6 private links
At Signal, we’ve been thinking about the difficulty of private contact discovery for a long time. We’ve been working on strategies to improve our current design, and today we’ve published a new private contact discovery service. Using this service, Signal clients will be able to efficiently and scalably determine whether the contacts in their address book are Signal users without revealing the contacts in their address book to the Signal service.
In collaboration with Signal, Microsoft is introducing a Private Conversations feature in Skype, powered by Signal Protocol.
Signal is a new security protocol and accompanying app that provides end-to-end encryption for instant messaging. The core protocol has recently been adopted by WhatsApp, Facebook Messenger, and Google Allo among many others; the first two of these have at least 1 billion active users. Signal includes several uncommon security properties (such as “future secrecy” or “post-compromise security”), enabled by a novel technique called ratcheting in which session keys are updated with every message sent. Despite its importance and novelty, there has been little to no academic analysis of the Signal protocol.
We conduct the first security analysis of Signal’s Key Agreement and Double Ratchet as a multi-stage key exchange protocol. We extract from the implementation a formal description of the abstract protocol, and define a security model which can capture the “ratcheting” key update structure. We then prove the security of Signal’s core in our model, demonstrating several standard security properties. We have found no major flaws in the design, and hope that our presentation and results can serve as a starting point for other analyses of this widely adopted protocol.
People say things like this about Signal but tend not to acknowledge why Signal is like that. Look at how Signal handles something as basic as user profiles, then compare it to how other applications address the same problems. I'll recommend Wire alongside WhatsApp any day, but keep in mind that Wire's servers apparently have a record of every conversation that has occurred between any two Wire users (not the content, mind you, just the link).
This is why I disagree with Matthew Green, do not think we've totally figured out secure messaging yet and that they're all "so good", and think that if you're serious about privacy --- enough to have strong opinions about WhatsApp vs. Signal, for instance --- that you should use multiple messengers:
- a "tier 1" secure messaging app like Signal that makes all reasonable tradeoffs in favor of security and privacy regardless of the UX cost, used when possible and for sensitive conversations.
- a "tier 2" secure messaging app like WhatsApp or Wire as your "daily messenger".
- "tier 3" messenger applications (including email) that you use mostly to rendezvous to a real messenger application.
In this scheme you can start to understand Signal as not just a decent messenger application with best-in-class security and privacy, but also as a laboratory for future privacy enhancements to messaging.
When MicroG stopped working for you, Signal complained because it thought that you were still a GCM user. You can reset that by following these steps to re-register:
Tap on the Menu.
Choose Settings.
Choose Advanced.
Tap 'Signal' to slide the indicator (from blue to off).
Choose 'OK' in the 'Disable Signal Messages' pop up.
Tap 'Signal' a second time to re-register.
Enter or Edit your phone number.
Tap Register.
Complete the registration process.
Send messages on Signal.
If your device does not include Google Play Services (or microG or OpenGApps) when you re-register, the app will fall back to using WebSockets to keep a connection open to the Signal server. New information that's queued on the Signal server (such as encrypted messages or tokens that are used to set up calls) will automatically be pushed to your phone as soon as it arrives on the server. The app just needs to check at an interval to make sure that the connection hasn't died.
If you're using an Android phone that includes Google Play Services (or microG or OpenGApps), your phone will have an open GCM connection. Signal will automatically detect this when you register (or re-register) and use that existing connection in order to preserve battery life. It's worth noting here that any information that's pushed through GCM will be visible to Google. That's why Signal is designed so that no information is ever transmitted through GCM. If there's new information queued on the Signal server and your app isn't connected to the service, an empty notification is pushed to your device through GCM. The notification wakes up the app, it automatically recognizes the empty notification as meaning that it needs to connect to the Signal server, and then it fetches the queued information through a separate encrypted channel. This way, Google does not have access to metadata about who Signal users communicate with. (Other apps that use GCM may or may not have implemented this workaround.)
Moxie Marlinspike has said that both the Play Store build and the website build are reproducible, so I assume that means they are both compiled from the same branch on GitHub. In other words, it should be one and the same APK whichever way you choose to install it. Here's a blog post explaining how you can verify that.
Advanced users with special needs can download the Signal APK directly. Most users should not do this under normal circumstances.
Signal Desktop is now available in a new, standalone form, and the Chrome App has been deprecated.
Signal-Android - A private messenger for Android.
Using Signal pseudonymously
This application, recommended by the whistleblower Edward Snowden, previously allowed encrypted text or voice conversations. It now offers the ability to make secure video calls.
In the "first half of 2016" (the most specific we're permitted to be), we received a subpoena from the Eastern District of Virginia. The subpoena required us to provide information about two Signal users for a federal grand jury investigation.
We've designed the Signal service to minimize the data we retain about Signal users, so the only information we can produce in response to a request like this is the date and time a user registered with Signal and the last date of a user's connectivity to the Signal service.
Notably, things we don't have stored include anything about a user's contacts (such as the contacts themselves, a hash of the contacts, or any other derivative contact information), anything about a user's groups (such as how many groups a user is in, which groups a user is in, or the membership lists of a user's groups), or any records of who a user has been communicating with.
All message contents are end-to-end encrypted, so we don't have that information either.
This is the first subpoena that we've received. It originally included a broad gag order that would have prevented us from publishing this notice, but the ACLU represented us in quickly and successfully securing our ability to publish the transcripts below. We're committed to treating any future requests the same way: working with effective and talented organizations like the ACLU, and publishing transcripts of our responses to government requests here.
Below is the transcript for this request.