Developer(s) |
|
---|---|
Initial release | 29 July 2014 [1] [2] |
Stable release(s) | |
Preview release(s) | |
Repository | |
Operating system |
|
Type | Encrypted voice calling,video calling and instant messaging |
License | AGPL-3.0-only [10] [11] [12] [13] [a] [b] |
Website | signal |
Signal is an open-source,encrypted messaging service for instant messaging,voice calls,and video calls. [14] [15] The instant messaging function includes sending text,voice notes,images,videos,and other files. [16] Communication may be one-to-one between users or may involve group messaging.
The application uses a centralized computing architecture and is cross-platform software. It is developed by the non-profit Signal Foundation and its subsidiary Signal Messenger LLC. Signal's software is free and open-source. Its mobile clients,desktop client,and server are all published under the AGPL-3.0-only license. [a] [b] [11] [10] [12] [13] The official Android app generally uses the proprietary Google Play Services,although it is designed to be able to work without them. Signal is also distributed for iOS and desktop programs for Windows,macOS,and Linux. Registration for desktop use requires an iOS or Android device. [20] [21]
Signal uses mobile telephone numbers to register and manage user accounts,though configurable usernames were added in March 2024 to allow users to hide their phone numbers from other users. [22] After removing support for SMS on Android in 2023, [23] [24] the app now secures all communications with end-to-end encryption. The client software includes mechanisms by which users can independently verify the identity of their contacts and the integrity of the data channel. [23] [25]
The non-profit Signal Foundation was launched in February 2018 with initial funding of $50 million from WhatsApp co-founder Brian Acton. [26] As of January 2022 [update] ,the platform had approximately 40 million monthly active users. As of May 2021 [update] ,it was downloaded more than 105 million times. [27] [28]
Signal Timeline | |
---|---|
May 2010 | Moxie Marlinspike and Stuart Anderson (Whisper Systems) launch TextSecure and RedPhone on Android. [29] |
Nov 2011 | Whisper Systems is acquired by Twitter, [30] "primarily so that Mr. Marlinspike could help the then-startup improve its security." [31] |
Dec 2011 –Jul 2012 | TextSecure and RedPhone are released as free and open-source software under the GPLv3 license. [32] [33] |
Jan 2013 | Moxie Marlinspike leaves Twitter and founds Open Whisper Systems (OWS) as a collaborative open source project for the continued development of TextSecure and RedPhone. [34] [35] |
Feb 2014 | OWS adds end-to-end encrypted group chat and instant messaging capabilities to TextSecure. [36] |
Jul 2014 | OWS releases Signal as a RedPhone counterpart for iOS. [37] [38] |
Mar 2015 | OWS discontinues support for encrypted SMS/MMS messaging in TextSecure,while retaining its encrypted IM capabilities. [39] At the same time,OWS adds encrypted IM to Signal on iOS. [40] |
Nov 2015 | RedPhone is merged into TextSecure on Android and the app is renamed as Signal. [41] |
Dec 2015 | Signal Desktop is launched as a Chrome App. [42] |
Oct 2017 | OWS announces the deprecation of their Chrome App and the release of a new Electron-based Signal Desktop. [43] |
Mar 2017 | OWS transitions Signal's calling system from RedPhone to WebRTC and adds the ability to make video calls with the mobile apps. [44] [45] |
Feb 2018 | Moxie Marlinspike and Brian Acton launch the Signal Foundation with an initial $50 million in funding from Acton,who had left WhatsApp's parent company Facebook in September 2017. [46] [47] |
Nov 2019 –Feb 2020 | Signal adds support for iPads, [48] view-once images and videos,stickers,and reactions. [49] |
Aug 2020 –Sep 2020 | Signal adds message requests [50] and one-to-one voice and video calling to Signal Desktop. [51] [52] |
Oct 2020 –Dec 2020 | Signal starts transitioning to a new encrypted group chat system with support for @mentions,group admins,and more granular permissions. [53] It also adds support for encrypted group calling. [53] |
Signal is the successor of the RedPhone encrypted voice calling app and the TextSecure encrypted texting program. The beta versions of RedPhone and TextSecure were first launched in May 2010 by Whisper Systems, [54] a startup company co-founded by security researcher Moxie Marlinspike and roboticist Stuart Anderson. [55] [56] Whisper Systems also produced a firewall and tools for encrypting other forms of data. [55] [57] All of these were proprietary enterprise mobile security software and were only available for Android.
