Hacker News new | ask | show | jobs
by pR0Ps 4087 days ago
Actually, if you receive a message from someone using SMSSecure, you'll get a prompt asking if you want to upgrade to a secure session. But yes, there is no way to look someone up and check if they're using SMSSecure.

The detection was actually inherited from TextSecure and works by "tagging" shorter messages with some detectable whitespace after the message contents. A bit of a hack, but it's a limitation of the transport.

Relevant commit: https://github.com/SMSSecure/SMSSecure/commit/93d94f2b7a9fd6...
1 comments
psykovsky 4086 days ago
So, that detection can be used by anyone who receives one of my texts to see if I use SMSSecure or not? Isn't that a metadata leak?
link
pR0Ps 4085 days ago
Yes, anyone who analyzes the messages you send can assume that you are using SMSSecure.

However, compared to the amount of metadata that's already being leaked over SMS[1], adding the fact that you could[2] be using a specific SMS client that has the ability to encrypt messages doesn't seem too bad.

There was an option in a previous version of TextSecure to disable this tagging, but it was deemed unused and axed[3]. For the same reason, I'm loathe to add it back in, but having the option shoved under the "Advanced" menu may not be too bad.

[1] This is something that TextSecure does much better with. SMS messages (even encrypted) still leak metadata on who you're messaging and when.

[2] There's some element of deniability with whitespace tags (granted, not a lot). On the other hand, if you're registered with TextSecure (which can be checked simply by adding a user your contacts and opening the app), there's only one reason you would be there.

[3] See https://github.com/WhisperSystems/TextSecure/commit/40eca5e0...

link