Gliph - Secure Messaging and Bitcoin Transfers on iOS, Android and the Web

[hivewallet]

Hi Rob, all good news, but have you opened sourced Gliph yet?

[1715290905]

1715290905

[1715290905]

1715290905

[Muhammed Zakir]

Privacy is one of our core beliefs. We created a privacy policy to demonstrate this. Part of providing privacy means preventing your data from being snooped on.

Gliph secures data in ways that most other messaging clients (like Whatsapp, GroupMe and Kik) do not. There are also options out there that are a better fit for high security needs (like certain implementations of PGP and OTR).

With Gliph, conversations and personal data are encrypted by SSL over the wire. This information is then encrypted in memory using your password and AES-256. We have an option that renders your account and data unrecoverable without your personal password.

We also have a variety of features for the privacy and security conscious user you might want to check out:

• You can suppress certain senders' names and message previews from Push Notifications.
• Gliph removes EXIF data from your photos before sending them on to the other person.
• You can permanently delete any message and remove it from both sides of the conversation.

I like the protection and privacy you guaranty. I hope Gliph will prevent data from the best hackers. Anyway take precautions for a back up like security. Good Luck!

Kindly,
        Muhammed Zakhir

[Gliph]

Hi Rob, all good news, but have you opened sourced Gliph yet?

Hey there, is this Wendell posting? I want to clarify so there is no sense of this being a Hive vs Gliph Q&A. We like Hive and what it is doing and are not positioning our company to be in competition with Hive.

Regardless, thanks for posing this important question again, I'll seek to clarify this:

We do not have plans to open source Gliph. Gliph does leverage open source components, and we have already contributed valuable open source code in the mobile space, specifically related to cross-platform Bluetooth technology to the bitcoin community.

As I mentioned previously in this thread, I explained in detail the reasons it is unlikely Gliph's code base will be open sourced at this time in one of my previous interviews with Adam Levine on Let's Talk Bitcoin. I ask if you have questions that were not answered there to direct them to me personally and I can try to explain. You can send me a message through this message board or use this link to chat with me: https://gliph.me/x68

There are some folks who feel that software products they use must be open source or rely solely on distributed technology. We believe open source is very important and support those people and their choices of products that do that. We also celebrate the value of distributed systems.  

However, Gliph is still a startup and it is not our focus to satisfy these requirements. As Muhammed sort of indicates below, Gliph is focused on building something that makes fantastic compromises between privacy, security, real-world utility and great user experiences. We can't do everything, or we'd accomplish nothing.

I like the protection and privacy you guaranty. I hope Gliph will prevent data from the best hackers. Anyway take precautions for a back up like security. Good Luck!

Thank you, Muhammed. If you are interested in testing some of the stuff we have coming, please let me know!

--

A few folks signed up, but if anyone else is interested in the Android beta program, please feel free to join here: https://plus.google.com/communities/115060523812882093982

[moni3z]

https://gli.ph/security2.html

You could've just used the open sourced Textsecure client and server crypto engineering which is known to be secure/audited with your custom UI/app to also send coins. Much easier than rolling your own. You can still sell the app if a lot of people use it regardless if it's guts are entirely made up of Textsecure with some added bitcoin functionality.

If the goal is to sell this software with custom crypto engineering you should consider message encryption using a fast native stream cipher like Salsa20 (or ChaCha) + polynomial MAC (Poly1305, VMAC). I would also use ephemeral keys, ECDH over Curve25519 or copy what Textsecure has done to create each session(s) with temporary keys. Ditch RSA +OAEP, just use a curve to derive a key it's much less complex. You save a lot of bandwidth too using Poly1305 which should be essential for any mobile app.

I assume you've also done self signed distributed certs or pinning http://thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/

Finally pay somebody respected to audit your software since money transactions and private messaging is involved. Ask this guy who respected crypto engineers are that can be contracted for auditing: https://twitter.com/matthew_d_green this will generate more interest in your app since none of us can verify the code.

[chipmadness]

Just downloaded the app on iOS, pretty nice app. I am loving these new bitcoin apps hitting iOS lately! Great work, make sure to keep the security up. Is it possible to implement TOR?

[Gliph]

Moni3z, thanks first for taking the time to give this feedback. It is important I preface my response with a repeat from my previous post: There are also options out there that are a better fit for high security needs. Gliph's intention is not to be the world's most secure messaging client. Gliph is focused on making fantastic compromises between privacy, security, real-world utility and great user experiences. We make these compromises to execute on Gliph's actual mission: to help people transact with their peers in a trusted, efficient and delightful way.