In November 2011, Whisper Systems announced that it had been acquired by Twitter. Neither company disclosed the financial terms of the deal. [58] The acquisition was done "primarily so that Mr. Marlinspike could help the then-startup improve its security". [59] Shortly after the acquisition, Whisper Systems' RedPhone service was made unavailable. [60] Some criticized the removal, arguing that the software was "specifically targeted [to help] people under repressive regimes" and that it left people like the Egyptians in "a dangerous position" during the events of the Egyptian revolution of 2011. [61]
Twitter released TextSecure as free and open-source software under the GPLv3 license in December 2011. [55] [62] [63] [64] RedPhone was also released under the same license in July 2012. [65] Marlinspike later left Twitter and founded Open Whisper Systems as a collaborative Open Source project for the continued development of TextSecure and RedPhone. [1] [66]
Open Whisper Systems' website was launched in January 2013. [66]
In February 2014, Open Whisper Systems introduced the second version of their TextSecure Protocol (now Signal Protocol), which added end-to-end encrypted group chat and instant messaging capabilities to TextSecure. [67] Toward the end of July 2014, they announced plans to merge the RedPhone and TextSecure applications as Signal. [68] This announcement coincided with the initial release of Signal as a RedPhone counterpart for iOS. The developers said that their next steps would be to provide TextSecure instant messaging capabilities for iOS, unify the RedPhone and TextSecure applications on Android, and launch a web client. [68] Signal was the first iOS app to enable end-to-end encrypted voice calls for free. [1] [69] TextSecure compatibility was added to the iOS application in March 2015. [70] [71]
From its launch in May 2010 [54] until March 2015, the Android version of Signal (then called TextSecure) included support for encrypted SMS/MMS messaging. [72] From version 2.7.0 onward, the Android application only supported sending and receiving encrypted messages via the data channel. [73] Reasons for this included security flaws of SMS/MMS and problems with the key exchange. [73] Open Whisper Systems' abandonment of SMS/MMS encryption prompted some users to create a fork named Silence (initially called SMSSecure [74] ) that is meant solely for the exchange of encrypted SMS and MMS messages. [75] [76]
In November 2015, the TextSecure and RedPhone applications on Android were merged to become Signal for Android. [77] A month later, Open Whisper Systems announced Signal Desktop, a Chrome app that could link with a Signal mobile client. [78] At launch, the app could only be linked with the Android version of Signal. [79] On 26 September 2016, Open Whisper Systems announced that Signal Desktop could now be linked with the iOS version of Signal as well. [80] On 31 October 2017, Open Whisper Systems announced that the Chrome app was deprecated. [9] At the same time, they announced the release of a standalone desktop client (based on the Electron framework [12] ) for Windows, macOS and certain Linux distributions. [9] [81]
On 4 October 2016, the American Civil Liberties Union (ACLU) and Open Whisper Systems published a series of documents revealing that OWS had received a subpoena requiring them to provide information associated with two phone numbers for a federal grand jury investigation in the first half of 2016. [82] [83] [84] Only one of the two phone numbers was registered on Signal, and because of how the service is designed, OWS was only able to provide "the time the user's account had been created and the last time it had connected to the service". [83] [82] Along with the subpoena, OWS received a gag order requiring OWS not to tell anyone about the subpoena for one year. [82] OWS approached the ACLU, and they were able to lift part of the gag order after challenging it in court. [82] OWS said it was the first time they had received a subpoena, and that they were "committed to treating any future requests the same way". [84]
In March 2017, Open Whisper Systems transitioned Signal's calling system from RedPhone to WebRTC, also adding the ability to make video calls with the mobile apps. [85] [86] [14]
On 21 February 2018, Moxie Marlinspike and WhatsApp co-founder Brian Acton announced the formation of the Signal Technology Foundation, a 501(c)(3) nonprofit organization whose mission is "to support, accelerate, and broaden Signal's mission of making private communication accessible and ubiquitous". [87] [26] Acton started the foundation with $50 million in funding and became the foundation's executive chairman after leaving WhatsApp's parent company Facebook in September 2017. [26] Marlinspike continued as Signal Messenger's first CEO. [87] As of 2020 [update] , Signal ran entirely on donations, as a nonprofit. [88]
Between November 2019 and February 2020, Signal added iPad support, view-once images and videos, stickers, and reactions. [89] They also announced plans for a new group messaging system and an "experimental method for storing encrypted contacts in the cloud." [89]
Signal was reportedly popularized in the United States during the George Floyd protests. Heightened awareness of police monitoring led protesters to use the platform to communicate. Black Lives Matter organizers had used the platform "for several years". [90] [88] During the first week of June, the encrypted messaging app was downloaded over five times more than it had been during the week prior to the murder of George Floyd. [90] In June 2020, Signal Foundation announced a new feature that enables users to blur faces in photos, in response to increased federal efforts to monitor protesters. [88] [91]
