Open source encrypted app is key to security for Facebook

Moxie Marlinspike, a co-developer of the Signal encrypted mobile messaging app, is seeing his security technology used by Facebook’s messaging service, WhatsApp.

Encryption is a key technology for social media websites such as Facebook. The technology developed by Moxie Marlinspike (the name is a pseudonym), now marketed by his company Open Whisper Systems in the Signal app, is playing a big part in the online community's moves to improve the security of user data.

This comes at the same time as the much-reported stand-off between Apple and the FBI over access to iPhone user data.

One of the developers behind Signal is believed to have been recruited by Apple.

So what is so important about Signal 2.0 secure private messaging?

According to Open Whisper Systems:

“It is now possible to send end-to-end encrypted group, text, picture, and video messages between Signal on iPhone and TextSecure on Android, all without SMS and MMS fees. Signal 2.0 blends private phone calls and private messaging into a single interface.”

End-to-end encryption means that phone conversations cannot be tapped, or private messages read, by anyone other than the sender and recipient, not even by the service provider. This is not always the case with SMS/MMS messages.

Moxie Marlinspike wrote on his blog last year:

“It’s the end of the road for encrypted SMS/MMS in TextSecure.

“The TextSecure story started back in 2009, at the dawn of the smartphone era. Back then, TextSecure focused on securing the transport that everyone coming from feature phones was familiar with: SMS. Today, many things have changed, and TextSecure now emphasizes the “TextSecure transport,” which uses data rather than SMS. While we remain committed to supporting plaintext SMS/MMS in addition to the encrypted TextSecure transport so that the app can function as a unified messenger, we are beginning the process of phasing out support for SMS/MMS as an encrypted transport in favor of the TextSecure data protocol.”

According to Moxie Marlinspike, the reason for this is that encrypted SMS/MMS can never be seamless. Users need to manually initiate a “key exchange,” which requires a full round trip before any messages can be exchanged.

“We don’t believe that people should even need to know what a “key” is, so this added bit of friction has always felt wrong to us,” says Moxie Marlinspike.

There are also cases where it is not possible to detect uninstalls or reinstalls. The result is that sessions are left half-open, or that users who have uninstalled TextSecure receive blocks of garbled text from contacts who still have active sessions.

Moxie Marlinspike says:

“SMS and MMS are a security disaster. They leak all possible metadata 100% of the time to thousands of cellular carriers worldwide. It’s common to think of SMS/MMS as being “offline” or “peer to peer,” but the truth is that SMS/MMS messages are still processed by servers–the servers are just controlled by the telcos.”

All of the Signal 2.0 code is open source, and has been made available on GitHub.

“This allows experts to verify our protocols and our cryptography,” said Open Whisper Systems.

The app is free and has no adverts, so Open Whisper Systems is supported by community donations and grants.

