If you ever make a call from your IPhone, you used to have two options: Accept the probability that any wire tapper, hacker or government authority can listen in to your conversations, or pay a hefty price tag for some voice encryption software.
As of yesterday there is now a third option: Open Whisper Systems, the open source software group, have announced the release of Signal, the first iOS app designed to enable strong encrypted voice calls for free. “We’re trying to make private communications as available and accessible as any normal phone call,” says Moxie Marlinspike, the founder of the nonprofit software company, whom is a hacker security researcher. He also adds, that later this summer, encrypted text messaging will be integrated into Signal as well, to create what he describes as a “single, unified app for free, easy, open source, private voice and text messaging.”
Signal encrypts your calls with a tested protocol known as ZRTP and AES 128 encryption, theoretically this protocol is strong enough to withstand all known attacks by anyone from would-be-hackers to GCHQ. Recent tests on an older version of the app revealed some questionable bugs, which Marlinspike says have now been resolved. The user only has a sign of a pair of words that appear on the screen to clarify that the call is not being monitored by a third party. These two words must be read aloud to the person on the other end of the call, as a form of authentication.
Like any new untested app, users should not entirely trust Signal’s security until other researchers have had their chance to examine it. Marlinspike admits “there are always unknowns,” such as vulnerabilities in the software of the iPhone that could allow snooping. But in terms of preventing an eavesdropper on the phone’s network from intercepting calls, Signal’s security protections are “probably pretty great,” he says.
Open Whisper Systems’ founder Marlinspike has been a fixture of the security and cryptography community for years, demonstrating ground breaking hacks like ones that revealed vulnerabilities in the Web encryption SSL and Microsoft’s VPN encryption MS-CHAPv2. He co-founded the start-up Whisper Systems in 2010 with the intention of providing encryption for communication and hardening security on Google’s Android. But the work was put on hold when Whisper Systems was acquired by Twitter in 2011.
Whisper’s iOS app is expected to be globally in demand. The group have set up dozens of servers to handle user’s encrypted calls in more than 10 different countries around the world to minimise the chance of latency.
In fact, Marlinspike says that call quality and ease of use are two of the top priorities for Open Whisper Systems: Clunky encryption programs like PGP, no matter how secure they may be, don’t get used. “In many ways the crypto is the easy part,” he says. “The hard part is developing a product that people are actually going to use and want to use. That’s where most of our effort goes.”