[HN Gopher] Help users in Iran reconnect to Signal
___________________________________________________________________
Help users in Iran reconnect to Signal
Author : arkadiyt
Score : 1115 points
Date : 2021-02-04 16:42 UTC (1 days ago)
(HTM) web link (signal.org)
(TXT) w3m dump (signal.org)
| Ericson2314 wrote:
| Doesn't this chip away at the benefits of Signal not being
| federated? Say the proxies need to be updated?
| grandchild wrote:
| Not really. There's not much Signal-protocol-specific
| technology involved on the proxy, other than dropping traffic
| that doesn't go towards the Signal server itself.
| Ericson2314 wrote:
| Fair enough.
| arendtio wrote:
| As much as I admire the cause, I can't ignore the irony:
|
| First Signal doesn't want to build a federated service because it
| is too complicated to build (for the guys who brought us a new
| class of encryption) and now they are asking us for proxy servers
| because their centralized network can be censored...
|
| But since Signal is probably the best option for private
| communication right now, I don't want anybody to discourage to
| run a proxy right now.
| londons_explore wrote:
| This is going to be a game of cat and mouse...
|
| And if you're the mouse, you really don't want to be hobbled by
| not having an auto-update mechanism in your proxy servers...
|
| At the very least they could have made it load the config from
| https://signal.org on startup, or made an apt package that
| sysadmins can easily update with everything else.
| eatbitseveryday wrote:
| I do not know anyone in Iran but have spare cash to host a VPS or
| two. How can I help anyone without broadcasting my proxy for the
| censors to eventually get ahold of?
|
| edit: https://twitter.com/alsdkjflasdkjf1
|
| edit2: You can drop me a mail here, too:
| jegzc4na8j7@temp.mailbox.org
| mr_woozy wrote:
| Happy to spin up a proxy, but now what?
|
| how do I offer it to others for use if I don't use twitter?
| realducksoft wrote:
| This proxy failed to be probing resistant. The PoC code is
| released by studentmain: https://github.com/signalapp/Signal-TLS-
| Proxy/issues/3#issue...
| lucb1e wrote:
| That's the sort of PoC that should be PGP encrypted to the
| Signal authors instead of publicly posted. Iran will have a
| field day with it being posted like this.
|
| Except, of course, that posting public keys is too 1990s for
| him https://moxie.org/2015/02/24/gpg-and-me.html (which
| contains some good arguments but offers no solutions, so
| whatcha gonna do, post a phone number and trust the signal
| servers to give you the right public key? That's better than
| self-published public keys? For an anarchist? Is it smart to
| post phone numbers publicly anyway, see e.g. SS7?) Perhaps just
| ignore this paragraph, I'm just a confused person seeing mixed
| signals.
| mercora wrote:
| it is pretty trivial though and an obvious deficit easily
| visible by just looking at the "code" or nginx config in this
| case... it is even trivial to come up with this without
| knowing any of the setups details...
| 2Gkashmiri wrote:
| this is fine and dandy but when you have a state actor operating
| with such offensive tactics like india is currently engaged in
| kashmir, there isnt much these "proxies" can do. sorry. the idea
| of these proxies is all fun and nice but when a government can
| just whitelist the entire fucking internet and none of these
| nonsense works
|
| https://www.theguardian.com/world/2020/jan/15/internet-parti...
|
| https://thewire.in/rights/kashmir-internet-white-list-net-ne...
|
| https://thewire.in/rights/modis-thought-control-firewall-in-...
|
| >The reason the government wants to keep blocking full access to
| the internet in the Valley is its fear of civil disobedience.
|
| and the ban is still in place although it is on high speed mobile
| internet today.
|
| https://thekashmirwalla.com/2020/12/high-speed-internet-ban-...
|
| not to forget there were reports of CISCO being brought in to
| build this fucking firewall
| f430 wrote:
| its weird that all the criticisms of the technique in this
| article is being downvoted without any rebuttal
|
| people underestimate the security intelligence service of
| countries in this region. They have far more capacity than
| people in the West estimate.
|
| It's irresponsible of HN to put people in potential harms way,
| Iran is at a breaking point, they have nothing to lose and will
| stop at nothing to stop exfiltration and access to internet.
| 2Gkashmiri wrote:
| yes. back after 5 august, i think i got my first crack at
| internet in february 2020 with 2G internet and a whitelist of
| "allowed websites". i found out in my own tests that ssh
| tunneling over random ports used to work. i had managed to
| set up a server on amazon aws, and i did a dirty ssh tunnel
| to that to get access to blocked websites. even that failed
| after some tries and changing networks.
|
| >It's irresponsible of HN to put people in potential harms
| way, Iran is at a breaking point, they have nothing to lose
| and will stop at nothing to stop exfiltration and access to
| internet.
|
| yes. shocked pikachu face gets a random HN reader nothing but
| people can die as a result of this. heck i have records of
| people who are locked up since last year because of "social
| media misuse" aka dissent
| f430 wrote:
| I think people on HN are mostly North Americans, they are
| generally very ignorant of the workings outside their own
| suburbs/city (we live in the best part of the world they
| say!)
|
| So there is this bias towards other 3rd world countries. To
| many they are still a backwards, technologically illiterate
| countries yet somehow North Korea routinely dominates other
| wealthier nations in cyber security.
|
| India's intelligence agency has always been competing with
| Pakistani, very much like the Iranian security forces &
| Israeli intelligence, these guys have been fighting battles
| the rest of the world will never hear about, so its foolish
| to underestimate their capabilities like we do on HN.
| jagiammona wrote:
| Noob question: Can a Signal proxy be usefully run on a Raspberry
| Pi (RP4 ModelB 8GB RAM)?
| heydabop wrote:
| > The proxy is extremely lightweight. An inexpensive and tiny
| VPS can easily handle hundreds of concurrent users.
|
| I would bet yes.
| jagiammona wrote:
| Thanks for the help!
| Thorentis wrote:
| Well, well. Just a week ago [0] I was lamenting the fact that
| Signal was _too_ centralised. This comment was made in the
| context of P2P not being the best solution (due to other privacy
| issues), but that something in between was needed. When will
| Signal realise that the centralised approach to hosting is not
| going to last forever? The code is open source. The server code
| is supposedly open source, but on closer inspection it is missing
| some features and is very out of date. The actual server code is
| clearly still kept close to their chests.
|
| There needs to be a way for the same Signal application to, in an
| emergency, connect to a different server. Perhaps even some form
| of federation so that once somebody switches server, they can
| still reach people on a different server if need be. I would
| absolutely love to see some work done on making a Matrix/Signal
| hybrid.
|
| [0] https://news.ycombinator.com/item?id=25976914
| Havoc wrote:
| Does this potentially proxy other stuff too?
|
| I've got a couple of idle servers but don't want mystery stuff
| proxied. Ie open to other traffic
| 2cb wrote:
| It only allows a whitelist of Signal related URLs, nothing
| else.
|
| See here in the code:
|
| https://github.com/signalapp/Signal-TLS-Proxy/blob/master/da...
| lstwn wrote:
| Here is another proxy: https://signal.tube/#langis.lstwn.de
| est31 wrote:
| In the long run, starlink will make it even harder for autocrat
| regimes to censor the internet. Russian authorities already try
| to ban connections to Starlink.
| AndrewBissell wrote:
| Yes I'm sure Starlink would never do something like censor
| traffic at some regime's behest. Elon Musk is famously
| independent and not at all beholden to funding from the U.S.
| and China.
| sschueller wrote:
| /sarcasm
| mr_woozy wrote:
| This is the only benefit that comes to mind when weighing
| against obscuring the night sky. Heck even freeing Australians
| from Telestra's Iron grip would be an accomplishment.
| quenix wrote:
| Unfortunately, it's easy for governments to criminalise owning
| Starlink terminal equipment. Also, Starlink may be legally
| forced to deny service to users in certain geographical
| regions.
| roywiggins wrote:
| Iran's been having a tough time shutting down illicit
| satellite receivers.
|
| > One woman in the Iranian capital, whose satellite dish was
| demolished by the police several months ago, told "Persian
| Letters" that the first thing she did the day after her
| apartment complex was raided was order a new dish and
| receiver.
|
| > "That's the only fun we have here. There's nothing worth
| watching on [state television]," she said. "They can come and
| take my dish away. I will get a new one."
|
| https://www.rferl.org/a/persian_letters_satellite_dishes_ira.
| ..
| est31 wrote:
| Unless the government can seize Starlink's assets, or shut
| down/harm their operations, they can't really tell Starlink
| to do anything. E.g. if they can shoot down satellites,
| they'd have influence.
|
| This is especially true for economies that are as
| disconnected from the US as the Iranian one is.
|
| The only thing a state has control over is payments from
| users. But if smuggling in transceiver equipment with pre
| paid traffic isn't that hard.
| rohit89 wrote:
| Starlink will need a license to broadcast in the country.
| And the dishes also need to transmit which will give away
| your position.
| est31 wrote:
| Dishes don't _have_ to transmit, only if you want an
| upload channel. It 's entirely thinkable that important
| content like websites or feeds by important influencers
| is pushed to all users.
| 2Gkashmiri wrote:
| one question to people here. would you have acted in the same way
| you are doing now if US govt had banned parler and they wanted
| people to contribute to keep the service up? for all i know
| everyone colluded against them and killed them. now, if anyone
| wanted to help them stay afloat, why did you go after their
| hosting provider, CDN and payment processors? if helping signal
| is meaning defying iran, then helping parler would mean defying
| the US.
|
| think about it
| Cyclone_ wrote:
| Not exactly the same. Signal is banned by Iranian government,
| parler was banned by US companies.
| throwitaway1235 wrote:
| Accurate but a disingenuous concept (not you) because U.S
| companies are approaching nation state power, i.e Google,
| Amazon etc.
| 2Gkashmiri wrote:
| Yes. Exactly. How do we as outsiders know the us govt isnt
| doing backchannel deals with faang, even with one is enough
| to get the ball rolling.
|
| Even if thats not the case, my question still stands. If
| American companies banned parler, why dodgy govt intervene
| like how it tries to potray a sense of high handedness when
| it comes to Iran. If the can sanction companies to not
| serve Iran, cant they force them to serve parler in the
| first place? If not then they are silently agreeing with
| faang decision, against free speech
| not2b wrote:
| If everyone announces their proxies the Iranian government will
| be monitoring those announcements and will be able to block
| traffic to them. It may be better for those with friends and
| family in Iran to run proxies and quietly inform only people they
| trust.
| monadic3 wrote:
| Not to mention you can get into significant legal trouble
| helping people sanctioned by the US.
| aendruk wrote:
| > You can share your proxy with friends and family using this URL
| format: https://signal.tube/#<your_domain_name> [...] The latest
| beta release of the Android app is registered to handle links
| from signal.tube.
|
| This scheme is convenient for those with correctly configured
| devices, but comes at the cost to everyone else of increased risk
| of inadvertent leaks of the fact that they're attempting to
| circumvent the block. I'd be interested to hear more about what
| factored into the decision to make this trade-off.
| remram wrote:
| Good point! I wonder why they didn't reverse the scheme, e.g.
| https://mydomain.example.org/#is-a-signal-proxy
| mhils wrote:
| AFAIK you can register URL handlers for a specific domain
| (signal.tube), but not for a specific hash. And you don't
| want Signal to appear as an alternative browser on every
| link.
|
| Edit: On a second thought, I wonder if a custom scheme would
| have worked, e.g. signal-proxy://example.com?
| 2cb wrote:
| If you click on one of the links it is using
| sgnl://signal.tube/#[domain] to deliver the proxy settings
| to the Signal app.
| remram wrote:
| You can set the host to "*" on Android, but maybe not on
| iOS?
|
| For example, my Mastodon app pops up to open all links that
| look like a Mastodon profile
| (https://example.org/@somename).
|
| https://github.com/tateisu/SubwayTooter/blob/4cf16c6ee890a7
| d...
| LinuxBender wrote:
| How would you let users know about this proxy without letting
| their government know about it? Instead of platforms like
| twitter, how about randomly giving out random proxies in some
| header that the app could query on cloudflare or google or
| akamai? Does Signal already make use of any CDN's for out-of-band
| signalling and fail-over? If the Signal proxy could expose an
| obfuscated load metric, then the CDN could pick another proxy via
| health checks. The proxy could advertise itself via CDN's as
| well.
