Generated.

[homepage.git] / blog / data / 2016-10-10-signal-landline.txt

Title: Experience and updated recipe for using the Signal app without a mobile phone
Tags: english, debian, sikkerhet, surveillance
Date: 2016-10-10 11:30

<p>In July
<a href="http://people.skolelinux.org/pere/blog/How_to_use_the_Signal_app_if_you_only_have_a_land_line__ie_no_mobile_phone_.html">I
wrote how to get the Signal Chrome/Chromium app working</a> without
the ability to receive SMS messages (aka without a cell phone).  It is
time to share some experiences and provide an updated setup.</p>

<p>The Signal app have worked fine for several months now, and I use
it regularly to chat with my loved ones.  I had a major snag at the
end of my summer vacation, when the the app completely forgot my
setup, identity and keys.  The reason behind this major mess was
running out of disk space.  To avoid that ever happening again I have
started storing everything in <tt>userdata/</tt> in git, to be able to
roll back to an earlier version if the files are wiped by mistake.  I
had to use it once after introducing the git backup.  When rolling
back to an earlier version, one need to use the 'reset session' option
in Signal to get going, and notify the people you talk with about the
problem.  I assume there is some sequence number tracking in the
protocol to detect rollback attacks.  The git repository is rather big
(674 MiB so far), but I have not tried to figure out if some of the
content can be added to a .gitignore file due to lack of spare
time.</p>

<p>I've also hit the 90 days timeout blocking, and noticed that this
make it impossible to send messages using Signal.  I could still
receive them, but had to patch the code with a new timestamp to send.
I believe the timeout is added by the developers to force people to
upgrade to the latest version of the app, even when there is no
protocol changes, to reduce the version skew among the user base and
thus try to keep the number of support requests down.</p>

<p>Since my original recipe, the Signal source code changed slightly,
making the old patch fail to apply cleanly.  Below is an updated
patch, including the shell wrapper I use to start Signal.  The
original version required a new user to locate the JavaScript console
and call a function from there.  I got help from a friend with more
JavaScript knowledge than me to modify the code to provide a GUI
button instead.  This mean that to get started you just need to run
the wrapper and click the 'Register without mobile phone' to get going
now.  I've also modified the timeout code to always set it to 90 days
in the future, to avoid having to patch the code regularly.</p>

<p>So, the updated recipe for Debian Jessie:</p>

<ol>

<li>First, install required packages to get the source code and the
browser you need.  Signal only work with Chrome/Chromium, as far as I
know, so you need to install it.

<pre>
apt install git tor chromium
git clone https://github.com/WhisperSystems/Signal-Desktop.git
</pre></li>

<li>Modify the source code using command listed in the the patch
block below.</li>

<li>Start Signal using the run-signal-app wrapper (for example using
<tt>`pwd`/run-signal-app</tt>).

<li>Click on the 'Register without mobile phone', will in a phone
number you can receive calls to the next minute, receive the
verification code and enter it into the form field and press
'Register'.  Note, the phone number you use will be user Signal
username, ie the way others can find you on Signal.</li>

<li>You can now use Signal to contact others.  Note, new contacts do
not show up in the contact list until you restart Signal, and there is
no way to assign names to Contacts.  There is also no way to create or
update chat groups.  I suspect this is because the web app do not have
a associated contact database.</li>

</ol>

<p>I am still a bit uneasy about using Signal, because of the way its
main author moxie0 reject federation and accept dependencies to major
corporations like Google (part of the code is fetched from Google) and
Amazon (the central coordination point is owned by Amazon).  See for
example
<a href="https://github.com/LibreSignal/LibreSignal/issues/37">the
LibreSignal issue tracker</a> for a thread documenting the authors
view on these issues.  But the network effect is strong in this case,
and several of the people I want to communicate with already use
Signal.  Perhaps we can all move to <a href="https://ring.cx/">Ring</a>
once it <a href="https://bugs.debian.org/830265">work on my
laptop</a>?  It already work on Windows and Android, and is included
in <a href="https://tracker.debian.org/pkg/ring">Debian</a> and
<a href="https://launchpad.net/ubuntu/+source/ring">Ubuntu</a>, but not
working on Debian Stable.</p>

