If you own an iPhone or Android handset and care about your privacy, there’s no longer much of an excuse not to encrypt every conversation you have. Now a free, zero-learning-curve app exists for both text and voice that can keep those communications fully encrypted, so that no one but the person holding the phone on the other end can decipher your words.
On Monday the open-source encryption software group Open Whisper Systems announced a new upgrade to Signal, its iOS app that enables end-to-end encrypted voice calling. With the update, Signal will end-to-end encrypt text messaging, too. And in WIRED’s testing of that updated all-in-one app, it’s just as idiot-proof as the two most basic, lime-green iPhone communication buttons it replaces.
“The objective is to be a complete, transparent replacement for secure communications,” says Open Whisper Systems founder Moxie Marlinspike. “We want to have a texting and calling experience that’s actually better than the default experience and is also private.”
In fact, the Signal update completes a suite of mobile encryption apps that Marlinspike has been developing for nearly five years. In May of 2010, Marlinspike released Redphone and Textsecure for Android, two apps that enabled end-to-end encrypted voice calls (using VoIP and the ZRTP protocol developed by PGP creator Phil Zimmermann) and text messages. But users of those apps could communicate only with other Redphone and TextSecure users, leaving iPhone users in the cold. Soon after, Marlinspike’s startup Whisper Systems was acquired by Twitter, putting his encryption app work on a two-year hiatus.
Users of the two biggest smartphone operating systems can finally both call and text each other with encryption that foils virtually any eavesdropper.
Marlinspike left Twitter in 2013, and in July of 2014 his newly recreated Open Whisper Systems released Signal, a free voice-calling app that’s interoperable with Redphone. That meant iPhone users could have free, secure voice conversations with their Android owning-friends (and each other). Today’s update includes TextSecure’s functionality, too, so that users of the two biggest smartphone operating systems can finally both call and text each other with encryption that foils virtually any eavesdropper.
Before Signal, the only widely used end-to-end encrypted calling and texting app for iPhone was Silent Circle, which was aimed mostly at corporate users and cost between $13 and $40 a month compared with Signal’s free service.
It’s important to note that Apple’s own iMessage uses end-to-end encryption, too. But the security community has long warned that iMessage’s closed-sourced approach may include vulnerabilities that could allow snooping. Signal, unlike iMessage, lets users check the fingerprints of each others’ keys (with a long press on the user’s contact name) to verify that they’re not sending their messages to some man-in-the-middle who stealthily passes them on to the intended recipient. iMessage doesn’t let you verify those public keys of the people you’re communicating with, potentially leaving you open to man-in-the-middle attacks by Apple or any government agency that forces its cooperation.
“It’s possible that anyone in control of Apple’s servers could intercept your communication without you knowing it,” says Marlinspike. iMessage also lacks a feature built into Signal called “perfect forward secrecy,” which changes the encryption key with every message so that codebreakers would have to crack each one individually.
The best feature of Signal is that despite its heavy security and new texting functionality, it remains just as simple as the iPhone’s default calling and texting apps. Marlinspike says that Open Whisper System’s usability is the focus of most of the group’s efforts. “In many ways the crypto is the easy part,” he told WIRED when Signal launched last year. “The hard part is developing a product that people are actually going to use and want to use.”
Porting TextSecure to the iPhone opens it up to millions more potential users. But it’s already seen impressive adoption on Android: the standalone TextSecure app has been downloaded to about 500,000 Android phones. It also got a boost of about 10 million users when it was integrated as the default texting app in the Cyanogenmod version of Android in late 2013. And it got another gigantic bump last year when Whatsapp turned on TextSecure for its half-billion-plus Android users, in what’s likely the largest end-to-end encrypted messaging system of all time.
With partnerships like those, TextSecure may have the potential to serve as the protocol for practically all encrypted messaging in the mobile era. Now iPhone users are finally invited to the privacy party, too. Better five years late than never.
No comments:
Post a Comment