| mholt wrote:
| That's the trick isn't it: having an entire population know
| something an oppressive government doesn't.
|
| Even if you teach everyone how to deploy their own servers,
| then that's the knowledge the government will start targeting.
| You can make blocks expensive, i.e. blocking other major,
| useful services that would disrupt society too much for them to
| want to deal with, but this of course has its own costs.
|
| It's censorship and surveillance all the way down.
| roywiggins wrote:
| As far as I know, Iran is much too open an society to
| actually prevent its citizens from knowing anything in
| particular.
|
| That's not to say it's a free society or that censorship
| doesn't exist there, just that it's not the sort of regime
| that is particularly good at it.
|
| If I had to guess, Iranian expats would be a likely set of
| people to start up proxy servers for their family and friends
| back home.
| not2b wrote:
| Yes, which is why Signal is doing a disservice by telling
| people to announce their proxies on Twitter. The expats
| should just tell their friends and family, and tell them to
| pass the word on only to people they trust.
| ALittleLight wrote:
| But this doesn't stop them from doing that. If you have
| an expat friend or family member with a proxy, use
| theirs, if not, check the latest tweet with the hashtag
| and use that.
| [deleted]
| polishdude20 wrote:
| At some point, the easier option is for there to be a
| revolution or some sort of governmental change.
| upofadown wrote:
| True but not everyone is keen to experience the civil war
| that often accompanies such a change.
| TedDoesntTalk wrote:
| Easy to say when it is not your life or your families'
| lives at risk.
| sixstringtheory wrote:
| Communication is key to both of those things.
| LinuxBender wrote:
| That is precisely why I am suggesting using a CDN. Old school
| CDN that is. Back in the day, if you had Akamai, your site
| would just use one (or many) of their generic names. Nowadays
| you can use your own domain to front their network, but you
| don't have to. If Signal was using a few CDN's and cycled
| through many generic end-point names, then Iran would have to
| block all the CDN's which would be nearly the same as
| shutting off the internet. This would not have to be the
| default mode of Signal. It could be an option that the client
| suggests. "Hey, it appears we are blocked. Use alternate
| proxies?" Then cycle through many different CDN's using many
| generic end-point names. Some of the CDN's can also do layer
| 4 vips and not have to decrypt anything. They can just act as
| a TCP tunnel if need be, just costs more.
| RL_Quine wrote:
| Generally speaking censorship by a government needs to be
| pretty poorly done at best. Taking out the bulk of the usage of
| Signal is easy, removing it completely is hard. Much better to
| apply minimum cost and effort where it counts most.
| ip26 wrote:
| Yup, I would run one but I don't know any Iranians...
| bijoo wrote:
| > How would you let users know about this proxy without letting
| their government know about it?
|
| From the blog post, "A more discrete approach would be to only
| send the link via a DM or a non-public message."
|
| > how about randomly giving out random proxies in some header
| that the app could query on cloudflare or google or akamai
|
| That would "..increases the chance that Iranian censors will
| simply add those IPs to their block list"
|
| It looks like the solution provided in the blog post is limited
| to helping folks run their own proxy for people they know.
| cmroanirgo wrote:
| I think Signal is clearly recognising that nearly sny server or
| system they create will be blocked, which is why they
| recommended this being done on an individual layer.
|
| From the article:
|
| > A more discrete approach would be to only send the link via a
| DM or a non-public message. You can post something like this on
| your favorite social network:
|
| > * #IRanASignalProxy Reply to this thread if you want the
| connection details, and follow me so I can DM you the link.*
| [deleted]
| not2b wrote:
| No good; people working for the Iranian state will DM. Signal
| didn't think this through. No one should announce proxies via
| social media. Tell people how to set one up for friends and
| family.
| DangerousPie wrote:
| There are plenty of people that don't have friends of
| family in Iran but would still like to help.
| ufmace wrote:
| > No good; people working for the Iranian state will DM.
|
| They'll probably try, but it's not very scalable. It's
| tough to build and maintain a Twitter account with a
| history that looks like a real regular person, much less
| create a bunch of them fast with history that dates back
| before the day you started. If most of them make a modest
| effort to verify users, most of them should remain
| unblocked. It's all pretty decentralized, so it's not that
| big as deal if a few of them do get discovered and blocked.
| boomboomsubban wrote:
| People working for the Iranian state generally would be
| discernible from their Twitter account, and by controlling
| the information you hand out you can also flag the hidden
| accounts that aren't easily recognized.
|
| You also overestimate how committed Iran is to stopping
| this. Doing this in public risks the state finding out, but
| outside of times of crisis the state is usually pretty slow
| to respond. Keeping it private tanks participation rates.
| not2b wrote:
| There are about 700,000 people of Iranian descent in the
| Los Angeles area alone (the largest such community in the
| US). Most of them are in the US to escape the regime, and
| most of friends and family in Iran who they keep in touch
| with. The people in Iran also have their own networks.
|
| So a down-low friends and family approach could reach a
| lot of people.
| boomboomsubban wrote:
| If you just filter the amount of those 700,000 down to
| how many are aware Signal exists, I bet we'd already be
| at a low enough number to see the problem with your plan.
| ariosto wrote:
| This is inspiring. I am going spin one up and also look into
| contributing to your source code.
| S53Vflnr4n wrote:
| Hey Signal, your next contender will be Narendra Modi's Hindu
| nationalist Indian govt. But Modi is one step ahead, blocked the
| whole internet in Delhi.
| Jkvngt wrote:
| What if political dissidents don't want to give their phone
| numbers to the former head of Twitter security on the eve of
| President Biden's re-engagement with the Islamic theocracy of
| Iran?
| SandunFernando wrote:
| The login code you entered doesn't match the one sent to your
| phone. Please check the number and try again.
|
| It looks like you haven't logged in from this browser before.
| Please enter the login code from your phone below.
|
| NOT COMING MY PHONE CODE
| elif wrote:
| I would keep in mind that the US has weird antiterror laws about
| assisting enemies and also laws which construe bypassing system
| designs as hacking.
|
| For instance, Virgil Griffith is being held and charged for
| giving a high level description of bitcoin transactions at an
| academic conference in North Korea.
|
| This is incredibly more specific and more technical of an act.
|
| https://www.coindesk.com/usa-v-virgil-griffith-what-we-know-...
| x86ARMsRace wrote:
| This law is trivially easy to get on the wrong side of.
| Something like this would be definitely in scope of the anti-
| terror law you're talking about. American HN users beware.
| eatbitseveryday wrote:
| Can someone who is a lawyer comment on this, please?
|
| edit: further.. how is Signal shielded (if at all) from
| providing services to anyone in Iran? Wouldn't they be a target
| in such a case? The blog post is an explicit call for
| assistance specifically to do so.
| iudqnolq wrote:
| > Executive order 13722, signed by President Donald Trump in
| 2016, prohibits U.S. persons from exporting services to
| *North Korea*.
|
| Edit: You might find GitHub's description of how they handle
| this interesting: https://github.blog/2021-01-05-advancing-
| developer-freedom-g...
| nulbyte wrote:
| Not a lawyer, but details of the sanctions are public[1],
| including Iran General License D-1 which covers services,
| software, and hardware incident to personal communications.
| The license has details for fee based and generally public
| free-of-charge services. We want Iranians to be free to
| communicate.[2]
|
| [1]: https://home.treasury.gov/policy-issues/financial-
| sanctions/...
|
| [2]: https://home.treasury.gov/news/press-releases/sm0322
| iudqnolq wrote:
| Virgil Griffith was told not to enter North Korea by the US
| government, and snuck in through China anyway. He admitted to
| specifically talking about how to use cryptocurrencies to avoid
| sanctions, and admitted he knew at the time that that was
| illegal.
|
| https://www.nytimes.com/2019/12/02/nyregion/north-korea-virg...
| AnthonyMouse wrote:
| I wonder how many First Amendment lawyers would be champing at
| the bit to take a case where a prosecutor was dumb enough to
| charge someone with a crime for assisting dissidents to
| communicate.
| eightails wrote:
| Problem is that to many from the other side of the Atlantic
| "dissidents" look an awful lot like "terrorists".
| AnthonyMouse wrote:
| Calling everybody "terrorists" is for politicians and
| pundits. Judges spend all day seeing through hyperbole like
| that.
| pmlnr wrote:
| So... federate but not really?
|
| I'd heavily advise instead to run as many xmpp servers* as
| possible, and let people/friends use them.
|
| *not matrix, unless one configures it to forget the data and only
| act as a message broker, like XMPP. For this specific use, it's
| better.
| djl0 wrote:
| If Iran is blocking Signal but not other apps, namely Whatsapp,
| does this mean Iran has access to Whatsapp data?
|
| I fully expect the US govt to have access to fb/whatsapp data (at
| least the metadata), but it's a bit surprising to me that Iran
| would too.
| danenania wrote:
| I think FB's policy is to comply with local laws regardless of
| ethical concerns?
| xirbeosbwo1234 wrote:
| I think FB's policy is to _____(verb)_____ regardless of
| ethical concerns.
|
| They certainly aren't complying with U.S. antitrust laws.
| They comply if it makes them money and don't comply if it
| doesn't make them money.
| benlivengood wrote:
| There are a few requests reported:
|
| https://transparency.facebook.com/government-data-
| requests/c...
| mzs wrote:
| which you can't read without a FB account! In any case 6
| users/accounts in fist half of 2020
| beermonster wrote:
| Well...
|
| https://www.nytimes.com/2020/09/18/world/middleeast/iran-hac...
| ParanoidShroom wrote:
| I doubt it. By the same reasoning they would also have access
| to iMessage and other apps that aren't banned. Not sure what
| WhatsApp or fb has to do with this.
| 2cb wrote:
| Considering Apple put all data of Chinese users on Chinese
| servers to keep the CCP happy I have no doubt they're
| perfectly happy and willing to comply with government
| requests elsewhere too.
| twhb wrote:
| Iran blocks _every_ major foreign messaging app, except
| WhatsApp. Signal escaped it until now only because they had so
| few users. Also keep in mind that while WhatsApp claims to use
| the Signal protocol, they installed a backdoor that allows them
| to MITM conversations. So yes, I'd say it's virtually
| guaranteed that WhatsApp is sending unencrypted message data to
| Iran, and of course to the US too.
| oarsinsync wrote:
| > [WhatsApp] installed a backdoor that allows them to MITM
| conversations
|
| Citation?
| [deleted]
| kolmogorov wrote:
| https://signal.org/blog/there-is-no-whatsapp-backdoor/
| egberts wrote:
| "There's no backdoor."
|
| -- Perhaps the door is cracked (or ajar) and a microphone
| is listening in ... still?
| twhb wrote:
| HN discussion of that post:
| https://news.ycombinator.com/item?id=13394900
|
| I guess I'm coming down hard on one side of a controversial
| question, but in my mind, if it allows the server to
| intercept messages without users knowing about it under the
| default configuration, it's a backdoor.
| cgb223 wrote:
| Could the Iranian government also run a Signal proxy?
|
| Can they then read said proxy traffic since it's on their
| machine?
| NotEvil wrote:
| No, Nobody even signal can't, that's the whole point of e2e
| drummer wrote:
| They could certainly do this, but they would only see which
| local IP is trying to communicate with Signal (and thus trace
| the user). The traffic itself is end to end encrypted so they
| cant read it.
| blintz wrote:
| What is the state of the art on censorship resistance right now?
| This cat-and-mouse proxy fight never seems to go great for the
| good guys.
|
| My last in-depth reading on it was the excellent 2016 SoK paper
| "Towards grounding censorship circumvention in empiricism"
| (http://www.cs.umd.edu/class/fall2018/cmsc818O/papers/sok-cen...)
|
| The high level takeaway then seemed to be that researchers were
| not focusing efforts on measures that can actually help more
| people resist censors. Have we made progress since then?
| meibo wrote:
| Telegram got around Russian censors by constantly pushing new
| IPs for their servers with Google Cloud. Of course this is a
| cat and mouse game as well, but it worked out well for them,
| since Russia didn't want to block all of Google/AWS.
|
| https://news.ycombinator.com/item?id=26028415
| ignoramous wrote:
| I keep an eye on the work censorship.ai does as they are
| usually at the cutting edge of it:
| https://geneva.cs.umd.edu/papers/
|
| Tor, Jigsaw's Outline, and V2RayNG are worth keeping tabs on as
| they're FOSS projects and do much of their development in the
| open.
