| HN Mirror

Y	Hacker News new \| ask \| show \| jobs


	by jlund 4420 days ago
	Full disclosure: I wrote that Support Center article. The comment I was replying to made it sound as though TextSecure's infrastructure is almost entirely Google-based. It is not, and that's what I meant when I said "This isn't entirely true." The server is open source and it already includes preliminary support for WebSockets and Apple's APN push messaging network. Google's GCM is merely one component, and alternatives are being worked on. Apple also has root access to all iOS devices via their over-the-air update framework. Opaque basebands and graphics chips with closed source drivers are difficult to trust too. None of these scenarios mean that software which offers serious improvements over the status quo should be casually dismissed. TextSecure can (and does) provide significant protection from mass surveillance and targeted surveillance. Security nihilism is corrosive.

1 comments

acqq 4420 days ago

So it's still true that currently the sever side uses only Google servers. It's nice to hear that there's work on the alternatives.

What you call "nihilism" is simply the observation of the current state. At the moment Google has root access and all the metadata of all TextSecure users, and currently the user can't configure TextSecure to use some other servers even if he'd prefer to do so. Still I'm glad that I've seen that some server-side code is now open source.

jlund 4420 days ago

The server side is currently relaying messages for the in-progress iOS and Chromium clients. That's functionality that exists today, even though the clients are still under development. The TextSecure server is an elegant and important part of TextSecure's infrastructure. I stand by my assertion that it's an oversimplification to say that TextSecure == Google's Servers.

Google does not have access to any metadata, other than the fact that you are a TextSecure user who has received a Push notification. GCM payloads are fully encrypted. Google cannot tell who a message was from, they cannot see which numbers were involved (users are free to register with a number that is different than the one assigned to the cell phone that is running TextSecure), they cannot tell whether or not it was part of a group conversation, and they cannot see its contents.