COMSEC: Signal Private Messenger

Signal Private Messenger is a free application, and my new favorite encrypted communication solution.  Signal supports both voice and instant messaging (texting) in a single app.  It is incredibly easy to use, and easy to convince others to use.  There is no complicated setup and no username or password to create and remember.  This app is incredibly intuitive and resembles native phone and texting applications.

Signal uses your phone’s Wi-Fi or data connection.  Signal has replaced the legacy RedPhone and TextSecure apps for Android and merged them into a single platform.  To use Signal Private Messenger simply install the application.  You will be prompted to enter your telephone number for verification.  I have successfully used a Google Voice number for this, even though Signal specifically warns that GV numbers will not work.  Full disclosure: I have also seen GV numbers fail.  This is the ONLY reason for which I use a Google Voice number.  I have no problem with this because the number is only used as an identifier and no data is sent through Google after the initial verification message.  The app will verify the number by sending you a code that you must enter into the application.  No other personal information is required or requested.

If you allow Signal Private Messenger to access your contacts it will identify the ones who have Signal installed.  There is one slight downside to the way Signal identifies its users: in order for others to contact you via Signal they must have the telephone number you used to register the app in their contacts.  This requires that you give out this number to others with whom you wish to use Signal.  For this reason I recommend setting up a Google Voice number that is used only for Signal, and giving that number out to friends, family, and business contacts who are likely to use Signal (or be persuaded to), rather than giving out your real phone number.  I will post in the future about why giving out your real phone number may be a bad idea.

Signal’s interface is almost disconcertingly simple.  Tapping the “+” icon in the upper right of the interface displays a list of your contacts who have Signal installed.  Tapping one of these contacts will open a new message to that contact.  From there you can send a text message, photo, or video, or tap the handset icon to initiate a voice call.  In the search bar on this screen you may enter a telephone number, which Signal will then look up to see whether that number has the app installed.  Once a call is initiated a more typical phone interface is displayed with some standard phone options to mute the call or use the phone’s speaker.

The call interface will also display two random words.  The words displayed will change with each voice call but should match on both handsets involved in the call.  These words are used to ensure the call is not being tampered with by a man-in-the-middle.  If an attacker were to successfully get in the middle of a call, each phone would display different authentication words.  This is because each handset would establish a key with the attacker rather than with the intended recipient’s handset.  I recommend ALWAYS validating these words at the beginning of each conversation made over Signal.  This is especially important before engaging in sensitive communications.  The messaging portion of the application is likewise incredibly simple.  Messages are composed and sent like they are in any other messaging application.  Attaching a file is as simple as tapping the paperclip icon beside the compose pane.  Signal also supports group messaging.
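To show why the two words only match when no one is in the middle, here is an added example (not code from the original post, and not Signal's own implementation): a toy Diffie-Hellman key agreement between two handsets, with the agreed key hashed down to two authentication words.  The group parameters, the sixteen-word list, and the hash-to-word mapping are all assumptions made for the demonstration; Signal's real key agreement and word list differ.  The second scenario relays the exchange through an interceptor, so each handset agrees on a key with the interceptor instead of with each other and their words no longer line up.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters: a prime modulus, but NOT a secure DH group.
# Chosen only so the arithmetic is fast and fits in 16 bytes (assumption).
P = 2**127 - 1
G = 3

# Constructed word list (assumption); Signal's actual list is different and larger.
WORDS = ["absurd", "banjo", "crater", "dolphin", "ember", "falcon", "garnet", "harvest",
         "iceberg", "jaguar", "kayak", "lantern", "marble", "nectar", "orbit", "pelican"]


class Handset:
    """One party in the call: holds a fresh DH key pair for this call only."""

    def __init__(self, name):
        self.name = name
        self.private = secrets.randbelow(P - 2) + 1
        self.public = pow(G, self.private, P)
        self.shared = None

    def derive(self, peer_public):
        # Shared secret depends on whose public value we were actually handed.
        self.shared = pow(peer_public, self.private, P)
        return self.shared


def auth_words(shared_secret):
    """Map the agreed key to two words; both ends compute this independently."""
    digest = hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()
    return (WORDS[digest[0] % len(WORDS)], WORDS[digest[1] % len(WORDS)])


def direct_call(alice, bob):
    """Public values cross the network untouched: same key, same words."""
    alice.derive(bob.public)
    bob.derive(alice.public)
    return {"alice_words": auth_words(alice.shared),
            "bob_words": auth_words(bob.shared),
            "keys_agree": alice.shared == bob.shared}


def intercepted_call(alice, bob):
    """A relay swaps in its own public values in both directions.

    Alice and Bob each finish a perfectly valid-looking key agreement, but
    with the relay, so their keys (and therefore their words) diverge.
    """
    relay_to_alice = Handset("relay-facing-alice")
    relay_to_bob = Handset("relay-facing-bob")
    alice.derive(relay_to_alice.public)   # Alice believes this came from Bob
    relay_to_alice.derive(alice.public)
    bob.derive(relay_to_bob.public)       # Bob believes this came from Alice
    relay_to_bob.derive(bob.public)
    return {"alice_words": auth_words(alice.shared),
            "bob_words": auth_words(bob.shared),
            "keys_agree": alice.shared == bob.shared}


if __name__ == "__main__":
    for label, scenario in (("direct", direct_call), ("intercepted", intercepted_call)):
        result = scenario(Handset("alice"), Handset("bob"))
        print(label, result["alice_words"], result["bob_words"],
              "match" if result["alice_words"] == result["bob_words"] else "MISMATCH")
```

With only sixteen words and two positions there is a 1-in-256 chance the intercepted words collide by accident, which is why a real system uses a much larger word list; the keys themselves, which the code also compares, essentially never collide.  Reading the words aloud over the call and checking them against the other handset is the step that turns this math into the check the post recommends.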

Signal is one of the best privacy-enhancing applications available (especially considering its cost) and I strongly encourage its use.  Its encryption utilizes the “axolotl ratchet”, a system that provides perfect forward secrecy.  Perfect forward secrecy means that each message is encrypted with a unique, ephemeral key.  If the key for one message is compromised it has no impact on the others, since each has its own key.
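The "unique, ephemeral key per message" property is easiest to see in code.  The following is an added example, not code from the post and not Signal's implementation: a single symmetric key-derivation chain in which each message key is derived from a chain key that is then advanced one-way and the message key discarded.  The HMAC labels, the hash-based stream cipher standing in for real authenticated encryption, and the sample messages are all assumptions for the demonstration; the real axolotl design also layers a Diffie-Hellman ratchet on top of this chain, which is left out here.  The demo steals the chain key after the third message and shows that the thief can read later messages but not earlier ones.

```python
import hashlib
import hmac
import secrets


def kdf_chain(chain_key):
    """One ratchet step: a message key for this message, and the next chain key.

    The labels b"\\x01" and b"\\x02" are assumed constants for the demo.
    HMAC is one-way, so the next chain key reveals nothing about this
    message key or about the chain key it came from.
    """
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return message_key, next_chain_key


def keystream_xor(key, data):
    """Toy stream cipher (stand-in for real authenticated encryption)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class SymmetricRatchet:
    """Holds only the current chain key; message keys never persist."""

    def __init__(self, chain_key, index=0):
        self.chain_key = chain_key
        self.index = index

    def step(self):
        message_key, self.chain_key = kdf_chain(self.chain_key)
        self.index += 1
        return self.index, message_key


def decrypt_with_chain(chain_key, start_index, ciphertexts):
    """Decrypt every message numbered >= start_index from a chain key
    captured just before message start_index was sent.  Earlier messages
    are skipped: their keys were derived from chain keys that no longer exist
    and cannot be recomputed from the captured one."""
    ratchet = SymmetricRatchet(chain_key, index=start_index - 1)
    recovered = {}
    for number, ciphertext in ciphertexts:
        if number < start_index:
            continue
        index, message_key = ratchet.step()
        assert index == number
        recovered[number] = keystream_xor(message_key, ciphertext)
    return recovered


def forward_secrecy_demo():
    """Send five constructed messages; leak the chain key after message 3."""
    root_key = secrets.token_bytes(32)
    messages = [b"meet at noon", b"bring the docs", b"changed my mind",
                b"tomorrow instead", b"ok"]
    sender = SymmetricRatchet(root_key)
    ciphertexts = []
    message_keys = []
    captured_chain_key = None
    for plaintext in messages:
        number, message_key = sender.step()
        message_keys.append(message_key)
        ciphertexts.append((number, keystream_xor(message_key, plaintext)))
        if number == 3:
            captured_chain_key = sender.chain_key   # state stolen after message 3
    receiver_view = decrypt_with_chain(root_key, 1, ciphertexts)
    thief_view = decrypt_with_chain(captured_chain_key, 4, ciphertexts)
    return {"messages": messages, "message_keys": message_keys,
            "receiver": receiver_view, "thief": thief_view}


if __name__ == "__main__":
    result = forward_secrecy_demo()
    print("receiver decrypts:", sorted(result["receiver"]))
    print("thief with chain key after #3 decrypts:", sorted(result["thief"]))
```

The legitimate receiver, who started from the same root key, reads all five messages; the party holding the chain key captured after message 3 reads only messages 4 and 5.  That is the forward-secrecy half of the story.  Messages sent after the compromise stay readable to the thief for as long as this one chain runs, which is the gap the Diffie-Hellman ratchet (omitted here) is there to close.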

As pointed out by the grugq, however, Signal does leak a great deal of metadata about you.  This includes your contact list, who you talk to, and the frequency with which you talk to them.  This metadata is certainly no worse than that generated by your normal telephone conversations.  It is also not any worse than that created by other encrypted messaging applications.  For this reason it may not be suitable for defeating certain threat models.  For encrypting your day-to-day comms that would otherwise be made through insecure means, Signal is a major upgrade.  Signal is funded by donations and grants, and much of the work in developing and maintaining the app is done by volunteers.

Signal Private Messenger is free and available in the App Store and on Google Play.  For more information on Signal visit https://whispersystems.org/blog/signal/.