|
| Lantern's development whilst it was still open source was
| fascinating to see as well. Since 2016 (I believe) they stopped
| doing so out of security concerns:
| https://twitter.com/adamfisk/status/1316569766832869377
| robert_foss wrote:
| There are relatively good solutions like dns fronting on Amazon
| or Google, but they frown upon being used that way.
| [deleted]
| MikeGale wrote:
| Just remember, Iranian intelligence is no doubt monitoring this
| discussion.
| notsureaboutpg wrote:
| Hmm, I have a family member going to seminary in Iran and he has
| been in contact with me over Signal (he moved our family chat to
| it over WhatsApp because of recent events).
|
| Did this happen like literally today? Because otherwise I haven't
| heard of such a thing...
| whalesalad wrote:
| Where is the 'deploy to heroku' button when you need it
| signaliscia wrote:
| biden is trying to do a coup. signal=state dept.
| nrvn wrote:
| Signal could learn a lot from Telegram in this regard.
|
| Russian govt had tried to block Telegram but telegram servers
| just keep jumping over various cidrs and users got the ip
| addresses for connecting over push updates and the only thing the
| govt succeeded in was blocking a wide range of subnets including
| AWS ranges and GCP ranges thus disrupting a whole lot of
| businesses and even some government services.
|
| They gave up and lifted the ban eventually.
|
| https://www.schneier.com/blog/archives/2018/06/russian_censo...
| derefr wrote:
| Feels like there could be a good business in providing this
| CIDR-hopping push-updating proxy as a service other apps could
| embed. Like what CloudFlare does for DDoS protection, but as a
| forward-proxy + client middleware, instead of a reverse-proxy.
| mywittyname wrote:
| Depends on your definition of "good."
|
| Dealing with hostility from government bodies is probably no
| fun.
| agnosticmantis wrote:
| I believe telegram itself is blocked in Iran, though.
| smnrchrds wrote:
| It is indeed. Iran does not shy away from blocking large
| swaths of the internet in order to make sure the parts they
| want blocked will remain blocked. For example, before 2009,
| there were specific blogs on wordpress.com which were blocked
| and making sure the content the government wanted
| inaccessible would remain inaccessible had turned into a
| whack-a-mole game. In 2009, they simply blocked the entirety
| of Wordpress, Facebook, YouTube, etc. and made their jobs
| much easier.
|
| Iran would not hesitate to block all AWS IP addresses as a
| solution (I don't know if that is how they block Telegram
| now). GCP resources would not load in Iran anyway because
| Google has a very strict (much more strict than AWS and
| Azure) interpretation of the sanctions, so they don't have to
| worry about them.
| eternalban wrote:
| > It is indeed. Iran does not shy away from blocking large
| swaths of the internet
|
| > ran would not hesitate to block all AWS IP addresses as a
| solution
|
| DNS will not resolve _any_ .ir (.coms that are iranian)
| domains here in US, afaikt.
| whimsicalism wrote:
| Not at all true. Try http://www.president.ir/en
| eternalban wrote:
| That does not resolve for me. Neither do any of the news
| sites. I even tried government ministries, such as
| en.mop.ir. simple$ ping president.ir/en
| ping: cannot resolve president.ir/en: Unknown host
| simple$ ping en.mop.ir ping: cannot resolve
| en.mop.ir: Unknown host simple$ ping
| tehrantimes.com ping: cannot resolve
| tehrantimes.com: Unknown host simple$ ping
| presstv.com ping: cannot resolve presstv.com:
| Unknown host
| caf wrote:
| That might be something your ISP is doing. Try
| dig www.president.ir @8.8.8.8
| eternalban wrote:
| Thanks. That got me the ip but browser won't connect to
| it. So it's blocked at the ip level. (Why would an ISP do
| this? Mine is one of the majors. Curious.)
| sudosysgen wrote:
| Telegram blocking in Iran is theoretical. There are still a
| great many Iranians successfully using Telegram (via
| proxies or modified versions of the app).
| sigmar wrote:
| That article notes that Signal has been domain fronting since
| 2016. I think google has cracked down on it more recently
| though, and hence Signal has had to circumvent censors in a new
| way
| windthrown wrote:
| Correct, both Google and Amazon told Signal not to use them
| for domain fronting: https://signal.org/blog/looking-back-on-
| the-front/
| rzz3 wrote:
| What about Cloudflare?
| capableweb wrote:
| Answer from Cloudflare team seems to be "No" -
| https://community.cloudflare.com/t/could-cloudflare-
| support-...
| hanniabu wrote:
| Surprised by that considering their willingness to work
| with ethereum on resolving .eth domains through .eth.link
| domains.
| contravariant wrote:
| There has to be a cleverer way to solve the problem of
| having several domain names on the same IP than just
| sending the desired domain name in plaintext.
| aftbit wrote:
| Gross! I wonder what motivated these decisions inside
| Amazon & Google. This likely affects the Tor project domain
| fronting as well.
|
| We really should not have let the majority of internet
| traffic be served by a small handful of giant companies
| without some legal protections as to what they're allowed
| to do.
| powersnail wrote:
| I don't know.
|
| In the grand scheme of things, I don't like how much
| infrastructure technology giants control.
|
| In this specific case, however, domain fronting is
| basically saying "if you want to ban me, you have to ban
| all of us", without asking if the rest of "us" consent to
| be put on the same boat.
|
| It would be cool if they are, but it's perfectly
| understandable for them to disagree.
| jaywalk wrote:
| Believe me, I'm all about reigning in big tech.
|
| But I would be 100% against any law that required them to
| allow domain fronting. It's fine if they want to, but
| _requiring_ them to basically open up /leave open a hole
| in their systems is not right.
| hutzlibu wrote:
| What I recall from the discussion back then is, that
| domain fronting basically means, that Signal would
| disguise itself as google or amazon traffic. So I would
| say, it is understandable, that they decided this is not
| good for their buisness.
|
| So it was not an act by google and amazon to activly harm
| Signal, but rather canceling ongoing support of Signal,
| that could put their buisness to harm, which is something
| different.
| praseodym wrote:
| Probably malware using domain fronting techniques for C2
| traffic played a role in that decision. E.g.
| https://threatpost.com/apt29-used-domain-fronting-tor-to-
| exe...
| damnyou wrote:
| In general there are many things that are beneficial when
| used by good actors and harmful when used by bad actors.
| That's just the nature of power.
|
| I'm really bothered by blanket policies that prevent
| beneficial uses of a tool because it can also be used to
| cause harm. Google and Amazon need to figure out how to
| disambiguate the two.
| Craighead wrote:
| Yes yes, but, when will Verizon and Comcast be broken up?
| 2cb wrote:
| And this new way, while less convenient, is arguably superior
| due to its decentralisation. They're not just going after one
| service they're now going after people all around the world
| running these proxies.
|
| Just set one up myself took 15 minutes and that includes
| setting up a fresh VPS.
|
| Just thinking what the best way to share it is.
| birdyrooster wrote:
| lol i accidentally rented a decent VPS for 30 days in
| switzerland and now I have a use case for it whoo
| stonesweep wrote:
| I've been mulling this over today, as your ability to _get_
| the name /IP of the proxy has to be censorship resistant as
| well.
|
| The best idea I've had so far is using a CNAME response to
| a very common DNS query which would pass a basic filter,
| like I'd ask for "mail.mydomain.com" and it would respond
| with a CNAME pointing to the actual proxy. I have dead
| domains which I have configured with null records for MX
| and stuff (so spammers can't abuse them), I could hide the
| name of my proxies in the MX records a CNAMEs and nobody
| would be the wiser...
|
| The trick is getting the word out on how to do it - like
| "hey everyone, just ask random domains for "mx.domain.com"
| and use the 30 level MX" or something which would pass as
| legit traffic. Maybe...
| 2cb wrote:
| Using innocent sounding CNAMEs on abandoned domains is
| definitely a smart idea.
|
| I've definitely got some old domains kicking about, I'll
| see how far off they are from expiration and do something
| similar if they have at least a few months left in them.
|
| The proxies themselves can also be hosted at normal
| sounding domains and subdomains like cdn.technology.memes
| or whatever.
|
| And when you point other domains to them as CNAMEs use
| equally regular looking subdomains no algorithm would
| pick up as a proxy like webmail.abandoned.tld.
| stonesweep wrote:
| Thought following yours, I like the CDN idea - if you add
| in some dynamic DNS updates with random CNAME results it
| could also help - ask for cdn.example.com, get
| node182.example.com and 5 minutes later get a different
| CNAME result injected from some cron job...
| iudqnolq wrote:
| If your scheme for conveying innocent sounding proxy
| domains requires it's own innocent sounding domains what
| have you added?
| stonesweep wrote:
| To my thinking, it creates a chain of "it's really hard
| to block them all" - as soon as I saw (via the link) that
| you submit your new proxy to https://signal.tube I
| thought "...so the Iranian gov't just has to block any
| and all access - DNS, HTTP - to that domain" and people
| can't even see what proxies are out there. So if my
| friendly domain name is "learned as a Signal proxy" they
| just block my domain (personally, I'd use two domains to
| double-blind it).
|
| My conceptual idea is that how you get the person the
| name of the proxy to use has to hide as signal amongst
| the noise and not get trapped in DNS/domain blocking
| filters - and if it's keyword blocked by the Great
| Firewall, you just start asking other random domains for
| their MX records etc. I believe it's generally referred
| to as steganography:
| https://en.wikipedia.org/wiki/Steganography
| [deleted]
| Triv888 wrote:
| While it worked in that case, it is not an invincible method.
| emptybits wrote:
| Thank you. It's heartwarming to read about successes like this.
|
| Immediate recalling John Gilmore (GNU/EFF/etc.) in 1993:
|
| "The Net interprets censorship as damage and routes around it."
| freakynit wrote:
| How disgusting these governments have become it pisses me off.
| cyphar wrote:
| I know it's too late to engineer this at this point, but maybe
| Signal should consider adding a built-in Tor client. That way
| they can take advantage of the many thousands of existing Tor
| bridges, and Tor has been proven to be pretty effective at
| censorship resistance over the years...
| kodablah wrote:
| I doubt very much it's too late. Tor can be statically compiled
| into the apps, and assuming Signal is centralized, they can
| just run their own onion service and otherwise communicate as
| though they were using TCP.
| cyphar wrote:
| I meant that it's too late to solve it for this particular
| censorship event. You'd need to add a UI for selecting
| bridges and configuring Tor, all of which is substantially
| more complicated than just adding support for custom single-
| hop HTTPS proxies.
| rthomas6 wrote:
| This is one of the best arguments for
| federation/decentralization, is it not? It's not impossible to
| block a protocol, but it's harder than blocking an IP.
| derbOac wrote:
| Yeah I was thinking this is awfully close to some kind of
| federated system. It's not the same but it's pretty close to
| Signal asking for people to decentralize their service a bit to
| overcome censorship, which is one of the main arguments for
| decentralized systems.
| im3w1l wrote:
| We see again and again that Americans hate freedom of speech. So
| what is this but a power play? They want people to use controlled
| platforms where only American-approved activism is allowed.
| Actions that destabilize an enemy regime.
|
| Iranians who use Signal are American proxy forces. By definition
| it is treason.
| owl_troupe wrote:
| Iranians who use Signal are Iranians. Your statement is
| premised on the Iranian government having absolute authority to
| surveil the communications of Iranian citizens. By that logic,
| any from of end-to-end encrypted communication is treason. You
| might as well say that Iranian citizens have no general right
| to privacy and any expectation of such is also treason.
| im3w1l wrote:
| Signal is American controlled. Encryption in general is not.
| rhplus wrote:
| > Your proxy is now running! You can share your proxy with
| friends and family using this URL format:
| https://signal.tube/#<your_domain_name>
|
| Won't the censors just block DNS for `signal.tube` immediately?
| GranPC wrote:
| It looks like the Android app has an intent filter to present
| itself as an option to handle signal.tube links, so DNS
| resolution isn't necessary:
| https://github.com/signalapp/Signal-Android/blob/master/app/...
| MightyOwl13 wrote:
| Hey, did anyone actually try to run this? I'm getting a bunch of
| errors when trying to run the sudo docker-compose up --detach.
