Shall I migrate to Signal, Threema or Telegram? No, because they all have — WhatsApp included — the same problem: They are walled gardens. Imagine a world where for each mail recipient using a separate domain, I would need separate mail client? Or in other words: Gmail users can only communicate with Gmail users. Let’s […]

New feature lets Signal users control who can text or voice call, add them to groups.

Both Signal and WhatsApp are encrypted, but Signal takes extra steps to keep your chats private.

Earlier this year, Open Whisper Systems was served with a federal subpoena for records on its users, according to documents published today. Prosecutors were seeking data on two suspects who used...

Bruxelles recommande à son personnel d'utiliser la messagerie Signal pour discuter avec des personnes extérieures à l'institution, afin de relever le niveau de sécurité des communications. Les échanges très sensibles en revanche continuent de passer par des canaux dédiés.

WebRTC DNS lookups exploited in clever hack

We’ve designed the Signal service to minimize the data we retain about Signal users, so the only information we can produce in response to a request like this is the date and time a user registered with Signal and the last date of a user’s connectivity to the Signal service.

Notably, things we don’t have stored include anything about a user’s contacts (such as the contacts themselves, a hash of the contacts, any other derivative contact information), anything about a user’s groups (such as how many groups a user is in, which groups a user is in, the membership lists of a user’s groups), or any records of who a user has been communicating with.

All message contents are end-to-end encrypted, so we don’t have that information either.

Signal decouples its secure messaging service from your phone number – a bit.

Could this smart new Signal feature be enough to make you ditch WhatsApp?

The privacy-first messaging app recently rolled out an opt-out feature that was criticized by security experts and panned by users.

Last update: May 22, 2020
Español - Italiano
Introduction
This article analyses the security and confidentiality features of the most commonly used communication services or applications.
Note: the comparison is made between WhatsApp (the most widespread 1.6 billion users), Telegram (the most secure and widespread 400 million users), Signal and Wire (the most secure and confidential) according to world statistics. A comparison in terms of functionality is available at this address.
Remark: for any communication…

WhatsApp, Signal e Telegram promettono tutte la stessa cosa: comunicazioni sicure. Ma ci possiamo fidare?

Open Whispers System, qui édite Signal, teste une nouvelle approche qui permet d'étendre encore plus la confidentialité de sa communauté. Comment ? En intervenant au niveau des métadonnées.

If you need top level privacy protection do some or all of the following

Signal is calling on its users to oppose the EARN IT Act, which it fears will be used to undermine end-to-end encryption, forcing it to leave the US market.

The move is part of EU’s efforts to beef up cybersecurity, after several high-profile incidents shocked diplomats and officials.

A reminder, because this sometimes surprises people, and feel free to correct me if the facts have changed recently:

Telegram supports end-to-end encryption only in 1:1 private chats.

End-to-end encryption is disabled by default.

Telegram does not support end-to-end encryption, at all for group chats, its most popular use case.

Instead, Telegram claims that those group chats are "encrypted" by dint of the TLS connection between Telegram clients and the Telegram servers, which can, in this model, read all group traffic.

People like to dunk on the weirdness of the limited E2E crypto Telegram does have; it's archaic and idiosyncratic and people have published research results about it, though none to my understanding are of real practical impact. I support people dunking on bad crypto. But that has nothing to do with why Telegram is an inferior secure messenger.

By comparison, Signal, which Durov has repeatedly talked down:

• has modern, ratchet-based forward secure end-to-end crypto, always, in both group and private messaging;

• won the Levchin Prize, refereed by some of best-known names in academic cryptography, for the design and implementation of that cryptosystem, as well as for its implementation at WhatsApp;

• ha repeatedly foregone basic messaging app features simply to avoid collecting user metadata; Signal didn't even have user profiles until they could figure out a way to implement it in a privacy-preserving manner, and even their GIF sharing feature has a purpose-built anonymity system; we'll only this year potentially get usernames instead of phone numbers because it took that long to design a trustworthy social graph that didn't leave Signal with a giant pile of subpoenable metadata.

Use whatever messaging app you want.

