I didn't mind much that TextSecure removed the SMS feature, since I didn't use it anyway, but I think the removal was badly handled. I'm glad someone is catering to the users who used this feature, it gets more eyes on the code and increases the pressure on the Signal team to do things right.
When TextSecure removed SMS encryption there wasn't a clear warning about it in the what's new message, and as far as I can tell there was no deprecation period or warning to users who had been using it. You'd be sending encrypted messages before the update, and unencrypted messages after. For some reason they didn't link to their blog post[1] in the what's new message. It looks to me like they didn't want people to notice that they were removing a feature.
This lessens my trust in the creators and makes me hesitate to update the app since I don't know if they will change or remove features I do use in the future without warning. Hopefully they'll review their process so they don't scare more people over to SMSSecure.
If you didn't use the feature, you might have missed it, but we talked about its removal publicly for over a year. We also made many incremental changes over that year in order to phase it out so that it wasn't a sudden removal. We did all of that, despite the fact that it was used by an incredibly tiny fraction of our total install base. The people who used encrypted SMS are very vocal, but the users we're really targeting never even knew it existed.
I think projects like this one are great. I have no idea if the people behind it know what they're doing or can write secure software, but we've always wanted some place where the people who want to import their GPG key, manually select their underlying block cipher, or support WoT style key signatures can go. Projects like these might be a better fit for those users.
I am an avid TS user. I hate that they stopped SMS because the move is contrary to their stated goal[s]. Taking that as understood, I do not feel they mishandled notification of their stupid decision.
I'm one of the developers of this project. If you have any questions, let me know.
To be clear, this project isn't endorsed in any way by Open Whisper Systems. We forked their codebase pre-v2.7.0 and are integrating upstream commits, but that's it.
The idea isn't to compete with TextSecure, it's to provide the encrypted SMS functionality TextSecure used to (with all its compromises and drawbacks) for people that push-based messaging isn't an option for.
The really hard part about encrypting communications is key distribution and validation (e.g., validating that the public key for number 555-1234 actually belongs to Alice).
The underlying reasons are actually pretty sensible.
Signal (as it will be) can't deliver encryption via SMS on iOS due to platform restrictions. Neither can tablets or computers normally send SMS messages. (To say nothing of metadata risks, although TextSecure cannot address that without a decoupling layer, like Tor, and in any case low-latency low-bandwidth mixnet messaging is very hard versus nation-state adversaries with traffic correlation abilities.)
It's also clear that voice and video can't be delivered well or at all by SMS/MMS, and that MMS in particular is a huge pain in the arse.
However, users who have limited/no data plans are up in arms. Whole bunch of 1-star reviews. Clearly quite a few vocal users (not necessarily users in regions you might expect) liked this feature, used it, seemingly needed it. I know that sometimes when travelling even I'm out of data service, but within SMS service.
So it may be that a fork does make semantic sense here. Signal will eventually deliver cross-platform best-in-class secure messaging, group messaging, voice/video/etc - features which cannot be delivered by SMS - and SMSSecure could deliver encrypted SMS messages for users on the Android platform (only).
As someone who doesn't follow TextSecure or anything else, how does this work? How do my messages get encrypted, yet the people I'm texting don't need to install anything to read them? What am I missing here?
SMSSecure's default mode is to send normal, unencrypted SMS messages so people using regular SMS clients can still receive them.
If both users have SMSSecure, they can exchange keys and upgrade to an encrypted session.
Also, there's some amount of autodetection going on. SMSSecure will automatically prompt the user to start a secure session if it detects the recipient is also using SMSSecure.
But yes, if a user tries to start a secure session with someone who doesn't have SMSSecure installed, the recipient will just see a bunch of garbage (limitation of the transport).
Both parties need to have SMSSecure installed, and a secure session started — a roundtrip of SMS to exchange keys, or something (I'm not an expert so not sure if those are keys, or something else).
Otherwise they will only see a garbage of letters/numbers.
tveita | 11 years ago
[1] https://whispersystems.org/blog/goodbye-encrypted-sms/
moxie | 11 years ago
classicsnoot | 11 years ago
dTal | 11 years ago
patcon | 11 years ago
https://github.com/WhisperSystems/Flock/blob/master/flock/sr...
https://github.com/WhisperSystems/Flock/blob/master/flock/bu...
https://github.com/WhisperSystems/Flock/blob/master/flock/sr...
yownie | 11 years ago
pR0Ps | 11 years ago
hobarrera | 11 years ago
How did you guys attack this problem?
sarciszewski | 11 years ago
sschueller | 11 years ago
Reason for the fork: https://whispersystems.org/blog/goodbye-encrypted-sms/
AlyssaRowan | 11 years ago
ToastyMallows | 11 years ago
pR0Ps | 11 years ago
Couto | 11 years ago
darkhorn | 11 years ago
https://play.google.com/store/apps/details?id=cz.oksystem.sm...
sarciszewski | 11 years ago
classicsnoot | 11 years ago
psykovsky | 11 years ago