| How would I know if it's running or not? Sorry, quite new to this
| apart from hosting a couple of personal pages on a vps.
| l1am0 wrote:
| I found that simple apt-get docker does not work for me on
| debian. Tried the official docker documenation and that helped:
| https://docs.docker.com/engine/install/debian/
| 2Gkashmiri wrote:
| hey. i just thought of something. is it not possible for india or
| iran in this case to check your phone number and see if it is
| active on signal? if you are online means you are somehow
| bypassing their blocks. isnt then just a matter of tracking your
| cellphone and relevant xkcd applies ?https://xkcd.com/538/
|
| this is looking like a zero sum game unless signal account is
| delinked from phone numbers because the govt can play cat and
| mouse game indefinitely
| monadic3 wrote:
| > is it not possible for india or iran in this case to check
| your phone number and see if it is active on signal?
|
| WTF, why does signal require PII to use? Shouldn't it give you
| a public/private key pair on signup?
| f430 wrote:
| all they need to do is be in the approximate region of the cell
| signal through triangulation to figure out the phone numbers /
| unique identifiers attached to the phone.
|
| then its a matter of time before they link real identity to the
| phone. With the wide availability of femtocells, all they need
| to do is get lucky once.
|
| This puts operators of Signal proxies at potential harms way!
| Absolutely irresponsible for people on HN to downvote and
| downplay genuine security concerns.
| MrMorden wrote:
| How is a proxy operator in harm's way? They aren't in Iran,
| and the Iranian government understands the consequences of
| trying to do anything about it. Users are in no more danger
| than they've always been, and substantially less than if they
| didn't have communications ability.
| 2Gkashmiri wrote:
| oh. you are not joining all the dots here. an offensive govt
| already has KYC on cellphones. they can pull your details in
| a second. My reasoning. they have a list of say 100 users.
| every govt has lists. they check that list against signal
| users as "social graph" and voila, they know you are online
| or not. second, kyc documents show who you are so you are
| good as toast
| southerntofu wrote:
| WTF Signal?! You claim to help users from Iran, however you
| encourage them to circumvent a government ban by using proxy
| which redirect trafic based on TLS SNI header, in plaintext?!
| Maybe you think the Iranian government doesn't have the resources
| (yet) to log/drop packets based on SNI, however it may well be
| the case already or soon because that's really not hard to do.
|
| You are actively encouraging people to use technology that will
| reveal to their ISP/government they use Signal despite a
| government ban. You also force them to use phone numbers, which
| are uniquely-identifiable and are also advertised publicly in
| multi-user chats. ARE YOU TRYING TO GET PEOPLE JAILED OR KILLED?
|
| If you were really fighting for freedom and the right to
| legitimate dissent against unfair governments, then you would
| federate your services so you don't become a central authority
| who can ban users (SPOF), abandon phone numbers entirely (because
| they're a security nightmare and publishing them facilitates
| harassment, a known problem on your platform you have refused to
| address so far), and use established proxying mechanisms which
| are less detectable than a plaintext header containing
| "signal.org" (like Tor).
| quasirandom wrote:
| The SNI is encapsulated in an outer layer of TLS, which is
| removed before forwarding traffic to Signal. That's what nginx-
| terminate is doing.
| southerntofu wrote:
| The header will appear in plaintext between the user and the
| proxy (easy to detect/log/drop for their ISP/government), and
| still appear in plaintext between the proxy and Signal (which
| is less of a problem).
|
| The SNI header is not dropped to upstream because it's used
| whether the reverse proxy is operated by the intended
| recipient (Signal) or not (the proxy). That's precisely the
| reason why people have been promoting Encrypted SNI for some
| time now.
| quasirandom wrote:
| It is not true that Signal domains are visible in plaintext
| on the wire between the user and the proxy.
|
| You can spin up the proxy and check yourself.
|
| Alternatively, you can ask yourself "why go through the
| trouble of setting up a legitimate ca-signed certificate if
| Signal domains are already leaking in plaintext"? The whole
| point of the ca-signed cert is to make the traffic blend
| in. Why go through that trouble when a simple regular
| expression could identify it?
| southerntofu wrote:
| > You can spin up the proxy and check yourself.
|
| I just did, and you are right. I stand corrected, sorry
| for spreading FUD. Other criticism of Signal still
| applies. I would edit my original message to reflect
| that, however i can't because it's been posted a while
| ago.
|
| An attacker (such as the government) may not drop
| connections in real-time to Signal proxies without
| considerable efforts (i.e. for every HTTPS stream,
| verifying whether the remote server is a Signal proxy).
| However, after passively recording SNI headers, the
| attacker check those remote servers to figure out whether
| they are Signal proxies. As a conclusion, this Signal
| proxy is an effective censorship-circumvention tool, but
| does not protect users from the consequences of
| circumventing government censorship (which may be harsh).
|
| A possible mitigation would be to have the virtualhost
| terminating the outer TLS connection serve the reverse
| proxy only from a specific folder/location, which cannot
| be well-known. So the attacker would see you are
| connecting to https://proxy.example, but as long as
| https://proxy.example serves legit-looking pages on /,
| and the Signal proxy is served from
| https://proxy.example/foobar, the attacker may not
| passively discover the actual reverse proxy. Of course,
| every Signal proxy would need to use a different
| subfolder.
| realducksoft wrote:
| Damn, I've read the code. This won't work against an active
| probe. Censors just use signal domains and non-signal domains to
| test your proxy. If signal domains get passed and non-signal
| domains got denied, you are fucked. Besides, TLS in TLS is highly
| identifiable by simple packet length dpi. I'd hope there's better
| plan.
| toast0 wrote:
| TLS 1.3 supports (encrypted) padding bytes for Application
| Data; which could be used to normalize the packet lengths.
| Probably not accessibly via normal system TLS libraries though.
|
| Although, if only Signal is making nice sized packets, that
| could be suspicous.
| Diggsey wrote:
| > Censors just use signal domains and non-signal domains to
| test your proxy.
|
| If the censor already knows about your proxy they would have no
| reason to test it... The whole point is that there _isn 't_ a
| central list of proxies for them to easily block.
| [deleted]
| I_Byte wrote:
| This is the very same problem that Tor faced when Tor bridge
| use started to pick up in China around the late 2000s / early
| 2010s. You only needed a single Chinese user to connect to
| your server for it to be probed by the Chinese censors. Older
| versions of the obfs Tor bridge protocol could be detected by
| active probes and thus blocked very much like these Signal
| proxies. This is a cat and mouse game that Signal could very
| easily lose should Iran start to care about probing all new
| active connections that leave Iran.
| lucb1e wrote:
| No but look, they're blocking connections country-wide.
| Apparently they have government boxes installed on the
| outside lines. If you're looking at IP headers and deciding
| to drop or pass based on that, it's trivial to collect the
| IPs you don't yet know, check if they're running a proxy
| (Signal, Tor, I2P, whatever), then add them to the block list
| if they are.
|
| If it's trivial to figure out (by doing a nice handshake)
| whether something is a certain kind of proxy, then the cat-
| and-mouse game is reduced from finding lots of mice to
| updating the cat system to test whether passing animals are
| mice and instantly wiping out the mice population.
| pmlnr wrote:
| > there isn't
|
| YET. I wonder if someone will find a simple way to map these
| with shodan.
| eatbitseveryday wrote:
| > _SS560.204 Prohibited exportation, reexportation, sale, or
| supply of goods, technology, or services to Iran._
|
| > _Except as otherwise authorized pursuant to this part, and
| notwithstanding any contract entered into or any license or
| permit granted prior to May 7, 1995, the exportation,
| reexportation, sale, or supply, directly or indirectly, from the
| United States, or by a United States person, wherever located, of
| any goods, technology, or services to Iran or the Government of
| Iran is prohibited, including the exportation, reexportation,
| sale, or supply of any goods, technology, or services to a person
| in a third country undertaken with knowledge or reason to know
| that:_
|
| > _(a) Such goods, technology, or services are intended
| specifically for supply, transshipment, or reexportation,
| directly or indirectly, to Iran or the Government of Iran; or_
|
| > _(b) Such goods, technology, or services are intended
| specifically for use in the production of, for commingling with,
| or for incorporation into goods, technology, or services to be
| directly or indirectly supplied, transshipped, or reexported
| exclusively or predominantly to Iran or the Government of Iran._
|
| For US citizens, does helping folks in Iran in this way with a
| Signal proxy fall under these terms?
|
| https://www.ecfr.gov/cgi-bin/text-idx?SID=f384a46ec1b04cc7b2...
| chmod775 wrote:
| Why can't they just ship signal with a Tor client? This is
| precisely what Tor was built for.
|
| They can donate some money to charities running Tor nodes while
| they're at it, or run some themselves.
|
| Iran tried to censor Tor too, but it's pretty much impossible to
| do so fully. At least the Tor devs are usually on top of it,
| while Signal is inexperienced dealing with things like this.
| franga2000 wrote:
| Of course it's hard to censor Tor, but is it really hard to
| outright block it? Last time I looked into it, you could just
| fetch the list of edge nodes that have to be public by design
| and block all of those.
| vbezhenar wrote:
| What makes you think that it's hard to block Tor? Even
| Kazakhstan blocked Tor many years ago. They're using DPI:
| connection opens, client can write data, but can't read
| anything which is frustrating from user PoV.
| chmod775 wrote:
| > What makes you think that it's hard to block Tor?
|
| The fact that it is?
|
| There are secret bridges and Tor is able to disguise its
| traffic as other 'legitimate' protocols.
| SomebodyElseHa wrote:
| The bridges don't remain secret forever. All it takes is a
| government agency to ask the mailing list for one and then
| it's compromised. Once they're discovered, you can get into
| deep shit for trying to connect to that address.
|
| My ex moved to China, and she told me that the only people
| who say Tor can't be blocked are people who have never
| lived in a country where the government is actively trying
| to block it. Just because you can connect to it doesn't
| mean you won't get a knock on the door in a month asking
| why.
| viro wrote:
| Tor is is blocked in Iran.
| chmod775 wrote:
| Iran isn't able to detect bridges using obfs4 with DPI as of
| now (as far as I know).
|
| So no, it's not 'blocked'. They're just trying. Mostly by
| blocking bridges they know of.
| [deleted]
| gruez wrote:
| if they block can block tor what makes you think they can't
| block these proxies? furthermore if you use tor you can use
| the existing network of bridges/relays as well as their
| pluggable transports protocol to avoid DPI/traffic analysis.
| viro wrote:
| They can block these proxies. Thats why in the
| #IRanASignalProxy section they say to share in more
| discrete ways if you can.
| woofcat wrote:
| Which to me is bad. They should run a service like Tor
| does to get private bridges. I don't know anyone in Iran
| but I have a server I could use for this. However I know
| zero people in Iran.
| 2cb wrote:
| So you use the hashtag on a public tweet etc and say DM
| me for a proxy.
| lacker wrote:
| Iran is already blocking Tor. In general, if Signal
| provides some central way to use Tor together with Signal,
| the Iranian government can just run it on their machine,
| and block every IP address that it tries to connect to.
|
| Iran can block these proxies, too, but this way there isn't
| any centralized listing of proxies. This proxy setup is
| simple enough that a single person could run a proxy for a
| few dozen of their friends, and the Iranian government
| might just never find out about it.
| gruez wrote:
| there are public and private bridges.
| sudosysgen wrote:
| If I remember correctly from what my Iranian friends told
| me not long ago, there are indeed working bridges in
| Iran.
| f430 wrote:
| exactly, this article is exceptionally egregious at
| estimating state actor's tools agumented by HUMINT
| capabilities to hunt down anybody trying to subvert their
| iron curtain.
|
| I fear that some naive Western expat will participate and
| find themselves in a hostage. Many countries in this
| don't have any treaties with Western nations, they dont
| have high regard for human rights either.
| milofeynman wrote:
| Tor has a very similar proxy setup that can be used to get
| around blocks like this.
|
| https://2019.www.torproject.org/docs/bridges.html.en#Plugga
| b...
| sporksmith wrote:
| Yup. I just tested ~~the fdroid~~ signal (the non-google-
| play apk from signal's web site) with orbot (a tor VPN
| for android) and verified it works correctly for text
| messaging. As you say, using a bridge _should_ make it
| difficult for iran to block. I wouldn 't be surprised
| though if voice/video was too high latency or doesn't
| work at all. https://mobile.twitter.com/sporksmith/status
| /135738175783478...