On 7 January 2021, Signal saw a surge in new user registrations, which temporarily overwhelmed Signal's capacity to deliver account verification messages. [92] CNN and MacRumors linked the surge with a WhatsApp privacy policy change and a Signal endorsement by Elon Musk and Edward Snowden via Twitter. [92] [93] The surge was also tied to the attack on the United States Capitol. [94] International newspapers reported similar trends in the United Arab Emirates. [95] Reuters reported that more than 100,000 people had installed Signal between 7 and 8 January. [96]
Between 12 and 14 January 2021, the number of Signal installations listed on Google Play increased from over 10 million to over 50 million. [97] [98] [99] [100] On 15 January 2021, due to the surge of new users, Signal was overwhelmed with the new traffic and was down for all users. [101] [102] On the afternoon of 16 January, Signal announced via Twitter that service had been restored. [103]
On 10 January 2022, Moxie Marlinspike announced that he was stepping down from his role as CEO of Signal Messenger. [104] He continues to remain on the Signal Foundation's board of directors and Brian Acton has volunteered to serve as interim CEO during the search for a new CEO. [104]
In August 2022, Signal notified 1900 users that their data had been affected by the Twilio breach including user phone numbers and SMS verification codes. [105] At least one journalist had his account re-registered to a device he did not control as a result of the attack. [106]
In September 2022 Signal Messaging LLC announced that AI researcher and noted critic of big tech Meredith Whittaker would fill the newly created position of President. [107]
Graphs are unavailable due to technical issues. There is more info on Phabricator and on MediaWiki.org. |
Signal's userbase started in May 2010, when its predecessor TextSecure was launched by Whisper Systems. [54] According to App Annie, Signal had approximately 20 million monthly active users at the end of December 2020. [108] In January 2022, the BBC reported that Signal was used by over 40 million people. [109]
The development of Signal and its predecessors at Open Whisper Systems was funded by a combination of consulting contracts, donations and grants. [110] The Freedom of the Press Foundation acted as Signal's fiscal sponsor. [87] [111] [112] Between 2013 and 2016, the project received grants from the Knight Foundation, [113] the Shuttleworth Foundation, [114] and almost $3 million from the US government–sponsored Open Technology Fund. [115] Signal is now developed by Signal Messenger LLC, a software company founded by Moxie Marlinspike and Brian Acton in 2018, which is wholly owned by a tax-exempt nonprofit corporation called the Signal Technology Foundation, also created by them in 2018. The Foundation was funded with an initial loan of $50 million from Acton, "to support, accelerate, and broaden Signal's mission of making private communication accessible and ubiquitous". [87] [26] [116] All of the organization's products are published as free and open-source software.
In November 2023, Meredith Whittaker revealed that she expected the annual cost of running Signal to reach $50 million in 2025, with the current cost estimated around $40 million. [117]
Signal provides one-to-one and group [118] voice and video [14] calls with up to forty participants on iOS, Android, and desktop platforms. [119] [120] The calls are carried via the devices' wired or wireless (carrier or WiFi) data connections. [69] The application can send text messages, documents files, [16] voice notes, pictures, stickers, GIFs, [121] and video messages. The platform also supports group messaging.
All communication sessions between Signal users are automatically end-to-end encrypted (the encryption keys are generated and stored on the devices, and not on servers). [122] To verify that a correspondent is really the person that they claim to be, Signal users can compare key fingerprints (or scan QR codes) out-of-band. [123] The platform employs a trust-on-first-use mechanism to notify the user if a correspondent's key changes. [123]
Until 2023, Android users could opt into making Signal the default SMS/MMS application, allowing them to send and receive unencrypted SMS messages in addition to the standard end-to-end encrypted Signal messages. [67] Users could then use the same application to communicate with contacts who do not have Signal. [67] As of October 2022, this feature has been deprecated due to safety and security concerns, and was removed in 2023. [124] [24]
TextSecure allowed the user to set a passphrase that encrypted the local message database and the user's encryption keys. [125] This did not encrypt the user's contact database or message timestamps. [125] The Signal applications on Android and iOS can be locked with the phone's pin, passphrase, or biometric authentication. [126] The user can define a "screen lock timeout" interval, where Signal will re-encrypt the messages after a certain amount of time, providing an additional protection mechanism in case the phone is lost or stolen. [123] [126]
Signal has a feature for scheduling messages. [127] In addition, timers may be attached to messages [128] to automatically delete the messages from both the sender's and the receivers' devices. [128] The time period for keeping the message may be between five seconds and one week, [128] and begins for each recipient once they have read their copy of the message. [129] The developers stressed that this is meant to be "a collaborative feature for conversations where all participants want to automate minimal data hygiene, not for situations where the recipient is an adversary". [128] [129]
Signal's app icon may be changed with a variety of colour themes for customization and to hide the app. The application name can also be customized. [130] Messages can have effects like spoilers and italics, and users can add each other via QR code. [131]
Signal excludes users' messages from non-encrypted cloud backups by default. [132]
