[guardian-dev] Ciao TextSecure SMS

Jacob Appelbaum jacob at appelbaum.net
Thu May 14 14:55:15 EDT 2015


On 5/14/15, Daniel Martí <mvdan at mvdan.cc> wrote:
> On Thu, May 14, 2015 at 17:32:02 +0000, Jacob Appelbaum wrote:
>> TextSecure is Free Software with a non-free dependency for signaling.
>> My understanding is that WebSockets is the future for TextSecure and
>> Signal, which is perhaps partially deployed? I guess that the GCM and
>> Apple push are both not working out very well for
>> Signal/TextSecure/Redphone users. So good news on that front: they're
>> ditching the non-free notification component soon, I think.
>
> I've also heard that, hopefully they can move on to a free software
> stack at some point.

I think that process is well underway - I look forward to the full switch.

>
>> That isn't entirely accurate - I have used it on a device without the
>> Play Store but with GCM. That isn't commonly deployed but it functions
>> entirely without a Google account and without a bunch of Google apps.
>> It requires exactly one Google service for GCM functionality.
>
> Well, even though not requiring an account is a plus, requiring non-free
> software to run on the device is still bad.

What phone that uses a modern telephone network doesn't? I mean, I'm a
fan of my Motorola C123 as much as anyone... And even with Replicant,
effectively no baseband is free software and the one or two that are
free, they're not usable or useful.

>
>> TextSecure isn't in F-Droid for a bunch of very reasonable reasons
>> that Moxie outlined. Regardless of what anyone calls it - both are
>> freely licensed. F-Droid isn't quite feature complete with the Play
>> store in some important areas, which is sad and lucky us: it is
>> improving over time thanks to the hard work of F-Droid developers!
>
> Yes, TextSecure is not in F-Droid for a whole bunch of reasons. His
> reasons are that we don't have some features, ours are that his app
> would require heavy patching to be free software, for example.
>
> I honestly don't agree with all of his demands either. He requested that
> we force users to run the latest version of his app, that we remove
> older builds or that we provide an analytics service much like the one
> provided by Google Play.
>

I think it is reasonable to ask for removal of known vulnerable
software when a newer version that fixes the issues is released.
Especially for high profile, high security software. I think requiring
analytics is a bit fussy though. :)

> Some others are legitimate, like the signing. That is being worked on
> and at the moment it's deployed for some apps with the cooperation of
> the respective upstream devs.
>

Exciting! Is there a document that explains this process?

>> However WhatsApp isn't Free Software as far as I understand, which was
>> the original point of my message. So even if WhatsApp is otherwise
>> identical in usability and security claims, we'd have no way to verify
>> that it was true without source code, reverse engineering or well,
>> blind faith.
>
> I'll give you that TextSecure is partially free software, but IMHO
> that's as good as saying it's not. Even though the black box it contains
> may not make the crypto system and secure messaging less secure, I would
> still not call it free software.
>

It is free software but it is partially non-functional without GCM.
That is a bummer but it doesn't make it non-free software in my view.
wget on Windows is still Free Software even if it runs on an awfully
non-free platform.

>> Just as a side note - SMS is just slightly better than GCM. There are
>> nearly no good Free Software options that only use open protocols
>> over open and free networks.
>
> I actually heard SMS is worse, and that this is why Moxie dropped its
> support in TextSecure.

SMS can be done with Free Software on a C123 - so the full stack is
possible. I don't think that is true for GCM, yet. That's slightly
better in my view. Though there is obviously the issue with SIM cards
(non-free software, non-free hardware). You can also use SIP but the
SS7 backbone isn't free either. :-(

Ironically, any place where Android or Android with F-Droid runs is
not one of those places. Most SMS uses a non-free baseband and many of
those baseband CPUs are... in control of the Free Software driven
application CPU. Doh.

None of those factors make any of the software involved more or less
Free Software, of course.

All the best,
Jacob