| ignoramous wrote:
| Signal is taking a leaf out of Telegram's book here in
| crowd-sourcing censorship circumvention which has worked so
| well for Telegram in Russia, especially.
|
| One could use censorship evading VPNs like Tor, Lantern,
| Shadowsocks, Psiphon in addition to using these proxies.
| They all have different evasion mechanisms.
|
| The thing that works for user-run proxies is, it is like a
| hydra, you censor one proxy another crops up.
| kelnos wrote:
| I'm worried that Iran is less concerned about collateral
| damage. Russia gave up because successfully banning
| Telegram would also ban significant parts of the internet
| that Russian businesses (etc.) depend on, so that was
| unworkable. I expect that Iran won't care quite as much.
|
| Regardless, I hope this does actually end up working, and
| allows Iranians to use Signal without a prolonged cat-
| and-mouse game.
| ryanlol wrote:
| Tor is very easy to block, and relies on very similar
| proxies to circumvent that.
| southerntofu wrote:
| You probably haven't followed Tor development in the past
| years. obfs4 and snowflake a really cool circumvention
| methods that are orders of magnitude harder to detect and
| block than these "signal" TLS proxies.
|
| The TLS proxy signal just advertised uses plaintext TLS
| SNI header to determine where to route the packets, which
| makes it really trivial to detect and/or block. The same
| cannot be said about tor.
| ryanlol wrote:
| I'm familiar with obfs4 and snowflake.
|
| Signals TLS proxy is naive compared to obfs4, but at it's
| core it's a similar solution.
| benlivengood wrote:
| https://github.com/signalapp/Signal-TLS-Proxy/issues/3 is the
| major issue with the current proxy and hopefully it's fixed
| quickly before a bunch of folks set up a proxy and forget about
| it.
| [deleted]
| [deleted]
| nojvek wrote:
| Wow! This is what I call decentralized internet. Where unless
| Apple can take down the app from the AppStore (we should fight
| against the monopoly) Signal is hard to censor.
|
| Unless Iran totally kills its internet to all.
|
| Sure there is the dark side that it could be used to organize
| crimes and terror, but I think we have to recognize the right to
| meaningful communication and privacy.
|
| Signal gives me hope on the internet of the future.
| MayeulC wrote:
| Hmm, looks like these are just a few nginx rules, they might as
| well publish those.
|
| Internet is a bad fit for this. I wish everyone was using
| yggdrasil, I2P, tor or something similar.
|
| I mean: I could provide as many yggdrasil addresses as I wanted
| to. It would be possible to setup a few VPNs to connect separate
| networks (though potentially traceable).
| icare_1er wrote:
| The future is in initiatives like these... examples here and
| there show that the internet is way to vulnerable to censorhip
| (China, Twitter and AWS in the US, Iran, etc...). I hope the push
| for de-centralized platforms will expand. Well done Signal.
| superkuh wrote:
| What happens when Iran's government itself runs a bunch of these
| proxies?
| IncludeSecurity wrote:
| Even worse, what happens when they MITM all of the installs
| because the docker container has really bad security such as:
|
| RUN wget http://nginx.org/download/nginx-1.18.0.tar.gz
|
| https://github.com/signalapp/Signal-TLS-Proxy/blob/master/ng...
|
| Installing via HTTP, with no verification of installer seems
| like a reallyyyyy bad idea.
| RL_Quine wrote:
| That's awful.
| gspr wrote:
| I noticed the same thing, and filed an issue [1]. The first
| reply does not fill me with a lot of confidence (but it's
| unclear to me whether the person is affiliated with the
| project or not).
|
| [1] https://github.com/signalapp/Signal-TLS-Proxy/issues/6
| aftbit wrote:
| They have completely disabled issues on that repository.
| Wow I used to really like Signal...
| kelnos wrote:
| And it seems they've fixed the issue, without any kind of
| public comment.... still not great:
| https://github.com/signalapp/Signal-TLS-
| Proxy/commit/39a97da...
| kdunglas wrote:
| I (partially) fixed this issue, and I'm not affiliated in
| any way with Signal. It's public
| (https://github.com/signalapp/Signal-TLS-Proxy/pull/2),
| and it looks like they welcome contributions, because
| they merged mine.
| gspr wrote:
| Sorry for not noticing your PR before filing the bug.
|
| I still find the way they (partially) dealt with this a
| bit worrisome.
| cryo wrote:
| Wouldn't it be saner to also verify the downloaded
| archive hash? It looks like the domain resolving of
| nginx.org is trusted without doubt.
| sneak wrote:
| You'd be building and running these outside of Iran for them
| to work, which would limit the Iranian government's ability
| to perform the attack you describe.
| harg wrote:
| If all the traffic going via the proxies is e2e encrypted is
| there much that can happen?
| TedDoesntTalk wrote:
| But the fact that you are in Iran and using Signal may get
| you added to a watchlist. They can trace the IP addresses
| connecting to the proxy server back to a household or phone,
| no?
| harg wrote:
| I don't think Iran is as oppressive a regime as you make it
| out to be. AFIAK the act of using (or attempting to use)
| Signal is not illegal. The resources required to trace an
| IP and track down the user simply because they used a
| messaging app seems unfeasable. Not to mention IP addresses
| on mobile devices are highly dynamic especially if you're
| jumping between wifi and cellular. Correct me if I'm wrong
| but I think in practice it's pretty hard to link IP
| addresses to actual individuals.
| sudosysgen wrote:
| Not much. It's 99% certain that Iran already has the IPs of all
| Signal users, and they haven't penalized people for using
| encrypted messaging as of now.
| tannhauser23 wrote:
| This is the kind of privacy initiatives we need. While we argue
| in America about deplatforming, Iran, China, and other
| authoritarian countries around the world are actually suppressing
| and punishing free communication. Kudos to Signal for this
| initiative.
| notsureaboutpg wrote:
| America suppresses and punishes free communication, you just
| aren't aware of it because they control what you see when you
| live there.
| throwitaway1235 wrote:
| This is only popular and presented as altruistic because toppling
| the Iranian regime aligns with the foreign policy of Western
| states.
|
| Now that's fine if you support the expansion of global liberal
| democracy (which happens to be neither liberal or democratic) but
| just don't be deluded into believing this is some good guy vs bad
| guy scenario. As we speak, U.S media is advocating for the
| removal of Signal because Americans may also have access to
| encrypted private speech!
| 3np wrote:
| The good news is that regardless of framing, this doesn't
| discriminate US users either.
|
| You can see it as a Trojan horse if you will
| Krasnol wrote:
| I am not in the US and this is popular to me because I'm happy
| to be able to help people out who are suppressed by their
| government.
|
| Not everything is a US conspiracy in geopolitics...
| throwitaway1235 wrote:
| That nation states do things to advance their interests
| globally is not a conspiracy. Foreign policy 101.
|
| Who is to say that the Western technocratic system of
| government replacing the current Iranian regime would not
| also be oppressive? I personally believe it would be vastly
| more oppressive.
| Krasnol wrote:
| > That nation states do things to advance their interests
| globally is not a conspiracy. Foreign policy 101.
|
| This level of argumentation is so beyond sense and reason
| that I'm not even sure which nation you're talking about.
| Iran is not advancing anything and Signal is not part of
| the US government.
|
| > Who is to say that the Western technocratic system of
| government replacing the current Iranian regime would not
| also be oppressive? I personally believe it would be vastly
| more oppressive.
|
| Nobody is saying that because you can't but you don't have
| to if you want to help people out who are opressed under a
| dictatorship.
| throwitaway1235 wrote:
| Signal is an American company with it's headquarters in
| California. My point is that the global interests of
| nation states and their alliances are not only pursued
| through government channels but also through their
| influence on domestic private companies.
|
| I agree that my second point was too personal and
| unproductive.
| Krasnol wrote:
| > Signal is an American company with it's headquarters in
| California. My point is that the global interests of
| nation states and their alliances are not only pursued
| through government channels but also through their
| influence on domestic private companies.
|
| Please outline those channels which connect Signal to the
| US government. Otherwise please stop insulting me with
| this story. Selling basic human rights as some evil US
| government agenda is ridiculous.
| hikerclimber wrote:
| i hope this doesn't work.
| frEdmbx wrote:
| Is Firechat still around? What other chat solutions allow for
| local meshnet?
| isoprophlex wrote:
| Almost everyone in these comments is asking questions of various
| degrees of pedantry or outright dissing signal/moxie/no
| federation/whatever...
|
| Just spin up a server if you can spare the expense and help some
| people out.
|
| Action > inaction.
|
| edit: you can get the connection details via @appliedlambdas on
| twitter!
| isoprophlex wrote:
| Considering that there's plenty of people also sharing these on
| Twitter I've decided to openly share mine as a canary..:
|
| https://signal.tube/#instafax.nl
| koheripbal wrote:
| Talk is cheap.
| 2cb wrote:
| You can literally spin this up on a $5 a month VPS as well, not
| like you need to break the bank. And with so many TLDs there's
| plenty of dirt cheap domains too. I just spun one up in 15 mins
| and if it gets blocked I'll happily spin up more.
| mzs wrote:
| Whoa whoa whoa... there can be legal consequences for spinning-
| up a proxy in countries sanctioning Iran. This is a case where
| action can in fact be way worse for someone than inaction. I
| still can't find any discussion about that and it's worth
| investigating.
| thefifthsetpin wrote:
| I imagine that you're right, but it feels like a really weird
| case to choose to prosecute.
| stonesweep wrote:
| During the EFF "run a tor node" challenge a few years back,
| I learned that many cloud providers (a) hold you
| responsible for any traffic transgressing your proxy, and
| (b) generally were OK with running a relay node but not an
| exit node. Responses varied provider by provider, some have
| written rules some do not.
|
| Point being there are already discussions about the relay
| topic with cloud providers and it's not a weird edge case
| to me (and the law in your jurisdiction may have a strong
| opinion on this), I imagine there are legal things about
| where you live vs. where the server lives which also
| matter.
| bigiain wrote:
| Sure.
|
| But then one day they come and "ask" you to backdoor your
| employers platform. And when you say "WTF???" they start
| talking about terrorism charges for the VPS/proxy you ran
| back in 2021 in violation of Iranian sanctions.
|
| Chilling effects are real. Laws they can "choose to
| prosecute" or not, just means they have more ways to coerce
| you if they want...
| [deleted]
| dijit wrote:
| How flippant.
|
| "Almost everyone in these comments is asking questions of
| various degrees of pedantry or outright dissing
| hospitals/insurance/medical bankruptcy/whatever...
|
| Just donate to a charity if you can spare the expense and help
| some people out.
|
| Action > inaction."
|
| Healthcare and communication aren't comparable. But my point is
| that you can criticise institutions for their (contested)
| faults.
|
| If you place yourself on the mantle of non-federation, then
| availability and censorship resistance are your cross to bear,
| frankly.
|
| The notion that I should help them workaround their
| architectural failure when it's been widely criticised (and
| criticism openly dismissed) multiple times is a little wild.
| ampdepolymerase wrote:
| It is not. Healthcare and communications are very much
| comparable if your life and livelihood are on the line. If
| the downside risk for both is a dead person then they are
| very much morally equivalent.
| isoprophlex wrote:
| Your neighbor asks you to drive them to the hospital. Do you
| lecture them on the failures of privatized healthcare? No,
| you defer your opinion to the relevant place and time.
|
| This right now is about people having their access to
| uncensored communication cut off, and moxie asking people to
| help out. If you think their architecture is doomed, you're
| free to codify your opinion somewhere in a pull request or
| comment under an article about signal's protocol philosophy.
| dijit wrote:
| The analogy falls a bit flat because this forum contains,
| mostly, the arbiter of the root problem- namely that signal
| is not censorship resistant by itself. And we should
| criticise them for that because it was a warning delivered
| in a timely manner and never heeded.
|
| Helping my neighbour in this case means allowing them to
| use my social insurance. Namely by using xmpp/matrix. It is
| low/no cost to them (unlike moving countries for socialised
| medicine.)
| 2cb wrote:
| > signal is not censorship resistant by itself. And we
| should criticise them for that because it was a warning
| delivered in a timely manner and never heeded.
|
| I don't believe Signal ever claimed to be censorship
| resistant to begin with. I just looked at their
| description on the App Store and nothing there mentions
| bypassing censorship.