Signal allows users to automatically blur faces of people in photos to protect identities. [133] [134]
Signal includes a cryptocurrency wallet functionality for storing, sending and receiving in-app payments. [135] Apart from certain regions and countries, [135] the feature was enabled globally in November 2021. [136] As of January 2022 [update] , the only supported payment method is MobileCoin. [135]
In February 2024, Signal added a username feature to the beta version of the app. This is a privacy feature that allows users to communicate with others without having to share their telephone number. [137] [138]
Signal requires that the user provide a telephone number for verification, [139] eliminating the need for user names or passwords and facilitating contact discovery (see below). [140] The number does not have to be the same as on the device's SIM card; it can also be a VoIP number [139] or a landline as long as the user can receive the verification code and have a separate device to set up the software. A number can only be registered on one mobile device at a time. [141] Account registration requires an iOS or Android device. [20] [21]
This mandatory connection to a telephone number (a feature Signal shares with WhatsApp, KakaoTalk, and others) has been criticized as a "major issue" for privacy-conscious users who are not comfortable with giving out their private number. [140] A workaround is to use a secondary phone number. [140] The ability to choose a public, changeable username instead of sharing one's phone number was a widely-requested feature. [140] [142] [143] This feature was added to the beta version of Signal in February 2024. [144]
Using phone numbers as identifiers may also create security risks that arise from the possibility of an attacker taking over a phone number. [140] A similar vulnerability was used to attack at least one user in August 2022, though the attack was performed via the provider of Signal's SMS services, not any user's provider. [105] The threat of this attack can be mitigated by enabling Signal's Registration Lock feature, a form of two-factor authentication that requires the user to enter a PIN to register the phone number on a new device. [145]
When linking Signal Desktop to a mobile device, the conversations history will not be synced; only the new messages will be shown on Signal Desktop. [146]
In July 2016, the Internet Society published a user study that assessed the ability of Signal users to detect and deter man-in-the-middle attacks. [25] The study concluded that 21 out of 28 participants failed to correctly compare public key fingerprints in order to verify the identity of other Signal users, and that most of these users believed they had succeeded, while they had actually failed. [25] Four months later, Signal's user interface was updated to make verifying the identity of other Signal users simpler. [147]
In 2023, the French government is pushing for the adoption of a European encrypted messaging alternative to Signal and WhatsApp named Olvid as their secured platform for communications. [148]
Signal messages are encrypted with the Signal Protocol (formerly known as the TextSecure Protocol). The protocol combines the Double Ratchet Algorithm, prekeys, and an Extended Triple Diffie–Hellman (X3DH) handshake. [149] [150] It uses Curve25519, AES-256, and HMAC-SHA256 as primitives. [23] The protocol provides confidentiality, integrity, authentication, participant consistency, destination validation, forward secrecy, backward secrecy (a.k.a. future secrecy), causality preservation, message unlinkability, message repudiation, participation repudiation, and asynchronicity. [151] It does not provide anonymity preservation, and requires servers for the relaying of messages and storing of public key material. [151]
The Signal Protocol also supports end-to-end encrypted group chats. The group chat protocol is a combination of a pairwise double ratchet and multicast encryption. [151] In addition to the properties provided by the one-to-one protocol, the group chat protocol provides speaker consistency, out-of-order resilience, dropped message resilience, computational equality, trust equality, subgroup messaging, as well as contractible and expandable membership. [151]
In October 2014, researchers from Ruhr University Bochum (RUB) published an analysis of the Signal Protocol. [23] Among other findings, they presented an unknown key-share attack on the protocol, but in general, they found that it was secure. [152] In October 2016, researchers from UK's University of Oxford, Queensland University of Technology in Australia, and Canada's McMaster University published a formal analysis of the protocol. [153] [154] They concluded that the protocol was cryptographically sound. [153] [154] In July 2017, researchers from RUB found during another analysis of group messengers a purely theoretic attack against the group protocol of Signal: A user who knows the secret group ID of a group (due to having been a group member previously or stealing it from a member's device) can become a member of the group. Since the group ID cannot be guessed and such member changes are displayed to the remaining members, this attack is likely to be difficult to carry out without being detected. [155]
As of August 2018 [update] , the Signal Protocol has been implemented into WhatsApp, Facebook Messenger, Skype, [156] and Google Allo, [157] making it possible for the conversations of "more than a billion people worldwide" to be end-to-end encrypted. [158] In Google Allo, Skype and Facebook Messenger, conversations are not encrypted with the Signal Protocol by default; they only offer end-to-end encryption in an optional mode. [132] [159] [156] [160]
