[whispersystems] Signal Server source code

Discussion:

Frank Röhm

2016-01-26 12:05:16 UTC

Hello
when there was Redphone, there was an issue “Redphone Server” (#63) concerning the source code of Redphone which was not available.
I wonder now if that has changed under Signal.
I see in the Open Whisper System repositories now a "TextSecure-Server”:
https://github.com/WhisperSystems/TextSecure-Server
and another repo “PushServer”:
https://github.com/WhisperSystems/PushServer
so is one of these the actual server sourcecode of Signal?
I didn’t go deep into the code to find out.

Or is it in Signal itself (and I don’t find it)?

Where can I find the source-code of Signal, so I could establish my own server for my own and closed Signal-App (as a fork of Signal)?

Thanks

frank

Frank Röhm

2016-01-26 12:42:32 UTC

Permalink

I believe there are still two separate servers, and I believe the same issue with Redphone's source being closed exists.

So the two mentioned server (TextSecure-Server and PushServer) are not related to the real Signal Server’s Source code?

Xavier Lebrun

2016-01-26 12:47:10 UTC

Permalink

to what i understood

textsecure and push servers refers for the message part only

but still i am not sure 100%

Am 26.01.2016 um 13:33 schrieb Michel, Stephen J. <
I believe there are still two separate servers, and I believe the same

issue with Redphone's source being closed exists.
So the two mentioned server (TextSecure-Server and PushServer) are not
related to the real Signal Serverâs Source code?

Frank Röhm

2016-01-26 13:14:35 UTC

Permalink

Post by Xavier Lebrun
to what i understood
textsecure and push servers refers for the message part only

Siipola Antti

2016-01-26 13:59:18 UTC

Permalink

To my understanding, there are no official or even unofficial instructions available ATM.

I did look into this couple of months ago and came to conclusion that the texting part is there and some handling for voice, but voice relay (or "switch"?) is missing. By this I mean a service that bounces the voice traffic between the call participants.

You may look into the client implementations and perhaps a Wireshark capture of couple of voice calls to deduce the infrastructure Whispersystems has built. I'm afraid replicating this will require writing new code or at least adapting some other project's implementation to get a complete stack.

Also, I think this topic should be continued here: https://groups.google.com/forum/#!forum/whispersystems-community-unofficial

Br, Antti

-----Original Message-----
From: whispersystems-***@lists.riseup.net [mailto:whispersystems-***@lists.riseup.net] On Behalf Of Frank Röhm
Sent: 26. tammikuuta 2016 15:15
To: whispersystems
Subject: Re: [whispersystems] Signal Server source code

Post by Xavier Lebrun
to what i understood
textsecure and push servers refers for the message part only

Is there any explanation how to set up my own server?
This would exactly show which server to use and which source code it is.
But I don’t find, there was neither under Redphone times.

Server was forever closed source, the explanation at this times from moxie was, that they don’t want to support it they have not the time for it.
And server source code without support would cause support questions anyway moxie said.
By the way, he called it not “server” but “Switch”.

frank

----------------------------------------------------------------
Please note: This e-mail may contain confidential information
intended solely for the addressee. If you have received this
e-mail in error, please do not disclose it to anyone, notify
the sender promptly, and delete the mess

Raphael Arias

2016-01-26 14:19:35 UTC

Permalink

Thanks, Antti.

The question about server support pops up on average once per week on
this list. The answer is always the same: it is not supported by
WhisperSystems and this mailing list is not the place to discuss it.

I would like to point out, that this mailing list is archived online at
[0] so you can look at old threads there before asking the same
questions again.

The mailing list Antti linked to [1] might be where you can find answers
to questions that are not answered here.

