Hacker News new | ask | show | jobs
by gioi 4010 days ago
Just yesterday I was trying to get a bot working on the TextSecure platform. A vastly disappointing experience: almost not existing libraries, sparse and incomplete documentation, unstable protocol breaking without any kind of notice (https://github.com/JavaJens/TextSecure/issues/6, for example). And still no way to register without a phone, which would be amazing for this kind of project: https://github.com/WhisperSystems/TextSecure/issues/1085

I think Telegram is succeeding in what TextSecure is failing: attracting a widespread community of developers. This is only a confirmation, in my opinion.

EDIT: and, by the way, while Telegram security is no good, I wonder why we cannot have both (security & developer-friendliness)
3 comments
moxie 4010 days ago
Try using libtextsecure instead of interacting with websockets directly. We publish artifacts, and while the API might change over time, if you stick with a versioned artifact you'll be good. http://open-whisper-systems.readme.io/v1.0/docs/textsecure-j...

We have a few bots in production that use libtextsecure and have been running fine for almost a year without any maintenance.

link
dmix 4010 days ago
Last year I wanted to help out with the TextSecure browser (chrome extension) project and had a similar experience as the OP.

I was a bit at loss about where to begin, as I couldn't find documentation about getting the extension setup for dev/testing. Specifically I couldn't get past the QR-code auth screen as I seemed to be missing some special configuration to connect with the servers.

I just assumed it wasn't really ready for outside devs yet.

But I just checked back in on the repo and it looks like a new CONTRIBUTING doc has been added, which is great: https://github.com/WhisperSystems/TextSecure-Browser/blob/ma... This is the type of stuff I was looking for.

I'm happy to see WhisperSystems making contributing more accessible. I probably could have learned this stuff by asking the devs, but I didn't want to bother them, I much prefer reading docs and playing with it myself first.

link
gioi 4009 days ago
Thank you for your answer and for your time.

My language of choice for the bot was Clojure. I was interfacing with libaxolotl-java and basically rebuilding libtextsecure in Clojure (that was months ago).

Yesterday, when I discovered libtextsecure-java (while exploring Github repositories, by the way, I didn't notice your website had been updated in the meantime), I started a rewrite, using README as my primary source of documentation (the only piece of doc I could find, actually).

Ok, so what's this `KeyHelper`? Ok, I'll search on Github. Fine, it's actually `org.whispersystems.libaxolotl.util.KeyHelper` - luckily I knew it was in a completely different project. The same goes for `AxolotlStore`, which is actually `org.whispersystems.libaxolotl.state.AxolotlStore`, and it's not even mentioned on libaxolotl-java README because the latter is outdated.

Then: what is `TrustStore`? Good luck finding out that! Basically it is a wrapper around a binary file - which I had to download from TextSecure source repo without knowing what there was inside, and which by the way is encrypted with the password whisper (documentation: nowhere - thank you @AsamK for your textsecure-cli sources on github).

Ok, and finally figuring out - turning to TextSecure-Server docs - what is a signaling key, what are the specifics for the client-generated password (which by the way is sent over SSL via Basic authentication - probably not the most secure method ever, but probably there are many reason for that) and what is an install ID, I finally had the opportunity to debug obscure security problems on Java and to meet in person a Fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=1167153). Not to mention the fact that apparently libtextsecure-java doesn't work over websockets but only over GCM (https://github.com/WhisperSystems/libtextsecure-java/pull/5) - however I won't be surprised if it did.

A really nightmarish experience. Maybe this summer I'll try to reimplement libtextsecure in another language and then document thoroughly my efforts. Who knows.

link
jumperjake 4009 days ago
Any chance of providing an api that is more friendly to be used from other languages? Java is not the easiest thing to work with.

Also, does this library work on other systems besides android? I've noticed `android` appearing multiple places and google specific api (`GoogleCloudMessaging`).

link
_jomo 4010 days ago
I'm using Cyanogenmod and I wanted to try TextSecure. There is a version for SMS pre-installed, but I'm not a fan of paying money for 128 bytes of data.

I don't have any Google Services installed.

So I tried finding it on F-Droid, but it wasn't there. I found out there has been a lot of discussion about this. [0][1]

I decided to compile it on my own. That requires to use use Google Libraries, oh well. I managed to get that done and was disappointed when I tried to use it. It also requires to have Google Services installed on your phone for push notifications. I don't have that.

I tried finding a solution, and other people complained about this and there was the idea to use websockets instead of google push notifications [3]. Someone forked TextSecure and started working on it [4].

Unfortunately that fork isn't stable yet, and it doesn't communicate with 'producion' users of TextSecure [5].

This is where I gave up. It shouldn't be so hard to install a free app on a free system.

Also, the websocket fork is somewhat dead [6].

0: https://f-droid.org/posts/security-notice-textsecure/

1: https://github.com/WhisperSystems/TextSecure/issues/127

3: https://github.com/WhisperSystems/TextSecure/issues/1000

4: https://github.com/JavaJens/TextSecure

5: https://github.com/JavaJens/TextSecure/issues/10

6: https://github.com/JavaJens/TextSecure/issues/15

link
iamthebest 4010 days ago
I had the same experience. I am using CyanogenMod as well and as much as I dislike Google I did install the Play services. I can't even remember why but I think I needed it to use the google voice app.

Anyway, google play apparently tried to auto-update and bricked itself; now it just says "no connection" when I launch the play store.

Last week I tried to install TestSecure but it would not run. It just gave an error message about needing to update play services.

I ended up installing the Telegram app in F-Droid.

link
Nullabillity 4009 days ago
I've had Play Services brick itself a few times, but uninstalling all updates tends to fix it.
link
vosper 4009 days ago
After all that effort, do you regret not just buying it?
link
tedks 4009 days ago
What are you saying the comment parent should have bought? TextSecure is free-libre-open-source software, it isn't sold anywhere. It depends on the Google Play Services, and cannot be run effectively if the framework is not installed on the device.
link
vosper 4009 days ago
> There is a version for SMS pre-installed, but I'm not a fan of paying money for 128 bytes of data.

I think I misread this as saying there was a paid-for version available for install, but I have no idea how I got that, since it's clear that it's the SMS charge he doesn't want to pay for.

link
janimo 4009 days ago
My TextSecure Golang package has a command line client with a simple echo-bot mode included. While the API is far from finished or very clean, it can be used for making simple bots.

https://github.com/janimo/textsecure

link