Up until March 2017, Signal's voice calls were encrypted with SRTP and the ZRTP key-agreement protocol, which was developed by Phil Zimmermann. [1] [161] In March 2017, Signal transitioned to a new WebRTC-based calling system that introduced the ability to make video calls. [86] Signal's voice and video calling functionalities use the Signal Protocol channel for authentication instead of ZRTP. [162] [85] [14]
To verify that a correspondent is really the person that they claim to be, Signal users can compare key fingerprints (or scan QR codes) out-of-band. [123] The platform employs a trust on first use mechanism in order to notify the user if a correspondent's key changes. [123]
After receiving and decrypting messages, the application stored them locally on each device in a SQLite database that is encrypted with SQLCipher. [163] The cryptographic key for this database is also stored locally and can be accessed if the device is unlocked. [163] [164] In December 2020, Cellebrite published a blog post announcing that one of their products could now access this key and use it to "decrypt the Signal app". [163] [165] Technology reporters later published articles about how Cellebrite had claimed to have the ability to "break into the Signal app" and "crack Signal's encryption". [166] [167] This latter interpretation was rejected by several experts, [168] as well as representatives from Signal, who said the original post by Cellebrite had been about accessing data on "an unlocked Android phone in their physical possession" and that they "could have just opened the app to look at the messages". [169] [170] Similar extraction tools also exist for iOS devices and Signal Desktop. [171] [172]
Signal relies on centralized servers that are maintained by Signal Messenger. In addition to routing Signal's messages, the servers also facilitate the discovery of contacts who are also registered Signal users and the automatic exchange of users' public keys. By default, Signal's voice and video calls are peer-to-peer. [14] If the caller is not in the receiver's address book, the call is routed through a server in order to hide the users' IP addresses. [14]
The servers store registered users' phone numbers, public key material and push tokens which are necessary for setting up calls and transmitting messages. [173] In order to determine which contacts are also Signal users, cryptographic hashes of the user's contact numbers are periodically transmitted to the server. [174] The server then checks to see if those match any of the SHA256 hashes of registered users and tells the client if any matches are found. [174] The hashed numbers are thereafter discarded from the server. [173] In 2014, Moxie Marlinspike wrote that it is easy to calculate a map of all possible hash inputs to hash outputs and reverse the mapping because of the limited preimage space (the set of all possible hash inputs) of phone numbers, and that a "practical privacy preserving contact discovery remains an unsolved problem." [175] [174] In September 2017, Signal's developers announced that they were working on a way for the Signal client applications to "efficiently and scalably determine whether the contacts in their address book are Signal users without revealing the contacts in their address book to the Signal service." [176] [177]
All client-server communications are protected by TLS. [161] [178] Signal's developers have asserted that their servers do not keep logs about who called whom and when. [179] In June 2016, Marlinspike told The Intercept that "the closest piece of information to metadata that the Signal server stores is the last time each user connected to the server, and the precision of this information is reduced to the day, rather than the hour, minute, and second". [132]
The group messaging mechanism is designed so that the servers do not have access to the membership list, group title, or group icon. [73] Instead, the creation, updating, joining, and leaving of groups is done by the clients, which deliver pairwise messages to the participants in the same way that one-to-one messages are delivered. [180] [181]
Signal's server architecture was federated between December 2013 and February 2016. In December 2013, it was announced that the messaging protocol Signal uses had successfully been integrated into the Android-based open-source operating system CyanogenMod. [182] [183] [184] Since CyanogenMod 11.0, the client logic was contained in a system app called WhisperPush. According to Signal's developers, the Cyanogen team ran their own Signal messaging server for WhisperPush clients, which federated with the main server, so that both clients could exchange messages with each other. [184] The WhisperPush source code was available under the GPLv3 license. [185] In February 2016, the CyanogenMod team discontinued WhisperPush and recommended that its users switch to Signal. [186] In May 2016, Moxie Marlinspike wrote that federation with the CyanogenMod servers had degraded the user experience and held back development, and that their servers will probably not federate with other servers again. [187]
In May 2016, Moxie Marlinspike requested that a third-party client called LibreSignal not use the Signal service or the Signal name. [187] As a result, on 24 May 2016 the LibreSignal project posted that the project was "abandoned". [188] The functionality provided by LibreSignal was subsequently incorporated into Signal by Marlinspike. [189]
The complete source code of the Signal clients for Android, iOS and desktop is available on GitHub under a free software license. [11] [10] [12] This enables interested parties to examine the code and help the developers verify that everything is behaving as expected. It also allows advanced users to compile their own copies of the applications and compare them with the versions that are distributed by Signal Messenger. In March 2016, Moxie Marlinspike wrote that, apart from some shared libraries that are not compiled with the project build due to a lack of Gradle NDK support, Signal for Android is reproducible. [190] Signal's servers are partially open source, but the server software's anti-spam component is proprietary and closed source due to security concerns. [13] [191]