So long,
Raphael

[0] https://lists.riseup.net/www/arc/whispersystems
[1]
https://groups.google.com/forum/#!forum/whispersystems-community-unofficial

Post by Siipola Antti
To my understanding, there are no official or even unofficial instructions available ATM.
I did look into this couple of months ago and came to conclusion that the texting part is there and some handling for voice, but voice relay (or "switch"?) is missing. By this I mean a service that bounces the voice traffic between the call participants.
You may look into the client implementations and perhaps a Wireshark capture of couple of voice calls to deduce the infrastructure Whispersystems has built. I'm afraid replicating this will require writing new code or at least adapting some other project's implementation to get a complete stack.
Also, I think this topic should be continued here: https://groups.google.com/forum/#!forum/whispersystems-community-unofficial
Br, Antti
-----Original Message-----
Sent: 26. tammikuuta 2016 15:15
To: whispersystems
Subject: Re: [whispersystems] Signal Server source code

Post by Xavier Lebrun
to what i understood
textsecure and push servers refers for the message part only

Is there any explanation how to set up my own server?
This would exactly show which server to use and which source code it is.
But I don’t find, there was neither under Redphone times.
Server was forever closed source, the explanation at this times from moxie was, that they don’t want to support it they have not the time for it.
And server source code without support would cause support questions anyway moxie said.
By the way, he called it not “server” but “Switch”.
frank
----------------------------------------------------------------
Please note: This e-mail may contain confidential information
intended solely for the addressee. If you have received this
e-mail in error, please do not disclose it to anyone, notify
the sender promptly, and delete the message from your system.
Thank you.

Frank Röhm

2016-01-26 15:45:11 UTC

Permalink

Post by Raphael Arias
The question about server support pops up on average once per week on
this list.

Funny that a search in the archive didnt show any results.
Search for: server source code -> 0 hits
That was my first try, by the way.

Post by Raphael Arias
The answer is always the same: it is not supported by
WhisperSystems and this mailing list is not the place to discuss it.

Anyway, thank for this answer, exactly this I wanted to know.
Roger and over.

frank

Vyacheslav Raskulin

2016-01-26 22:50:17 UTC

Permalink

Post by Raphael Arias
The answer is always the same: it is not supported by
WhisperSystems and this mailing list is not the place to discuss it.

And where is this place,finally?

Post by Raphael Arias

Post by Raphael Arias
The question about server support pops up on average once per week on
this list.

Funny that a search in the archive didnt show any results.
Search for: server source code -> 0 hits
That was my first try, by the way.

Post by Raphael Arias
The answer is always the same: it is not supported by
WhisperSystems and this mailing list is not the place to discuss it.

Anyway, thank for this answer, exactly this I wanted to know.
Roger and over.
frank

Raphael Arias

2016-01-26 23:24:42 UTC

Permalink

Post by Vyacheslav Raskulin

Post by Raphael Arias
The answer is always the same: it is not supported by
WhisperSystems and this mailing list is not the place to discuss it.

And where is this place,finally?

Hi Vyacheslav,

see below ;)

Best regards,
Raphael

Post by Vyacheslav Raskulin
Thanks, Antti.
The question about server support pops up on average once per week
on this list. The answer is always the same: it is not supported
by WhisperSystems and this mailing list is not the place to discuss
it.
I would like to point out, that this mailing list is archived
online at [0] so you can look at old threads there before asking
the same questions again.
The mailing list Antti linked to [1] might be where you can find
answers to questions that are not answered here.
So long, Raphael
[0] https://lists.riseup.net/www/arc/whispersystems [1]

https://groups.google.com/forum/#!forum/whispersystems-community-unoffic
ial

Xavier Lebrun

2016-01-26 23:50:38 UTC

Permalink

1

question about the server support is frequent and response is always the
same.
the signal project is a service project not a software project.
so no support for software...

there is the google groups for that.
but maybe another place shall be up.

2

for the source code it is much less discussed frankly.

some emails were exchanged recently but not directly on the mailing.

message server is released
call server is not released

xavier

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Post by Vyacheslav Raskulin

Post by Raphael Arias
The answer is always the same: it is not supported by
WhisperSystems and this mailing list is not the place to discuss it.

And where is this place,finally?

