moezbhatti / qksms

The most beautiful SMS messenger for Android
https://qklabs.com/download
GNU General Public License v3.0

Secure Messaging #458

Open Ste4thOverride opened 8 years ago

Ste4thOverride commented 8 years ago

This is more of a feature request than an issue. I request that the QKSMS team add support for Axolotl from OpenWhisperSystem to allow secure messaging between users.

Since most users use this app mainly for SMS, adding a simple toggle to enable the option, allowing users to communicate securely and privately over data using this protocol, would be a great addition.

kashifo commented 8 years ago

I think that technology is for Instant Messaging apps and this is an SMS app. Also, I think that's not standard - if you use that tech to send a message to old or different phones, they can't read them.

Ste4thOverride commented 8 years ago

@KashifAnwaar That is not exactly correct. If the other corresponding party you communicate with is using SMS, the default fallback is to send over the SMS/MMS protocol. There would be no way for a user to end up getting a message they cannot read in this scenario. Only if the other user is using the same protocol would the message be sent over the secure communication channel. Signal is the main SMS texting app that uses this, but an example of an IM app using the protocol is WhatsApp, but the rollout isn't 100% complete yet for all users.

rugk commented 8 years ago

As Signal no longer has this feature, why not just switch to a fork of Signal, Silence (formerly SMSSecure)?

Ste4thOverride commented 8 years ago

@rugk I don't want encryption over the SMS channel as Silence provides, but over a data channel, similar to the way Signal, WhatsApp, Allo, FB Messenger are now doing using the Signal protocol. The feature can be opt-in, but it would be a huge win for privacy to add this feature.

rugk commented 8 years ago

Well... in this case this is clearly the wrong app: it is - surprise, surprise - an SMS app. Building encryption over a data channel would require building a whole new system, infrastructure and - more or less - a whole new app, so it is unrealistic that this will happen any time soon.

Just use another app for this feature. A more realistic scenario for QkSMS would be E2E similar to how Silence does it.

> Only if the other user is using the same protocol would the message be sent over the secure communication channel.

This would also happen here. Users would have to use QkSMS always. If you want to have something cross-platform-compatible, using an open standard and being decentralized, you can have a look into XMPP, e.g. with https://conversations.im/.

kashifo commented 8 years ago

That's what I said in the starting itself.

rugk commented 8 years ago

So this issue can be closed or do you consider using some E2E-encryption like Silence?

Or: Is it possible to use this app and Silence together, so that Silence can decrypt messages and they can be received by QkSMS? Or the other way around: Let QkSMS receive messages and send them to Silence for decryption when it notices they are encrypted?

I just remember there is an issue about this already: https://github.com/SilenceIM/Silence/issues/145

But I don't know whether you - from QkSMS - can do something about this.

Ste4thOverride commented 8 years ago

Secure SMS has a huge number of issues, which is why the Open Whisper Team abandoned it and moved to the data channel. https://whispersystems.org/blog/goodbye-encrypted-sms/

Everything is already built and open source; all it takes is implementing it in the current app. https://open-whisper-systems.readme.io/

I already know and use XMPP, but it also has a number of extensive issues that don't make it realistic for a large amount of users to use, including the big one: asynchronous messaging.

Ste4thOverride commented 8 years ago

I will try to get into contact with @moxie0, who can offer some information on adding or integrating support for the Signal protocol within QKSMS, or another team member from Open Whisper Systems. I will try to contact them.

moxie0 commented 8 years ago

@moezbhatti That'd be sweet. If you'd like you can use the Signal server and client code to drop that in. The server side is here: https://github.com/whispersystems/textsecure-server

Once you have the server side running, you can use the libsignal-service lib to communicate with it for sending/receiving messages: https://github.com/whispersystems/libsignal-service-java

Send me an email if you decide to go down that road and have any questions.

moezbhatti commented 8 years ago

Awesome, I appreciate the support @moxie0

I've got two big things I want to refactor and then I'll be working towards integrating this. I'll definitely let you know if I have any questions

rugk commented 7 years ago

See https://github.com/SilenceIM/Silence/issues/487 for an idea of how to integrate this.

d-g commented 5 years ago

(I, presumably, have to clarify the downvote.)

