Signal Encrypted Messenger on GNU/Linux

Mike Turcotte-McCusker
Dec 17, 2017
Updated • Dec 17, 2017

Privacy awareness has thankfully been growing steadily across the web, and a number of programs have arisen as a result; Signal is one such program.

I won’t name drop, but enough major players in the world of privacy advocacy have given their seal of approval for Signal, and so I knew I had to check it out for myself.

Signal is a program that ties into your phone number in a similar fashion to WhatsApp, and offers encrypted messaging between clients over a data or Wi-Fi connection rather than the SMS system, which allows for messaging worldwide. Video and audio chat options are available as well.

Signal Installation

Signal is available for download from the main website, and is available for Android, iOS, Mac, Windows and Linux.

I installed via the AUR for Antergos. Other distributions may have their own packages in their repos, and Debian-based distributions can also install with the following instructions:

curl -s https://updates.signal.org/desktop/apt/keys.asc | sudo apt-key add -
echo "deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main" | sudo tee -a /etc/apt/sources.list.d/signal-xenial.list

sudo apt update && sudo apt install signal-desktop
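
The same repository setup with the key pinned, as an added example that is not part of the original article or Signal's own instructions: apt-key add trusts the downloaded key for every repository on the system, so this version compares the key's fingerprint with one you obtained out of band and limits the key to this one repository with signed-by. The keyring path and the function names are assumptions, and the fingerprint passed to --install is whatever value you have verified yourself.

```shell
#!/bin/sh
# Added example: pinned, repository-scoped variant of the apt setup above.
# Assumed names: the KEYRING path and all function names are illustrative.
KEY_URL="https://updates.signal.org/desktop/apt/keys.asc"
REPO_URL="https://updates.signal.org/desktop/apt"
KEYRING="/usr/share/keyrings/signal-desktop-keyring.gpg"   # assumed location
LIST_FILE="/etc/apt/sources.list.d/signal-xenial.list"

# Strip whitespace and upper-case, so "ab cd" and "ABCD" compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin and print the primary key
# fingerprint (field 10 of the first "fpr" record).
first_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeed only if both fingerprints are non-empty and identical.
fpr_matches() {
    want=$(normalize_fpr "$1")
    got=$(normalize_fpr "$2")
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# The sources.list entry, with the key limited to this repository.
sources_line() {
    printf 'deb [arch=amd64 signed-by=%s] %s xenial main\n' "$KEYRING" "$REPO_URL"
}

install_signal_repo() {
    expected="$1"
    if [ -z "$expected" ]; then
        echo "usage: $0 --install FINGERPRINT_VERIFIED_OUT_OF_BAND" >&2
        return 2
    fi
    tmp=$(mktemp) || return 1
    # -f: fail on HTTP errors instead of saving an error page as the key.
    curl -fsS "$KEY_URL" -o "$tmp" || { rm -f "$tmp"; return 1; }
    # Assumes a GnuPG version that provides --show-keys.
    actual=$(gpg --show-keys --with-colons "$tmp" | first_fpr)
    if ! fpr_matches "$expected" "$actual"; then
        echo "fingerprint mismatch, refusing to install key: $actual" >&2
        rm -f "$tmp"
        return 1
    fi
    gpg --dearmor < "$tmp" | sudo tee "$KEYRING" > /dev/null
    # Overwrite rather than append, so re-running does not duplicate the entry.
    sources_line | sudo tee "$LIST_FILE" > /dev/null
    rm -f "$tmp"
    sudo apt update && sudo apt install signal-desktop
}

# Nothing touches the network or the system unless --install is given.
if [ "${1:-}" = "--install" ]; then
    install_signal_repo "${2:-}"
fi
```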

Setting up and using Signal

The first screen you’ll see when installing Signal will ask if you wish to set up as a new install, or set up from exported data. Obviously, you’ll want to choose the option most appropriate. In this case, select a new install.

Next, you’ll be asked to install Signal on your mobile device, verify your phone number, and scan a QR code. Once finished, Signal will bring you to your main screen.

The application doesn’t have a plethora of options. You can change a few things, like making the program appear more like Android, Android dark, or iOS, and a few other basic settings, but that’s it. If your friends have Signal, it will likely find them based on your phone contacts, but you also have the option to search for friends.

From my iPhone I was able to initiate video calls, but unfortunately I was not able to from Signal on my Antergos setup. Text messaging did work fine, however.

Signal on Android can also send normal SMS messages when contacting a phone number that does not use Signal, just as iMessage does on iOS devices. iPhone and desktop users do not have this option, however.

That said, I do love the continuity, much like iMessage for Apple devices: how I can text someone else using Signal from my phone, and continue my conversation on my laptop later on, provided they are a Signal user too.

Signal does include a couple of other features worth noting, such as the ability to set disappearing messages. This means that messages will automatically be deleted after X time, which can be determined by you.

Another feature is the ability to verify your contacts. This can be done via QR code, or by comparing a series of numbers on the two phones, to confirm that the person you are talking to is who you believe they are (or at least that the correct device is being used).

Final words

Overall, Signal for GNU/Linux is a great messenger application utilizing the industry standard AES-256, as well as HMAC-SHA256 and Curve25519. You can be fairly confident that your message will be encrypted well. The only real downside is convincing your friends or family to use it.

Now you
What are your thoughts on Signal? Would you use it to replace things like Skype with your contacts?

Publisher: Ghacks Technology News


Comments

  1. Nexer said on September 26, 2019 at 5:45 pm
    Reply

    Today messengers are created better. For example, Utopia.

    1. MarcusBlack said on February 14, 2020 at 12:56 am
      Reply

      Utopia is convenient because it has everything! Browser, mail, cryptocurrency wallet and of course messenger

    2. Stanly said on October 11, 2019 at 2:14 am
      Reply

      I completely agree with you. Everyone misses Utopia, although it is a very worthy and interesting product.

  2. Nestor said on August 21, 2018 at 7:40 am
    Reply

    Don’t be fooled. Signal is a proprietary messaging service like Facebook Messenger, Whatsapp and Skype. You are forced to use the official, closed-sourced/proprietary Signal servers run on Google infrastructure, register with a valid phone number and device, and they’ve been hostile against people attempting to write third party clients to work with the server (there are third party clients of Facebook, Whatsapp and Skype, but why not Signal?).

    The audits by US “security experts” are as good as an ad flyer as they have to suck up to their masters or lose their government contracts, not to mention exploits are not always obvious given the intelligence community’s large bag of tricks with side channel attacks and flawed hardware (Intel chips, etc.).

    Moxie Marlinspike and his company (OWS) is heavily endorsed and funded with tens of millions by organizations aligned with the US government. Coupled with the fact the OWS is hired to implement Signal encryption for Google, Facebook and Microsoft which are all considered corporate extensions of the US intelligence arm at no backlash from law enforcement and the state, I can only come to one conclusion – it’s a honeytrap.

    @alanp
    Judging by how you have to ridicule or talk down every valid comment here with valid criticisms of Signal, you’ve been drinking too much of the kool-aid and treating it as a religion.

  3. alanp said on December 24, 2017 at 7:55 am
    Reply

    Signal is a great product, simple to use, and held in high regard among cyber security experts. Highly recommend.

    1. Nestor said on August 21, 2018 at 7:38 am
      Reply

      Don’t be fooled. Signal is a proprietary messaging service like Facebook Messenger, Whatsapp and Skype. You are forced to use the official, closed-sourced/proprietary Signal servers run on Google infrastructure, register with a valid phone number and device, and they’ve been hostile against people attempting to write third party clients to work with the server (there are third party clients of Facebook, Whatsapp and Skype, but why not Signal?).

      The audits by US “security experts” are as good as an ad flyer as they have to suck up to their masters or lose their government contracts, not to mention exploits are not always obvious given the intelligence community’s large bag of tricks with side channel attacks and flawed hardware (Intel chips, etc.).

      Moxie Marlinspike and his company (OWS) is heavily endorsed and funded with tens of millions by organizations aligned with the US government. Coupled with the fact the OWS is hired to implement Signal encryption for Google, Facebook and Microsoft which are all considered corporate extensions of the US intelligence arm at no backlash from law enforcement and the state, I can only come to one conclusion – it’s a honeytrap.

      @alanp
      Judging by how you have to ridicule or talk down every valid comment here with valid criticisms of Signal, you’ve been drinking too much of the kool-aid and treating it as a religion.

      1. alanp said on August 21, 2018 at 12:44 pm
        Reply

        > Signal is a proprietary messaging service like Facebook Messenger, Whatsapp and Skype. You are forced to use the official, closed-sourced/proprietary…

        False. Signal is open source software.

        > audits by US “security experts” are as good as an ad flyer as they have to suck up to their masters or lose their government contracts

        This is the exact same flawed reasoning used by science denying conspiracy theorists trying to poke holes in global warming.

        > Moxie Marlinspike and his company (OWS) is heavily endorsed and funded with tens of millions by organizations aligned with the US government.

        The way you say it is more than a bit misleading. The U.S. Government funding you might be referring to came through the Open Technology Fund. Since its creation in 2012, the OTF has used public funds to support Signal, The Tor Project, Tails, Cryptocat, Briar, The Guardian Project, NoScript, Qubes OS, Subgraph OS, Ricochet, and many other Open Source privacy software projects that have applied for it. This funding and the reasons for why they provide it have always been public information:

        https://www.opentech.fund/projects
        https://www.opentech.fund/about/program

        > OWS is hired to implement Signal encryption for Google, Facebook and Microsoft which are all considered corporate extensions of the US intelligence arm at no backlash from law enforcement and the state, I can only come to one conclusion – it’s a honeytrap.

        Why would OWS be hired to implement signal encryption for those other companies? It’s open-source, they can implement it themselves. A healthy amount of skepticism can be a very good thing, but you are approaching paranoid delusional levels.

        > you’ve been drinking too much of the kool-aid and treating it as a religion.

        I’ll admit to being a bit of a fanboy, but a religion? Impossible, I’m an atheist.

  4. anon said on December 23, 2017 at 4:21 pm
    Reply

    I don’t have a phone so fuck Signal

    1. alanp said on December 24, 2017 at 7:53 am
      Reply

      well good for you :/

  5. Richard said on December 22, 2017 at 10:25 pm
    Reply

    Why does a chat application NEED my phone number? Why doesn’t it ASK about it if I want to send a SMS instead? Even Skype works without a phone number…

    1. alanp said on December 24, 2017 at 7:47 am
      Reply

      see my answer to the question directly above

  6. your name said on December 18, 2017 at 4:04 pm
    Reply

    …..tied to your phone number…. ehm what??? Why??? secure??? how???
    It’s just another privacy/security joke like Telegram.

    1. alanp said on December 23, 2017 at 4:39 am
      Reply

      Signal is mainly used as a secure replacement for standard sms (look up its origins in the app called “textsecure”). In this case the people you communicate with would have your phone number anyway. You might be confusing security/privacy with anonymity. In any case, you don’t have to use your real phone number to register, you can use a google voice number. From the reddit faq:

      Why does Signal ask for my phone number?
      Signal uses phone numbers as identifiers. It is meant to be an easy way for regular nontechnical people to send end-to-end encrypted messages and make end-to-end encrypted voice and video calls to people who they would otherwise communicate with unencrypted via SMS/MMS or a phone call.

      The number you sign up with does not have to be the one that is tied to your device’s SIM card. If you want, you can sign up with a Google Voice number, any VoIP number, or a landline number, and hand that out to your contacts as your “Signal number”:

      https://source.opennews.org/articles/shields-using-signal-without-your-phone-number/

  7. smaragdus said on December 18, 2017 at 1:58 pm
    Reply

    Signal Desktop is just another Electron/JavaScript monster.
    Telegram is better- native Windows/Linux desktop clients.
    Tox is best- no servers, no middle man.
    Sooner or later Signal’s true nature will be revealed- that it was created with the approval of the 3-letter agencies.

    1. alanp said on December 23, 2017 at 4:33 am
      Reply

      It does use a lot of memory, but I would hardly call Telegram “better”. Better at spying on its users maybe. While Telegram’s client software may be open source, the server side is not and the crypto is “homegrown”. As long as there are no built in backdoors, you could say it’s better than nothing but homegrown crypto is basically security through obscurity. Better to use thoroughly tested methods that have been poked and prodded by the best in the business, that’s Signal. If you’re still skeptical read the white paper and review the code yourself, nothing is stopping you.

      as for “…created with the approval of the 3-letter agencies”
      “Signal is developed by a group called Open Whisper Systems. In general, receiving an investment implies the need to generate a profit for the investors. Moxie Marlinspike has said:

      Open Whisper Systems is a project rather than a company, and the project’s objective is not financial profit.

      One of the “highlights” that they’ve listed on their hiring page is:

      Not VC Funded

      We’re not a business. We’d rather think creatively than think about the dough.

      To answer the question “where does the money come from”, they recently tweeted:

      We’re supported by grants and donations, and everything we produce is open source. ”

      More info:
      The U.S. Government funding you might be referring to came through the Open Technology Fund. Since its creation in 2012, the OTF has used public funds to support Signal, The Tor Project, Tails, Cryptocat, Briar, The Guardian Project, NoScript, Qubes OS, Subgraph OS, Ricochet, and many other Open Source privacy software projects that have applied for it. This funding and the reasons for why they provide it have always been public information:

      https://www.opentech.fund/projects
      https://www.opentech.fund/about/program

  8. Herman said on December 18, 2017 at 5:08 am
    Reply

    Use it with a friend stationed and working in Beijing. Works great, not a single instance where it appeared to fail or was delayed in either my sending or receiving of texts. Only real issue I dislike is, you must attach a picture or video first before typing the text. Doesn’t seem to let you do it the other way around. You also can’t send multiple pictures in one instance. Must send them one at a time.

  9. Apparition said on December 18, 2017 at 12:53 am
    Reply

    I’ve been trying to get friends and family to switch from iMessage, Skype, and FaceTime to either Telegram or Wire for three years now. Only one person has. As far as the rest of my family and friends are concerned, “everyone” is on iMessage and/or Skype, and they don’t care about their privacy as they “have nothing to hide.” I’m just a “paranoid schmoe” who should use iMessage and/or Skype and/or FaceTime like everyone else. Trying to convince them otherwise is like talking to a brick wall.

    So Signal may be great, but good luck getting people to use it.

  10. SignalNOTlover said on December 17, 2017 at 6:41 pm
    Reply

    Signal priorities privacy is my ass. Their website has google, and getclicky services. Fucking hpyractises! Martin you should not be writing about stuff that you do not understand or research well. You could have asked them to comment and your article would be interesting but now it’s just fraud.

    1. alanp said on December 23, 2017 at 3:59 am
      Reply

      you must be out of your mind!! Signal is widely regarded in the cryptography world as the “gold standard” of mobile privacy/security messaging.
      Plus your broken english makes me suspect you’re a Russian bot/troll. How well does the FSB pay?
      MODS!! got one for you!

  11. Maelish said on December 17, 2017 at 3:53 pm
    Reply

    You referenced WhatsApp as being similar. In fact, WhatsApp uses lobotomized Signal code and protocol. However they’ve done some things in the name of end-user friendliness that’s made it not as robust.

  12. TelV said on December 17, 2017 at 2:17 pm
    Reply

    I have Signal installed on my Android phone, but not the desktop version. But so far I haven’t been able to convince my friends to use it. They all use LINE so I had to switch to that myself eventually: Both video calls and chats are encrypted on LINE. https://line.me/en-US/

    Ed Snowden recommends Signal though so I guess it’s pretty secure.

  13. Alex said on December 17, 2017 at 12:15 pm
    Reply

    It needs Google Services to work and it’s not available on F-Droid. I wouldn’t say it is the best for privacy if it relies on Google to work

    1. rdoe said on December 17, 2017 at 12:33 pm
      Reply

      While not on f-droid, the APK is available on their website and does not require google services to run https://signal.org/android/apk/ (scroll half way down)

      It’s running fine on Lineage OS sans-google for me and has successfully linked to a desktop application install :)

  14. Safe said on December 17, 2017 at 11:58 am
    Reply

    Only really “safe” solution has to be decentralized. Of course, the downside, is that there is no central server to keep messages in sync – both devices need to be on. But, at least, no middle-man.

    1. alanp said on December 23, 2017 at 3:53 am
      Reply

      with Signal both devices do NOT need to be on, except for the initial setup of the desktop app as a “linked device”. After that, either one can be powered off and messages can be sent/received seamlessly.

  15. Yuliya said on December 17, 2017 at 10:39 am
    Reply

    >I do love the continuity [..] how I can text someone else using Signal from my phone, and continue my conversation on my laptop later on

    Oh boy.. rant incoming: I assume this thing uses two asymmetric keys (which in reality you end up with four keys in a one-on-one conversation, but that’s not the point). One encrypts data and is public, one decrypts data and it’s supposed to be private. How was the laptop able to retrieve the private key? Where did it got it from? From Signal’s server? This means they can always decrypt your conversations. From your phone? Is your phone able to send that key at any given time just because the Signal servers request it? Do you see my problem with it? With any “””encrypted””” messaging system in fact. The only one that got it (sort of) better was Threema (is it spelt this way? idk, idgaf) – you had to physically bring the two devices together, they would exchange keys, then use those keys to encrypt the conversation. NOW, you’d have to trust the application not to do mischievous and undocumented actions without your consent, and your device (as well as the other person’s device) not to do the same, or include it in some backup.

    My point is, it is no different than any other IM client/service. Treat them all as if there are tens/hundreds/thousands of people near you and the one you’re speaking to, which can see or hear what you are talking about. And for me that’s fine. If I’m about to ask someone to get out and have a drink or something, or if I’m going to be asked by someone, it’s definitely not something that can be kept as a secret. The place that I will go will have other people in it that will see me anyway. And I will continue using VKontakte for this purpose. And SMS as well – it’s not much of a difference whether the VK guys see my conversation or whether my cell service provider sees it. Hell, at least it doesn’t leave my country – I think, not sure.

    1. alanp said on December 23, 2017 at 4:45 am
      Reply

      > How was the laptop able to retrieve the private key? Where did it got it from? From Signal’s server? This means they can always decrypt your conversations.

      uh no, here is how the end to end key exchange works: https://youtu.be/NmM9HA2MQGI

    2. somebody else. said on December 19, 2017 at 7:25 am
      Reply

      You also have to bring devices together to sync them. When other people write to you, you can either bring your laptop/phone to them or trust them through the app.

    3. AxMi-24 said on December 17, 2017 at 2:15 pm
      Reply

      I believe that the way it works is that it gets the PC’s public key (that’s the QR code you scan with your phone) and then the phone is basically a relay between the PC and the target. So it should be secure if not exactly perfect but proper key exchange is difficult with PCs as they would need a camera for it. The drawback in it all is that the PC “app” is based on electron framework and is not native in any way or form. So large resource use and questionable patching speed when issues are found in chromium that electron is based on.

      In the end I do prefer Threema as it has excellent UI for key exchange, being so simple that even friends who don’t know anything about crypto want to get nice three green dots (which you get for doing in person key exchange). The additional benefit is that the account is not bound to your phone number and there is actual ability to backup it all for transfer to another device. Yes, it costs a few € but it is well worth it IMHO.

      Still, if people refuse to use Threema due to the cost then Signal is by far the best alternative despite its user unfriendly way of dealing with key exchange and demanding a phone number.

  16. Fena said on December 17, 2017 at 9:44 am
    Reply

    top says Martin wrote this article, bottom says Mike ?

    1. ShintoPlasm said on December 17, 2017 at 10:36 am
      Reply

      It’s to confuse the enemy, muhahaha…

  17. Christian said on December 17, 2017 at 8:12 am
    Reply

    I deleted my facebook account a few weeks ago and I needed an alternative for communicating with people around me. I have used Signal-desktop for a month now, and I love it. However it’s not easy to get people to use it. Apart from the most obvious reasons for using signal, I also read that you could use it to send old school sms from your phone. However, this is only possible on android, not on iphone. Plus, when using signal to send sms on android, the messages do not show up on the signal-desktop application on the computer.

    Does anybody know an alternative where both computer and iphone/android is in sync?

    Oh! A little pro-tip. If you install the beta of signal-desktop, then you can make use of the tray-icon by using the command --stay-in-tray when you start the application :)

    1. alanp said on December 23, 2017 at 3:49 am
      Reply

      > when using signal to send sms on android, the messages do not show up on the signal-desktop application on the computer.

      syncing standard sms is a feature most of us would love to see, but this isn’t really something the Signal team can solve while keeping communications secure. It’s kind of the nature of the sms network. I would recommend trying to convince people to just use Signal. Eventually sms will go the way of the 5.25″ floppy disk.

  18. john said on December 17, 2017 at 7:13 am
    Reply

    Do we need the phone turned on in order to use signal? Or we just need the phone number to verify our account?

    1. alanp said on December 23, 2017 at 3:07 am
      Reply

      you don’t need the phone turned on. You just need the phone install completed first. After that all messages are downloaded once that device is connected and then subsequently deleted from server.