|
| Signal in fact did used to be censorship resistant before
| they were prevented from using domain fronting by third
| parties outside of their control.
|
| Now the Iranian people need help and Signal has made it
| extremely easy for anyone who visits sites like this to
| kick in and provide that help. It's likely proxies are a
| stopgap solution but that's okay. Iranians are having
| their messages blocked now and Signal has managed to
| release a working fix rapidly.
| cyphar wrote:
| > > signal is not censorship resistant by itself. And we
| should criticise them for that because it was a warning
| delivered in a timely manner and never heeded.
|
| > I don't believe Signal ever claimed to be censorship
| resistant to begin with. I just looked at their
| description on the App Store and nothing there mentions
| bypassing censorship.
|
| Moxie's talk on Signal's centralisation and how (in his
| view) that makes it better than decentised systems
| explicitly claims that Signal is better at censorship
| resistance than "decentralised systems" (his comparison
| was basically limited to email and the argument was
| primarily that you cannot move email accounts easily --
| in my view that's a pretty colossal strawman of
| distributed systems, but you can be the judge)[1].
|
| This argument was based on the fact they do domain
| fronting (whoops) and that they can move their servers
| and update all clients simultaneously. I think it's more
| than fair to bring up that this argument is not true in
| practice and that other decentralised systems (such as
| Tor) are clearly far more censorship resistant than
| Signal. That doesn't mean you shouldn't help them solve
| the immediate problem though.
|
| [1]: https://www.youtube.com/watch?v=Nj3YFprqAr8&t=1027
| dijit wrote:
| You write this as if I contested anything you said. Maybe
| signal didn't _claim_ to be censorship resistant but it's
| _essentially_ marketed as such by well meaning people.
| It's "the secure messenger", what is it secure against if
| not governments? Your ISP?
|
| Or does security of access not get covered by this
| definition?
|
| If people had chosen a federated system instead, then
| instead of _needing_ this very quick solution to be
| hacked together, the system would have dynamically moved
| around it.
|
| But, it's a future we'll never know now. Signal has the
| mindshare (and certainly the favour!) of the people, so
| the ship has sailed and I'm tilting at windmills.
|
| I think it's ridiculous that we have to patchwork _their_
| broken system that _we_ warned them of, but that's the
| reality and I am not one to put principles before people.
| TheJoYo wrote:
| Everyone complaining this is just a cat-and-mouse game, it's not
| a game these people choose to play. They either play it or their
| movement dies.
| ncallaway wrote:
| Of course it's a cat and mouse game.
|
| That doesn't mean it's unwinnable. That means you create a lot
| of evasive mice and win.
|
| Perfect is the enemy of the good. This is the kind of thing
| where winning is more important than a perfect strategy.
|
| Be water.
| secfirstmd wrote:
| FWIW right now to any Iranian friends on here. We have Umbrella
| in Persian/Fa now available. It's a massive open source guide to
| digital and physical security. Everything from how to use Signal
| to how to deal with arrest.
|
| More info: https://www.secfirst.org.
|
| iOS: https://apps.apple.com/us/app/umbrella-security/id1453715310
|
| Android:
| https://play.google.com/store/apps/details?id=org.secfirst.u...
|
| Web (Beta): https://umbrella.secfirst.org
|
| Github: https://github.com/securityfirst/
| teekert wrote:
| I'd be happy to run this, but I don't really feel like spreading
| this (for everyone I know) useless info into my social network
| (which would be via email for me?)
|
| I would gladly sent a link to Signal for my proxy though so they
| can forward it to people that need it? Hmm, I'm beginning to see
| the problem now..
| wheybags wrote:
| Agreed, I'd happily run a server but I would need some kind of
| aggregator service to post my proxy on. Surprisingly enough I
| don't have many contacts in Iran lol
| teekert wrote:
| But, I do understand that it is otherwise difficult to reach
| Iranians and not hand their government a list of urls to
| block. But I think my reach is useless. If your reach is not,
| then maybe you'll also reach the Iranian government easily.
|
| Moreover, should I run this from my personal server? Could it
| become a target for nefarious stuff? I feel the same as I do
| when I think about running a TOR exit node. I want to be like
| my hero Edward Snowden but... I'm afraid of the stuff that
| gets associated with my IP address.
|
| Also, a https://www.linuxserver.io/ Docker image would be
| cool ;)
| notsureaboutpg wrote:
| I have contacts in Iran but none of them are having trouble
| accessing Signal (I'm talking to them with it right now!)
| realducksoft wrote:
| Here is an interesting discussion:
| https://github.com/signalapp/Signal-TLS-Proxy/issues/3
| dunefox wrote:
| Wouldn't Briar be a good choice? https://briarproject.org/
| aendruk wrote:
| Not yet. https://code.briarproject.org/briar/briar/-/issues/445
| upofadown wrote:
| Apple devices are fairly rare in Iran.
| lucb1e wrote:
| They're fairly rare compared to Android in most countries,
| actually, also rich countries. That it doesn't work on
| Apple devices being seen as a blocker was the last thing I
| expected when clicking that link.
| pmlnr wrote:
| There was an article in 2014: "Imagining a Rebel Firefox" (
| https://medium.com/@efrensandoval/imagining-a-rebel-firefox-... )
| which played with the idea if every firefox node would become
| tor(ish) gateway.
|
| Is there no way to build this in the Signal clients themselves?
| Eg. on is on a wifi, try to upnp, ask the user if they'd wish to
| help.
| circularfoyers wrote:
| Similar to the Tor Project's Snowflake[1] Firefox addon?
|
| [1] https://addons.mozilla.org/en-US/firefox/addon/torproject-
| sn...
| samename wrote:
| Thanks for mentioning this! I'm surprised I hadn't seen this
| before.
| qwertay wrote:
| No because mobile devices suck for P2P. Even on wifi and
| plugged in you likely couldn't force your app to stay open and
| the phone on. Easier to tell a bunch of people to run a docker
| container on a raspberry pi.
| sergiosgc wrote:
| Signal should be federated. This censorship problem would not
| exist, or would be organically routed around, were the service
| federated.
|
| Without federation, Signal is just another stepping stone in the
| long path of eventually abandoned instant messengers, all the way
| back from ICQ. We will get to an SMTP-like protocol, and email-
| like service, at some point. If not Signal, some other one.
| vineyardmike wrote:
| > organically routed around
|
| Do any SMTP servers still allow organic routing? I was under
| the impression that all modern servers have extremely
| cumbersome auth/dkim and its hard to not be GMail and still
| send a real msg and have it arrive
| BenjiWiebe wrote:
| DKIM/SPF really aren't that bad. And you can not be Gmail and
| still get emails sent. Except Outlook/Hotmail/etc will
| randomly start blocking your emails, and only unblock your
| emails after you pester them enough.
| robertfw wrote:
| Have a look at matrix - https://matrix.org/
| ignoramous wrote:
| Signal was federated at one point:
| https://lwn.net/Articles/687294/
|
| Moxie, one of the original authors of the Signal protocol, said
| federation severely restricted flexibility and so they had to
| move on: https://news.ycombinator.com/item?id=11668912
| Evidlo wrote:
| They "federated" with only one other server run by the
| Cyanogenmod team.
|
| Agreeing on and keeping some spec up to date is a solved
| problem. Just ask any web standards committee.
| WookieRushing wrote:
| I'm not so sure. Moxies reasons about how federation leads to
| protocol development slowing and then freezing are solid.
|
| It's why we re not using smtp for chat. SMTP can't be extended
| enough so replacements are built instead. Similarly if signal
| federated, eventually it would freeze and a few years later
| users would move to wherever they could get new features.
|
| Federation is a good thing but only when the protocol is
| finished or if there is a forcing mechanism to allow updates to
| the protocol. ethereum/Bitcoin are good examples as they have
| flag days that force the value of currency to be in the balance
| to keep the protocol moving forward.
| rthomas6 wrote:
| I don't see what prevents updating as long as you don't care
| about fragmentation. You probably can't compile all brand new
| software on a very old Linux kernel, but who cares. I mean
| yeah, you'll have to care more about fragmentation, but it's
| not all or nothing. You'll still be able to update the
| protocol, you just have to make breaking changes less often.
|
| I think XMPP is a better comparison than SMTP. In its heyday,
| XMPP had several clients, some with different proprietary
| extensions, and all the core functionality basically worked
| across all the clients. Though it turns out some of the
| messengers I thought were XMPP were actually different
| protocols that XMPP could work with. Imagine that. People
| still use it too, though it's not as popular as it was in the
| 2000s.
| admax88q wrote:
| Honestly deltachat works great and its chat over smtp and
| imap.
|
| Im not sure "chat" needs this much constant "innovation" at
| the protocol level. Most of the issues with email are client
| UX more so than actual protocol limitations.
| beermonster wrote:
| Not really kept up with the latest with this, but chat over
| IMAP is a thing
|
| https://archive.fosdem.org/2020/schedule/event/coi/
| doublestandard2 wrote:
| It's an irony how American companies try circumvents another
| country's law (regardless of whether you call it censorship or
| not, it is still a law) and boast about it.
|
| Yet, in the US these companies help the mainstream narrative to
| enforce censorship by banning (Google and Apple App market) or
| simply not offering other point of views basic hosting services
| (AWS).
|
| I am an Iranian and don't agree with all of our government
| actions but I can clearly see a tech neo-colonialism/neo-
| imperialism here. I am sure Signal's intention and people wanting
| to help is genuinely good but this does not change this double-
| standard.
|
| I would like to see your supportive reaction if an Iranian
| company offers hosting to Parler. I imagine you would call it
| foreign intervention!
| Krasnol wrote:
| > Yet, in the US these companies help the mainstream narrative
| to enforce censorship by banning
|
| Why THESE companies? Where did Signal do this? Or are all US
| companies the same entity to you?
| doublestandard2 wrote:
| I describe my sentiment more precisely. By "these companies"
| I refer to entities or even individuals who take a very
| simplistic view toward this issue (Blocking of Signal by
| Iranian government).
|
| In this simplistic viewpoint, issues in 3rd world countries
| (even this naming is condescending) are assumed to be
| evident. In this case an evil government versus oppressed
| people who can not even communicate with each other freely.
| So 'we' good people must help these poor people against their
| oppressive government.
|
| This is in contrast to a much more nuanced view of the issues
| in the west. End-to-end encryption is a debated issue in the
| US and EU and legislators have proposed laws to ban it or
| enforcing other mechanisms to circumvent by law enforcement
| such as backdoors.
|
| I mentioned the US as an example, because of Signal is
| operating under US jurisdiction. Moreover, the recent events
| in the US demonstrated that how a supposedly stable democracy
| is vulnerable to chaos. In this situation the tech companies
| decided to limit the communication of people or access to
| their platform for the greater good (according to them). I am
| not stating whether this is good or bad. I just want to point
| out that the issue is complex, nuanced and needs debate in
| the society. Keep in mind that the US is a superpower
| surrounded by two oceans and two friendly countries and has
| no serious external threat.
|
| This is in contrast to Iran which is in a chaotic region and
| surrounded by the US military bases. It has suffered wars and
| coup in its recent history. It is currently under harsh
| economic sanctions with a possible goal of people revolting.
| The Iranian government has reasons to be paranoid and fearful
| that Signal can be used to organize violent demonstration.
| They cannot even demand information regarding criminal cases
| such as drug trafficking from these tech companies.
|
| In the US the decision of giving access to tools and
| platforms is out-sourced to companies but in most part of the
| world governments make these kind of policies (again not
| necessarily good or bad).
|
| I don't have a solution to these problems and I am not trying
| to say that we have an equivalence here. What I am expecting
| is a more nuanced and sophisticated perspective toward the
| issue.
| Krasnol wrote:
| > This is in contrast to a much more nuanced view of the
| issues in the west. End-to-end encryption is a debated
| issue in the US and EU and legislators have proposed laws
| to ban it or enforcing other mechanisms to circumvent by
| law enforcement such as backdoors.
|
| It looks to me like you try to cloud your false argument in
| whataboutisms based upon a profound lack of knowledge:
|
| > I mentioned the US as an example, because of Signal is
| operating under US jurisdiction.
|
| The reason Signal is a good way to go is because this
| doesn't matter. Signal doesn't save any conversations they
| can hand over to the US (or other) government.