<p>Anyway, this is the patch I apply to the Signal code to get it
working.  It switch to the production servers, disable to timeout,
make registration easier and add the shell wrapper:</p>

<pre>
cd Signal-Desktop; cat &lt;&lt;EOF | patch -p1
diff --git a/js/background.js b/js/background.js
index 24b4c1d..579345f 100644
--- a/js/background.js
+++ b/js/background.js
@@ -33,9 +33,9 @@
         });
     });
 
-    var SERVER_URL = 'https://textsecure-service-staging.whispersystems.org';
+    var SERVER_URL = 'https://textsecure-service-ca.whispersystems.org';
     var SERVER_PORTS = [80, 4433, 8443];
-    var ATTACHMENT_SERVER_URL = 'https://whispersystems-textsecure-attachments-staging.s3.amazonaws.com';
+    var ATTACHMENT_SERVER_URL = 'https://whispersystems-textsecure-attachments.s3.amazonaws.com';
     var messageReceiver;
     window.getSocketStatus = function() {
         if (messageReceiver) {
diff --git a/js/expire.js b/js/expire.js
index 639aeae..beb91c3 100644
--- a/js/expire.js
+++ b/js/expire.js
@@ -1,6 +1,6 @@
 ;(function() {
     'use strict';
-    var BUILD_EXPIRATION = 0;
+    var BUILD_EXPIRATION = Date.now() + (90 * 24 * 60 * 60 * 1000);
 
     window.extension = window.extension || {};
 
diff --git a/js/views/install_view.js b/js/views/install_view.js
index 7816f4f..1d6233b 100644
--- a/js/views/install_view.js
+++ b/js/views/install_view.js
@@ -38,7 +38,8 @@
             return {
                 'click .step1': this.selectStep.bind(this, 1),
                 'click .step2': this.selectStep.bind(this, 2),
-                'click .step3': this.selectStep.bind(this, 3)
+                'click .step3': this.selectStep.bind(this, 3),
+                'click .callreg': function() { extension.install('standalone') },
             };
         },
         clearQR: function() {
diff --git a/options.html b/options.html
index dc0f28e..8d709f6 100644
--- a/options.html
+++ b/options.html
@@ -14,7 +14,10 @@
         &lt;div class='nav'>
           &lt;h1>{{ installWelcome }}&lt;/h1>
           &lt;p>{{ installTagline }}&lt;/p>
-          &lt;div> &lt;a class='button step2'>{{ installGetStartedButton }}&lt;/a> &lt;/div>
+          &lt;div> &lt;a class='button step2'>{{ installGetStartedButton }}&lt;/a>
+           &lt;br> &lt;a class="button callreg">Register without mobile phone&lt;/a>
+
+         &lt;/div>
           &lt;span class='dot step1 selected'>&lt;/span>
           &lt;span class='dot step2'>&lt;/span>
           &lt;span class='dot step3'>&lt;/span>
--- /dev/null   2016-10-07 09:55:13.730181472 +0200
+++ b/run-signal-app   2016-10-10 08:54:09.434172391 +0200
@@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+cd $(dirname $0)
+mkdir -p userdata
+userdata="`pwd`/userdata"
+if [ -d "$userdata" ] && [ ! -d "$userdata/.git" ] ; then
+    (cd $userdata && git init)
+fi
+(cd $userdata && git add . && git commit -m "Current status." || true)
+exec chromium \
+  --proxy-server="socks://localhost:9050" \
+  --user-data-dir=$userdata --load-and-launch-app=`pwd`
EOF
chmod a+rx run-signal-app
</pre>

<p>As usual, if you use Bitcoin and want to show your support of my
activities, please send Bitcoin donations to my address
<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p>