or later.

TextSecure can use SMS/MMS to communicate with non-TextSecure users. Messages that have been sent via SMS/MMS and messages that have been sent via the user's data connection can be distinguished by color. Green text bubbles indicate SMS-based communication and blue text bubbles indicate communication over a data connection.

By default, TextSecure will send the messages over the user's data connection if possible.[7][8] This means that if the user sends a message to another registered TextSecure user, there is no SMS charge associated with the message. It is merely treated as an additional data transfer. If the data connection is unavailable, the application will fall back to using SMS/MMS to transport the message.[7][32]

The application will automatically encrypt all conversations held with other registered TextSecure users. In the user interface, encrypted messages are denoted by a lock icon. Media and other attachments are encrypted in the same way as other messages.

Regardless of whether the messages were sent to another TextSecure user or not, TextSecure can store the messages in an encrypted database on the user's device if the user has a passphrase enabled.[1]

TextSecure also allows users to chat with more than one person at a time. Group chats are automatically encrypted and held over an available data connection if all participants are registered TextSecure users.[6][33]

Open WhisperSystems does not have access to the contents of any messages sent by TextSecure users. Additionally, the complete source code for the TextSecure clients and the TextSecure server is available on GitHub. This enables interested parties to examine the code and help the developers verify that everything is behaving as expected. It also allows advanced users to compile their own copies of the applications and compare them with the versions that are distributed by Open WhisperSystems.[34]

Architecture

Encryption

To encrypt messages sent to other TextSecure users, Open WhisperSystems took the Off-the-Record (OTR) protocol, improved its deniability and forward secrecy properties, and added a mechanism that allows the ephemeral key negotiation to work asynchronously.[35][36][37]

TextSecure uses Curve25519, AES-256, and HMAC-SHA256. The security of these algorithms has been tested over many years of use in hundreds of different applications. Messages sent via TextSecure are end-to-end encrypted, which means that they can only be read by the intended recipients. TextSecure has a built-in function for verifying that the user is communicating with the right person and that no man-in-the-middle (MITM) attack has occurred. The keys that are used to encrypt the user's messages are stored on the device alone, and they are protected by an additional layer of encryption if the user has a passphrase enabled.[6][34]

The cryptographic ratchet used in TextSecure ensures that a new AES key is used for every single message, and it provides the application with both forward secrecy and future secrecy properties.[37][38] The TextSecure protocol also features enhanced deniability properties that improve on those provided by OTR, and, unlike OTR, all of these features work well in an asynchronous mobile environment.[34][35][36]
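The per-message key derivation described above can be sketched as follows. This is an added, simplified example, not code from TextSecure or the Axolotl specification: it models only a symmetric HMAC-SHA256 chain (the Curve25519 step that provides future secrecy is omitted), and the class name, the labels 0x01/0x02 and the max_skip limit are assumptions.

```python
import hashlib
import hmac

def kdf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 as a one-way key-derivation step (32-byte output, AES-256 sized)."""
    return hmac.new(key, label, hashlib.sha256).digest()

class ChainRatchet:
    """One direction of a symmetric hash ratchet (hypothetical names and labels)."""

    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key
        self.index = 0      # number of message keys derived so far
        self.skipped = {}   # index -> key kept for messages that arrive late

    def _step(self) -> bytes:
        message_key = kdf(self.chain_key, b"\x01")
        # Overwrite the chain key: the previous one cannot be recomputed.
        self.chain_key = kdf(self.chain_key, b"\x02")
        self.index += 1
        return message_key

    def next_send_key(self):
        """Sender side: return (message index, fresh message key)."""
        idx = self.index
        return idx, self._step()

    def key_for(self, idx: int, max_skip: int = 100) -> bytes:
        """Receiver side: key for message idx, tolerating out-of-order delivery."""
        if idx in self.skipped:
            return self.skipped.pop(idx)          # use once, then forget
        if idx < self.index:
            raise KeyError("message key already used and deleted")
        if idx - self.index > max_skip:
            raise ValueError("too many skipped messages")
        while self.index < idx:
            i = self.index
            self.skipped[i] = self._step()
        return self._step()

def demo():
    """Constructed run: three messages sent, delivered in the order 2, 0, 1."""
    secret = hashlib.sha256(b"constructed shared secret").digest()
    alice, bob = ChainRatchet(secret), ChainRatchet(secret)
    sent = dict(alice.next_send_key() for _ in range(3))
    received = {i: bob.key_for(i) for i in (2, 0, 1)}
    return sent, received, bob

if __name__ == "__main__":
    sent, received, _ = demo()
    print("all keys match:", sent == received)
```

Because each chain key is overwritten by a one-way function, a copy of the receiver's state taken after message 2 yields only later keys, which is the forward secrecy property the paragraph refers to.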

Servers

The software that handles message routing for the TextSecure data channel is called TextSecure-Server. The complete source code of the TextSecure server is available on GitHub under the AGPLv3 license. This enables interested parties to examine the code and help the developers verify that everything is behaving as expected. It also allows advanced users to compile their own copies of the software and compare it with the software that is used by Open WhisperSystems and others.[4]

Client-server communication is protected by TLS/SSL. Communication is handled by a REST API and push messaging (both Google Cloud Messaging (GCM) and Apple Push Notification Service (APN)).[4] Support for WebSocket has been added.[39]

No contact information is stored on the servers. Hashed contact numbers (with no other accompanying information) are periodically transmitted to the servers in order to determine which contacts are also TextSecure users, but that data is never stored.[4][40]

Open WhisperSystems' server infrastructure is funded through grants and donations. The server-side architecture is federated, which the developers hope will help spread the cost over time. The developers of CyanogenMod already host the servers that handle the traffic for their users. As Open WhisperSystems launches more clients, it hopes that other stakeholders will take on hosting as well.[41]

Distribution

Following an incident in August 2012, Open WhisperSystems has declined requests to distribute the application through third-party sources, such as F-Droid.[39][42]

Open WhisperSystems has acknowledged that this is an important issue for some of TextSecure's users and has given assurances that it is working on it. It has, however, chosen to focus first on serving the millions of users who have Google Cloud Messaging (GCM) capabilities. It has invited the community to help add WebSocket support to TextSecure for Android.[39]

References

  1. Andy Greenberg (2010-05-25). "Android App Aims to Allow Wiretap-Proof Cell Phone Calls". Forbes. Retrieved 2014-02-28.
  2. "List of languages supported by TextSecure". Retrieved 15 March 2014.
  3. "TextSecure on GitHub". Retrieved 26 February 2014.
  4. "TextSecure-Server on GitHub". Retrieved 2 March 2014.
  5. Molly Wood (19 February 2014). "Privacy Please: Tools to Shield Your Smartphone". The New York Times. Retrieved 26 February 2014.
  6. DJ Pangburn (3 March 2014). "TextSecure Is the Easiest Encryption App To Use (So Far)". Motherboard. Retrieved 14 March 2014.
  7. Moxie Marlinspike (24 February 2014). "The New TextSecure: Privacy Beyond SMS". Open WhisperSystems. Retrieved 26 February 2014.
  8. Martin Brinkmann (24 February 2014). "TextSecure is an open source messaging app with strong security features". Ghacks Technology News. Retrieved 26 February 2014.
  9. Garling, Caleb (2011-12-20). "Twitter Open Sources Its Android Moxie | Wired Enterprise". Wired.com. Retrieved 2011-12-21.
  10. "Company Overview of Whisper Systems Inc". Bloomberg Businessweek. Retrieved 2014-03-04.
  11. Robert Lemos (2011-02-15). "An App for Dissidents". MIT Technology Review. Retrieved 2014-03-07.
  12. Tom Cheredar (November 28, 2011). "Twitter acquires Android security startup Whisper Systems". VentureBeat. Retrieved 2011-12-21.
  13. Andy Greenberg (2011-11-28). "Twitter Acquires Moxie Marlinspike's Encryption Startup Whisper Systems". Forbes. Retrieved 2011-12-21.
  14. Garling, Caleb (2011-11-28). "Twitter Buys Some Middle East Moxie | Wired Enterprise". Wired.com. Retrieved 2011-12-21.
  15. Pete Pachal (2011-12-20). "Twitter Takes TextSecure, Texting App for Dissidents, Open Source". Mashable. Retrieved 2014-03-01.
  16. "A New Home". Open WhisperSystems. 2013-01-21. Retrieved 2014-03-01.
  17. Brian Donohue (Feb 24, 2014). "TextSecure Sheds SMS in Latest Version". Threatpost. Retrieved 2014-03-01.
  18. Christine Corbett (Mar 27, 2013). "Sure!". Open WhisperSystems. Retrieved 2014-03-16.
  19. "How Secure is TextSecure?" (PDF). Retrieved 4 November 2014.
  20. Pauli, Darren. "Auditors find encrypted chat client TextSecure is secure". www.theregister.co.uk. Retrieved 4 November 2014.
  21. Andy Greenberg (2013-12-09). "Ten Million More Android Users' Text Messages Will Soon Be Encrypted By Default". Forbes. Retrieved 2014-02-28.
  22. Seth Schoen (2013-12-28). "2013 in Review: Encrypting the Web Takes A Huge Leap Forward". Electronic Frontier Foundation. Retrieved 2014-03-01.
  23. Moxie Marlinspike (2013-12-09). "TextSecure, Now With 10 Million More Users". Open WhisperSystems. Retrieved 2014-02-28.
  24. Max Eddy (Mar 11, 2014). "Snowden to SXSW: Here's How To Keep The NSA Out Of Your Stuff". PC Magazine: SecurityWatch. Retrieved 2014-03-16.
  25. Hanno Böck (Mar 11, 2014). "Snowden empfiehlt Textsecure und Redphone" (in German). Golem.de. Retrieved 2014-03-16.
  26. "Surveillance Self-Defense. Communicating with Others". Electronic Frontier Foundation. 2014-10-23.
  27. "Secure Messaging Scorecard. Which apps and tools actually keep your messages safe?". Electronic Frontier Foundation. 2014-11-04.
  28. Stephanie Mlot (2014-11-18). "WhatsApp Rolling Out End-to-End Encryption". PC Magazine. Retrieved 2014-11-24.
  29. Jon Evans (2014-11-18). "WhatsApp Partners With Open WhisperSystems To End-To-End Encrypt Billions Of Messages A Day". TechCrunch. Retrieved 2014-11-19.
  30. "Open Whisper Systems partners with WhatsApp to provide end-to-end encryption". Open WhisperSystems. November 18, 2014. Retrieved November 18, 2014.
  31. "Facebook's messaging service WhatsApp gets a security boost". Forbes. 18 Nov 2014. Retrieved 21 Nov 2014.
  32. Dean Takahashi (July 29, 2010). "How to hide yourself from Google and cell phone carriers". VentureBeat. Retrieved 2014-02-28.
  33. Moxie Marlinspike (May 5, 2014). "Private Group Messaging". Open WhisperSystems. Retrieved 2014-07-09.
  34. Open WhisperSystems. "Is it secure? Can I trust it?". Retrieved 2014-03-13.
  35. Moxie Marlinspike (July 27, 2013). "Simplifying OTR Deniability". Open WhisperSystems. Retrieved 2014-03-01.
  36. Moxie Marlinspike (Aug 22, 2013). "Forward Secrecy for Asynchronous Messages". Open WhisperSystems. Retrieved 2014-03-01.
  37. Moxie Marlinspike (Nov 26, 2013). "Advanced Cryptographic Ratcheting". Open WhisperSystems. Retrieved 2014-03-01.
  38. "The Axolotl Ratchet Wiki on GitHub". Retrieved 2014-03-14.
  39. Open WhisperSystems (18 March 2014). "Why do I need Google Play installed to use TextSecure on Android?". Retrieved 13 March 2014.
  40. Moxie Marlinspike (3 Jan 2013). "The Difficulty Of Private Contact Discovery". Retrieved 25 Mar 2014.
  41. Moxie Marlinspike (Mar 11, 2014). "How is openwhispersystems paying for the its server costs?". Open WhisperSystems. Retrieved 16 March 2014.
  42. "Issue #127 on GitHub". Retrieved 2014-03-14.