Signal, SHA1 and certificate pinning

Abstract:

Signal is globally regarded as an application that enables secure communication. At the network communication layer, it uses the standard TLS protocol to secure data transmission. In this paper, we analyze the level of security provided by the certificates chain used in the TLS protocol to secure communications with the https://textsecure-service.whispersystems.org service. We verify the basic certificate attributes and the process of validating the certificates chain that is performed in the iOS version of the Signal app. We conclude the paper by voicing some concerns and providing recommendations.