You could've just used the open sourced Textsecure client and server crypto engineering which is known to be secure/audited with your custom UI/app to also send coins. Much easier than rolling your own. You can still sell the app if a lot of people use it regardless if it's guts are entirely made up of Textsecure with some added bitcoin functionality.

Textsecure's iOS implementation remains in "early development stage" and is not ready for production. Gliph has been cross-platform, (web, android, iOS for some time). Also, I would assert that technical integrations between multiple cloud wallet services and a secure and private social platform is more challenging than it may appear.

If the goal is to sell this software with custom crypto engineering you should consider message encryption using a fast native stream cipher like Salsa20 (or ChaCha) + polynomial MAC (Poly1305, VMAC). I would also use ephemeral keys, ECDH over Curve25519 or copy what Textsecure has done to create each session(s) with temporary keys. Ditch RSA +OAEP, just use a curve to derive a key it's much less complex. You save a lot of bandwidth too using Poly1305 which should be essential for any mobile app.

Again, the goal of Gliph is strictly not to sell it as security software, even though this is a value proposition compared to other popular options in the market today. I appreciate these specific technical implementation ideas, and will take them into consideration.

I assume you've also done self signed distributed certs or pinning http://thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/

Indeed, our current Android app does do certificate pinning. Although it is worth mentioning that since we did do this additional security enhancement, making the fix for Heartbleed immediately broke all existing clients running Gliph for Android app with certificate pinning. This resulted in a lot of user frustration and created retention issues for the product. This is what I mean about needing to continuously make compromises between security and user experience. If you go too far out on a limb, the only folks you'll attract are hyper-security people and again, we are not after that group of folks. There are other products that are great at addressing those needs.

Finally pay somebody respected to audit your software since money transactions and private messaging is involved. Ask this guy who respected crypto engineers are that can be contracted for auditing: https://twitter.com/matthew_d_green this will generate more interest in your app since none of us can verify the code.

I agree this is a terrific idea, and as soon as the company is capitalized to the point to offer this, we will perform the audit.

Just downloaded the app on iOS, pretty nice app. I am loving these new bitcoin apps hitting iOS lately! Great work, make sure to keep the security up. Is it possible to implement TOR?

Thanks for checking it out! Gliph does work in conjunction with TOR, so long as you have your device set up to route app traffic over the connection. We are unlikely to build native tor support in because it is not too hard to set up and toggle on as a device-wide choice and because every new security feature takes time and energy away from building new products and services that bring us closer to our mission.

[wendell]

Hi Rob, all good news, but have you opened sourced Gliph yet?

Hey there, is this Wendell posting? I want to clarify so there is no sense of this being a Hive vs Gliph Q&A. We like Hive and what it is doing and are not positioning our company to be in competition with Hive.

Regardless, thanks for posing this important question again, I'll seek to clarify this:

We do not have plans to open source Gliph. Gliph does leverage open source components, and we have already contributed valuable open source code in the mobile space, specifically related to cross-platform Bluetooth technology to the bitcoin community.

As I mentioned previously in this thread, I explained in detail the reasons it is unlikely Gliph's code base will be open sourced at this time in one of my previous interviews with Adam Levine on Let's Talk Bitcoin. I ask if you have questions that were not answered there to direct them to me personally and I can try to explain. You can send me a message through this message board or use this link to chat with me: https://gliph.me/x68

There are some folks who feel that software products they use must be open source or rely solely on distributed technology. We believe open source is very important and support those people and their choices of products that do that. We also celebrate the value of distributed systems.  

However, Gliph is still a startup and it is not our focus to satisfy these requirements. As Muhammed sort of indicates below, Gliph is focused on building something that makes fantastic compromises between privacy, security, real-world utility and great user experiences. We can't do everything, or we'd accomplish nothing.

Hi Rob, it was me.

The post had nothing to do with perceived competition; I also don't consider you competitive. I wrote what I wrote because it seems highly irresponsible to market something as "secure and private" when it is impossible to audit the source—we're in the post-Snowden era here, are we not? I don't mean to pick on you guys in particular, you seem like a nice, well-intentioned bunch. But if you truly care about privacy and security, then I don't see how you can disagree with my premise. The old way of doing things has had its day.

"Any person can invent a security system so clever that she or he can't think of how to break it." —Bruce Schneier

Anyway it's your company and you are of course free to do as you like, but I will continue to encourage you to re-think this strategy, and likewise discourage anyone I know from using Gliph until a different direction is taken.

PS- Can you explain to me why "startup" and "open source" are at odds? I don't really follow.

[🏰 TradeFortress 🏰]

We do not have plans to open source Gliph.