In October 2014, the Electronic Frontier Foundation (EFF) included Signal in their updated surveillance self-defense guide. [192] In November 2014, Signal received a perfect score on the EFF's secure messaging scorecard; [122] it received points for having communications encrypted in transit, having communications encrypted with keys the provider does not have access to (end-to-end encryption), making it possible for users to independently verify their correspondents' identities, having past communications secure if the keys are stolen (forward secrecy), having the code open to independent review (open source), having the security designs well-documented, and having a recent independent security audit. [122] At the time, "ChatSecure + Orbot", Pidgin (with OTR), Silent Phone, and Telegram's optional "secret chats" also received seven out of seven points on the scorecard. [122]
Former NSA contractor Edward Snowden has endorsed Signal on multiple occasions. [78] In his keynote speech at SXSW in March 2014, he praised Signal's predecessors (TextSecure and RedPhone) for their ease of use. [193] [194] In December 2014, Der Spiegel leaked slides from an internal NSA presentation dating to June 2012 in which the NSA deemed Signal's encrypted voice calling component (RedPhone) on its own as a "major threat" to its mission of accessing users' private data, and when used in conjunction with other privacy tools such as Cspace, Tor, Tails, and TrueCrypt was ranked as "catastrophic" and led to a "near-total loss/lack of insight to target communications [and] presence". [195] [196]
Following the 2016 Democratic National Committee email leak, it was reported by Vanity Fair that Marc Elias (the general counsel for Hillary Clinton's presidential campaign) had instructed DNC staffers to exclusively use Signal when saying anything negative about Republican presidential nominee Donald Trump. [197] [198]
In March 2017, Signal was approved by the sergeant at arms of the U.S. Senate for use by senators and their staff. [199] [200]
On 27 September 2019, Natalie Silvanovich, a security engineer working in Google's vulnerability research team at Project Zero, disclosed how a bug in the Android Signal client could let an attacker spy on a user without their knowledge. [201] The bug allowed an attacker to phone a target device, mute the call, and the call would complete – keeping the audio open but without the owner being aware of that (however they would still be aware of a ring and / or a vibration from the initial call). [202] The bug was fixed the same day that it was reported and patched in release 4.47.7 of the app for Android. [203]
In February 2020, the European Commission recommended that its staff use Signal. [204] Following the George Floyd protests, which began in May 2020, Signal was downloaded 121,000 times in the U.S. between 25 May and 4 June. [205] In July 2020, Signal became the most downloaded app in Hong Kong on both the Apple App Store and the Google Play Store after the passage of the Hong Kong national security law. [206]
As of January 2021 [update] , Signal is a contact method for securely providing tips to major news outlets such as The Washington Post , [207] The Guardian , [208] The New York Times , [209] and The Wall Street Journal . [210]
Candiru claims the ability to capture data from Signal Private Messenger with their spyware, at a fee of €500,000. [211]
On 9 August 2022, Ismail Sabri Yaakob, the Prime Minister of Malaysia, reported that his Signal account was "hacked" and infiltrated by a third party, sending out messages and impersonating the politician. No details were disclosed regarding the method used to gain access to the account. [212]
In April 2021, Signal announced the addition of a cryptocurrency wallet feature that would allow users to send and receive payments in MobileCoin. [213] This received criticism from security expert Bruce Schneier, who had previously praised the software. Schneier stated that this would bloat the client and attract unwanted attention from the authorities. [214] The wallet functionality was initially only available in certain countries, but was later enabled globally in November 2021. [136]
In December 2016, Egypt blocked access to Signal. [215] In response, Signal's developers added domain fronting to their service. [216] This allows Signal users in a specific country to circumvent censorship by making it look like they are connecting to a different internet-based service. [216] [217] As of May 2022 [update] , Signal's domain fronting is enabled by default in Egypt, UAE, Oman, Qatar, Iran, Cuba, Uzbekistan and Ukraine. [218]
As of January 2018 [update] , Signal was blocked in Iran. [219] [220] Signal's domain fronting feature relies on the Google App Engine (GAE) service. [220] [219] This does not work in Iran because Google has blocked Iranian access to GAE in order to comply with U.S. sanctions. [219] [221]
In early 2018, Google App Engine made an internal change to stop domain fronting for all countries. Due to this issue, Signal made a public change to use Amazon CloudFront for domain fronting. However, AWS also announced that they would be making changes to their service to prevent domain fronting. As a result, Signal said that they would start investigating new methods/approaches. [222] [223] Signal switched from AWS back to Google in April 2019. [224]
In January 2021, Iran removed the app from app stores, [225] [226] and blocked Signal. [227] Signal was later blocked by China in March 2021, followed by its removal from the App Store in China on 19 April 2024. [228] [229]
On August 9, 2024, Signal was blocked in Russia. Roskomnadzor claimed that this was due to "violations of the law on combating terrorism and extremism". [230] [231] Around the same, Signal was also blocked in Venezuela following the contested 2024 presidential election and subsequent protests. [230]
