Signal Desktop Beta: Convenience Added to Security

Signal Private Messenger has been simplifying the encryption of voice and text messages for several years now. Not only is it a drop-in replacement for existing Android and iOS contract and messaging apps, but its handling of encryption handshakes is invisible to the user, making encrypted messages no harder from the end-user’s perspective than non-encrypted ones. That is an accomplishment in itself, but Signal has gone one step further, releasing a beta version of Signal Desktop for Android, allowing users to text and play calls from a laptop or workstation synced to a phone.

Signal has come in for some criticism, which I should probably answer before going further. First, the rumor persists that its server code is proprietary. According to Open Whisper Systems, the non-profit that develops Signal, that was true until June 2016 because restrictions on the Apple store were incompatible with the GNU General Public License. However, changes in those restrictions now make it possible to license Signal’s server code under the Affero General Public License, which the Free Software Foundation recommends for on-line services.

Similarly, Signal has been criticized for using centralized servers. However, as a non-profit, Open Whisper Systems is less likely than a commercial service to sell information about its servers, as some have feared it might do. Moreover, Open Whisper’s servers are in over a dozen countries, their exact locations undisclosed, which reduces the chances of them being hacked or impounded. Admittedly, a de-centralized app such as the GNU Project’s Ring would be more secure, but Signal’s servers are not as insecure as the bare fact of centralized servers would imply.

All that said, why bother with a desktop version? After all, the whole point of a phone is unchain users from the desktop? However, anyone who asks that question must be among the few whose eyesight makes them indifferent to the ease of a larger screen. For that matter, their fingers must be slender enough that a full-sized keyboard holds no allure for them.

But with privacy becoming a greater concern for both corporations and activists, there are many who use messaging and phone calls for several hours a day who would probably welcome a larger screen or keyboard. Although Signal Desktop is not a necessity, for such users it is a welcome luxury.

Setting up Signal Desktop
Signal itself is available as an Android app from the Google Play Store. To use the desktop, you must have a phone with Signal installed (so far, Signal does not run on tablets). The Electronic Frontier Foundation has detailed step by step instructions for installing Signal.

Once Signal is installed, you can send encrypted messages to anyone else who has installed Signal; any other calls are sent but uncrypted, although you do have the option of sending an invitation to Signal as well.

Signal Desktop itself is a Chrome/Chromium app available on the Chrome web store. Once it is installed, you can find the app by clicking on the Apps button on the left of your browser’s bookmark toolbar. Clicking the launcher starts the installation wizard, which ends with using the QR reader on your phone to sync the phone with the desktop — an approach that is both one of the few practical uses for QR codes I have seen and an additional piece of privacy, since QR codes are unreadable by humans.

The first time that you use Signal Desktop — or after using the synced phone without the desktop — open the Settings menu and select Settings > Import now to keep the phone and desktop in sync. From the Setting menu, you can also set a theme, and the structure of notifications.

Current Limitations
Signal Desktop is currently in beta release, which may explain why it lacks most of the settings available for Signal on a phone. Or maybe Signal Desktop is not intended to have all those features, since it depends on a synced phone.

Among the functions that Signal Desktop can currently do is send a text, with or without an attachment, allow manual checking of safety numbers (Open Whisper System’s user-friendly name for what is usually called the encryption handshake, which is unseen by Signal users in ordinary use). It can also delete a conversation, or set the time from the present that a conversation will be automatically deleted automatically.

Among the functions Signal Desktop currently lacks is the ability to make a phone call. Nor can it add a contact or group, or edit information for a contact.

In addition, you should also be aware that the desktop cannot add a passphrase to the app, or block screen shots. In general, the beta lacks most of the settings available for Signal on a phone, but these are the ones that are more essential.

Some of these functions may be eventually added for the general release. However, from the little that has been said, I gather than Open Whisper Systems does not intent for the desktop to be a complete replacement for a phone with Signal installed. Instead, it seems meant as a convenience to be used together with a synced phone.

However, even in its current form, Signal Desktop is an addition worth having. Anyone who has cursed the slowness of a text message caused by their pudgy fingers or the need to correct an autocorrect mistake will appreciate the fact that using the desktop transforms texting into real time conversations. That, by itself is an improvement worth having.

 

The Right Way to Do Security
Another point about Signal Desktop — in fact, about Signal in general — is how easy its security is to use. For years, I have seen so-called firewall wizards that are harder to use than iptables from the command line, and distributions that dump an array of security apps on to the desktop and leave users to sort through them without so much as a man page to assist them. Even when such software is better arranged, it generally requires extra steps in order to perform routine tasks, which means that it utterly fails to encourage the average user to adapt more secure habits.

By contrast, any implementation of Signal is no harder to use than an unencrypted app. In fact, unless users decide to play a more active role, they could easily forget that their phone calls and texts are being encrypted at all. This approach is security the way it should be done, and I look forward to seeing future developments in Signal and Signal Desktop in the next few years.

message-log

Signal Desktop is not yet a complete replacement for Signal on an Android phone, but it does make Signal more convenient to use.