Gliph has zero actual security or privacy. Period. You are absolutely throwing your coins, and your privacy away.

Also: http://www.wired.com/2013/11/inputs/

[🏰 TradeFortress 🏰]

The post had nothing to do with perceived competition; I also don't consider you competitive. I wrote what I wrote because it seems highly irresponsible to market something as "secure and private" when it is impossible to audit the source—we're in the post-Snowden era here, are we not? I don't mean to pick on you guys in particular, you seem like a nice, well-intentioned bunch. But if you truly care about privacy and security, then I don't see how you can disagree with my premise. The old way of doing things has had its day.

"Any person can invent a security system so clever that she or he can't think of how to break it." —Bruce Schneier

Anyway it's your company and you are of course free to do as you like, but I will continue to encourage you to re-think this strategy, and likewise discourage anyone I know from using Gliph until a different direction is taken.

PS- Can you explain to me why "startup" and "open source" are at odds? I don't really follow.

This is an especially good point. Here's something from 2008, regarding backdoors in Skype and why you cannot (no exceptions) trust closed source software:

It is antics like this that should make us think twice about trusting proprietary, closed-source software. It demonstrates the inherent value of free and open source code: Backdoors and hidden activities such as this don't have a chance. They will be discovered and removed. With proprietary software you can never know what you get. This is not just limited to software that hails from a heavily monitored society. Even in the west, the most reputable software vendors have had moments where the mere opportunity to capture more data than they really needed about you was just too tempting to pass.

Free and open source is the answer to a world written in code. Our data, our thoughts, our privacy should be worth enough to us that we want to protect them. We have seen here again that you cannot do that with proprietary software.

http://www.geekzone.co.nz/foobar/5823

How true that was, as we've learned in 2013. For those that don't know, Skype originally started with end to end encryption and the promise 'We do not have access to communication data' right in their privacy policy. Today, we know Skype is a PRISM partner.

Security and privacy is fundamentally incompatible with closed source software. There are no exceptions.

PS: Hive, I liked your wallet until you added altcoin crap. But nice to see it open source, though what is it licensed under? Source code published != open source.

Posted from Firefox on Ubuntu

[hivewallet]

PS: Hive, I liked your wallet until you added altcoin crap. But nice to see it open source, though what is it licensed under? Source code published != open source.

GPLv2

[Gliph]

Hi Rob, it was me.

Thanks for coming forward as a person.

The post had nothing to do with perceived competition; I also don't consider you competitive.

Great. Then this is an intellectual discussion and we can steer clear of attacks and simply disagree on specific things if necessary.

I wrote what I wrote because it seems highly irresponsible to market something as "secure and private" when it is impossible to audit the source—we're in the post-Snowden era here, are we not? I don't mean to pick on you guys in particular, you seem like a nice, well-intentioned bunch. But if you truly care about privacy and security, then I don't see how you can disagree with my premise. The old way of doing things has had its day.

The lynchpin of these conversations is usually in the individual interpretation of the word "secure." To clarify, your premise is the word 'secure' may only be used if the source is open, correct?

As I've mentioned, for some folks, that means they can view the source, or the source is available for someone you trust to consult. We're all for these folks and point them to use OTR messaging and PGP.  These kind of people often are ok dealing with the UX downfalls and limitations of these systems.

Most folks don't compile Linux for themselves. So they do treat OS X or their (hopefully) updated copy of Windows as offering security and privacy. I think they have good reason to feel that way, particularly with iOS--even though that is closed source.

I will continue to encourage you to re-think this strategy.

The feedback has been received, thank you.

Can you explain to me why "startup" and "open source" are at odds? I don't really follow.

I won't do nearly as good of a job as dreeves has in compiling Yehunda Katz and AParecki's considerations in this HN thread.

Costs of open sourcing your startup:

1. Reviewing all of the code that you want to open source for secrets that could compromise security.
2. Improving parts of the code that are embarrassing or too coupled to infrastructure that isn't going to be made open source.
3. Additional communication overhead for communicating with the open source community so that contributors don't do work that you're already working on.
4. Time spent triaging and working with features that may not have been high internal priorities (or risk pissing off the open source ecosystem).
5. A general willingness to cede control over the precise direction and priorities to a larger group of open source people.
Aaron Parecki adds:
6. Support costs of helping people get their dev environments set up.
But Yehuda, obviously, is in favor of open-sourcing as long as you understand those costs, and lists these advantages, most of which the article also notes:
1. Gaining additional contributions from open sourcers that would have been expensive or technically impossible to do in-house.
2. A vibrant community of people that are interested in the product, its direction, and are knowledgeable in the implementation.
3. People willing to do cleanup work in order to become familiar with the project and become contributors.
4. Getting insight into product direction by people willing to put their money where their mouth is and dedicate time to implementation (this is the flip side of some of the negative above).
5. A recruitment pool that is already familiar with the product and its implementation.