In 2020, the app was used for coordination and communication by protesters during the George Floyd protests as they relied on the app's end-to-end encryption to share information securely. [232]
In March 2021, the United Nations recommended Myanmar residents use Signal and Proton Mail to pass and preserve evidence of human rights violations committed during the 2021 coup. [233]
Signal's terms of service states that the product may not be used to violate the law. [234] According to a former employee, Signal's leadership at the time told him they would say something "if and when people start abusing Signal or doing things that we think are terrible". [234] In January 2021, the position of Signal's leadership was to take a "hands-off approach to moderation" as the company's employees are not able to read user messages and the Signal Foundation does not "want to be a media company". [234] [154]
In 2016, authorities in India arrested members of a suspected ISIS-affiliated terrorist cell that communicated via Signal. [235]
Radical right-wing militias and white nationalists use Signal for organizing their actions, including the Unite the Right II rally in 2018. [236] [237] [238] [239]
The claim that Signal is used to fund terrorist or criminal activities is the justification for Turkey to criminalize the app for the general population, which Abdullah Bozkurt claims is a way the "government abuses its counterterrorism laws to punish critics, opponents and dissidents." [240] [241]
End-to-end encryption (E2EE) is a method of implementing a secure communication system where only communicating users can participate. No one else, including the system provider, telecom providers, Internet providers or malicious actors, can access the cryptographic keys needed to read or send messages.
The following is a comparison of instant messaging protocols. It contains basic general information about the protocols.
This is a comparison of voice over IP (VoIP) software used to conduct telephone-like voice conversations across Internet Protocol (IP) based networks. For residential markets, voice over IP phone service is often cheaper than traditional public switched telephone network (PSTN) service and can remove geographic restrictions to telephone numbers, e.g., have a PSTN phone number in a New York area code ring in Tokyo.
Matthew Rosenfeld, better known by the pseudonym Moxie Marlinspike, is an American entrepreneur, cryptographer, and computer security researcher. Marlinspike is the creator of Signal, co-founder of the Signal Technology Foundation, and served as the first CEO of Signal Messenger LLC. He is also a co-author of the Signal Protocol encryption used by Signal, WhatsApp, Google Messages, Facebook Messenger, and Skype.
WhatsApp is an instant messaging (IM) and voice-over-IP (VoIP) service owned by technology conglomerate Meta. It allows users to send text, voice messages and video messages, make voice and video calls, and share images, documents, user locations, and other content. WhatsApp's client application runs on mobile devices, and can be accessed from computers. The service requires a cellular mobile telephone number to sign up. In January 2018, WhatsApp released a standalone business app called WhatsApp Business which can communicate with the standard WhatsApp client.
Whisper Systems was an American enterprise mobile security company that was co-founded by security researcher Moxie Marlinspike and roboticist Stuart Anderson in 2010. The company was acquired by Twitter in November 2011. Some of the company's software products were released under open-source licenses after the acquisition. An independent group called Open Whisper Systems later picked up the development of this open-source software, which led to the creation of the Signal Technology Foundation.
Messenger, also known as Facebook Messenger, is an American proprietary instant messaging service developed by Meta Platforms. Originally developed as Facebook Chat in 2008, the client application of Messenger is currently available on iOS and Android mobile platforms, Windows and macOS desktop platforms, through the Messenger.com web application, and on the standalone Facebook Portal hardware.
Wickr is an American software company based in New York City. It is known for its instant messaging application of the same name. The Wickr instant messaging apps allow users to exchange end-to-end encrypted and content-expiring messages, and are designed for iOS, Android, Mac, Windows, and Linux operating systems. Wickr was acquired by Amazon Web Services (AWS) in mid-2021. The free version of the app was discontinued in December 2023.
Telegram Messenger, commonly known as Telegram, is a cloud-based, cross-platform, social media and instant messaging (IM) service. It was originally launched for iOS on 14 August 2013 and Android on 20 October 2013. It allows users to exchange messages, share media and files, and hold private and group voice or video calls as well as public livestreams. It is available for Android, iOS, Windows, macOS, Linux, and web browsers. Telegram offers end-to-end encryption in voice and video calls, and in optional private chats, which Telegram calls Secret Chats.
ChatSecure is a messaging application for iOS which allows OTR and OMEMO encryption for the XMPP protocol. ChatSecure is free and open source software available under the GPL-3.0-or-later license.
TextSecure was an encrypted messaging application for Android that was developed from 2010 to 2015. It was a predecessor to Signal and the first application to use the Signal Protocol, which has since been implemented into WhatsApp and other applications. TextSecure used end-to-end encryption to secure the transmission of text messages, group messages, attachments and media messages to other TextSecure users.