Hi Vyacheslav,
see below ;)
Best regards,
Raphael

https://groups.google.com/forum/#!forum/whispersystems-community-unoffic
ial
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJWqAA6AAoJEEHRIZEpQl/vfuoP/3R8r5qEsRNg/YXqr+ihx1eV
o54b/8Hq3lqNny7GXWZyIEzHeXeFzuRSHQZhx90w+xv7XKIx1JRQBfVOvf6C/uod
lpOZytLQDozmKCUin0JDNfoUtmBxtbpsE1dl7fgN7XjOpQhRs1gP0spyRwLk9Fhp
b498JHdz98ZvgCoLCOJLVGl6rtE6MpWNLH6D8Q13rk6332jxG8CH6QufK5I1zYvY
3nSFRGxksb+IokPRrvp7UUNQ1BipERZi7P67cf/3/WxfxtjBHplxXQVffi+DohPz
+KWDI7NfKszYkyg/Qws2i5lrlV+eVBvA2HK+kNfmv0Xipyu3chWi0VTH93gL7dlB
b5TyAT2kvuipo5VF719Zsiy3KdkSsEWJ/gitwWiP0wfcXN7xpDMeb8f0Fj24vMfq
5u0CHBAZAAvSbiR7kNSFscGkKOpU+uZZWPE+AVHSHfkkapR1bN5ACWfFZET7hc/q
vyVV8tULCpPH9tLPxa/xM7cmxINJrOH7ihgY+mCYN0ZptqIN7Cx5fe9NN0+HAMGB
Vqf8V4b5CYuqAeOatZbhBnrRDRIDJZMkcOUjrRxz8T0YTrfNDLcRaEtReMh64yJP
zHIOxYIIAsDtRtrb5v7SDCehsSw52SA1MKc4PxzrZTobybC4LRY8rogtTlmcsqJt
3SV2cYDpCus2T6Sjf2QK
=6apa
-----END PGP SIGNATURE-----

Sam Lanning

2016-01-27 00:15:59 UTC

Permalink

This is true of client side code, which is the important part, and the part
that is open source. So this critique does not apply to Signal.

And even if signal did supply source code for the servers, it wouldn't
prove anything, as they could technically run a modified version.

Sam.
On 27 Jan 2016 12:10 a.m., "TiagoTiago" <

Hm, isn't it a common critique of other projects that present themselves
as protecting the user's privacy, that they don't got part of their code
open, and therefore, for all we know, could be hiding some dangerous bug or
even an intentional backdoor? (wasn't there some talk a while back about
some crypto standards that at first appeared secure but actually had a
secret masterkey?)

Post by Xavier Lebrun
1
question about the server support is frequent and response is always the
same.
the signal project is a service project not a software project.
so no support for software...
there is the google groups for that.
but maybe another place shall be up.
2
for the source code it is much less discussed frankly.
some emails were exchanged recently but not directly on the mailing.
message server is released
call server is not released
xavier

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Post by Vyacheslav Raskulin

Post by Raphael Arias
The answer is always the same: it is not supported by
WhisperSystems and this mailing list is not the place to discuss it.

And where is this place,finally?

Hi Vyacheslav,
see below ;)
Best regards,
Raphael

Justin Tracey

2016-01-27 05:00:30 UTC

Permalink

Wouldn't it at least make it less likely they are running a backdoored
server, since by providing a functional server code that is compatible
with the client, if they were at the same time running a backdoored
server, they would have to go thru the effort of removing all traces of
the backdoor without breaking anything in the code they provide to the
public? (this inquiry is related to the concern that it could be a way
to hide the presence of a backdoor in the crypto, or even the protocol
itself, from anyone that didn't know where to look for)

Any conceivable back door the server could run would have to either
change outgoing traffic in a malicious way, which would be just as
detectable with and without a supposed server "source," or be completely
transparent to the public interface, which also obviously doesn't become
easier or harder to detect with the server "source." What attacks are
you mitigating by having this code? In any case, it doesn't matter
because...