|
| > This is in contrast to Iran which is in a chaotic region
| and surrounded by the US military bases.
|
| Yeah, yeah I get it. We all do. US = bad but how does it
| change anything for the oppressed people in Iran we can
| help here? If those would have been people in the US, we'd
| be doing the same thing for them here in the EU.
|
| > What I am expecting is a more nuanced and sophisticated
| perspective toward the issue.
|
| A whataboutism and derailment of the issue is neither
| nuanced nor sophisticated. It's quite shady and ignorant.
|
| Here is something you can do to help people out but instead
| of doing that, you try to build some weird case which
| actually helps the Iranian government.
| hutzlibu wrote:
| "I would like to see your supportive reaction if an Iranian
| company offers hosting to Parler. "
|
| This is a hacker forum and not a US foreign ministry praise
| board, even though it is mainly US based. In other words, I
| doubt the reaction here would be rage, if a iranian company
| would do that. Hackers usually are not in favor of censorship
| or information restriction.
|
| So who do you mean, with "you"?
| doublestandard2 wrote:
| Fair enough, you have a good point. By, "you" I mean a tech
| person who is supportive of Signal action and is willing to
| setup a proxy without realizing that this is circumventing
| another country's law.
|
| I agree I could have said it more clearly and less
| emotionally.
| Normille wrote:
| I think you expressed it really well. Double standards and
| hypocrisy seem to be one trait that Americans inherited
| from their British founders.
| alentist wrote:
| > Hackers usually are not in favor of censorship or
| information restriction. So who do you mean, with "you"?
|
| There are many comments on previous HN threads defending
| censorship and information restriction, precisely as the GP
| has described it.
|
| https://news.ycombinator.com/item?id=25693742
|
| https://news.ycombinator.com/item?id=25691631
|
| https://news.ycombinator.com/item?id=25706993
|
| https://news.ycombinator.com/item?id=25733038
| hutzlibu wrote:
| There are certainly peoole here defending censorship, but
| the parent poster spoke like "we" would follow US geopolicy
| in general. And in general I don't see the majority here in
| favor of kicking out parler etc.
|
| Rather the contrary. Anyway, by my tautological definition
| of hacker, no hacker would be in favor of banning a
| communication app, anyway, so ...
| ryanlol wrote:
| What you call "defending censorship" is perhaps better
| described as "defending free speech". Forced speech is not
| free speech.
| alentist wrote:
| _Censorship is the suppression of speech, public
| communication, or other information, on the basis that
| such material is considered objectionable, harmful,
| sensitive, or "inconvenient." Censorship can be conducted
| by governments, private institutions, and other
| controlling bodies._
|
| Amazon, Apple, Google, Twitter, Facebook, etc. are
| multibillion-dollar corporations that control a colossal
| share of online communications.
|
| Let's not play pretend here.
| swebs wrote:
| Stong disagree. When a handful of tech companies that
| form an Oligarchy on modern communication decide to
| systemically oppress members of one political party,
| that's the antithesis of free speech.
| ryanlol wrote:
| Lets not pretend that this has anything to do with their
| political party.
|
| Would you also say that tech companies banning ISIS is
| systematically oppressing members of one religion?
|
| > that's the antithesis of free speech
|
| It's not. Companies enjoy freedom of speech too, but
| you'd force them to publish content they don't want to
| publish. That's the antithesis of free speech.
| pre wrote:
| Well. A Russian company, DDos-Guard, did host Parler in the end
| didn't they?
|
| And sure enough, the FBI is investigating.
|
| Signal is a charity rather than a company, but dunno if that
| makes any actual difference.
| throwaway19937 wrote:
| > I would like to see your supportive reaction if an Iranian
| company offers hosting to Parler. I imagine you would call it
| foreign intervention!
|
| It's fine with me if an Iranian company offers to host Parler.
|
| Having said that, I'm also in favor of prosecuting US companies
| that violate any sanctions we have against Iran.
| notsureaboutpg wrote:
| Why are you in favor of sanctions on Iran? I've never really
| heard a good argument. It mostly tends to be "Well they say
| things I don't like that scare me, like Death to America" so
| very anti free speech type arguments.
| throwaway19937 wrote:
| I vouched for this post but you appear to be shadow-banned.
|
| > Why are you in favor of sanctions on Iran?
|
| My position isn't that Iranian sanctions are a good idea -
| I don't yet have an informed opinion about them.
|
| We have laws against US companies trading with Iran and I
| believe in the rule of law as a general principle.
| reactspa wrote:
| Am honestly not trolling here although it will sound like it:
|
| Can someone please explain to me why it's a OK to reconnect
| Iranians to Signal, but not Trump supporters to Twitter (the
| ones censored and banned by Twitter)?
| beirut_bootleg wrote:
| Because Signal didn't block Iran? This is false equivalence.
| [deleted]
| [deleted]
| scaramanga wrote:
| Hi, glad to help. The answer is that it depends on what your
| values are.
|
| If you want to reconnect people to twitter (a publishing
| platform) who have been banned for racist hate speech or
| inciting violence, and the laws in your jurisdiction permit
| you to do that. Then you can do that without going to jail.
|
| If you want to reconnect people to signal (a personal
| communications tool) who have been disconnected from it due
| to reasons best understood by the Iranian government, an the
| laws in your jurisdiction permit you to do that. Then you can
| do that without going to jail.
|
| It's really just a value judgement whether you consider
| giving a publishing platform to racists against the will of
| said publishing platform is a worthwhile activity.
|
| And, again, it's just a value judgement whether you consider
| giving the right to privately communicate back to Iranians
| who have been, effectively, deprived of it by connecting them
| to a service which will willingly have them is a worthwhile
| activity.
|
| Your values may differ from mine. And both my and your values
| could differ from the majority of HN users. My experience is
| that perfect alignments of values rarely, if ever, occur
| between any two individuals.
| im3w1l wrote:
| It goes way way beyond inciting violence. For example,
| Facebook recently shut down the page of Socialist Workers
| Party in Britain. Facebook suspended well known libertarian
| Ron Paul. Timer blocked links to the New York Post Joe and
| Hunter Biden expose and locked accounts that shared it.
| scaramanga wrote:
| Thanks for pointing that out. Yes, sadly, it would appear
| that those are the values of Facebook and Twitter.
| Insofar as an institution like a corporation can be said
| to possess "values" anyway...
|
| But let's just assume we both dislike the editorial
| policies of Twitter. A pretty safe assumption, I think :)
|
| Will spamming Twitter via a network of TLS proxies do
| anything to change their editorial policy to something
| more preferable to you or I?
|
| Will setting up a network of TLS proxies to Signal give
| Iranians access to Signal?
|
| Perhaps the answer to those two questions will give some
| indication as to what the practical (and moral)
| differences are.
|
| For my two pence. I think anyone should be allowed to use
| a phone for any purpose, and I accept that a tap-proof
| phone can be used to commit crimes. I don't think Osama
| Bin Laden should be able to take out a page in the new
| york times to give his hot take on his "hugely
| successful" WTC attacks. Don't get me wrong, I'm not
| saying that these examples map directly to the point in
| hand, but I am just pointing out that they are different
| media and the balance between freedom of speech and
| public decency are struck differently and that tactics
| for finding political solutions to censorship in each
| case might look different, too.
| [deleted]
| jb775 wrote:
| Ironic how people want to help de-censor what's considered to be
| an enemy nation (by the media), but are ok with censoring half
| their next-door neighbors based on politics.
| olah_1 wrote:
| They're already discussing what to do when "fascists" (read:
| Christian rednecks) start posting signal group links.
|
| > One employee pointed out that fascists are often quite public
| about their activities, as the recent insurrection in broad
| daylight at the Capitol showed
|
| https://www.theverge.com/22249391/signal-app-abuse-messaging...
| Jweb_Guru wrote:
| Nobody here thinks anyone in the US should be unable to use
| Signal.
| jb775 wrote:
| > One employee pointed out that fascists are often quite
| public about their activities, as the recent insurrection in
| broad daylight at the Capitol showed
|
| https://www.theverge.com/22249391/signal-app-abuse-
| messaging...
|
| Thanks to olah_1 for this reference
| andrewzah wrote:
| ...Until it gets branded as a white supremacist tool for
| encrypted communications.
|
| Call me extremely pessimistic but events like Jan 6. will be
| used as justification to start attacking applications that
| offer end-to-end encryption, and encryption in general. Just
| like 9/11 was used to justify eroding certain civil
| liberties.
| gonational wrote:
| I love how everyone here jumps on this, spread the love and joy
| for Iran, meanwhile much of the same group of people is perfectly
| OK with an entire cohort of our population being utterly censored
| and shunned. Best of all, the same cult will down vote this
| comment into oblivion, and while doing it they will convince
| themselves that they are doing it to make this prediction a self-
| fulfilling prophecy, and then when they read this last part they
| will then again feel doubly justified. In the end, we all lose
| because of politics and ignorance. A couple will add a snide and
| "clever" reply, in order to justify their down vote to themselves
| and to others. Inside, everyone is lying to themselves, because
| they know the truth.
| l1am0 wrote:
| While you are on it. There is a similiar easy to use docker-
| compose file for setting up a tor bridge :)
| https://community.torproject.org/relay/setup/bridge/docker/
| [deleted]
| shervin01 wrote:
| Hi, from Iran with love!
|
| First of all, thank you moxie and signal team for this proxy.
|
| Until 2018, many Iranians used telegram but Iran's regime after
| Russia blocked this messenger. telegram released mtproxy and this
| proxy was helpful. Russia lifted the ban on telegram but this app
| is still blocked on my country. but with VPNs, many iranians
| still use this app. after 2018, second most popular messaging app
| in iran was whatsapp, until facebook's new privacy policy, like
| all of you, many iranians switch from whatsapp to signal.
| mullah's regime removed signal app from the iranian app stores
| and started blocking all signal traffic in the country, but they
| don't block whatsapp. I'm not a paranoid but it is difficult to
| understand for me why they didn't block whatsapp after 2018? can
| they break whatsapp encryption?
|
| I have a suggestion for signal team: please put tor in the
| signal, tor is better than any proxys or vpns.
| baxtr wrote:
| Thx Sherwin! Just out of curiosity: is iMessage working ok in
| Iran?
| tgragnato wrote:
| I'm not Iranian, but I spent a lot of time over this for a
| friend. iMessage works ok once you are able to activate it.
| But Apple insists on contacting "init-p01md.apple.com" with
| plaintext HTTP, this sometimes connects successfully, but
| often it doesn't.
| alireza94 wrote:
| Not the OP but, I can confirm that iMessage works perfectly
| in Iran; However, because of both economical situation
| (inflation and the higher price of iPhone comparing to
| average Android phones) and the fact that local companies
| cannot release their apps on the AppStore, only a small
| portion of people use iPhone or in this case iMessage.
| spullara wrote:
| I'm surprised that Tor isn't integrated already. Moxie was
| pushing that at Twitter - a prototype was even built.
| elif wrote:
| Blocking tor exit nodes is considerably easier than an
| arbitrary proxy server. Tor provides a list, in fact.
| kodablah wrote:
| Using onion services doesn't use exit nodes, that's only
| for exiting to the public internet.
| lights0123 wrote:
| No, it's the opposite--if Signal _wants_ exit nodes, they
| obviously won 't block them. It's the entry nodes that need
| to be blocked. Some are easy to find, but others require
| you to send an email from a unique email address from a
| trusted provider to get lists of IPs.
| kijiki wrote:
| These blocks tend to be reactive, so if a blocked app starts
| using Tor, Iran will block Tor fairly quickly. So in return
| for a short-lived regain of the use of Signal, all of Tor
| gets blocked.
|
| This proxy arrangement is better because folks who start them
| tell their friends in Iran, who tell their friends, but it
| isn't listed publicly, like most Tor entry nodes are. When
| the authorities find a proxy and block it, they only
| disconnect a subset of Signal users, who hopefully have other
| proxies they've learned from other friends or friends-of-
| friends. So now the blocking is trying to put out a thousand
| small fires that they have to find one-by-one.
|
| <I have consulted for the Signal Foundation in the past, but
| not recently and haven't talked with anyone there about this>
| xrisk wrote:
| Tor bridges work in the same way as this proxy; except Tor
| operates a centralized way of getting access to them.
| 7357 wrote:
| Love back!
