
Introducing Signal

There is now an updated version of this post. Read “Introducing Signal – Updated.”

After the last U.S. presidential election and the repeal of privacy protection laws regarding your Internet use, many consumers became interested in keeping their communications private. The phrase “Use Signal” started gaining traction on social media. But what is Signal?

Signal (or to use its full name, Signal Private Messenger) is an encrypted communications app created by Open Whisper Systems. It secures your phone calls, your texts, and your video calls.

Don’t let the word “encrypted” scare you off; Signal isn’t hard to use at all. The interface is very similar to what your phone already has. It seamlessly integrates with your phone’s dialer and its texting function. Turning things on and off is as simple as tapping your screen.

History

Signal’s origin story begins in May 2010, with a company called Whisper Systems, founded by security researcher Moxie Marlinspike and roboticist Stuart Anderson. Whisper Systems released an Android app called RedPhone, which let its users make encrypted VoIP calls to other RedPhone users. They also released TextSecure, an app that let you send encrypted text messages.

In November 2011, Whisper Systems was acquired by Twitter. RedPhone was taken offline, much to users’ dismay; it was very popular among protesters and activists, especially participants in the Arab Spring protests. But by July 2012, RedPhone and TextSecure were available again, this time as free open-source apps.

In January 2013, Moxie Marlinspike founded Open Whisper Systems, an open-source software project. RedPhone and TextSecure were combined to become Signal; it was released for iOS in July 2014, then for Android in November 2015.

How it works

Signal uses the Signal Protocol to encrypt your calls and texts. This is a combination of other encryption methods: the Double Ratchet Algorithm, prekeys, and a triple Diffie-Hellman handshake.

So, what does that mean in English? Well, to put it simply…

Outside of computers, a ratchet is a mechanical device: a wheel with angled teeth paired with a pawl or cog. A ratchet can only move in one direction. In cryptography, a ratchet is a function that only goes one way; unlike in algebra, you can’t take the answer and use it to figure out the rest of the formula.

As its name implies, the Double Ratchet Algorithm combines two ratchets: a Diffie-Hellman key exchange and a hash function. Messages are encrypted and decrypted with data files called keys. The Double Ratchet Algorithm uses temporary session keys. Stealing one session key won’t let an attacker read any messages sent in the future.

So, imagine unlocking the door to your apartment. Unbeknownst to you, someone has made a copy of your key. You unlock your door, let yourself in, and lock the door behind you. The attacker takes his key, sticks it in the lock…only to find the key won’t budge. The lock has spontaneously changed after you went inside. And will do so every time you use your key.

That is the essence of Signal Protocol.
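
The two ratchets described above, as an added sketch that is not taken from Signal's code: a hash ratchet that derives a fresh key per message, and a Diffie-Hellman ratchet that mixes new key material into the session. Assumptions: the function names are hypothetical, the finite-field DH group is a toy stand-in for the curve a real client uses, and the root KDF is HKDF-SHA256 with an empty info string.

```python
import hashlib, hmac, secrets

# Toy finite-field Diffie-Hellman group, a stand-in for X25519 (demo assumption).
P, G = 2**255 - 19, 2

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(32, "big")

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def hash_ratchet(chain_key):
    """One-way step: returns (next_chain_key, message_key)."""
    return _mac(chain_key, b"\x02"), _mac(chain_key, b"\x01")

def dh_ratchet(root_key, dh_output):
    """Mix fresh DH output into the root key (HKDF-SHA256, empty info).
    Returns (new_root_key, new_chain_key)."""
    prk = _mac(root_key, dh_output)
    new_root = _mac(prk, b"\x01")
    return new_root, _mac(prk, new_root + b"\x02")

def run_demo():
    root = secrets.token_bytes(32)  # constructed stand-in for the handshake secret
    a_priv, a_pub = dh_keypair()    # Alice's ratchet key pair
    b_priv, b_pub = dh_keypair()    # Bob's ratchet key pair
    agree = dh(a_priv, b_pub) == dh(b_priv, a_pub)  # both sides compute the same secret

    root, chain = dh_ratchet(root, dh(a_priv, b_pub))
    chain, mk1 = hash_ratchet(chain)
    stolen_chain = chain            # attacker copies the chain key at this point
    chain, mk2 = hash_ratchet(chain)

    # Bob's reply carries a fresh ratchet public key; the attacker sees only that.
    b_priv, b_pub = dh_keypair()
    root, chain = dh_ratchet(root, dh(a_priv, b_pub))
    chain, mk3 = hash_ratchet(chain)

    # Attacker keeps turning the hash ratchet from the stolen chain key.
    atk_chain, atk_mk2 = hash_ratchet(stolen_chain)
    _, atk_mk3 = hash_ratchet(atk_chain)
    return {"agree": agree, "distinct": len({mk1, mk2, mk3}) == 3,
            "same_chain_exposed": atk_mk2 == mk2, "healed": atk_mk3 != mk3}
```

In this sketch a stolen message key is a dead end, while a stolen chain key still yields the remaining keys of that chain; the Diffie-Hellman step is what locks the attacker out again.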

You can find Signal in your app store, either Google Play or iTunes. At this writing, Signal is only supported on smartphones, not tablets. After you’ve installed Signal, you can set it as the default program for calling and texting. You will need a phone number to get started, but it doesn’t have to be the same phone number that is attached to your SIM card.

Now that you’ve installed Signal, you can still do all the things you used to do. You can send group texts, attach photos and other files, call and video chat. The difference is that now everything will be kept private.

When you set Signal as your default, you can still communicate with people who don’t have it, even with people on landlines. However, in order to have privacy, everyone on the call or in the conversation will need to have Signal installed. When you text someone who doesn’t have Signal, your texts will have a symbol of an open padlock. When both of you have Signal, there will be a closed padlock in each text bubble.


A text message conversation between two Signal users. Note the padlock symbol on the messages. The text box at bottom reads “Signal message.”


Screenshot of unencrypted text messages in Signal. The text box at the bottom reads “Unsecured MMS.”

By default, the ability to take screenshots is disabled. You can turn off this setting, but that would probably be counterproductive.

Signal will let you send an invitation to your contacts to install the app; you can even personalize the invite. I recommend doing this, just so your contacts know that they’re not receiving spam.


Screenshot of the default invitation message from Signal. It’s possible to personalize the message so the other person knows that it’s really you.

Is Signal Broken?

Ever since the infamous WikiLeaks Vault 7 dump in March 2017, there has been the erroneous assumption that the CIA has somehow broken Signal and other secure apps like WhatsApp. This was further compounded by a tweet from the New York Times, which they have since deleted and apologized for. This left people wondering if they were now being monitored by government agents.

The real story of Vault 7 was that the CIA allegedly has the ability to install spyware on your phone. Of course, if your smartphone has been infected with some sort of spyware, no amount of encryption software will help you. That sort of situation would be like having someone look over your shoulder as you type.

Is Signal broken? No, it’s not.

That said, no security product is 100% unbreakable. At best, you get what are called the six nines – 99.9999% reliability. The strong encryption of today is the weak and useless encryption of tomorrow. Computers become faster and more powerful every day, and security software must change to reflect that.

If there is any danger, it probably won’t come from the app itself. Signal – like many types of encrypted communication software – can hide your messages, but it can’t hide who you’re talking to. This may be all right for the average person, but if you’re being spied on by a government agency or one of their contractors, that alone may be dangerous. But for most of you reading this, that situation doesn’t apply to you.

Security is all about trust. There is some risk involved with trusting your information to a third party, be it Signal or a VPN. The key is finding an entity that is worthy of your trust. As of now, I’d say Signal is worthy of that.