I mean, there would always be a way to continue to hide this
hypothetical backdoor, but all alternatives I can think of, would
involve additional effort on top of keeping everything running smoothly
in the production network, so it would at least rule out the low-hanging
threats.

The entire point of end-to-end encryption is that you don't have to
trust the communication channel. A Signal message could be dropped off
at the front porch of the NSA and they wouldn't be able to do anything
with it, other than look at the metadata. Given some basic assumptions
about the system (e.g. you don't have malware on your phone, nobody owns
a large scale quantum computer, etc.), we can formally prove that the
messages you send can only be read by the desired party. Again, that's
the whole point. If it were possible for there to be a back door on
Signal's servers that could read messages, then the problem is with the
Signal client, not the server.

- Justin

Ivan Kwiatkowski

2016-01-27 07:26:26 UTC

Permalink

I think this conversation about whether or not the server may contain
backdoors is a little misguided.
There are legitimate reasons why people might want to have a look at
the server's code, and I think there are enough FOSS believers and/or
advocates in this community that they don't have to be listed again.
Unless anyone here is arguing that having a closed-source server is
better security-wise, let's just move on.

I assume that the bottom line is that there are other pragmatic
reasons why the OWS team has chosen not to publicly release the server
software. Here are a couple ones from the top of my head:
- - Preventing fragmentation of the user-base
- - Hindering hostile forks
- - No time to document the code / document how to set up servers /
handle the inevitable support requests

JusticeRage

Post by Justin Tracey

Wouldn't it at least make it less likely they are running a
backdoored server, since by providing a functional server code
that is compatible with the client, if they were at the same time
running a backdoored server, they would have to go thru the
effort of removing all traces of the backdoor without breaking
anything in the code they provide to the public? (this inquiry is
related to the concern that it could be a way to hide the
presence of a backdoor in the crypto, or even the protocol
itself, from anyone that didn't know where to look for)

Any conceivable back door the server could run would have to
either change outgoing traffic in a malicious way, which would be
just as detectable with and without a supposed server "source," or
be completely transparent to the public interface, which also
obviously doesn't become easier or harder to detect with the server
"source." What attacks are you mitigating by having this code? In
any case, it doesn't matter because...

I mean, there would always be a way to continue to hide this
hypothetical backdoor, but all alternatives I can think of,
would involve additional effort on top of keeping everything
running smoothly in the production network, so it would at least
rule out the low-hanging threats.

The entire point of end-to-end encryption is that you don't have
to trust the communication channel. A Signal message could be
dropped off at the front porch of the NSA and they wouldn't be able
to do anything with it, other than look at the metadata. Given some
basic assumptions about the system (e.g. you don't have malware on
your phone, nobody owns a large scale quantum computer, etc.), we
can formally prove that the messages you send can only be read by
the desired party. Again, that's the whole point. If it were
possible for there to be a back door on Signal's servers that could
read messages, then the problem is with the Signal client, not the
server.
- Justin

Frank Röhm

2016-01-27 07:35:21 UTC

Permalink

Post by Ivan Kwiatkowski
I assume that the bottom line is that there are other pragmatic
reasons why the OWS team has chosen not to publicly release the server
- Preventing fragmentation of the user-base
- Hindering hostile forks
- No time to document the code / document how to set up servers /
handle the inevitable support requests

Exactly that last point was the reason moxie gave me under red phone where this was discussed a bit in an issue (#63).
I really can understand this point, but…

If I understand right, it is possible to set up the text server part (without the calling function)?
So could I set up a clone which would use my server for only texting?
Anyone knows if this is theoretisch possible?

Thank

Natanji

2016-01-27 11:29:31 UTC

Permalink

Yes it is possible, but for heaven's sake, bring this to the unofficial server support mailing list that qas listed two or three times within the past week alone, and not the one here.

The spam with off-topic discussions here has become so frequent lately that I'm considering unsubscribing from this mailing list. At least search the archives once before you post yet another question on server support? :/

Maybe we should just abandon ship on this ML here and make an unofficial ML which explicitly bans server support questions...? I'm really frustrated atm.