The encryption app is putting a $50 million infusion from WhatsApp cofounder Brian Acton to good use, building out features to help it go mainstream.

Platform has option to make messages automatically disappear after set time period

Occasionally when Signal is in the press and getting a lot of favorable discussion, I feel the need to step into various forums, IRC channels, and so on, and explain why I don’t trust Signal. Let’s do a blog post instead.

Another critical code injection vulnerability found in Signal Desktop app lets remote hackers steal your chats in plaintext

Et c'est un peu grâce à Facebook

Long before we knew that it would be called Signal, we knew what we wanted it to be. Instead of teaching the rest of the world cryptography, we wanted to see if we could develop cryptography that worked for the rest of the world. At the time, the industry consensus was largely that encryption and cryptography would remain unusable, but we started Signal with the idea that private communication could be simple. Since then, we’ve made some progress. We’ve built a service used by millions, and software used by billions. The stories that make it back to us and keep us going are the stories of people discovering each other in moments where they found they could speak freely over Signal, of people falling in love over Signal, of people organizing ambitious plans over Signal. When we ask friends who at their workplace is on Signal and they respond “every C-level executive, and the kitchen staff.” When we receive a subpoena for user data and have nothing to send back but a blank sheet of paper. When we catch that glimpse of “Signal blue” on a metro commuter’s phone and smile.

Whilst WhatsApp might not provide full content of messages, the kind of metadata it provides is often enough to draw an informative map of a target's life, said Neema Singh Guliani, legislative counsel with the American Civil Liberties Union (ACLU). She noted that WhatsApp already shares contact information with Facebook where users haven't opted out, which they may provide to government. And the WhatsApp privacy policy notes that it does store some location and contacts information where users have opted to provide them.

"The best practise is to purge information," Guliani added. "When it comes to metadata, how often is WhatsApp purging this kind of information?" As a comparison, the Signal messaging app doesn't store any such metadata and therefore doesn't need to purge it. And whilst it openly admits contact numbers are shared with Signal servers, they're garbled by an encryption algorithm into what's known as a "hash" (though former developer Frederic Jacobs told me it's "trivial" to bruteforce those hashes, so if in the unlikely event a fake Signal server is set up to target a user, their contacts could be exposed).

0 trackers, 67 permissions found.

At Signal, we’ve been thinking about the difficulty of private contact discovery for a long time. We’ve been working on strategies to improve our current design, and today we’ve published a new private contact discovery service. Using this service, Signal clients will be able to efficiently and scalably determine whether the contacts in their address book are Signal users without revealing the contacts in their address book to the Signal service.

In collaboration with Signal, Microsoft is introducing a Private Conversations feature in Skype, powered by Signal Protocol.

Signal is a new security protocol and accompanying app that provides end-to-end encryption for instant messaging. The core protocol has recently been adopted by WhatsApp, Facebook Messenger, and Google Allo among many others; the first two of these have at least 1 billion active users. Signal includes several uncommon security properties (such as “future secrecy” or “post-compromise security”), enabled by a novel technique called ratcheting in which session keys are updated with every message sent. Despite its importance and novelty, there has been little to no academic analysis of the Signal protocol.

We conduct the first security analysis of Signal’s Key Agreement and Double Ratchet as a multi-stage key exchange protocol. We extract from the implementation a formal description of the abstract protocol, and define a security model which can capture the “ratcheting” key update structure. We then prove the security of Signal’s core in our model, demonstrating several standard security properties. We have found no major flaws in the design, and hope that our presentation and results can serve as a starting point for other analyses of this widely adopted protocol.

People say things like this about Signal but tend not to acknowledge why Signal is like that. Look at how Signal handles something as basic as user profiles, then compare it to how other applications address the same problems. I'll recommend Wire alongside WhatsApp any day, but keep in mind that Wire's servers apparently have a record of every conversation that has occurred between any two Wire users (not the content, mind you, just the link).

This is why I disagree with Matthew Green, do not think we've totally figured out secure messaging yet and that they're all "so good", and think that if you're serious about privacy --- enough to have strong opinions about WhatsApp vs. Signal, for instance --- that you should use multiple messengers:

• a "tier 1" secure messaging app like Signal that makes all reasonable tradeoffs in favor of security and privacy regardless of the UX cost, used when possible and for sensitive conversations.

