Go to the profile of x0rz
x0rz
Security Researcher

Operational Signal

Using Signal pseudonymously

Tor + Signal = ❤️️

A lot of people are asking me about secure messaging and how to properly use such tools. Every secure messaging application is different and will offer different solutions to counter different threats. You need to know your own personalized threat model before choosing the right tool. Ask yourself who are you protecting against?

Signal is not made of magic

First of all, Signal is an encrypted instant messaging solution. It is not intended to anonymize you or to hide with whom you are communicating. Signal uses a centralized communication scheme with end-to-end encrypted messages. This means your messages (upon having verified the safety numbers) will only be intelligible by you and your remote recipient.

The Signal core protocol is one of the best encryption protocol there is to protect confidentiality (with by default forward secrecy and strong cryptographic algorithms). But encryption doesn’t mean Open Whisper Systems or SIGINT-capable actors can’t identify with whom you’re talking to.

And it’s not about trusting Open Whisper Systems or not, because 1) you should not trust any central authority and 2) their servers could easily be compromised by some third party. Signal being used by a lot of “persons of interest” it represents a very interesting target for any three-letter agency or nation-state hackers. It is also worth noting that the centralized servers (that seems to be hosted on AWS) are running closed source code — though it does not impact confidentiality of the messages they could be exploited to monitor relationship and activity between targets.

You can use Signal as an overt secure messaging platform on your own phone, or as a covert system to communicate. I’ll review the second option as the first one is obviously easy to set up (given some security guidelines).

Using Signal covertly

One often mentioned issue with Signal is the need of a valid phone number. It really depends on your threat model. Is it really an issue? If yes, then you should consider using some other tools that don’t require a phone number (XMPP w/ OTR, Ricochet, …). Nonetheless, there are some ways to set up a clean account, thanks to virtual phone numbers.

Setting up a clean account

First step would be to set up a “clean” environment with your own “opsec” methods. For newbies I would recommend Tails or Subgraph. Tor is of course highly recommended if you wish to remain anonymous, even if I prefer the term “pseudonymous” as you’ll be identified with a unique phone number after all.

1. Get yourself a new phone number

There are numerous virtual phone number providers accepting bitcoins so you can get yourself a new phone number. I won’t get into the details as it is pretty much straightforward. Use Tor. Use Bitcoin. And get yourself a clean number.

2. Create your Signal account using the command-line

Install the excellent signal-cli tool from Github and register your new number with it, it can be done in two easy commands:

⚠️ ️Beware as Java (used by signal-cli) is not working very well with torify or proxychains, so I would recommend setting up a transparent proxy if you want to use Tor with it.

3. Setting up Signal Desktop

Next step, install Signal Desktop (yes, it comes as a Chrome app). Before proceeding any further you should make sure that all Chrome/Chromium connections are going through Tor using your global proxy settings or via a transparent proxy.
Upon opening for the first time the Signal application it should ask you to scan a QR code. This QR code is used by Signal to pair with your existing mobile device, that is in fact our signal-cli client in this context.
Simply translate this QR code to raw text using your favorite QR code scanner, it should translate to something like this: tsdevice:/?uuid=cAg4kd…&pub_key=LpRhjdD2D…

Now pair your desktop app with the addDevice option:

You should see the Signal Desktop app ask you for a new device name and there you go! You now can enjoy using Signal pseudonymously 😉

And voilà! You’re all set with your brand new account ;-)

Please feel free to share and comment. Anything to suggest? Reach out to me via Twitter or Signal at +17752386572 👍