Exactly that last point was the reason moxie gave me under red phone where this was discussed a bit in an issue (#63).
I really can understand this point, butâŠ

If I understand right, it is possible to set up the text server part (without the calling function)?
So could I set up a clone which would use my server for only texting?
Anyone knows if this is theoretisch possible?

Thank

Jani Monoses

2016-01-27 11:51:24 UTC

Permalink

FWIW I made a PR to change the readme.

https://github.com/WhisperSystems/TextSecure-Server/pull/64

Post by Natanji
Yes it is possible, but for heaven's sake, bring this to the unofficial
server support mailing list that qas listed two or three times within the
past week alone, and not the one here.
The spam with off-topic discussions here has become so frequent lately
that I'm considering unsubscribing from this mailing list. At least search
the archives once before you post yet another question on server support? :/
Maybe we should just abandon ship on this ML here and make an unofficial
ML which explicitly bans server support questions...? I'm really frustrated
atm.

Am 27.01.2016 um 08:26 schrieb Ivan Kwiatkowski <
I assume that the bottom line is that there are other pragmatic
reasons why the OWS team has chosen not to publicly release the server
- Preventing fragmentation of the user-base
- Hindering hostile forks
- No time to document the code / document how to set up servers /
handle the inevitable support requests

Exactly that last point was the reason moxie gave me under red phone where
this was discussed a bit in an issue (#63).
I really can understand this point, butâŠ
If I understand right, it is possible to set up the text server part
(without the calling function)?
So could I set up a clone which would use my server for only texting?
Anyone knows if this is theoretisch possible?
Thank

Leo Francisco

2016-01-27 15:25:15 UTC

Permalink

Hey Natanji and anyone else interested,

I would recommend having all your mailing list emails going to a
separate folder. I use Thunderbird and it's really easy to set up
folders and filters (Tools>Message Filters) to have different lists
going into different folders. I'm sure this is easy to do using Gmail
web interface too. I also use a separate email just for mailing lists.

Just thought I'd share as this is quite a high traffic list and I know
that can get annoying for some people.

All the best
Leo

Post by Natanji
Yes it is possible, but for heaven's sake, bring this to the
unofficial server support mailing list that qas listed two or three
times within the past week alone, and not the one here.
The spam with off-topic discussions here has become so frequent lately
that I'm considering unsubscribing from this mailing list. At least
search the archives once before you post yet another question on
server support? :/
Maybe we should just abandon ship on this ML here and make an
unofficial ML which explicitly bans server support questions...? I'm
really frustrated atm

Am 27.01.2016 um 08:26 schrieb Ivan Kwiatkowski
I assume that the bottom line is that there are other pragmatic
reasons why the OWS team has chosen not to publicly release the

server

- Preventing fragmentation of the user-base
- Hindering hostile forks
- No time to document the code / document how to set up servers /
handle the inevitable support requests

Exactly that last point was the reason moxie gave me under red
phone where this was discussed a bit in an issue (#63).
I really can understand this point, butâŠ
If I understand right, it is possible to set up the text server
part (without the calling function)?
So could I set up a clone which would use my server for only texting?
Anyone knows if this is theoretisch possible?
Thank

Raphael Arias

2016-01-27 09:18:20 UTC

Permalink

Hey Frank,

Yes, this should be theoretically possible. I have not tried but believe others have.

I will, once again, refer everyone interested in this topic to the unofficial mailing list at

https://groups.google.com/forum/#!forum/whispersystems-community-unofficial
<https://groups.google.com/forum/#%21forum/whispersystems-community-unofficial>

Please :)
There are quite a few people on this list and this discussion is tiring for many of them, I imagine.

Have a wonderful day, everyone!
Raphael

Am 27. Januar 2016 08:35:21 MEZ, schrieb "Frank Röhm" <***@gmx.net>:

If I understand right, it is possible to set up the text server part
(without the calling function)? So could I set up a clone which
would use my server for only texting? A nyone knows if this is
theoretisch possible? Thank