With the depths of domestic government surveillance still not fully realized, secure communications capabilities are at a premium, especially for the privacy conscious.
Already, we’ve seen some services such as Lavabit and Silent Circle’s Silent Mail shudder operations rather than hand over decryption keys to the government that would enable snooping over their respective users. Both companies realized shortcomings in their products’ email encryption capabilities that made it impossible for them to keep to their promises of preserving user privacy. Since then, however, the two companies have joined forces in what they’re calling the Dark Mail Alliance, an effort to develop an open protocol and architecture for private email.
In the meantime, while secure email may be a challenging hill to climb, secure end-to-end encrypted text messaging has been a bit easier to conquer, with successful systems, for example, storing encryption keys on the user’s device keeping them away from the NSA’s reach. And now, given an announcement yesterday, encrypted messaging is within reach of millions of Android mobile device users.
Open WhisperSystems announced that its TextSecure protocol will be integrated as part of the CyanogenMod OS-level SMS app, bringing encryption to 10 million users; CyanogenMod provides aftermarket firmware for Android devices.
Open WhisperSystems cofounder Moxie Marlinspike, right, said in the announcement it was important to have this be a seamless, transparent integration for the user, who would now be able to send encrypted text messages in as simple and reliable fashion as before. He also said this is just the first step toward providing secure communications capabilities to the masses, and that an end-to-end encrypted communications client for Apple iOS is in the works, as is a TextSecure browser extension.
“This effort marks the beginning of our transition to the data channel as a TextSecure transport, which should hopefully open up a host of ongoing opportunities,” Marlinspike said. “Soon we will have a truly cross platform seamless asynchronous messaging system built on open protocols and open source software, with an already massive user base.”
Unlike Silent Circle’s secure text messaging client Silent Text, for example, TextSecure does not require both ends of the conversation to have the client installed, nor are encryption keys stored with OpenWhipser Systems. Instead, they are kept on the user’s device.
Marlinspike said the native CyanogenMod SMS client was modified to support the TextSecure protocol, and that TextSecure for CyanogenMod runs on the TextSecure V2 protocol and supports forward secrecy and the 3DHE agreement for deniable messages.
“If an outgoing SMS message is addressed to another CyanogenMod or TextSecure user, it will be transparently encrypted and sent over the data channel as a push message to the receiving device. That device will then decrypt the message and deliver it to the system as a normal incoming SMS,” Marlinspike said. “The result is a system where a CyanogenMod user can choose to use any SMS app they’d like, and their communication with other CyanogenMod or TextSecure users will be transparently encrypted end-to-end over the data channel without requiring them to modify their work flow at all.”
Marlinspike said too that the recipient device does not have to be on in order for messages to be sent.
“The user doesn’t have to initiate a key exchange and wait for a round trip to complete, or know that the recipient is ‘online,'” he said.