Comparing Messaging Apps

Micah Lee has a nice comparison among Signal, WhatsApp, and Allo.

In this article, I'm going to compare WhatsApp, Signal, and Allo from a privacy perspective.

While all three apps use the same secure-messaging protocol, they differ on exactly what information is encrypted, what metadata is collected, and what, precisely, is stored in the cloud - and therefore available, in theory at least, to government snoops and wily hackers.

In the end, I'm going to advocate you use Signal whenever you can - which actually may not end up being as often as you would like.

EDITED TO ADD (6/25): Don't use Telegram.

Posted on June 23, 2016 at 6:54 AM • 89 Comments

Comments

James June 23, 2016 7:26 AM

I agree with Bruce about Signal - it probably is the best app (in terms of overall security) to use.

However I'm surprised that The Intercept haven't mentioned Telegram. Personally I prefer Telegram as:

- its UI is much more polished
- you have the ability to send messages which self-destruct
- you can password protect the app
- you can set up 2SV (if you decide to use 'non-secret' chats)
- there is a good, fully functioning desktop app (PC/Mac/Linux) and web version
- you can chat to people using just a username and not a phone number
- you can cause your Telegram account to delete if not used for a certain period of time

(The non-secret chats are still considered secure although you have to trust Telegram more... https://core.telegram.org/techfaq)

The downside? They use their own encryption algorithm (MTProto).
The upside? By offering non-secret chats by default you can use a wide variety of devices.

https://telegram.org/

Dr. I. Needtob Athe June 23, 2016 7:57 AM

James, I think you meant you agree with Micah Lee. Bruce didn't give his own opinion.

Jeroen June 23, 2016 8:09 AM

"The downside? They use their own encryption algorithm (MTProto)."

Yeah, and that's a dealbreaker for every sane person on the planet which makes it worthless to review the application.

P. Edant June 23, 2016 8:20 AM

Bruce, you spelled Micah's name wrong.

Sadly, I only know 3 people that use Signal, whereas ~80% of my contacts use WhatsApp. Seems that WhatsApp snuck in first and lots of people are unwilling (or too indifferent) to switch given how many common contacts would be lost.

Matt June 23, 2016 8:55 AM

I am still sad that Signal has no duress password option. I currently set mine to keep only the last 10 messages as a poor workaround.

Thoth June 23, 2016 9:22 AM

@Matt
Duress passwords are only useful when the assumption is that the hardware is both tamper-resistant and trusted; otherwise a duress password on an insecure implementation is unlikely to succeed, with physical probing of the hardware an easily available option to agencies around the world.

The better option is to assume the messaging application is compromised and have a separate cryptographic encryptor device to feed/side-load the data. This way you can use common messaging applications while having an internally trusted end-to-end channel via the separate cryptographic device.

W June 23, 2016 9:43 AM

@James

Are you insane?

Telegram backs up all your chat logs to their servers by default as end-to-end encryption isn't the default. Telegram also rolls out custom crypto with a number of vulnerabilities that I'm sure spooks everywhere are well aware of. Why else would spook leaders worldwide keep naming the tool they claim they can't get into over public news outlets?

http://cs.au.dk/~jakjak/master-thesis.pdf

Carl Byoir June 23, 2016 9:49 AM

Product placements as content. This appears to be fairly common with the Intercept's coverage of tech. Maybe this explains how Pierre Omidyar can afford to maintain his media outlet without advertisements.

The article is the ad. Surprise.

Tech will solve all of your problems or triple your money back! The vendors would never, ever, sell users out with false promises. Because Markets.

http://billmoyers.com/story/smartphone-users-paying-for-own-surveillance/

Brando June 23, 2016 10:10 AM

I am not a cyber security expert by any means, however I've done a good amount of research into all these messaging applications' secure-messaging protocols and none truly compare to one called RakEM.
- Raketu, the company, has a commercial and a business platform. One called RakEM, the commercial one, and the other called SecureHaze.

- I am not comparing each application's UI but merely their secure-messaging protocols.

- RakEM uses an end-to-end transport protocol, therefore no government body or hacker can intercept its communication. It goes straight from device to device, no server in the middle.

- Also, unlike the other "secure messaging applications" who use standard 256 AES encryption with their chats, RakEM uses a self-mutating encryption key with a length that ranges from 2048 to 4096 bits.

- Cybersecurity Expert John McAfee even endorses RakEM
- https://www.raketu.com/press-releases/press-releases-2016/john-mcafee-trusts-rakem/

Here is their explanation about how they compare to the rest of the applications addressed above.

https://www.raketu.com/technology/blogs/rakem-whatsapp/

I hope you find this information useful.

Clive Robinson June 23, 2016 10:50 AM

@ W,

You beat me on posting the link to the masters thesis :-( +1 to you.

Marlo June 23, 2016 10:55 AM

Let's take Signal, supposedly the "best" of these. It's also "open source", they say.

The problem is that you have no way of verifying that Signal that you download on the App Store was actually compiled from the source code it's supposed to come from. In other words, no way of doing deterministic builds. This completely defeats the purpose of "open source".

Why do people just believe stuff? Apparently, all an app dev has to do these days is utter a few words - "open source" (Signal), "we now do end-to-end encryption" (WhatsApp) - and people are all happy again. Why?

Wouldn't surprise me at all if the feds have already given WhatsApp permission from the inside to lie about being "end-to-end encrypted" when in fact they're not.

W June 23, 2016 11:14 AM

@Brando

Peddle your snake oil elsewhere. Your crypto word salad is meaningless.

Clive Robinson June 23, 2016 11:17 AM

@ Carl Byoir,

There is an interesting paragraph in the article by Bill Blunden you link to,

    There’s definitely something to be said for old-school methods. They worked just fine pre-internet and they can still work. In fact, old-school tradecraft may turn out to be the Achilles’ heel for security services as they’ve become heavily reliant on signal intelligence to function.

If you read the last sentence again and think back, the US got into the same SigInt / Elint mess back in the days of the U2, and they've never really been out of it since. They became overly reliant on others for HumInt, and "boots on the ground intel". As a result they got "gamed". By Israel's over the ME with Yellow Cake, and others like the "in waiting" Iraqi National Congress, oh and a diplomat's daughter telling of Iraqi troops flinging babies out of incubators so the equipment could be shipped back to Iraq (turns out she was nowhere close at the time).

Oh and so many others who would sing any old song for US Dollars, in fact a little update on an old saying gives "He who pays the piper, gets to hear what they want to hear". So amongst other nonsense we got Tony Blair PM's dodgy dossiers, not what they should have listened to which was from people really on the ground such as Hans Blix...

But hey, no real harm done, ISIS are keeping the oil flowing to China...

VidKid June 23, 2016 11:20 AM

Marlo said "The problem is that you have no way of verifying that Signal that you download on the App Store was actually compiled from the source code it's supposed to come from."

Exactly. I would trust Apple's implementation over these jokers.
(which is not to say I would trust Apple implicitly)

James June 23, 2016 11:28 AM

Thanks Clive Robinson and others.

I'll have a read through the Master's Thesis.

I don't know why (they say for reasons of speed, reliability and large file transfer) they didn't implement the axolotl (signal) ratchet or some other form of tried-and-tested cryptographic protocol but the app itself has some nice features and my use scenario doesn't require me to defend myself against government actors (although extra protection is always nice).

That said we can't really trust WhatsApp (which uses the axolotl ratchet) nor Signal because there's no easy way to decompile the distributed app. I know that Signal is open-source (WhatsApp isn't) but ultimately we have to place our trust somewhere.

The number of side channel attacks against mobiles is astonishing and, like Bruce says, "if the NSA want in, they're in".

I think that practical defences such as 'secret chats' with self-destructing messages serve a useful purpose for most people and correspondingly increase their security.

Clive Robinson June 23, 2016 11:30 AM

@ Marlo,

In other words, no way of doing deterministic builds. This completely defeats the purpose of "open source".

Even if you could do a "deterministic build" it would still not really prove anything.

If you think about it, all an attacker needs to do is what CarrierIQ did with their "test harness". Which is to "shim the IO" that the app works through and just grab the plaintext going to the screen driver or coming from the keyboard driver. There are various places it could be done, so even the OS code may show nothing untoward...

blake June 23, 2016 11:40 AM

> no government body or hacker can intercept it's communication. It goes straight from device to device no server in the middle.

How - Bluetooth? Wifi? What happens if you're not in the same room, or post code?

Comrade Major June 23, 2016 11:54 AM

Use jabber over tor.
Don't use smartphones (they are one big trojan).
Don't use Windows.
Don't use new computers.
Use some good linux distro. Some people recommend Tails, but you are encouraged to learn how to make your own distro and learn security stuff.
It's important to understand that no matter how good your "messenger", if the OS is compromised - everything is compromised.

https://en.wikipedia.org/wiki/WhatsApp
WhatsApp Inc., based in Mountain View, California, United States, was acquired by Facebook Inc. on February 19, 2014, for approximately US$19.3 billion.[15][16]
So, WhatsApp is a part of Facebook. Facebook is a CIA company.
Obviously WhatsApp is under CALEA act.

Google's Allo is same shit.

Comrade Major June 23, 2016 12:18 PM

Jabber+OTR of course.

Signal:
https://en.wikipedia.org/wiki/Signal_(software)
Signal is developed by Open Whisper Systems and is published under the GPLv3 license.

Open Whisper Systems:
https://en.wikipedia.org/wiki/Open_Whisper_Systems

Open Whisper Systems (informally abbreviated OWS[4]) is a nonprofit software group that was founded by Moxie Marlinspike in 2013.
...
Location: San Francisco, CA

Nuff said.

And yes, telegram
1)saving metadata
2)don't encrypt message by default
3)and if you enable msg encryption - can do MitM
4)plus, if you enable encryption - you will draw attention to yourself.

;===
Use public wifi or crack private wifi to access tor network.

Yosep June 23, 2016 12:21 PM

@Marlo & @VidKid & @James:

Then compile it yourself. You can get the source from GitHub and compile your own app. Your grievances are more with App Stores than with Signal or WhatsApp.

@James:

You misunderstand the threat model Signal and WhatsApp are protecting against. They're protecting against mass, passive surveillance. This includes from the NSA.

They don't make much effort to protect against active attacks, of which there are too many options available to a nation state actor to bother trying to protect against.

To everyone:

Recognize the security of the applications for what they are. Recognize what they do and don't protect against.

Matt June 23, 2016 12:47 PM

@Thoth

So since it won't be perfect don't even implement it? The main purpose of a duress password is to appear to comply without actually revealing the protected info, and it should be a standard feature. Sometimes "I forgot the password" or 5th amendment protections are not available. This is useful in many situations against non nation state adversaries. What are your thoughts on truecrypt's hidden containers? If the underlying hardware is not trusted, what stops a screen recorder or keylogger?

Mr. Hat June 23, 2016 12:57 PM

I am beginning to think that Alcoa has been corrupted by the Intelligence Community. My hat seems to be leaking my thoughts and I keep getting signals that the foil should have blocked.

How can they build back doors into aluminum foil??

r June 23, 2016 1:29 PM

@Mr. Hat,

I believe by not including an insulating layer between the foil and your sweaty head.

Those who are balding are in all likelihood particularly vulnerable?

hawk June 23, 2016 1:52 PM

@Jeroen

Can you name one encryption algorithm that wasn't invented by somebody? What do you mean by "their own?"

Comrade Major June 23, 2016 1:58 PM

You might consider not using tor at all. As some researcher said, it draws attention to you like a "transgender camel in Mongol deserts" (or something like that).
Instead, use free wifi spots + vpn, or just wifi without vpn.

Also consider using a long-range wifi antenna.

I remember this article https://theintercept.com/2015/11/12/edward-snowden-explains-how-to-reclaim-your-privacy/
Edward Snowden recommends using Signal, but forgets to mention not to use smartphones. Interesting, isn't it?

Anura June 23, 2016 2:19 PM

@hawk

If you are going to design a protocol, you should include security proofs to show that it is secure as long as the underlying key exchange/signature/encryption/MAC/hash algorithms cannot be broken, and then use well-known, and thoroughly vetted cryptographic algorithms for those components. If you can't actually do those security proofs, then you shouldn't be designing your own algorithm. Well, it turns out that the protocol is not very sound as Jakobsen's thesis details.

Jakub Narębski June 23, 2016 2:39 PM

There is something called OMEMO (see e.g. http://lwn.net/Articles/691315/), implemented as an extension to the XMPP IM protocol, with its design being an extension of the OTR (Off-the-Record) protocol, borrowing from the Double Ratchet / Axolotl Ratchet that Signal uses, but without the need for a centralized server (unlike Signal).

Available among others in Conversations (Android)... and I think that's it for now for mobile.

Anura June 23, 2016 3:19 PM

@Brandon

- RakEM uses an end-to-end transport protocol therefore no government body or hacker can intercept it's communication. It goes straight from device to device no server in the middle.

I assume this means that they found a way to connect two devices using a wormhole so that there is no space between them? How does it guarantee that the wormhole is connected to the correct device, and not a malicious device that forwards messages transparently through its own wormhole connection with the intended device?

Regardless of the security, that's a pretty amazing leap forward in technology. I'm skeptical however, in that they don't mention it requiring hardware. I would have assumed that that sort of technology would require projecting some sort of inverse tachyon beam at a quantum flux in subspace to create the wormhole.

Yosep June 23, 2016 4:33 PM

@hawk

Them rolling "their own" crypto means it hasn't gone through any of the vetting processes used to establish public trust in established crypto systems.

This is something typically done by Math PhD's who don't actually understand real-world attacks and end up making very amateur mistakes in rolling their own custom crypto.

So a common discriminator for untrustworthy crypto is: it is custom-made, its proofs haven't been peer-reviewed (assuming any proofs have been published), and it is being used in a real-world context.

@Comrade Major

Because being told not to use a useful product is tantamount to saying "the only way to protect yourself is to do an attacker's job for them - prevent any and all use of the tool".

As for the rest of your recommendations, that's also unworkable and isn't grounded in the understanding that people will not give up a useful tool because magicians say "Ghosts can haunt you from your eternally cursed artifacts! You may not notice the haunting, but it's really easy for ghosts to haunt you if they wanted to!"

Thoth June 23, 2016 6:29 PM

@Matt
A simple thing like what @Clive Robinson mentions about shimming the screen or I/O drivers (a.k.a. key/screen logging) is a real threat. Those of us here who recommend higher assurance security (me, @Nick P, @Clive Robinson et al.) have recommended a separate encryptor on another device for a long time on this blog, across many posts and comments.

Truecrypt and many other software-only protections are pretty powerless when an adversary is going to be able to listen to the memory, processes, I/O and all that stuff without needing to crack a single encryption. Why bother with the tough job of figuring out the cryptanalysis when it is cheaper to backdoor or poison the computer?

Trusted hardware is difficult as well and it really depends on who you want to protect against and the levels of protection you need. The main reason being nation state control of the hardware supply chain and manufacturing. A good example: do you trust Intel, despite it selling itself with Trusted Execution Technology on the security side, when it also includes Intel ME on the same silicon?

I use Truecrypt while knowing the protection is highly limited, and thus I do not waste time on hidden volumes. There is research on the hidden volumes for Truecrypt on the web. How many people are good at faking the external volume, and when a real adversary comes along can they hold themselves and their lies properly without breaking down or leaking? And what if you need to make multiple encrypted containers with their own hidden volumes to hide large content that has been broken into multiple fragments? You need to invent something to say per container.

Security is difficult. Nothing is going to stop screen or key loggers in their soft or hard form. You need a separate device you can trust to do the critical functions. Even the known tricks, from self-shuffling keyboard inputs to the exotic defensive measures to prevent screen scraping deployed by Snapchat and other chat applications, can turn useless if you can bypass the higher levels of security in the stack (i.e. application sandboxing in Android) and start attacking the lower level stuff like memory access, driver manipulation, firmware images and so on.

Even with the use of Signal, not only are you a walking target screaming for attention because you are using an encrypted chat application, you have doubts whether the Google Play Store or App Store is loading an unaltered and correct binary.

Better advice would still be to use a common chat application that at least uses TLS as an obfuscation (e.g. Google Talk/Jabber over TLS) and then use external hardware to do the actual crypto stuff (layered boxes approach).

Yosep June 23, 2016 7:42 PM

@Thoth

Your advice on chat applications is nonsense. Signal is *not* marketed for criminals nor is it seen as screaming for attention.

Even more - you advocate for using *Google Talk*? I'm assuming you mean its successor, Google Hangouts. Which you effectively advocate for sending a plaintext transcript of all your communications to Google which is constantly parsed by them and/or NatSec types for evidence of marketability and/or subjective evil-of-the-day.

And what is the utility of using external boxes for crypto when a plaintext transcript of all your communications is already available to both Google and the NSA and who knows how many other institutions?

And Jabber isn't inherently secure. I don't know why you'd assert otherwise.

r June 23, 2016 8:47 PM

@Yosep,

I believe, as he's not the only person specifically mentioning jabber impl's, that he means using Google/Jabber as a tunnel in his second suggestion, with e2e 'externals' and GOOG in the middle.

For the most part in such a setup there will be no plaintext transfer. Clive and Thoth speak of shims OR HOOKS; those are very real problems, and 'local' decryption/viewing is vulnerable to such behaviour.

More to the point, decryption and local viewing are vulnerable to the Van Eck? attack (at least where CRT's were concerned) and for any real assurances please understand that even when software is not bugged or buggy the underlying hardware is apparently vulnerable to various quirks in the laws of physics.

Van Eck is an analog leak, we routinely hear of digital (per bit reconstruction) leaks via audio, thermal, RF etc.

The only reason why I would avoid using google, unless transferring plaintext+encrypted docs WITH relatively benign plaintext, is that passing 100% encrypted data would raise hairs on Mr Commie's back.

If Jabber isn't inherently secure, what is?

z June 23, 2016 9:15 PM

I like Signal the best, but it is very difficult to find anyone who uses it. I have to convince each person I want to talk to to use Signal. This is hard, because it offers no benefits to "normal" people beyond some vague notion of privacy that most don't understand and many simply don't care about. It's hard to convince the average college-aged girl that she should install this different app because of things called ephemeral keys, and Diffie-Hellman, and AES. More importantly, my friends can only use it to communicate with me, unless they convince their friends to use it. Nobody is going to install an app just to talk to one person, especially to someone as boring as me;). Thus they are faced with this same problem I have and it just snowballs from there.

The great thing about WhatsApp is that people already use it. The best thing that Signal has done is show that end-to-end encryption can be done in a user friendly way, which probably went a long way towards getting WhatsApp to do it too.

R3LLiM June 23, 2016 9:58 PM

What do you think about the messenger program Wickr? Is that safe to use and how good is it?

Onion June 24, 2016 12:07 AM

https://moxie.org/blog/telegram-crypto-challenge/

Moxie Marlinspike (hello if you are reading!!) wrote the above about Telegram, and I believe has commented further elsewhere.

For those who don't know, he was the primary author for Signal and apparently the primary responsible party for the very recent WhatsApp encryption (already discussed on this blog)

The Electronic Frontier Federation had a scorecard for secure messaging apps, comparing them all - Whatsapp was about 2 out of 8 until their recent encryption upgrade - but they have this new message as below:

https://www.eff.org/secure-messaging-scorecard

Here are the Guardian Project private messenger apps amongst other vital tools

https://guardianproject.info/apps/

Thoth June 24, 2016 1:10 AM

@Yosep
If you use Signal or known protocols for secure messaging, everyone observing from the network would see the headers indicating what protocols you use. This will give your intention away and you bet NSA et al. would delegate additional resources to you because you used secure E2E messaging.

If you use TLS/Jabber (i.e. Google Hangouts or just Jabber with TLS), you use it as an obfuscation tunnel.

If you have been reading my other posts carefully before commenting, where I advocate separate device encryption, the next step is to use an external encryptor to encrypt the message and feed it into the TLS-based obfuscation tunnel, thus the Box-in-a-box technique, making smartphone screen capping or keylogging even harder.

Security isn't about how strong that encryption you use is. It has more exposed surfaces than we thought. Secure hardware, physical separation of functions, obfuscation of intentions and trying to scrub out network traces are but a few tricks in the bag for higher assurance security.

WhatsApp, Signal, Allo, Telegram... any common "secure" messaging app you can think of do not take into consideration the bigger attack surfaces and leave the responsibility for users. Most people simply use them out of lack of choice or ignorance.

Using TOR to route traffic is also a bad option, if anyone has heard of TOR tunneling for chat applications, as it attracts the attention which you are attempting to avoid. Most agencies relate the use of TOR or some outright encryption (i.e. Signal) to evading surveillance and that screams for attention. Better off using TLS as an obfuscation tunnel since TLS is commonly deployed and blunts their suspicion.

Winter June 24, 2016 2:43 AM

@Clive
"If you think about it all an attacker needs to simply do is what CarrierIQ did with their "test harness". Which is to "shim the IO" that the app works through and just grap the paintext going to the screen driver or comming from the keyboard driver."

But that holds for ALL digital security measures. If you cannot control the hardware, the network, and ALL software, there is no solution. At least I have not seen such a solution.

But that is not the threat model Signal tries to counter. That is interception and eavesdropping en route. If you are personally targeted by someone with a budget, you are toast anyway (e.g., with rubber hose cryptanalysis and thermorectal password extraction).

Clive Robinson June 24, 2016 6:50 AM

@ Winter,

If you cannot control the hardware, the network, and ALL software, there is no solution. At least I have not seen such a solution.

Yes there is, and it's been well known for a long time. You are just making the "in end point device" assumption, you need to see things a different way.

Split what you are doing into logical steps and blocks, then work out where you are going to put your security break point in between trusted and untrusted.

As both you and I consider the communications end point devices and all points in between compromised, they are by definition untrusted. Thus you don't do any security operations with them and you place the security break point outside of them.

You then do your security functions (authentication, encryption etc) in a device that is sufficiently trusted. Which could be an energy-gapped computer, gapped encryption device or even pencil and paper hand cipher. As long as the security break point is properly mediated you have the basis on which a secure system can be built.

PutzApp June 24, 2016 9:35 AM

I've come to expect idiots to pop up and sing about how trustworthy and secure telegram is across most of the internet and in the real world, despite all evidence to the contrary, but to see so many here doing the same made me incredibly sad. Either telegram has some PR people 'managing their reputation' here, or many of you are incredibly foolish and misinformed.

Also, nobody in their right mind would use "allo". Best case scenario, even ignoring the obvious privacy issues, you're letting Google decide what you should be saying to people and essentially insert advertisements into your conversations? What the fuck?

As for whatsapp, I've grown increasingly frustrated with the fact that many of the same people who (correctly) pointed out that metadata is dangerous when governments started with the "it's just metadata" line, seem to be intentionally ignoring Facebook's hoovering of metadata via whatsapp for some ($$$) reason.

Reezg June 25, 2016 3:12 AM

@r

Using that setup *would* be a gigantic glaring flag of you trying to hide something, wouldn't it? Trying to use garbled text on otherwise ungarbled platform would stick out like a sore thumb.

Reezg June 25, 2016 3:23 AM

@Thoth

Active attacks are expensive. There's no way the NSA would use them on everyone and anyone that uses Signal. Given that it's advertised primarily for privacy and that it is explicitly stated that it does *not* protect against Nation States, it's ridiculous to think that it's a particularly suspicious tool.

You seem to have the entire game of avoiding surveillance completely backwards. You have this notion that using certain services like Signal or Tor will result in active attacks against you.

Instead, you advocate for using services where your communication's metadata can be more actively tracked. You advocate against end-to-end and advocate for MitM being able to monitor and record your ciphertext.

If I didn't know any better, I'd say you're a shill given how hard you're advocating for people to use services that would auto-record your ciphertext for you while gathering metadata that would be all-but-unavailable for Feds doing passive snooping.

Your advice has been almost entirely destructive.

Thoth June 25, 2016 7:46 AM

@Reezg
What makes you think Govt Agencies are not picking off anyone using TOR or remotely suspected of trying to "make life difficult for Govt" ?

Computer Network Exploitation has grown sophisticated, and State funded groups with the blessing and technological transfers are growing. Look at the Military-Industrial-Government complex and its advances and growth. It wouldn't be difficult to implant massive amounts of persistent malware (looking at the poor state of security for Android) into every Android device and compromise them.

You also seem not to understand what I am talking about, and have not bothered to read and ask, and simply jump to conclusions.

What I propose can be simply put in the following steps:
1.) Set up a separate PC with OpenBSD or something secure and hardened as your encryptor.

2.) Copy the ciphertext to the sending device (TLS/Jabber, Google Hangouts or even Signal if you want so badly) and send the ciphertext.

3.) Upon receiving ciphertext, copy and paste it into the separate device to decrypt the message.

4.) Rinse and repeat step 1 to 3.

What are the rationales behind using TLS for obfuscation:
1.) TLS/Jabber or Google Hangouts use TLS and XMPP protocol which are Open Source and can be easily verified.

2.) The TLS is only used as an exterior tunnel where you send your separately encrypted ciphertext through the TLS tunnel established by either TLS/Jabber or Google Hangouts.

3.) If you don't trust Google via Google Hangouts, I did mention TLS/Jabber and there are multiple TLS/Jabber services to be used as your first layer exterior tunnel.

4.) Defense should not rely on the TLS tunnel; its only duty is to obfuscate your traffic. The strength of your encryption comes from the separate device. This creates a "Box-in-a-box" effect where, if the TLS happens to fail or the server admins are forced to show your chat records, you have the internal and actual security layer of the separately enciphered chat.

5.) Agencies have been known to figure out who is who in the TOR network and map the TOR network. An example is the FBI hiring Carnegie Mellon university to probe TOR. The FBI has also managed to bring down Silk Road despite it being a TOR hidden service.

6.) Signal, like any other messaging app, has its own protocols and headers. These headers marking that the message is secured by Signal would immediately be noticed on packet inspection. This may trigger suspicion if you live in many of the authoritarian countries like China, Russia, Singapore, Malaysia, Britain ...etc... that have attempted to regulate free speech and also cryptographic strength. The USA can be added to the list of non-free speech countries as well.

7.) Most usage of Signal does not include any form of obfuscation layer to attempt to hide the message protocol signatures and headers.

8.) Due to TLS being a common Internet protocol, it is much harder to track every TLS request than every TOR or Signal request due to them not being the majority of web traffic.

Personal attacks in academic debates:
Finally, if you want to debate an issue, you do not even have any concrete explanations on your accusations and it is a taboo in academic debate to attack a person directly and not the concepts of ideas and theories.

If you have any arguing issues, please explain in a concrete manner with backing evidence on any ideas or theories and not persons.

This comments and discussion section is not a section for personal attacks but for constructive discussions and concrete academic debates.

rJune 25, 2016 8:33 AM

@Thoth,

If you wanted to automate the transcription it could be done easily from the secure box w OCR and a webcam pointed at the source.

I'm sure Clive would recommend diodes or a LAN tap and one-way UDP broadcasts of the encoded data over it.

I'm really beginning to understand the style of setup/architecture you guys oft recommend.

ReezgJune 25, 2016 2:21 PM

@Thoth

>What makes you think Govt Agencies are not picking off anyone using TOR or remotely suspected of trying to "make life difficult for Govt" ?

>Computer Network Exploitation have grown sophisticated and State funded groups with the blessing and technological transfers are growing. Look at the Military-Industrial-Government complex and its advances and growth. It wouldn't be difficult to implant massive amounts of persistent malware (looking at the poor state of security for Android) into every Android device and compromise them.

As I said before, attacks are expensive. They're noisy. They have risk of detection.

It would only take a single person noticing such an attack to blow the cover on the entire thing. And then the Feds would have the finger pointed at them, and then people would stop sending sensitive data over Signal and WhatsApp. It's wholly counterintuitive to a goal of intelligence gathering. And at a time when most Feds, *especially* the NSA, are trying to patch up their reputation with hackers and the broader tech ecosystem, they aren't going to be hacking anyone and everyone that uses Signal. And for WhatsApp - are you insane? You think Feds will hack all one Billion of its users?


>You seem also not to understand what I am talking about and not bothered to read and ask and simply jump to conclusions.

No, I read and understand what you're talking about. You seem to be largely ignorant of how tech functions these days.

>1.) TLS/Jabber or Google Hangouts use TLS and XMPP protocol which are Open Source and can be easily verified.

Google disabled XMPP support a while back. As for Jabber - it can be useful, but you can't reasonably expect a non-techie person to agree to use it. Signal at least is fire and forget after the initial setup, even for non-techies.


>2.) The TLS is only used as an exterior tunnel where you send your separately encrypted ciphertext through the TLS tunnel established by either TLS/Jabber or Google Hangouts.

Which still leaks valuable metadata that is auto-recorded by Google. Which can then be retrieved by third parties you may not feel comfortable with looking at your data.

>3.) If you don't trust Google via Google Hangouts, I did mention TLS/Jabber and there are multiple TLS/Jabber services to be used as your first layer exterior tunnel.

What part of "metadata" do you not understand?

>4.) Defense should not be relied on the TLS tunnel and its only duty is to obfuscate your traffic. The strength of your encryption done on a separated device. This creates a "Box-in-a-box" effect where if the TLS happens to fail or the server admins are forced to show your chat records, you have the internal and actual security layer of the separately enciphered chat.

You and I are talking about two wholly divorced threat models.

I am talking about being able to protect against passive surveillance e.g. the most common.

You're talking about trying to protect against active surveillance, which is a Sisyphean endeavor.


>5.) Agencies have been known to figure who is who in TOR network and map the TOR network. An example is FBI hired Carnegie Mellon university to probe TOR. FBI have also managed to bring down Silk Road despite it being a TOR hidden service.

You have absolutely no idea how Tor works if you think "mapping" it is going to give the Feds the ability to track traffic down.

As for Carnegie Mellon University, they used a 0-day. They exist. Your argument is "Tor is not perfect, therefore it is worthless".

Again, almost every single word that you post is destructive.

> 6.) Signal like any other messaging apps have its own protocols and headers. These headers marking that the message is secured by Signal would immediately be noticed on packet inspection. This may trigger suspicion if you live in many of the authoritarian countries like China, Russia, Singapore, Malaysia, Britain ...etc... that have attempted to regulate free speech and also cryptographic strength attempts. USA can be added to the list of non-free speech country as well.

Okay, and? By that logic, you shouldn't be advocating against WhatsApp, yet you are.

>7.) Most usage of Signal does not include any form of obfuscation layer to attempt to hide the message protocol signatures and headers.

You must be new here if you think promoting Security-through-Obscurity works.


> 8.) Due to TLS being a common Internet protocol, it is much harder to track every TLS request than every TOR or Signal request due to them not being the majority of web traffic.

Both Signal and TOR use TLS. What in the world makes you think they don't?

rJune 25, 2016 3:49 PM

@Reezg,

Yes, base64+encryption passed over a traditionally plaintext pipe would be stupendously ignorant.

One may be able to get a little farther passing innocuous text and encoded documents(attachments) but those methodologies are not what i practice.

Not that I either have a need for, or practice anything at all to begin with so my sincere apologies for interjecting in this instance.

I practice a bunch of laymen(lame) ridicule I suppose. Thanks.

SubmissionJune 26, 2016 5:37 AM

The Gizmodo article Bruce links to does say:

"There are many Telegram users who think they are communicating in an encrypted way, when they’re not because they don’t realize that they have to turn on an additional setting..."

Even the Master's Thesis (more reliable than Gizmodo) does say:

"But assuming the users follow the protocol*, their chat session can be considered authenticated and safe from third parties."

*i.e. you must use a secret chat and verify in person the fingerprint visualisation. (Checking the fingerprint also applies to WhatsApp and Signal!)

TotoJune 26, 2016 12:45 PM

I find it strange to see that Signal on Android requires the Google Play Services to function. My Android phone has no Google apps or API layer like the Play Services. Other apps like WhatsApp work like a charm and can be downloaded pretty easily from their creator's websites or via a side loading store. Signal refuses to function without Google Play Services unfortunately.

WooJune 27, 2016 5:32 AM

Regarding Telegram, I'm more bothered by the blatant privacy violations than the security issues (I tend to use instant messengers only for non-topsecret communications anyways).
The app uploads your whole phonebook to their servers (without any notice or approval), and when someone signs up for a new account, will automatically and unpreventably send an info message to all persons who have his phone# in their phonebook, no matter how this number was acquired.
Of course, this practice is never mentioned anywhere in their FAQ or privacy statement...
You can't approve who can add your contact. By default, everyone can message anyone, and you have to block them individually. IMHO, that's completely ass forward.

When I signed up for Telegram, it took a mere 5 minutes to get a whole slew of messages from salesfolk, slightly-known people and a few others I would have preferred NOT to know I've moved to a new messenger, since I hoped to cut off a few old ties by getting rid of ICQ. Yeah, no luck with that.

Is privacy really valued so little nowadays, esp. with the young generation, that this behaviour is deemed acceptable?!

FenrirJune 27, 2016 9:09 AM

Woo,
The 'average folks' have no idea what's going on. They can't figure out where the Start button is, let alone understanding what's going on with their data.

Markus OttelaJune 27, 2016 8:07 PM

@James

RE: Telegram

it's UI is much more polished

I agree. Especially the Signal desktop client doesn't really scale to screen, and there's no way to reply to quote previous screens.

you have the ability to send messages which self-destruct

This is complete, utter snake oil. It assumes the sender can control data they send to recipient's device. Sure, you can implement it in FOSS, but the only way to prevent recipient from modifying their client's source code not to do that is by making the software proprietary -- an act that would make Signal completely insecure.

you can password protect the app

Signal does that too.

you can chat to people using just a username and not a phone number

While it's nice to have that, it's unlikely you need end-to-end encryption with people you've never met and who can't look you up in a phone book anyway. Remember: you need to be able to verify the fingerprint to ensure there's no man in the middle. If you don't know who you're verifying the code with, a phone call to a stranger is hardly a solution. Telegram has the crappiest fingerprints there are: instead of reading hexadecimals, you say something like "fully white cube, light blueish cube, darker blue cube": transmitting two bits of information with three words is crap compared to four bits per hexadecimal character. Plus there's a fingerprint collision attack with pre-calculation that has just 64-bit complexity.

The non-secret chats are still considered secure although you have to trust Telegram more

Considered secure the same way Facebook chat is secure: Meaning it's not. TLS simply isn't enough in our modern world. The fact you can't have end-to-end encryption for groups is enough reason not to use Telegram.

The downside? They use their own encryption algorithm (MTProto). The upside? By offering non-secret chats by default you can use a wide variety of devices.

MTProto, an algorithm with non-standard construction, is another huge reason to avoid Telegram. Plus, there's no technical barrier in Signal protocol to synchronize messages between multiple clients.

Markus OttelaJune 27, 2016 8:22 PM

@Carl Byoir

Product placements as content. This appears to be fairly common with the Intercept's coverage of tech.

I see no problem evaluating these tools. Signal has no business model, so there's no economic incentive for writer to recommend it over the others. There's a big difference between native advertising and tech review. I completely agree smartphones are inherently insecure against FVEY agencies, but that's not the only threat model out there. People haven't exactly stopped using smartphones after the Snowden leaks -- quite the opposite in fact. So, using Signal over bad tools provides relatively more security and should be encouraged.


@ Marlo

The problem is that you have no way of verifying that Signal that you download on the App Store was actually compiled from the source code it's supposed to come from

Apple's AppStore has this issue, but it's not the fault of OpenWhisper Systems.
Android has reproducible builds: https://whispersystems.org/blog/reproducible-android/

Wouldn't surprise me at all if the feds have already given WhatsApp permission from the inside to lie about being "end-to-end encrypted" when in fact they're not.

IIRC Moxie has personally overseen the implementation of Signal protocol in WhatsApp. WA proprietary license is indeed troublesome as it makes reproducible builds impossible. Were WA to receive a national security request to make changes to protocol now, it would be very hard to detect them. Signal doesn't have this problem.

Markus OttelaJune 27, 2016 9:17 PM

@Brando

As much as I'd like to just say "it's snake oil, don't use it", there's going to be a lot of people who need more convincing.

RakEM encrypts the content and uses peer-to-peer direct transmission between devices – we don’t see your messages on our servers, so if we were asked to produce message logs, etc. we would comply and provide nothing since we have nothing. WhatsApp stores the messages on their servers – making it an easier target for hackers.

This is actually a bad thing. It means there is no decent protocol like TLS that protects messages in transit. Were they using TLS and servers, it would mean only intelligence agencies could access their end-to-end encryption with TLS-MITM attacks. P2P is not a security feature -- although it takes global, centralized censorship off-the-table. Having no server means every other router from ISP to tiny nation states can get access to RakEM's proprietary encryption. Claiming hackers can access messages from server is complete fabrication, as WA server only stores ciphertexts encrypted by clients.

RakEM encrypts the locally stored messages on the users device vs WhatsApp that does not encrypt the locally stored messages – they are clear text.

WhatsApp database was encrypted before Signal protocol, likely before Raketu existed.

RakEM users can ‘unsend’ messages, wiping them off their device and the recipients device vs WhatsApp that does not have unsend

This is snake oil, read my previous posts in this thread.

RakEM uses our patent pending self-mutating encryption, that encrypts the content differently each time it is sent. WhatsApp uses an encryption method involving public private key which don’t change every time.

"Self mutating" isn't a thing in cryptography. Not understanding the proper terminology, and claiming WhatsApp doesn't change encryption key (they do after every message) means they don't know their field.

"RakEM encrypts everything – messages, location, pics, doodles, voice, video, including voice and video calling."

For example, location leaks via other software if you enable GPS on device.

"WhatsApp’s parent, Facebook, has said it will be adding advertising to WhatsApp later this year – how will it target these ads if WhatsApp (and Facebook) cannot read your messages?"

This needs a source, but for the sake of argument: WhatsApp can most likely use phone numbers as identifiers between WA account and Facebook. Ads are displayed based on how Facebook tracks user online. WA doesn't have to read your messages to track you.

RakEM, using our device to device direct transmission, does not see nor does it store you message meta-data on our servers, vs WhatsApp that sees and stores your message metadata on their servers.

This should've been part of the first summary point. Again, it doesn't matter when everyone from ISP to IX routers world wide can access the metadata.

Signal Systems (Open Whisper Systems), the encryption used by WhatsApp, was funded by the U.S. government, and is still funded by the U.S. government. RakEM is not funded by the U.S. government, nor has it ever been – we are independent – no backdoors.

The intersection of funding and FOSS protocol in a Venn diagram of backdoors is empty.

Encryption

Depending on devices and network conditions, RakEM uses an encryption key length of up to 4096 bit, using the maximum possible for a given task and conditions...

This is pure technobabble that explains in absolutely no way how the algorithm or protocol works.

Displaying hex dumps of CT to describe conventional pub key encryption: "7d087efcceff332k3diosuehe5422343", but forgetting non-hex chars inside? Really?

The RakEM encryption that shows different ciphertexts for every message offers absolutely nothing new. The only symmetric cipher mode of operation that doesn't have always different ciphertext is electronic code book (ECB). ECB is usually the second cautionary tale told (right after reusing one-time-pad) on every course that even touches crypto. There are exactly two alternatives: Either they don't know the first thing about crypto, or they are deliberately misleading users by claiming they've invented initialization vectors.

RakEM is not currently open source

And yet they have the audacity to criticize FOSS tools.

For RakEM, we are developing a new feature that either prevents screen capture all together, or when a screen capture is taken of RakEM, the capture is a black screen, no image of RakEM is taken. We have this working in our labs and will be releasing this feature in an upcoming release.

I heard they also cast a spell on their app that makes muggles forget about taking a photo of smartphone screen with another device.
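
To make the ECB point above concrete, here is an added example (not code from the thread, from RakEM or from WhatsApp). A toy 16-byte Feistel block cipher built on SHA-256 stands in for AES so the block runs with only the Python standard library (an assumption for illustration only, not something to deploy), and the standard ECB and CTR constructions are run over it. Under ECB, identical plaintext blocks give identical ciphertext blocks; under CTR with a fresh random nonce, the same message encrypts to a different ciphertext every time, which is the ordinary behaviour of any mode with an IV and exactly what the RakEM text advertises as novel.

```python
import hashlib
import os

BLOCK = 16  # 128-bit blocks, like AES


def _round_function(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed PRF for one Feistel round (toy: SHA-256 truncated to a half block).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel permutation on one 16-byte block (assumed stand-in for AES)."""
    if len(block) != BLOCK:
        raise ValueError("block must be exactly 16 bytes")
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        f = _round_function(key, rnd, right)
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: each block is encrypted independently, so equal blocks give equal ciphertext."""
    if len(plaintext) % BLOCK:
        raise ValueError("ECB example expects whole blocks (no padding implemented)")
    return b"".join(block_encrypt(key, plaintext[i:i + BLOCK])
                    for i in range(0, len(plaintext), BLOCK))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: XOR data with E_k(nonce || counter). Encrypt and decrypt are the same operation.
    The nonce plays the role of the IV and must never repeat under one key."""
    if len(nonce) != BLOCK // 2:
        raise ValueError("nonce must be 8 bytes")
    out = bytearray()
    for counter, i in enumerate(range(0, len(data), BLOCK)):
        keystream = block_encrypt(key, nonce + counter.to_bytes(BLOCK // 2, "big"))
        out += bytes(p ^ k for p, k in zip(data[i:i + BLOCK], keystream))
    return bytes(out)


def ecb_repeats_visible(key: bytes, plaintext: bytes) -> bool:
    """True if two equal plaintext blocks produced two equal ciphertext blocks."""
    ct = ecb_encrypt(key, plaintext)
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(set(blocks)) < len(blocks)


def ctr_ciphertexts_differ(key: bytes, plaintext: bytes) -> bool:
    """Same key, same message, two fresh random nonces: the ciphertexts differ."""
    ct1 = ctr_crypt(key, os.urandom(BLOCK // 2), plaintext)
    ct2 = ctr_crypt(key, os.urandom(BLOCK // 2), plaintext)
    return ct1 != ct2


if __name__ == "__main__":
    key = os.urandom(32)
    # Constructed sample message: three identical 16-byte blocks.
    msg = b"ATTACK AT DAWN!!" * 3
    print("ECB leaks the repeated block:", ecb_repeats_visible(key, msg))
    print("CTR differs per message:     ", ctr_ciphertexts_differ(key, msg))
```

With the same key and the same nonce, CTR is deterministic again, which is why a repeated nonce is the CTR-mode equivalent of the ECB mistake: the "different ciphertext every time" property comes entirely from the fresh IV, not from anything about the cipher itself.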

Markus OttelaJune 27, 2016 9:45 PM

@Thoth

If you use Signal or known protocols for secure messaging, everyone observing from the network would see the headers indicating what protocols you use. This will give your intention away and you bet NSA et. al. would delegate additional resources to you because you used secure E2E messaging.

The only way to make Signal less obvious sign of wanting privacy is to ask everyone to use it. The more diversity, the more noise and more general acceptance. Labeling it as dangerous or as criminal tool is the worst that can be done.

"If you use a TLS/Jabber (i.e. Google Hangouts or just Jabber with TLS), you use it as an obfuscation tunnel."

Part of the reason we use end-to-end encryption is because we consider TLS mostly worthless against nation states. The header that rings bells isn't simply "?OTR" or whatever Signal uses but any non-decodable plaintext under TLS-layer. I understand that Signal user looks more suspicious than a WhatsApp user, but unless WhatsApp integrates every security benefit out there, we're stuck using alternative tools. The destination IP and packet length can also reveal the protocol.

Better off use TLS as obfuscation tunnel since TLS is commonly deployed and blunts their suspicion.

TLS is most of the time already the outer shell for OTR over XMPP, and it's likely also used to protect Signal protocol in WhatsApp and Signal. Again, the destination IP to Signal server is a dead giveaway. Tor provides a useful layer here, as does the approach of split, separated TCB. As a reminder, TFC piggybacks on OTR, which in turn piggybacks on TLS.

R3LLiMJune 27, 2016 9:48 PM

@Comrade Major or anyone that can provide more info on Wickr

Why is Wickr bad to use?

Markus OttelaJune 27, 2016 10:03 PM

@Reezg

Active attacks are expensive. There's no way the NSA would use them on everyone and anyone that uses Signal.

Are they really? How many users are running Snort? Can personal security products detect all exploits against zero days in mobile operating systems? Baseband processors? I think not. I challenge you to counter the following argument: "By knowing who the elite security specialists are, and by avoiding them, with the average window of opportunity of 312 per zero day, you can hack into 99.99% of Androids for almost a year for the price of just 1-2 million dollars, by using a carefully polished exploit that causes no crashes, performance drag (it's not like key exfiltration needs to mine bitcoin) or warnings."

There's no way the NSA would use them on everyone and anyone that uses Signal

That feels about right, but why wouldn't they use them on everyone they feel they want to?

You have this notion that using certain services like Signal or Tor will result in active attacks against you.

When it's the only way to get access to communication, why not? FBI has been using Magic Lantern for this since early 2000s. Snowden's been talking about NSA routinely doing key exfiltration. Appelbaum's been talking about CNE automation. UK just accepted Snooper's Charter that allows bulk-hacking of entire cities. Please do enlighten us.

Instead, you advocate for using services where your communication's metadata can be more actively tracked.

It's easier to obfuscate metadata by running XMPP+OTR over Tor than it is to hide your identity with Signal, prepaid cards, separate phones...

You advocate against end-to-end and advocate for MitM being able to monitor and record your ciphertext.

Please rephrase.

services that would auto-record your ciphertext for you while gathering metadata that would be all-but-unavailable for Feds doing passive snooping.

You should never assume Signal server isn't recording your metadata. OWS isn't above the law, and Moxie is against canary warrants despite EFF's recommendations.

Markus OttelaJune 27, 2016 10:16 PM

@ Thoth

What I propose can be simply put in the following steps

We've discussed extensively why single airgapped TCB isn't enough. For anyone not familiar with it, I've written an article about it.

Agencies have been known to figure who is who in TOR network and map the TOR network.

It's not the same case, as it's not about anonymous publishing, but hiding your geolocation from server and agency performing close access operations / knowing what smartphones/laptops to turn into listening devices, assuming decryptor device has a remaining covert exfiltration channel. Tor is a useful layer but it can't be the only one.

Most usage of Signal does not include any form of obfuscation layer to attempt to hide the message protocol signatures and headers.

The target IP header is again, a giveaway in itself: you don't need to look into protocol headers with Signal.

Markus OttelaJune 27, 2016 10:30 PM

@ Reezg

but you can't reasonably expect a non-techie person to agree to use XMPP"

I've seen children create MSN messenger accounts and install the client. Setting up OTR on top of that isn't very complicated. Just because someone makes it easier and mainstream users become more lazy, doesn't make setting up XMPP harder in absolute sense.

I am talking about being able to protect against passive surveillance e.g. the most common.

You're living in the year 2003. The threat model is no longer just passive collection, it's actually moving from TLS-MITM to bulk CNE.

You're talking about trying to protect against active surveillance, which is a Sisyphean endeavor.

You're neglecting a decade of cat-and-mouse game with security protocols and crypto. There are of course active, targeted attacks you can't really defend yourself against, but there are ways to make you much more secure against hacking.

You must be new here if you think promoting Security-through-Obscurity works.

There's a difference between security through obscurity and reducing size of fingerprint.

MichaelJune 28, 2016 3:50 AM

@ Clive Robinson, "Oh and so many others who would sing any old song for US Dollars, in fact a little update on an old saying gives "He who pays the piper, gets to hear what they want to hear"."

what else would they sing for? the euro obviously can't compete. it's a race to the bottom, to grill more oil, that is.

MichaelJune 28, 2016 3:56 AM

@ Markus Ottela, "The threat model is no longer just passive collection, it's actually moving from TLS-MITM to bulk CNE."

lol omgz... I just don't understand why the fuss about everyday conversations. if you don't have anything to hide, you don't have anything to be afraid of or to hide/obfuscate. For a lot of people, the government passively collecting their conversations is perfectly fine for the purpose of national security. If they use it for selective punishments, then that's another story, but so far there is no indication that the G-men have lost their integrity.

What I'm more worried about is collecting/selling my data for advertising use. That's the bigger threat in my model.

MichaelJune 28, 2016 4:05 AM

I'm not saying WhatsApp is snake oil, in fact, far from it, but the fact that the same user can access his message contents from more than one device is alarming. To comply with regulations, the service could have added an invisible end-point which forward all your conversations to a LEO database, despite layers of transport security. My belief is that is technically feasible.

Markus OttelaJune 28, 2016 6:47 AM

lol omgz... I just don't understand why the fuss about everyday conversations.

It's not about everyday conversations of people who never discuss things that might affect the status quo. It's about those who actually pose meaningful challenge to government, having to self censor topics in their everyday conversation. Your definition of terrorist is different from that of governments.

If you don't have anything to hide, you don't have anything to be afraid or to hide/obfuscate

You're either incredibly naive or trolling.

but so far there is no indication that the G-men have lost their integrity.

Thanks. I can finally stop worrying about gerrymandering, political repression such as COINTELPRO and foreign governments considering me an extremist for visiting Linux Journal's forums.

Nick PJune 28, 2016 9:04 AM

@ Michael

re everyday conversations

This article describes and links to a nice write-up by Solove on the situation. It's really about power people have over you once they know things, even harmless ones. The question is, "Should government agencies, some with authority to imprison or murder you, be able to collect, determine, provide to third parties, and deny you information about you with criminal immunity for any problems that come of their actions?" That versus agencies collecting information we know about with methods we know about with due process for charges and a right to challenge incorrect information. What we mostly have today. I can't see why any rational person would trade one for the other.

Significant consequences arising from these systems include people on Do Not Fly list with no way to challenge it, people's house SWATed since a name/address is wrong, camping trips making you a terrorist, and so on. Them not knowing anything about you by default while needing probable cause to search you makes you way safer. It also increases their odds of success of catching REAL criminals by forcing them to go where evidence trail leads. Due process also means they better attest to the quality of evidence, too.

Way better than re-creating the secret systems of government we spent American blood fighting decades ago.

Nick PJune 28, 2016 9:30 AM

@ Markus Ottela

"We've discussed extensively why single airgapped TCB isn't enough"

It's a pretty good article. First suggestion is replacing HSA with High Strength Attacker (HSA) for first usage. Remember it's a term I invented to replace existing ones. So, nobody knows what the acronym means yet. Still in bootstrapping phase. Also, if addressing a general audience, always explain what the concept of TCB means before you use it. Even a surprising amount of "INFOSEC" publications don't address the concept. I'm open to suggestions and revisions on the definition to make it more effective. I usually say something like:

"It's very important to consider the Trusted Computing Base (TCB) of your security scheme. The TCB is every component, from hardware to software, that must work correctly for the system to be secure. Example TCB components are operating system kernel, the filesystem, keyboard input, display output, DMA controller for input/output, and whatever generates your keys. TCB components are ideally few in numbers, each as small as possible, and each built with rigorous attention to correctness." Then, I illustrate the TCB in given schemes. First two sentences and last one represent most important facts to get across.

"We can send as many messages we want using new a USB-drive every time, throwing the used ones in the shredder."

I'm curious. Is this how you initially conceived your design or a way you've created to explain it? It's a pretty good illustration of what you're doing.

"The transmitting side has two LEDs connected in parallel with opposite polarities. "

I assumed it was a regular, serial diode. I didn't know it had LEDs and batteries. Better than I imagined! There's still potential for one-way property to fail due to EMF crosstalk somehow. I'm not qualified to say what the risk is or what cheap mods would knock it out. It's something that needs review at some point. Also, since it's basically a form of optocoupler, the speed might be increased by using faster ones at some point. I know distance affects EMF from reading on TEMPEST and Red-Black shielding. So, maybe combine with the free-space optics concept, esp the homebrew one that does 10Mbps, to physically separate the two at some distance while keeping power to each unit really low.

"like SIGINT drones, there would be no way to avoid linearly increasing cost when scaling up surveillance. Currently, such an attack would be too expensive. The day it isn’t, you’ll know:"

Great point and image. Got a good laugh out of it. Believe it or not, I still use this great trailer to illustrate the concept to laypersons along with tidbits like this. They find the scenario entirely believable due to incompetence and insecurity they've seen in all other tech. Now just gotta connect that perception to their votes. :)

R3LLiMJune 28, 2016 9:49 AM

@Markus Ottela

Thank you for that information I appreciate it. So, is Signal the safest messenger out there to use?

Clive RobinsonJune 28, 2016 1:15 PM

@ Nick P,

I assumed it was a regular, serial diode. I didn't know it had LEDs and batteries.

The reason is, contrary to what most people believe, serial comms are based on tri-level not bi-level signaling. This is for historical reasons when "current loop" signaling was used. Originally telex lines used to be up to +/- ~96 volt (nominally 80V but as high as 110V) through a standard 1200 ohm resistance to give ~20-45mA loop current or about +/- 24-60V at the distant receiver. At the receiver the line went into a rectifier and a standard PO3000 relay to act as both a load and "signal present" indicator. The "no current" state was used as an alarm signal called, unsurprisingly, "break" and the relay would drop out. Thus the three signals were "mark", "space" and "break". As time went on the break level became used not just to detect line faults but also, in short breaks, as a signalling system.

Any voltage above 30V even through limit resistors can be enough to stop your heart, so was not considered safe for "local working". Thus people designed their own lower voltage signaling, not just for safety but also to have a greater than 50/75 baud rate. The various voltages selected were nominally multiples of "12volt lead acid accumulators" (actually nearer 14volt when new and fully charged).

Whilst initially it was still current loop signaling it quickly became voltage switching nominally +-24volt (allowing up to 28V). Thus you need to take an input from +25volts through 1200 ohms to -25volts through the same resistance but still detect +3 to -3 volts. But you also need to be able to detect between a short to protective ground and an open on the line. However with the advent of home computers with ROM, other chips and electromechanical items needing +/- 12V, these became the nominal voltages used with home computers and printers.

The signaling levels are: binary zero is a positive voltage above 3volts, binary one is a negative voltage of -3volts or more. The problem was how to deal with "break" signalling; various techniques were tried but the norm became extended "space" signaling. This however did not give a "line open" / not connected indication. Thus various tricks such as pull up resistors have been tried. However these do not work with galvanic isolation which the opto couplers give. Thus you have actually switched back to the old current loop type break detection. The batteries shown on the receiver side are in reality "current sources" switched by the opto couplers.

A correct galvanically isolated universal line converter circuit is a little bit more complicated --but not much-- than the circuit shown. If you want a full circuit I have one I designed back in the early 1980's, but unless you have old Creed or similar Telex machines or more modern Trend TEMPEST approved TTY kit you need to drive you'll have no need for 70% of it.
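
The mark/space/break classification above, as an added example (not Clive's circuit, and not code from any real serial driver). Idealised line-voltage samples, one per bit time, are classified with the +/-3 V thresholds he gives and framed as 8N1 (one start bit, eight data bits LSB first, one stop bit). An extended space, i.e. a start bit followed by all-space data and a space where the stop bit belongs, is reported as a break rather than as a byte, and a voltage between the thresholds is reported as an open or undefined line, which is the condition he says voltage-switched signaling cannot distinguish on its own. Bit synchronisation and the sample values are assumptions of the example.

```python
MARK, SPACE, OPEN = "mark", "space", "open"
FRAME_BITS = 10  # start + 8 data + stop


def level(volts: float) -> str:
    """Classify one sampled line voltage using the +/-3 V thresholds."""
    if volts >= 3.0:
        return SPACE          # binary 0
    if volts <= -3.0:
        return MARK           # binary 1, also the idle state
    return OPEN               # undefined region: open line or fault


def decode_frames(samples):
    """Decode one-sample-per-bit 8N1 frames.

    Returns a list of events: ('byte', value), ('break',), ('open',) or
    ('framing_error',). A frame whose data and stop bit are all space is the
    extended-space break condition, not a 0x00 byte.
    """
    levels = [level(v) for v in samples]
    events, i, n = [], 0, len(levels)
    while i < n:
        if levels[i] == MARK:             # idle line, keep looking for a start bit
            i += 1
            continue
        if levels[i] == OPEN:             # line not driven at all
            events.append(("open",))
            while i < n and levels[i] == OPEN:
                i += 1
            continue
        if i + FRAME_BITS > n:            # start bit seen but frame truncated
            events.append(("framing_error",))
            break
        data, stop = levels[i + 1:i + 9], levels[i + 9]
        if OPEN in data or stop == OPEN:
            events.append(("open",))
            i += FRAME_BITS
            continue
        value = 0
        for bit, lv in enumerate(data):   # LSB first
            if lv == MARK:
                value |= 1 << bit
        if stop == MARK:
            events.append(("byte", value))
            i += FRAME_BITS
        elif value == 0:
            events.append(("break",))     # extended space: swallow until line returns to mark
            i += FRAME_BITS
            while i < n and levels[i] == SPACE:
                i += 1
        else:
            events.append(("framing_error",))
            i += FRAME_BITS
    return events


def encode_byte(value: int, mark_v: float = -12.0, space_v: float = 12.0):
    """Idealised transmitter for one 8N1 frame at +/-12 V (home-computer levels)."""
    bits = [0] + [(value >> b) & 1 for b in range(8)] + [1]
    return [mark_v if b else space_v for b in bits]


if __name__ == "__main__":
    # Constructed sample: 'A', three idle bit times, 0xFF, then a long break.
    line = encode_byte(0x41) + [-12.0] * 3 + encode_byte(0xFF) + [12.0] * 20 + [-12.0] * 2
    print(decode_frames(line))
```

In a galvanically isolated link the open condition is the interesting one: with an optocoupler there is no DC path for a pull-up resistor to report "not connected", so the receiver either treats the undefined region as a fault, as this decoder does, or falls back to current-loop style break detection as the comment describes.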

Dirk PraetJune 29, 2016 5:37 AM

@ Michael

I just don't understand why the fuss about everyday conversations. If you don't have anything to hide, you don't have anything to be afraid of or to hide/obfuscate.

Please send me a full list of all your accounts and passwords (mail, social media, websites etc.) I promise I won't use or sell them to anyone else for advertising purposes.

Kind regards,

Your friendly neighbourhood anarchist

R3LLiMJune 29, 2016 3:45 PM

I'm considering using Signal as my messenger. In order to use their service you have to input your phone number from the device you're going to use it on and allow access to your contact list. That seems a bit intrusive.

Markus OttelaJune 30, 2016 2:02 AM

@ Nick P:

I added HSA to terminology at the front page of the blog but I probably should make edits to articles (TCB too). Many things are outdated, e.g. WhatsApp protocol description. It turns out Signal's double ratchet protocol was not used during the time of writing. When the protocol changed, notifications about E2EE started popping up and fingerprints were enabled. There's a lot of updating to be done but TFC keeps me busy whenever I have spare time.

The USB-drive explanation was just a way to bridge the way airgapped TCB is used, to how the three-computer setup works. It also helps the users understand how they should set up the system were they only to use PGP (as Green suggested): public keys on TxM, private key on RxM; the issue there is manual typing of public key (something I did with previous TFC signing key) is insanely annoying.

There's still potential for one-way property to fail due to EMF crosstalk somehow.

Since TxM must be assumed to be clean (not vulnerability-free but malware-free), the relevant attack is key leak from RxM to NH. Let's assume RxM's serial interface or Rx.py can be exploited to run arbitrary code that reverses serial pin order and uses data diode's Rx-side wires as antennas. I'm not sure the EM field is strong enough to induce a current on the data diode's Tx-side (NH); AFAIK LEDs don't conduct current below forward voltage. If that's not enough assurance, putting a DIAC in front of Tx pin should help.

Also, Jones' data diode had a ground loop around the PCB to shield the devices. Something like that could be used as well.

I should really put more effort to data diode design but it's not the first priority at the moment.

"Also, since it's basically a form of octocoupler, the speed might be increased by using faster ones at some point."

Jones warned about not using ICs as it's easy to hide a tiny CPU inside it. High assurance probably needs LEDs and phototransistors. I had issues finding a fast enough phototransistor (someone at Reddit may have found one but I haven't gotten around to ordering them). The reliable speeds Jones got were around 1200 baud/s -- I'm not expecting more.

The optocoupler I'm using is Vishay's CNY75 that works reliably at 9600 baud/s. The faster ones that support up to 1M baud/s are more complex on the inside: I'd appreciate if anyone could tell me how to connect the Rx side pins: Most serial ports support 115200 baud/s, some go up to 921600 baud/s -- file transmission could really use a speedup.

--while keeping power to each unit really low.

From the perspective of acting as an antenna that leaks signals from CPU, memory etc, limiting the current flow with resistors to absolute minimum would be a great idea. As for the signals that pass through the data diode, those are all public (they are all passed through NH, assumed to be in control of the adversary).

They find the scenario entirely believable due to incompetence and insecurity they've seen in all other tech.

Maybe I'm expecting linear adaptation of technology and drones get deployed exponentially, but I still find it hard to believe skies will be filled with them in my lifetime. We'll see.

Markus OttelaJune 30, 2016 2:08 AM

@ R3LLiM

Signal is the best mobile app out there, but like Snowden said, smartphones can be 'owned' with a single malicious SMS. Security is a layered process. It's hard to give definite answers but I think I made a decent summary about secure communication here.

Clive RobinsonJune 30, 2016 4:26 AM

@ Markus Ottela, Nick P, Thoth,

DIACs are not commonly available to home constructors and thus quite expensive. A cheaper and easier solution using readily available parts is a pair of Zener (avalanche) diodes in series anode to anode, which will do the same job. Roughly the conduction voltage will be Vz+0.7V.

However all such sharp knee threshold devices have a real down side when it comes to EMC/EmSec: if you have a filtered signal its rise and fall times are relatively slow, thus have low harmonic content and energy. Stick one of these devices in and you end up with the near equivalent of a comb generator, that can be well into the GHz region of the EM spectrum. Thus like large wild animals "they need care and attention in their feeding"[1]. The solution to this is to use series resistors and capacitors to the signal ground forming a "T filter" at appropriate points.

With regards,

The issue there is manual typing of public key (something I did with previous TFC signing key) is insanely annoying.

Yes, the "manual typing" was the major failing I identified with hand held authentication devices for financial transactions a decade or so ago. @Nick P and myself had quite a conversation about it in the past as he favoured a USB type solution. There is no way around this problem if the device is going to be "out of sight" as part of its normal operation (and locking it in a safe does not work either). The NSA solution is "Cryptofill" via what they call "Crypto Ignition Keys" which you have on your car key ring etc. @Thoth has quite reasonably realised that Smart Cards / Subscriber Identity Modules are the way to go on this. The only down side is making them more rugged. One way might be to use a USB dongle that uses serial protocols to access an onboard SC/SIM.

Speaking of USB...,

The USB-drive explanation was just a way to bridge the way airgapped TCB is used, to how the three-computer setup works.

You might want to update this with an outline of why "energy gapping" is required using the issue of low end ultrasonics from laptop piezo speakers to a small electret microphone in another device. As well as how light that humans cannot see can be picked up as a reflection off of a wall etc with a photomultiplier (Markus Klune at Cambridge Labs has papers on this). So the photo diode serial signal splitter needs to be in a metal --not plastic-- box.

[1] Silly news story of today on the BBC, apparently a man riding a mountain bike in some woods in the US was eaten by a Grizzly Bear... Why this is given prominence in the UK morning news I have no idea.

Dirk PraetJune 30, 2016 5:42 AM

@ Clive

Silly news story of today on the BBC, apparently a man riding a mountain bike in some woods in the US was eaten by a Grizzly Bear... Why this is given prominence in the UK morning news I have no idea.

I guess it's far easier to focus on this kind of stories than explaining to the British public just to what mind-boggling extent they have been lied to and betrayed by the Murdoch empire and an utterly disconnected political caste obsessed with their own personal interests only.

ianfJune 30, 2016 9:04 AM

@ Dirk Praet, Clive

I'll tell you why there was a grizzly bear-eats-MTB-cyclist item in the morning news flow on the BBC: in newsrooms all over the globe at all times there are floating "human-interest" Mondo Cane-type short stories, or vignettes, to be used as slot fillers for scheduled items that for one reason or another have gone AWOL at their allotted time. Deployed also in order to lighten the often way somber mood of a news broadcast – they don't like us to switch channels. Usually these items are gleaned from other stations' feeds the same morning & bought for just this purpose. They're emitted maybe twice during the day, and then forgotten. Had the story instead been of a cyclist bites grizzly bear type, I'd guarantee you, that we'd see it in plenty more places.

Clive, if you remember the UK long-running TV series Drop the Dead Donkey, or either, or both the Canadian CBC, and the U.S. HBO TV episodic drama called The Newsroom, all of them had plenty of just such story fillers, which means alles ist klar and Bob's your uncle.

BREXTONEJune 30, 2016 11:57 AM

Michael

I just don't understand why the fuss about everyday conversations. If you don't have anything to hide, you don't have anything to be afraid of or to hide/obfuscate.

That says quite a volume about you.

It is not about hiding. It is about minding your own damn business.

Also, I do mind collection "for 'national security' purposes". It is of no benefit to me personally. I suspect it is of no benefit to the aforementioned "nation" either. Do forgive me my insolence.

Nick PJune 30, 2016 3:05 PM

@ Clive Robinson

Interesting stuff on the signaling history. Far as other comment, I'm only resisting the smartcard stuff due to subversion and verifiability. There's very few vendors pushing it with subversion risk that's hard to estimate. The quality of the general tooling & interface standards are also shit which Thoth confirmed. That will lead to bad implementations. So, it has to be a clean-slate smartcard.

Good news is that the older nodes can probably handle it if we sacrifice on CPU, etc as that's exactly what smartcard vendors do. The bad news is it takes esoteric skills plus tech that's *definitely* patented & lawsuit-worthy. Independent evaluation and verification of their stuff from HDL to transistors with verifiable image to match decapping is a compromise I'd consider making. I like both Infineon and Gemalto. I'd lean toward Infineon as I expect Netherlands to be a greater risk when U.S. starts putting pressure on. In Germany, there's already strong activity both for and against surveillance tech plus lots of breakers (eg CCC) to keep assessments going.

@ Markus Ottela

" The faster ones that support up to 1M baud/s are more complex on the inside"

What do you mean by that?

"but I still find it hard to believe skies will be filled with them in my lifetime."

I was talking about the enemy stealing the keys part. People expect they'll get hacked. It's a useful fear to play on countering surveillance or drones. Also was a nice visualization of how they'd be used.

R3LLiMJune 30, 2016 9:53 PM

@Markus Ottela

Thank you for the information, appreciate it! My brain is like a sponge to all of this type of stuff. I just wish I had the knowledge that so many people have on this website.

@Dirk Praet

I 100% agree! That right there is called dumbing down the public and desensitizing them to what really matters. A man gets eaten by a bear all over the news headlines while your government is doing the dirty work and passing BS laws taking our freedoms away one by one. Death by paper cuts.

RoverJuly 1, 2016 7:07 AM

Hello,

I am a Signal user and familiar with all the issues (not enough users using it, blah blah). It is also strange that messaging apps users are blindly faithful. They even refuse to install other messaging apps, resulting in a Mexican Stand-off.

I have noticed in this thread as well as Micah's article an absence of comment on Wire Swiss that has all the features of Signal except that it is not:
1) tied to a SIM or mobile phone number
2) It is of minimalist design - e-mail and password - to create an account. No profile like Skype and name can be changed at will.
3) Can use mobile number optionally to facilitate searches but that does not have to be the same as that in the SIM card, if there is one.
4) It has encrypted video conferencing.
5) It only uses the Contact if allowed but does not demand.

I am also a user and fan of Wire as I like its idea of not relying on the mobile phone or SIM card. Give that a try on its browser version before installing any apps.

Rover

Max ArgesonAugust 8, 2016 3:28 AM

@James Telegram's "e2e" still goes through Apple push servers in plain text. Telegram is great on Android - iOS users get a false sense of privacy from it, however. That's worse than using FB where you know anyone can intercept the message.

Shroedinger's CatDecember 16, 2016 6:10 AM

About "Don't use Telegram":

I've read this article - it's inflating ado about nothing.

MTProto uses good cryptographic algorithms, such as SHA-1, AES etc. There is a full description of MTProto's functionality on the Telegram site. If you don't find it, it just means you didn't try to.

Encryption turned off by default is not a big problem and Telegram doesn't hide this fact.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.