From: Petter Reinholdtsen Date: Sun, 3 Jul 2016 12:14:50 +0000 (+0200) Subject: New blog post about Signal. X-Git-Url: https://pere.pagekite.me/gitweb/homepage.git/commitdiff_plain/1f755297464321fe50641dbd579df597a6bba0c6 New blog post about Signal. --- diff --git a/blog/data/2016-07-03-signal-landline.txt b/blog/data/2016-07-03-signal-landline.txt new file mode 100644 index 0000000000..d0843d6448 --- /dev/null +++ b/blog/data/2016-07-03-signal-landline.txt @@ -0,0 +1,100 @@ +Title: How to use the Signal app if you only have a land line (ie no mobile phone) +Tags: english, debian, sikkerhet, surveillance +Date: 2016-07-03 14:15 + +

For a while now, I have wanted to test +the Signal app, as it is +said to provide end to end encrypted communication and several of my +friends and family are already using it. As I by choice do not own a +mobile phone, this proved to be harder than expected. And I wanted to +have the source of the client and know that it was the code used on my +machine. But yesterday I managed to get it working. I used the +Github source, compared it to the source in +the +Signal Chrome app available from the Chrome web store, applied +patches to use the production Signal servers, started the app and +asked for the hidden "register without a smart phone" form. Here is +the recipe how I did it.

+ +

First, I fetched the Signal desktop source from Github, using + +

+git clone https://github.com/WhisperSystems/Signal-Desktop.git
+
+ +

Next, I patched the source to use be able to talk to other Signal +users using

+ +
+cat <<EOF | patch -p0
+diff -ur ./js/background.js userdata/Default/Extensions/bikioccmkafdpakkkcpdbppfkghcmihk/0.15.0_0/js/background.js
+--- ./js/background.js  2016-06-29 13:43:15.630344628 +0200
++++ userdata/Default/Extensions/bikioccmkafdpakkkcpdbppfkghcmihk/0.15.0_0/js/background.js    2016-06-29 14:06:29.530300934 +0200
+@@ -47,8 +47,8 @@
+         });
+     });
+ 
+-    var SERVER_URL = 'https://textsecure-service-staging.whispersystems.org';
+-    var ATTACHMENT_SERVER_URL = 'https://whispersystems-textsecure-attachments-staging.s3.amazonaws.com';
++    var SERVER_URL = 'https://textsecure-service-ca.whispersystems.org:4433';
++    var ATTACHMENT_SERVER_URL = 'https://whispersystems-textsecure-attachments.s3.amazonaws.com';
+     var messageReceiver;
+     window.getSocketStatus = function() {
+         if (messageReceiver) {
+diff -ur ./js/expire.js userdata/Default/Extensions/bikioccmkafdpakkkcpdbppfkghcmihk/0.15.0_0/js/expire.js
+--- ./js/expire.js      2016-06-29 13:43:15.630344628 +0200
++++ userdata/Default/Extensions/bikioccmkafdpakkkcpdbppfkghcmihk/0.15.0_0/js/expire.js2016-06-29 14:06:29.530300934 +0200
+@@ -1,6 +1,6 @@
+ ;(function() {
+     'use strict';
+-    var BUILD_EXPIRATION = 0;
++    var BUILD_EXPIRATION = 1474492690000;
+ 
+     window.extension = window.extension || {};
+ 
+EOF
+
+ +

The first part is changing the servers, and the second is updating +an expiration timestamp. This timestamp need to be updated regularly. +It is set 90 days in the future by the build process (Gruntfile.js). +The value is seconds since 1970 times 1000, as far as I can tell.

+ +

Based on a tip and good help from the #nuug IRC channel, I wrote a +script to launch Signal in Chromium.

+ +
+#!/bin/sh
+cd $(dirname $0)
+mkdir -p userdata
+exec chromium \
+  --proxy-server="socks://localhost:9050" \
+  --user-data-dir=`pwd`/userdata --load-and-launch-app=`pwd`
+
+ +

The script set start the app and configure Chromium to use the Tor +SOCKS5 proxy to make sure those controlling the Signal servers (today +Amazon and Whisper Systems) as well as those listening on the lines +will have a harder time location my laptop based on the Signal +connections if they use source IP address.

+ +

When the script starts, one need to follow the instructions under +"Standalone Registration" in the CONTRIBUTING.md file in the git +repository. I right clicked on the Signal window to get up the +Chromium debugging tool, visited the 'Console' tab and wrote +'extension.install("standalone")' on the console prompt to get the +registration form. Then I entered by land line phone number and +pressed 'Call'. 5 seconds later the phone rang and a robot voice +repeated the verification code three times. After entering the number +into the verification code field in the form, I could start using +Signal from my laptop. + +

As far as I can tell, The Signal app will leak who is talking to +whom and thus who know who to those controlling the central server, +but such leakage is hard to avoid with a centrally controlled server +setup. It is something to keep in mind when using Signal - the +content of your chats are harder to intercept, but the meta data +exposing your contact network is available to people you do not know. +So better than many options, but not great. There are options +avoiding such leakage, but most of my friends are not using them, so I +am stuck with Signal for now.