I'd add to that a security audit in advance of open sourcing the project to protect existing users.

Depending on the project size and age, all that may be low cost. It may even be a cost you're happy to deal with if you feel it is a major value proposition to the audience you're after.

A few more reasons:

 - Gliph's iOS app is completely native, and largely front-end UI (where heavy lifting is done by servers) Objective-C is complex code that is original and valuable and not something we want easily copied by competitors. 

 - Server-side, we do incorporate open source libraries, however the great majority of Gliph platform is original software . The web application is complex, powerful and valuable intellectual property that we have worked very hard on for years. While our goal is to make a big contribution to society, Gliph is not a charity.

 - The Coinbase and Blockchain API's have undocumented peculiarities that we have learned with great pain over time. At this point, it is up to other startups to also figure these issues out to be competitive in this space.

But the number one reason right now is that I personally do not think most regular internet users can explain what it means for software to be open source, let alone how software is built.  They just want to be able to get things done. They want reasonable security and privacy precautions taken without the details. We take care of that for them. Our users do not write in to us ask for open source code, they write in asking for new and better features.

So startups that deal with Bitcoin have a dual problem: they must provide security even though it's value is only understood when there is an intrusion, and they must also actually create a product of real value that gets adopted.

To turn this back to Gliph, we have built an incredibly powerful platform that is just barely scratching the surface for our intent. While it may not meet your particular requirements of security, the platform is secure and handles data securely with privacy controls that are simply not available on any other product right now. 

On the topic of Privacy, our team thought carefully about Gliph's privacy policy which is written in a way that anyone can read. Not just people who know how and have the luxury of spending time reading code for this purpose.

[Gliph]

Hey BitcoinTalk,

We released some cool new stuff today:

0. We added a completely new Desktop Web app to use with gliph. Here's the promo video showing it off:



1. We brought bitcoin back to Gliph in the App Store. Now you can send Bitcoin to other Gliph users and also using a QR code scanner.

2. We added secure Group Messaging. Please see previous posts in thread to go over in detail how we handle security and our views on open source.

3. We have a totally revamped Android Application. It is now basically parity with iOS (no PIN lock on it)

Uniquely, Gliph hooks up to both Coinbase and Blockchain.info wallets. It allows super easy p2p transfers (between Gliph users) and spending outside Gliph using QR codes.

rob

edit: typo

[TheButterZone]

I love the music in that promo video.

One feature that we bitcoiners may like to use is GliphMe- https://gliph.me/

The way I would explain it is that for the person contacting you, it's like those live sales/support chats that Amazon and other sites use - use any non-text-only browser and it'll work without installing any add-ons. You'll get notifications of new messages and open your Gliph app to chat back to them.

[Muhammed Zakir]

Hey BitcoinTalk,

We released some cool new stuff today:

0. We added a completely new Desktop Web app to use with gliph. Here's the promo video showing it off:



1. We brought bitcoin back to Gliph in the App Store. Now you can send Bitcoin to other Gliph users and also using a QR code scanner.

2. We added secure Group Messaging. Please see previous posts in thread to go over in detail how we handle security and our views on open source.

3. We have a totally revamped Android Application. It is now basically parity with iOS (no PIN lock on it)

Uniquely, Gliph hooks up to both Coinbase and Blockchain.info wallets. It allows super easy p2p transfers (between Gliph users) and spending outside Gliph using QR codes.

rob

edit: typo

Great work! For more attention, you can run a small campaign for a week. Will get a good attention from it.

Thank you, Muhammed. If you are interested in testing some of the stuff we have coming, please let me know!

--

A few folks signed up, but if anyone else is interested in the Android beta program, please feel free to join here: https://plus.google.com/communities/115060523812882093982

Sorry I couldn't follow the post for some time. I like to test your stuffs. I am using android and it is sad to hear that you are no longer developing it. Anyway, I can test IOS app too but it will take a little time than testing on android.
Kindly,
       MZ

[Newar]

Gliph Newsletter - October 14th, 2014

========================================

Claim Your New Gliph Username

We're transitioning away from Legacy symbol-based usernames to alphanumeric.

Get yours before it is taken
New usernames are first come, first served!
<https://blog.gli.ph/2014/09/25/gliph-transitions-to-new-username-system/>

========================================

Introducing Gliph Profile Pages

You can now opt-in to having a Profile Page available on the web. This page makes it easier to connect with you and lets people know you accept Bitcoin.

