blog/data/2016-07-03-signal-landline.txt

   1 Title: How to use the Signal app if you only have a land line (ie no mobile phone)
   2 Tags: english, debian, sikkerhet, surveillance
   3 Date: 2016-07-03 14:20
   4
   5 <p>For a while now, I have wanted to test
   6 <a href="https://whispersystems.org/">the Signal app</a>, as it is
   7 said to provide end to end encrypted communication and several of my
   8 friends and family are already using it.  As I by choice do not own a
   9 mobile phone, this proved to be harder than expected.  And I wanted to
  10 have the source of the client and know that it was the code used on my
  11 machine.  But yesterday I managed to get it working.  I used the
  12 Github source, compared it to the source in
  13 <a href="https://chrome.google.com/webstore/detail/signal-private-messenger/bikioccmkafdpakkkcpdbppfkghcmihk?hl=en-US">the
  14 Signal Chrome app</a> available from the Chrome web store, applied
  15 patches to use the production Signal servers, started the app and
  16 asked for the hidden "register without a smart phone" form.  Here is
  17 the recipe how I did it.</p>
  18
  19 <p>First, I fetched the Signal desktop source from Github, using
  20
  21 <pre>
  22 git clone https://github.com/WhisperSystems/Signal-Desktop.git
  23 </pre>
  24
  25 <p>Next, I patched the source to use the production servers, to be
  26 able to talk to other Signal users:</p>
  27
  28 <pre>
  29 cat &lt;&lt;EOF | patch -p0
  30 diff -ur ./js/background.js userdata/Default/Extensions/bikioccmkafdpakkkcpdbppfkghcmihk/0.15.0_0/js/background.js
  31 --- ./js/background.js  2016-06-29 13:43:15.630344628 +0200
  32 +++ userdata/Default/Extensions/bikioccmkafdpakkkcpdbppfkghcmihk/0.15.0_0/js/background.js    2016-06-29 14:06:29.530300934 +0200
  33 @@ -47,8 +47,8 @@
  34          });
  35      });
  36
  37 -    var SERVER_URL = 'https://textsecure-service-staging.whispersystems.org';
  38 -    var ATTACHMENT_SERVER_URL = 'https://whispersystems-textsecure-attachments-staging.s3.amazonaws.com';
  39 +    var SERVER_URL = 'https://textsecure-service-ca.whispersystems.org:4433';
  40 +    var ATTACHMENT_SERVER_URL = 'https://whispersystems-textsecure-attachments.s3.amazonaws.com';
  41      var messageReceiver;
  42      window.getSocketStatus = function() {
  43          if (messageReceiver) {
  44 diff -ur ./js/expire.js userdata/Default/Extensions/bikioccmkafdpakkkcpdbppfkghcmihk/0.15.0_0/js/expire.js
  45 --- ./js/expire.js      2016-06-29 13:43:15.630344628 +0200
  46 +++ userdata/Default/Extensions/bikioccmkafdpakkkcpdbppfkghcmihk/0.15.0_0/js/expire.js2016-06-29 14:06:29.530300934 +0200
  47 @@ -1,6 +1,6 @@
  48  ;(function() {
  49      'use strict';
  50 -    var BUILD_EXPIRATION = 0;
  51 +    var BUILD_EXPIRATION = 1474492690000;
  52
  53      window.extension = window.extension || {};
  54
  55 EOF
  56 </pre>
  57
  58 <p>The first part is changing the servers, and the second is updating
  59 an expiration timestamp.  This timestamp need to be updated regularly.
  60 It is set 90 days in the future by the build process (Gruntfile.js).
  61 The value is seconds since 1970 times 1000, as far as I can tell.</p>
  62
  63 <p>Based on a tip and good help from the #nuug IRC channel, I wrote a
  64 script to launch Signal in Chromium.</p>
  65
  66 <pre>
  67 #!/bin/sh
  68 cd $(dirname $0)
  69 mkdir -p userdata
  70 exec chromium \
  71   --proxy-server="socks://localhost:9050" \
  72   --user-data-dir=`pwd`/userdata --load-and-launch-app=`pwd`
  73 </pre>
  74
  75 <p> The script start the app and configure Chromium to use the Tor
  76 SOCKS5 proxy to make sure those controlling the Signal servers (today
  77 Amazon and Whisper Systems) as well as those listening on the lines
  78 will have a harder time location my laptop based on the Signal
  79 connections if they use source IP address.</p>
  80
  81 <p>When the script starts, one need to follow the instructions under
  82 "Standalone Registration" in the CONTRIBUTING.md file in the git
  83 repository.  I right clicked on the Signal window to get up the
  84 Chromium debugging tool, visited the 'Console' tab and wrote
  85 'extension.install("standalone")' on the console prompt to get the
  86 registration form.  Then I entered by land line phone number and
  87 pressed 'Call'.  5 seconds later the phone rang and a robot voice
  88 repeated the verification code three times.  After entering the number
  89 into the verification code field in the form, I could start using
  90 Signal from my laptop.
  91
  92 <p>As far as I can tell, The Signal app will leak who is talking to
  93 whom and thus who know who to those controlling the central server,
  94 but such leakage is hard to avoid with a centrally controlled server
  95 setup.  It is something to keep in mind when using Signal - the
  96 content of your chats are harder to intercept, but the meta data
  97 exposing your contact network is available to people you do not know.
  98 So better than many options, but not great.  And sadly the usage is
  99 connected to my land line, thus allowing those controlling the server
 100 to associate it to my home and person.  I would prefer it if only
 101 those I knew could tell who I was on Signal.  There are options
 102 avoiding such information leakage, but most of my friends are not
 103 using them, so I am stuck with Signal for now.</p>
 104
 105 <p><strong>Update 2017-01-10</strong>: There is an updated blog post
 106 on this topic in
 107 <a href="http://www.hungry.com/~pere/blog/Experience_and_updated_recipe_for_using_the_Signal_app_without_a_mobile_phone.html">Experience
 108 and updated recipe for using the Signal app without a mobile
 109 phone</a>.</p>