Signal’s protocol gets glowing reviews in first security audit
Signal is widely considered the gold standard of secure encrypted messaging apps but, until today, it hasn’t been subject to a fine-toothed audit. The technology passed a major test Tuesday after an international team of security researchers gave the messaging platform’s security glowing reviews in its first-ever formal security audit.
Researchers from the University of Oxford in the United Kingdom, Queensland University of Technology in Australia and McMaster University in Canada gave the messaging application a fervent thumbs up.
“We have found no major flaws in its design, which is very encouraging,” the five researchers wrote. They call on researchers to continue the testing and analysis of Signal.
Launched two years ago, Signal has long been heralded by security experts around the world. Edward Snowden recommends it and Matthew Green, a prominent cryptographer at Johns Hopkins University, says the high quality of the code makes him drool in delight.
The technology behind Signal underlies encryption in products from Facebook, WhatsApp, and Google, reaching over 1 billion individuals, most of whom don’t even know it. The Signal app itself has been downloaded 5 million times in the Google Play store (Apple’s App Store doesn’t publish numbers). It’s used widely by journalists, dissidents and government officials around the world. After coming under intense and prolonged phishing attacks, Democratic presidential nominee Hillary Clinton’s campaign is now using Signal for communications.
Signal is developed by Open Whisper Systems, a San Francisco-based nonprofit that, like many prominent internet freedom technologies, largely received its funding from U.S. government grants. Work with Facebook and Google may mean more money for the organization, but the exact terms of those partnerships remain unknown.
In addition to protecting communications, Signal collects vanishingly small amounts of data on its users. That means that when a government requests data from the company, it doesn’t find much. Earlier this month, an FBI subpoena and gag order revealed a Signal user’s account creation date and its last connection date.
Signal’s no-compromise encryption is at the center of a global debate on privacy and security. The problem, which FBI Director James Comey calls “Going Dark,” is that law enforcement and intelligence agencies will be locked out of communications and data that might otherwise aid their investigations. A vast consensus of cybersecurity experts argues that strong encryption which cannot be compromised is essential to the internet’s security, increasingly due to the threats from hackers looking to take everything from national secrets to personal data.
Strong encryption has taken off after revelations of mass surveillance by the world’s governments and news of continued devastating hacks against private individuals, some of the world’s biggest companies, and everyone in between. Since Edward Snowden’s leaks about the National Security Agency’s surveillance programs, the average internet user has become vastly more privacy-aware.
For a long time, consumers had to make a choice: Secure or easy. Early instant messaging or texting programs were easy to use but vastly insecure. Earlier security programs, like those based on PGP email security, were powerful but complex and intimidating. Signal represents a new era in security products where consumers can, to a significant extent, have the best of both worlds.
In just the last few weeks, Signal’s developers added GIF searching to the product. Although the decision raised some eyebrows, the motivation is clear: Make the product better, add more fun features, and more “normal” people will want to use it. All of a sudden, you have many millions of users happily downloading a veritably secure messaging app. All it took was a few good GIFs.