Please, don’t support proliferation of proprietary encryption protocols, which, as @kashifo noted, makes communication with you complicated beyond measure for users of other software.

What might be really feasible instead is to provide some support for transport-agnostic PGP signatures and encrypted messages (so-called ‘inline’ PGP).

Besides being much more interoperable (either right away, with some easy manipulations required, or in a more automated way with the help of something like https://oversec.io), it also should be simpler to implement (presumably, through https://openkeychain.org).

zilexa commented 5 years ago

What is the current view on this request? Is QKSMS going to support secure SMS to other QKSMS users (and potentially also to Silence or Signal users)?

d-g commented 5 years ago

ZileXa wrote:

> Is QKSMS going to support secure SMS to other QKSMS users (and potentially also to Silence or Signal users)?

‘Signal’? Did it ever support encrypted SMS? I was under the impression that they renamed the program from ‘Text Secure’ to ‘Signal’ just around the time when they dropped support for encrypted SMS (MMS).

In any case, that was a couple of years ago, so today ‘Signal’ is a mere cleartext SMS application, unless tied to the eponymous proprietary service.

zilexa commented 5 years ago

My apologies, you are correct. The question remains though, will QKSMS support encrypted SMS?

buzuck commented 5 years ago

d-g Wrote:

> ‘Signal’? Did it ever support encrypted SMS?

Yes, but it was a long time ago. Here is the blog post where they explained their point of view: https://signal.org/blog/goodbye-encrypted-sms/

I disagree with most of their points:

  1. "Encrypted SMS/MMS can never be seamless": Silence (ex SMS-Secure, a fork from TextSecure, former name of Signal) is trying to automatically detect when two people are using the app, and are still using clear text messages. As I understood, by adding extra characters to the messages, that are stripped by a conventional messaging app.
  2. "iPhone compatibility is here": No comment :man_facepalming: Understandable though, as they are a company and don't have unlimited money
  3. "SMS and MMS are a security disaster": This one is a good point. However, I tend to think that weak encryption with metadata leakage is better than no encryption at all. The goal here is not to prevent intrusion, but to limit it :slightly_smiling_face:
  4. "It’s holding us back": Same as 2.

d-g commented 5 years ago

Fol wrote:

> d-g Wrote:
>
> > ‘Signal’? Did it ever support encrypted SMS? ‘Signal’? I was under the impression that they renamed the program from ‘Text Secure’ to ‘Signal’ just around the time when they dropped support for encrypted SMS (MMS).
>
> Yes, but it was a long time ago. Here is the blog post where they explained their point of view: https://signal.org/blog/goodbye-encrypted-sms/

Yes, sure, and as you noticed this article talks about features of ‘Text Secure’. I never used either it or its successor, so I am not well aware of exact dates, but I supposed that dropping SMS (MMS) support was one of the key reasons to rename the program. That would be logical, at least, since ‘text’ in English might refer specifically to messaging via phone network.

> I disagree with most of their points:
>
> 1. "Encrypted SMS/MMS can never be seamless": Silence (ex SMS-Secure, a fork from TextSecure, former name of Signal) is trying to automatically detect when two people are using the app, and are still using clear text messages. As I understood, by adding extra characters to the messages, that are stripped by a conventional messaging app.

Thanks, that would be another reason not to implement a protocol which has such obscure and fragile features.

> 2. "iPhone compatibility is here": No comment :man_facepalming: Understandable though, as they are a company and don't have unlimited money
> 3. "SMS and MMS are a security disaster": This one is a good point.

Good, yet confusingly phrased: it narrows ‘security’ to the privacy of correspondence.

While that’s only one side of security, and, in fact, from that point of view it is considered ‘secure’ enough to be widely used as transport for one-time passwords.

Another side — verifiability — is much more of a disaster, compared to any other communication in our daily use. So one might argue that signing SMS is a more topical issue than encrypting them.

> However, I tend to think that weak encryption with metadata leakage is better than no encryption at all. The goal here is not to prevent intrusion, but to limit it :slightly_smiling_face:
>
> 4. "It’s holding us back": Same as 2.

In any case, I believe we all understand the real motives behind that decision.

zilexa commented 5 years ago

OK, so that means QKSMS will not go the Silence route?