• a "tier 2" secure messaging app like WhatsApp or Wire as your "daily messenger".

• "tier 3" messenger applications (including email) that you use mostly to rendezvous to a real messenger application.

In this scheme you can start to understand Signal as not just a decent messenger application with best-in-class security and privacy, but also as a laboratory for future privacy enhancements to messaging.

When MicroG stopped working for you, Signal complained because it thought that you were still a GCM user. You can reset that by following these steps to re-register:

Tap on the Menu.
Choose Settings.
Choose Advanced.
Tap 'Signal' to slide the indicator (from blue to off).
Choose 'OK' in the 'Disable Signal Messages' pop up.
Tap 'Signal' a second time to re-register.
Enter or Edit your phone number.
Tap Register.
Complete the registration process.
Send messages on Signal.

If your device does not include Google Play Services (or microG or OpenGApps) when you re-register, the app will fall back to using WebSockets to keep a connection open to the Signal server. New information that's queued on the Signal server (such as encrypted messages or tokens that are used to set up calls) will automatically be pushed to your phone as soon as it arrives on the server. The app just needs to check at an interval to make sure that the connection hasn't died.

If you're using an Android phone that includes Google Play Services (or microG or OpenGApps), your phone will have an open GCM connection. Signal will automatically detect this when you register (or re-register) and use that existing connection in order to preserve battery life. It's worth noting here that any information that's pushed through GCM will be visible to Google. That's why Signal is designed so that no information is ever transmitted through GCM. If there's new information queued on the Signal server and your app isn't connected to the service, an empty notification is pushed to your device through GCM. The notification wakes up the app, it automatically recognizes the empty notification as meaning that it needs to connect to the Signal server, and then it fetches the queued information through a separate encrypted channel. This way, Google does not have access to metadata about who Signal users communicate with. (Other apps that use GCM may or may not have implemented this workaround.)

Moxie Marlinspike has said that both the Play Store build and the website build are reproducible, so I assume that means they are both compiled from the same branch on GitHub. In other words, it should be one and the same APK whichever way you choose to install it. Here's a blog post explaining how you can verify that.

Advanced users with special needs can download the Signal APK directly. Most users should not do this under normal circumstances.

Signal Desktop is now available in a new, standalone form, and the Chrome App has been deprecated.

Signal-Android - A private messenger for Android.

Using Signal pseudonymously

Cette application, recommandée par le lanceur d’alerte Edward Snowden, permettait jusqu’ici des conversations écrites ou vocales chiffrées. Elle offre maintenant la possibilité de passer des appels vidéo sécurisés.

In the "first half of 2016" (the most specific we're permitted to be), we received a subpoena
from the Eastern District of Virginia. The subpoena required us to provide information about two
Signal users for a federal grand jury investigation.

We've designed the Signal service to minimize the data we retain about Signal users, so the only
information we can produce in response to a request like this is the date and time a user
registered with Signal and the last date of a user's connectivity to the Signal service.

Notably, things we don't have stored include anything about a user's contacts (such as the contacts
themselves, a hash of the contacts, any other derivative contact information), anything about a
user's groups (such as how many groups a user is in, which groups a user is in, the membership lists
of a user's groups), or any records of who a user has been communicating with.

All message contents are end to end encrypted, so we don't have that information either.

This is the first subpoena that we've received. It originally included a broad gag order that
would have prevented us from publishing this notice, but the ACLU represented us in quickly
and successfully securing our ability to publish the transcripts below. We're committed to
treating any future requests the same way: working with effective and talented organizations
like the ACLU, and publishing transcripts of our responses to government requests here.

Below is the transcript for this request.

For some reason, people have gotten pretty interested in mobile security lately. So let’s talk about a secure messaging app called Signal.

Signal is unusual because it combines cutting edge cryptography with consumer friendliness and is actually successful. It's pragmatic, not ideological. Crypto-warriors have a long history of producing secure software that nobody uses and then blaming the general public for not getting it; this sort of blog post is just a continuation of this decades long trend.