Introducing Signal – Updated
Note: this is an updated version of my previous post about Signal.
After the last U.S. presidential election and the repeal of privacy protection laws regarding Internet use, many consumers became interested in keeping their communications private. The phrase “Use Signal” started gaining traction on social media. But what is Signal?
Signal (or to use its full name, Signal Private Messenger) is an encrypted communications app created by Open Whisper Systems. It secures your phone calls, your texts, and your video calls.
Don’t let the word “encrypted” scare you off; Signal isn’t hard to use at all. The interface is very similar to what your phone already has. It seamlessly integrates with your phone’s dialer and its texting function. Turning things on and off is as simple as tapping your screen.
Signal’s origin story begins in May 2010, with a company called Whisper Systems, founded by security researcher Moxie Marlinspike and roboticist Stuart Anderson. Whisper Systems released an Android app called RedPhone, which let its users make encrypted VoIP calls to other RedPhone users. They also released TextSecure, an app that let you send encrypted text messages.
In November 2011, Whisper Systems was acquired by Twitter. RedPhone was taken offline, much to users’ dismay; it was very popular among protesters and activists, especially participants in the Arab Spring protests. But by July 2012, RedPhone and TextSecure were available again, this time as free open-source apps.
In January 2013, Moxie Marlinspike founded Open Whisper Systems, an open-source software project. RedPhone and TextSecure were combined to become Signal; it was released for iOS in July 2014, then for Android in November 2015.
How it works
So, what does that mean in English? Well, to put it simply…
Outside of computers, a ratchet is a mechanical device that’s a wheel with angled teeth paired with a pawl or cog. A ratchet can only move in one direction. In cryptography, a ratchet is a function that only goes one way; unlike algebra, you can’t take the answer and use it to figure out the rest of the formula.
As its name implies, the Double Ratchet Algorithm combines two ratchets: a Diffie Hellman key exchange and a hash function. Messages are encrypted and decrypted with data files called keys. The Double Ratchet Algorithm uses temporary session keys. Stealing one session key won’t let an attacker read any messages sent in the future.
So, imagine unlocking the door to your apartment. Unbeknownst to you, someone has made a copy of your key. You unlock your door, let yourself in, and lock the door behind you. The attacker takes his key, sticks it in the lock…only to find the key won’t budge. The lock has spontaneously changed after you went inside. And will do so every time you use your key.
That is the essence of Signal Protocol.
You will need a phone number to get started, but it doesn’t have to be the same phone number that is attached to your SIM card. Some of you may want Signal for work and professional contacts, while others are worried about making their cell number public. You can sign up for a second phone number, then use it for Signal.
Your second number shouldn’t be a number that you don’t have complete control over, such as a public payphone or a disposable phone number. The best options are Google Voice or a pay-as-you-go cell phone provider. You can sign up for Google Voice through their app, which is available in the Google Play Store and the App Store.
Another option for obtaining a second phone number is to sign up for a pay-as-you-go cell phone provider. This will be easier on an Android phone, since Android devices allow for multiple users and accounts. When you get the second SIM card, turn off your phone, put the second SIM in your phone, and register that number with Signal. Then, turn your phone off and replace it with your original SIM. Make sure that the replacement SIM stays active so that you don’t lose ownership of your second number. If you do, someone else can use it to get their own Signal account and you’ll lose access to yours.
Unfortunately, iPhones can’t use more than one number. Your best bet is to get a separate iPhone and make it a dedicated Signal device. For more details, check out Barton Gellman’s guide “Signal as a Newsroom Dropbox.”
Now that you’ve installed Signal, you can still do all the things you used to do. You can send group texts, attach photos and other files, call and video chat. The difference is that now everything will be kept private.
When you set Signal as your default, you can still communicate with people who don’t have it, even with people on landlines. However, in order to have privacy, everyone on the call or in the conversation will need to have Signal installed. When you text someone who doesn’t have Signal, your texts will have a symbol of an open padlock. When both of you have Signal, there will be a closed padlock in each text bubble.
The ability to take screenshots is disabled by default. You can turn off this setting, but that would probably be counterproductive.
Signal will let you send an invitation to your contacts to install the app; you can even personalize the invite. I recommend doing this, just so your contacts know that they’re not receiving spam.
Once all your friends have joined, you can take group chats to the next level with private group chats. You can give each group its own name and add an unlimited amount of people. All your messages will transmitted over the Internet at no charge.
That said, there is something you should remember about private groups. If, for whatever reason, you want to kick someone out of the group, it’s not enough to simply delete that person. You will need to create a new private group with the remaining members.
new paper shows future secrecy is broken for Signal group chat (since attacker can join a group once they know group ID + member's phone #) https://t.co/VFikH05QXn
— yan (@bcrypt) July 27, 2017
so if you want to keep a group chat confidential from a former member after they leave, create a new group
— yan (@bcrypt) July 27, 2017
Is Signal Broken?
Ever since the infamous Wikileaks Vault 7 dump in March 2017, there has been the erroneous assumption that the CIA has somehow broken Signal and other secure apps like WhatsApp. This was further compounded by a tweet from the New York Times, which they have since deleted and apologized for. This left people wondering if they were now being monitored by government agents.
The real story of Vault 7 was that the CIA allegedly has the ability to install spyware on your phone. Of course, if your smartphone has been infected with some sort of spyware, no amount of encryption software will help you. That sort of situation would be like having someone look over your shoulder as you type.
That said, no security product is 100% unbreakable. At best, you get what are called the six nines – 99.9999% reliability. The strong encryption of today is the weak and useless encryption of tomorrow. Computers become faster and more powerful every day, and security software must change to reflect that.
If there is any danger, it probably won’t come from the app itself. Signal – like many types of encrypted communication software – can hide your messages, but it can’t hide who you’re talking to. This may be all right for the average person, but if you’re being spied on by a government agency or one of their contractors, that alone may be dangerous. But for most of you reading this, that situation doesn’t apply to you.
Security is all about trust. There is some risk involved with trusting your information to a third party, be it Signal or a VPN. The key is finding an entity that is worthy of your trust. As of now, I’d say Signal is worthy of that.