--- /dev/null
+Title: How to use the Signal app if you only have a land line (ie no mobile phone)
+Tags: english, debian, sikkerhet, surveillance
+Date: 2016-07-03 14:15
+
+<p>For a while now, I have wanted to test
+<a href="https://whispersystems.org/">the Signal app</a>, as it is
+said to provide end to end encrypted communication and several of my
+friends and family are already using it. As I by choice do not own a
+mobile phone, this proved to be harder than expected. And I wanted to
+have the source of the client and know that it was the code used on my
+machine. But yesterday I managed to get it working. I used the
+Github source, compared it to the source in
+<a href="https://chrome.google.com/webstore/detail/signal-private-messenger/bikioccmkafdpakkkcpdbppfkghcmihk?hl=en-US">the
+Signal Chrome app</a> available from the Chrome web store, applied
+patches to use the production Signal servers, started the app and
+asked for the hidden "register without a smart phone" form. Here is
+the recipe how I did it.</p>
+
+<p>First, I fetched the Signal desktop source from Github, using
+
+<pre>
+git clone https://github.com/WhisperSystems/Signal-Desktop.git
+</pre>
+
+<p>Next, I patched the source to use be able to talk to other Signal
+users using</p>
+
+<pre>
+cat <<EOF | patch -p0
+diff -ur ./js/background.js userdata/Default/Extensions/bikioccmkafdpakkkcpdbppfkghcmihk/0.15.0_0/js/background.js
+--- ./js/background.js 2016-06-29 13:43:15.630344628 +0200
++++ userdata/Default/Extensions/bikioccmkafdpakkkcpdbppfkghcmihk/0.15.0_0/js/background.js 2016-06-29 14:06:29.530300934 +0200
+@@ -47,8 +47,8 @@
+ });
+ });
+
+- var SERVER_URL = 'https://textsecure-service-staging.whispersystems.org';
+- var ATTACHMENT_SERVER_URL = 'https://whispersystems-textsecure-attachments-staging.s3.amazonaws.com';
++ var SERVER_URL = 'https://textsecure-service-ca.whispersystems.org:4433';
++ var ATTACHMENT_SERVER_URL = 'https://whispersystems-textsecure-attachments.s3.amazonaws.com';
+ var messageReceiver;
+ window.getSocketStatus = function() {
+ if (messageReceiver) {
+diff -ur ./js/expire.js userdata/Default/Extensions/bikioccmkafdpakkkcpdbppfkghcmihk/0.15.0_0/js/expire.js
+--- ./js/expire.js 2016-06-29 13:43:15.630344628 +0200
++++ userdata/Default/Extensions/bikioccmkafdpakkkcpdbppfkghcmihk/0.15.0_0/js/expire.js2016-06-29 14:06:29.530300934 +0200
+@@ -1,6 +1,6 @@
+ ;(function() {
+ 'use strict';
+- var BUILD_EXPIRATION = 0;
++ var BUILD_EXPIRATION = 1474492690000;
+
+ window.extension = window.extension || {};
+
+EOF
+</pre>
+
+<p>The first part is changing the servers, and the second is updating
+an expiration timestamp. This timestamp need to be updated regularly.
+It is set 90 days in the future by the build process (Gruntfile.js).
+The value is seconds since 1970 times 1000, as far as I can tell.</p>
+
+<p>Based on a tip and good help from the #nuug IRC channel, I wrote a
+script to launch Signal in Chromium.</p>
+
+<pre>
+#!/bin/sh
+cd $(dirname $0)
+mkdir -p userdata
+exec chromium \
+ --proxy-server="socks://localhost:9050" \
+ --user-data-dir=`pwd`/userdata --load-and-launch-app=`pwd`
+</pre>
+
+<p> The script set start the app and configure Chromium to use the Tor
+SOCKS5 proxy to make sure those controlling the Signal servers (today
+Amazon and Whisper Systems) as well as those listening on the lines
+will have a harder time location my laptop based on the Signal
+connections if they use source IP address.</p>
+
+<p>When the script starts, one need to follow the instructions under
+"Standalone Registration" in the CONTRIBUTING.md file in the git
+repository. I right clicked on the Signal window to get up the
+Chromium debugging tool, visited the 'Console' tab and wrote
+'extension.install("standalone")' on the console prompt to get the
+registration form. Then I entered by land line phone number and
+pressed 'Call'. 5 seconds later the phone rang and a robot voice
+repeated the verification code three times. After entering the number
+into the verification code field in the form, I could start using
+Signal from my laptop.
+
+<p>As far as I can tell, The Signal app will leak who is talking to
+whom and thus who know who to those controlling the central server,
+but such leakage is hard to avoid with a centrally controlled server
+setup. It is something to keep in mind when using Signal - the
+content of your chats are harder to intercept, but the meta data
+exposing your contact network is available to people you do not know.
+So better than many options, but not great. There are options
+avoiding such leakage, but most of my friends are not using them, so I
+am stuck with Signal for now.</p>
projects / homepage.git / commitdiff