Open Whisper Systems was a software development group that was founded by Moxie Marlinspike in 2013. The group picked up the open source development of TextSecure and RedPhone, and was later responsible for starting the development of the Signal Protocol and the Signal messaging app. In 2018, Signal Messenger was incorporated as an LLC by Moxie Marlinspike and Brian Acton and then rolled under the independent 501c3 non-profit Signal Technology Foundation. Today, the Signal app is developed by Signal Messenger LLC, which is funded by the Signal Technology Foundation.
Threema is a paid cross-platform encrypted instant messaging app developed by Threema GmbH in Switzerland and launched in 2012. The service operates on a decentralized architecture and offers end-to-end encryption. Users can make voice and video calls, send photos, files, and voice notes, share locations, and make groups. Unlike many other popular secure messaging apps, Threema does not require phone numbers or email addresses for registration, only a one-time purchase that can be paid via an app store or anonymously with Bitcoin or cash.
In cryptography, the Double Ratchet Algorithm is a key management algorithm that was developed by Trevor Perrin and Moxie Marlinspike in 2013. It can be used as part of a cryptographic protocol to provide end-to-end encryption for instant messaging. After an initial key exchange it manages the ongoing renewal and maintenance of short-lived session keys. It combines a cryptographic so-called "ratchet" based on the Diffie–Hellman key exchange (DH) and a ratchet based on a key derivation function (KDF), such as a hash function, and is therefore called a double ratchet.
The Signal Protocol is a non-federated cryptographic protocol that provides end-to-end encryption for voice and instant messaging conversations. The protocol was developed by Open Whisper Systems in 2013 and was introduced in the open-source TextSecure app, which later became Signal. Several closed-source applications have implemented the protocol, such as WhatsApp, which is said to encrypt the conversations of "more than a billion people worldwide" or Google who provides end-to-end encryption by default to all RCS-based conversations between users of their Google Messages app for one-to-one conversations. Facebook Messenger also say they offer the protocol for optional Secret Conversations, as does Skype for its Private Conversations.
Wire is an encrypted communication and collaboration app created by Wire Swiss. It is available for iOS, Android, Windows, macOS, Linux, and web browsers such as Firefox. Wire offers a collaboration suite featuring messenger, voice calls, video calls, conference calls, file-sharing, and external collaboration – all protected by a secure end-to-end-encryption. Wire offers three solutions built on its security technology: Wire Pro – which offers Wire's collaboration feature for businesses, Wire Enterprise – includes Wire Pro capabilities with added features for large-scale or regulated organizations, and Wire Red – the on-demand crisis collaboration suite. They also offer Wire Personal, which is a secure messaging app for personal use.
The Signal Technology Foundation, commonly known as the Signal Foundation, is an American non-profit organization founded in 2018 by Moxie Marlinspike and Brian Acton. Its mission is to "protect free expression and enable secure global communication through open source privacy technology." Its subsidiary, Signal Messenger LLC, is responsible for the development of the Signal messaging app and the Signal Protocol.
The UFED is a product series of the Israeli company Cellebrite, which is used for the extraction and analysis of data from mobile devices by law enforcement agencies.
Conversations is a free software, instant messaging client application software for Android. It is largely based on recognized open standards such as the Extensible Messaging and Presence Protocol (XMPP) and Transport Layer Security (TLS).
Silence is a free, open-source messaging encryption software, based on a fork from TextSecure software. It allows the secure exchange of SMS and MMS-type messages with other Silence or TextSecure users. The program allows message encryption and identity verification between correspondents by comparing the fingerprint of the encryption keys.
{{cite web}}
: Missing or empty |title=
(help)I finally got the chance to read all of this more carefully, and it seems that all Cellebrite is doing is reading the texts off of a phone they can already access. To [sic] this has nothing to do with Signal at all. So: never mind.
A group of terrorist suspects in India said to be inspired by Islamic State wanted to emulate US whistleblower Edward Snowden and use encrypted communication tool Signal to stay in touch, it was revealed in interrogation by the National Investigation Agency (NIA).
In the days since rioters stormed Capitol Hill, fringe groups like armed militias, QAnon conspiracy theorists and far-right supporters of President Trump have vowed to continue their fight in hundreds of conversations on a range of internet platforms. Some of the organizers have moved to encrypted messaging apps like Telegram and Signal, which cannot be as easily monitored as social media platforms.
This year, Kessler and his fellow white nationalist co-organizers switched much of their rally planning throughout the summer to private groups on Facebook Messenger and the encrypted texting app Signal...
Telegram and Signal are far more stable and secure and could prove more enduring homes and recruitment stations for far-right groups.
A year later, in the runup to an ultimately barely attended sequel to Unite the Right in D.C., organizers appeared to stay off the platform, opting instead to discuss logistics over Facebook Messenger and the encrypted texting app Signal.