Read More <https://blog.gli.ph/2014/09/25/introducing-gliph-profile-pages/>

========================================

Secure Group Messaging Arrives on Gliph

Gliph now supports secure group messaging across all of its existing clients and its new desktop web application.

<https://blog.gli.ph/2014/07/21/gliph-adds-secure-group-messaging/>

========================================

Privacy Policy Gets an Update

With all of these product updates, we also took the time to update Gliph's Privacy Policy.

<https://blog.gli.ph/2014/07/21/privacy-policy-update/>

========================================

Gliph's Android App Gets Big Update

We released a major update to the Gliph Android app recently. Read about the upgrade.

<https://blog.gli.ph/2014/07/21/big-update-to-the-gliph-android-application/>

========================================

I am very sorry to see the symbols go    It was one of the major things what set Gliph apart from any other chat app I know. Was there no way to keep them alongside the "new" way?

[Gliph]

I am very sorry to see the symbols go    It was one of the major things what set Gliph apart from any other chat app I know. Was there no way to keep them alongside the "new" way?

Hey Newar,

Thanks for noticing and posting this reply here. To answer your question, we are keeping the "Legacy" symbol-based usernames available with the same use cases as before. You can use the old username you have to: Login, Reset your password (if you have not disabled PW reset on your account), Be found in the Gliph system using Add Connection, and even Added to a Group.

So your old username still works, and in fact you can choose not to get a new username if you want. We wanted our existing users to be able to keep things the way they are if they want.  All of this is outlined in the blog post on Gliph's username update here.

That said, we have what we believe to be very good reasons for transitioning away from the old username system.  I'm going to quote our blog post here for convenience:

As regular users of Gliph ourselves, we have found the Gliph Legacy usernames have not become easier to use over time. Though stylistically unique, Gliph Legacy usernames got in the way of the experience in a few ways.

First, people from the Gliph community told us they like the service but find it too hard to connect with other people. A basic function is being able to look up another person in the system and the symbols added friction to that process.

Sometimes when the symbol-usernames were shown in a public group conversation, it was challenging to track who was who. An emerging problem with Gliph Legacy usernames is that they don’t store well in password management tools like 1Password.

The symbol-based usernames were a daring and interesting way to stand out for a company championing privacy and security before people were paying attention to these things.

Privacy and security are still top priorities with us, but Gliph is bigger than those two things. Gliph now helps people connect and transact with each other using Bitcoin. We want the focus here, not on a novel username system.

Moving to alphanumeric usernames simplifies the Gliph platform without sacrificing pseudonymity. You don’t have to remember the symbols that your friend chose or find them on our symbol keyboard. You just need to know their unique written username and type it in.

We have some exciting things related to Bitcoin that we are working on, I hope what you feel we lost in the uniqueness of the symbol usernames will be more than made up for in increased practicality, usability and sheer joy from using Gliph. I implore you: stay tuned.

rob

[Gliph]

Hey Bitcointalk,

Today we released the first version of Gliph Marketplace, a new way to buy and sell using cash or Bitcoin. This is the easiest way to close a deal P2P using bitcoin yet.

Our team has brought together secure messaging, transaction workflow and digital payments into an awesome new P2P transaction experience we call Deal Flow.

• Deal Flow helps you stay focused on completing a deal by integrating messaging and useful push notifications into the buying and selling experience. Gliph Marketplace has privacy built-in eliminating the distraction of “burner” phone numbers and “email gateways.”
  
• Deal Flow saves you time with intuitive listing status updates. For example, when someone is ready to buy something from you, the status moves from “Q&A” to “Offer Submitted.” Deal status updates ensure you have the most recent information so you can make the best decision with your time.
• Deal Flow earns you money faster by making digital payments an integrated part of the Gliph Marketplace experience. Once you’ve accepted an offer, paying for the item using Bitcoin is handled in a single tap.

Watch the promo video here.

[TheButterZone]

My first Gliph Marketplace item: https://gli.ph/l/54b032ea9e9ad173b8cc794b

[Gliph]

My first Gliph Marketplace item: https://gli.ph/l/54b032ea9e9ad173b8cc794b

That is a nice piece. Thank you for listing it!

Other BitcoinTalk folks who are interested, feel free to PM me.

[Gliph]

Hey BTCtalk peeps,

We released version 2.0 of iPhone app (with Gliph Marketplace today). It has a bunch of improvements from the 1.x versions.

You can read about the update in our blog entry here.