| 2cb wrote:
| I just set up one of these Signal proxies. Hope it helps you
| and others in your country communicate freely and safely. [1]
|
| Regarding Tor: if you want a Signal-like app that uses an onion
| router look at Session. [2]
|
| It uses the same encryption protocol and very similar UI to
| Signal but routes all traffic through the Loki network so your
| traffic passes through three nodes. It is an onion network like
| Tor.
|
| One other benefit of Session is the lack of metadata inherent
| to its design. No phone numbers or even usernames are attached
| to your account. You get a set of characters that looks similar
| to a bitcoin address and a QR code to make sharing it easier.
|
| Of course this lacks the convenience of Signal but it's as hard
| to block as Tor.
|
| [1] https://signal.tube/#signal.xanny.family
|
| [2] https://getsession.org
| southerntofu wrote:
| I don't understand the point of reinventing many wheels. Why
| not build a friendly chat app on top of established onion
| routing protocols (Tor/I2P), or add your own onion routing
| backend (proxy) to established federated chat apps like
| Conversations, which already has perfect Tor integration for
| Jabber/XMPP over .onion servers?
|
| Also, Session is promoted as a non-profit project, but
| following links around about LokiNet and Oxen you find out
| about a blockchain-based cryptocurrency, which is known to be
| an anti-pattern on many levels (though they use Proof-of-
| Service not Proof-of-Work which is slightly less worse).
|
| Finally, Session appears to be free-software (good), but is
| not distributed on F-Droid, the only privacy/security-
| friendly app store for Android. They encourage you to
| download random APKs from Google Play (which requires Google
| Play Services malware and a google account) or Github (owned
| by Microsoft, though i note they sign checksums with PGP on
| Github so it's safer to download from there than Google Play,
| even though they don't provide instructions on how to verify
| signatures). On F-Droid, they could either have F-Droid
| build/distribute the package with Fdroid's PGP key, or open
| their own F-Droid repo with their own PGP key (like Newpipe
| did), or both.
|
| I really appreciate their communication around dissent and
| the need to protect communications to help the people against
| their governments. However these three points i just noted
| are really shady to say the least. I understand they need to
| please investors to put money in their fridges, however
| trying to mix for-profit incentives with non-profit services
| to the communities is always a dead-end.
| aftbit wrote:
| Session has:
|
| 1. An associated crypto-currency (not outright bad but weird
| smell IMO) [1]
|
| 2. Abandoned perfect forward secrecy and deniability [2]
|
| 3. Never completed an audit (though supposedly one is in
| progress) [3]
|
| There are a million and one encrypted chat programs out
| there. Why should I use this one?
|
| [1]: https://github.com/oxen-io/oxen-mobile-wallet
|
| [2]: https://getsession.org/session-protocol-technical-
| informatio...
|
| [3]: https://getsession.org/faq/
| upofadown wrote:
| >Abandoned perfect forward secrecy and deniability...
|
| I suspect that is the future for encrypted messaging.
| Pretty much everyone ends up keeping their old messages
| around thus negating the value of forward secrecy[1].
| Deniability ends up being just some forgability scheme in
| most cases[2].
|
| So the benefit of those features turned out to not be worth
| the extra risk of the added complexity.
|
| [1]:
| https://articles.59.ca/doku.php?id=pgpfan:forward_secrecy
|
| [2]:
| https://articles.59.ca/doku.php?id=pgpfan:repudiability
| 2cb wrote:
| I mentioned it because it has a seamlessly built in onion
| routing protocol. I read further down the thread that Tor
| is blocked in Iran, but I'm guessing the same is unlikely
| to be true of Loki/Oxen simply because it isn't nearly as
| well known.
|
| The lack of metadata is also quite a unique selling point
| in my eyes. There's a million encrypted messengers now
| sure. How many automatically connect through an onion
| router with zero config required and don't require you to
| create an account at all, but instead assign you a random
| ID disconnected entirely from your phone number, email, and
| other personal identifiers?
|
| It's certainly an option to consider is the only thing I'm
| saying. Tor was mentioned so Session popped into my head
| for the reasons mentioned above.
|
| Regarding PFS. They currently implement the Signal
| Protocol. Session is of course FOSS so anyone can check
| this. Your source does say they're planning to fork it as
| the Session Protocol later this year so it integrates with
| their network more easily. But that's an upcoming,
| unfinished project. To be honest I don't know much about it
| as it's still in development. I do know that currently
| Session uses the Signal Protocol through an onion router
| without the need to so much as create an account.
|
| And yes the network itself is a bit of a convoluted idea
| that tries to do many things at once, but the fact they run
| on a blockchain means they already have a lot of nodes set
| up in different countries around the world through which to
| route traffic, and the reason they could build a
| decentralised network quite quickly despite being a
| relatively young project is they incentivise those node
| operators with cryptocurrency.
|
| Because it is a young project they are still undergoing
| audit yes. This is absolutely something worth noting. It's
| a relatively new project. It's no longer in beta, but
| nowhere near as well established as Signal. However it's
| precisely because of this it's unlikely governments are
| bothering to target it yet.
| hayalci wrote:
| Jami and Tox are completely decentralized messaging
| systems. They are not directly associated with
| "blockchain" buzzword as well so they have that going for
| them, too.
|
| https://jami.net/
|
| https://tox.chat/
| 2cb wrote:
| Jami uses git and TLS to implement E2E encrypted
| chats.[1] That doesn't sound all that secure to me. I'd
| feel much more comfortable using a fork of Signal with an
| onion router.
|
| I don't get the prejudice some have against blockchains
| either. It's not even like this is Keybase where they
| shoehorned a crypto wallet into the app. They do have a
| wallet but it's a totally separate application. Session
| is purely a messenger and nothing else, you'd have no
| idea a blockchain was involved at any part of the backend
| if you weren't told about it.
|
| I have played around with Tox and it's a cool project,
| but it's been in beta since 2014 and is not well
| optimised for mobile at all. I don't think it'll go very
| far personally.
|
| [1] https://jami.net/swarm-introducing-a-new-generation-
| of-group...
| olah_1 wrote:
| Session protocol is currently running on session now[1].
| It's actually the reason that they were able to allow up
| to 100 people in closed groups now.
|
| [1]: https://getsession.org/session-release-roundup-10/
| 2cb wrote:
| Looking at the technical writeup [1] it sounds like
| they're currently running a hybrid of the two as they do
| a staged rollout of the various changes they've made to
| the Signal Protocol.
|
| But yes you are correct it looks like they're justifying
| ditching PFS by saying "if someone has your keys you're
| screwed anyway."
|
| However they're not just stripping away security
| outright, it's more that they're betting on onion routing
| to cover the user instead - no one who is sniffing
| traffic on your WiFi network will be able to get your
| keys because the traffic is routed through the onion
| network, therefore the only way anyone would get those
| keys is by pwning your entire device or having physical
| access to it while it's decrypted which, as they note, is
| endgame no matter what messenger you use.
|
| I don't necessarily think this is smart as it's best to
| not put all your eggs in one basket especially where
| security is concerned. But given all traffic goes between
| 5-7 nodes [1] the scope for someone without remote or
| physical access to your device to get your keys is
| extremely limited _assuming_ their onion network is as
| secure as they claim.
|
| As for deniability, they sign the message with the long-
| term keypair, but once the message is validated this
| signature is wiped. So again it pretty much comes down to
| relying on their onion routing to ensure this signature
| isn't intercepted in transit.
|
| Finally I think it's relevant Session is really designed
| for a different use case than Signal - since your ID is
| not connected to any personal identifiers, you can wipe
| it whenever you want and get a new ID that has zero
| cryptographic connection to the old one. So while there's
| no ratcheting of keys, the intention isn't really for
| someone to stick with the same account for years like it
| is for Signal where your account uses your phone number
| as an identifier.
|
| I'll wait for the results of the audit, if they come out
| and say Session is fundamentally flawed I'll happily
| concede. I have zero ties to this project aside from
| finding it useful for particular use cases. My prediction
| is the initial audit will find some potential vulns as
| they roll out more of the Session Protocol simply because
| it's a new fork. Probably why they're getting the audit
| done now. That's the responsible move when forking a
| crypto protocol it seems to me.
|
| I maintain that for people who want a messenger that
| knows as little about them as possible, doesn't rely on a
| personal identifier, and connects to an onion router
| reliably (by comparison, using Tor on mobile is... not a
| good experience) it's at very least an interesting
| project to watch even if it still needs time to mature.
|
| [1] https://getsession.org/session-protocol-technical-
| informatio...
| olah_1 wrote:
| My only annoyance with the crypto currency is that it
| doesn't have a good UX yet. They have stated before though
| that Session will always remain free for everyone. I think
| compensating node operators in some capacity makes sense
| but if it's not implemented well, node operators feel a bit
| screwed over.
|
| Regarding your footnote #2 about PFS, it said this (among
| other things).
|
| > In some theoretical scenarios, these properties do
| protect users; however the utility of these protections in
| real-world scenarios is often more limited in scope than
| might be expected. We must also consider that these
| safeguards are offered at the expense of additional
| complexity, decreased account portability, and multi-device
| limitations. These protocols were simply not designed to be
| run over a decentralised network.
|
| I have to say, I've considered the utility of it myself. It
| seems to me that I'm far, far more likely to have my chats
| compromised through my chats being stored in plain text on
| my devices than in a technical scenario that PFS could have
| prevented. What do you think?
| 2cb wrote:
| I haven't played with their crypto wallet honestly so I
| can't provide any kind of informed opinion on it. It's a
| fork of Monero, but Monero is more widely accepted.
| Although Monero's wallet has a terrible UX too so if
| they've forked their wallet too, that'll be why.
|
| Session has a pretty nice UX though, better than Wickr
| which has been around longer, although not as refined as
| Wire. It's pretty much a more barebones Signal without
| phone numbers as far as pure UX goes. It should follow
| the system setting for dark mode though. No idea why it
| doesn't.
|
| > I have to say, I've considered the utility of it
| myself. It seems to me that I'm far, far more likely to
| have my chats compromised through my chats being stored
| in plain text on my devices than in a technical scenario
| that PFS could have prevented. What do you think?
|
| To be honest I agree. It's always good to have layers of
| security in case there's an exploited vulnerability in
| one. However, it seems pretty far fetched that someone
| with the ability to pull off a successful attack to grab
| your keys in the first place is going to be stopped from
| grabbing past messages by PFS.
|
| If they've got your keys they've either cracked the
| layers of encryption that protect them in transit (highly
| unlikely) or they've pwned your device (much more
| likely). If they've got remote code execution on your
| device PFS isn't going to make any difference to
| anything. As you say, messages stored in plaintext is a
| far bigger real world risk.
|
| This is why I always have disappearing messages on. That
| makes me feel safer than PFS. At least then in the worst
| case scenario past messages simply aren't there in
| storage.
|
| To put it another way, if I had to choose between
| disappearing messages and PFS, and I could only have one,
| I'd choose disappearing messages.
|
| And it does also seem to me less like they're removing
| security, more like they're relying on a different form
| of it. They're having to strip PFS to make the protocol
| work reliably on their onion network. The fact all my
| traffic goes E2EE through 5-7 nodes, as per the technical
| description, should provide a strong level of protection
| against any traffic sniffing threat model assuming their
| fancy new way of doing onion routing is as secure as they
| say.
|
| It seems to me that's what it really hinges on. As long
| as their onion router is actually secure, the E2EE
| messages are going to be secure in transit.
|
| The biggest risk then would come back to unpatched
| exploits or 0days in the OS or side channel attacks in
| Session itself. That's how most attacks on messengers
| succeed after all, not by complex attacks on the crypto
| protocol but through side channel attacks in the
| application or exploits in the underlying OS.
| Melting_Harps wrote:
| > My only annoyance with the crypto currency is that it
| doesn't have a good UX yet. They have stated before
| though that Session will always remain free for everyone.
| I think compensating node operators in some capacity
| makes sense but if it's not implemented well, node
| operators feel a bit screwed over.
|
| Preface: i've been in it since 2011, but I entirely
| agree. It's still too complicated for most users, but we
| as community have gone a long way from where we were 10
| years ago, so we certainly have blinders as to where to
| improve upon.
|
| Could you specify what it is specifically that makes the
| overall UX so disappointing? I ask because I think we are
| now entering a phase of on-boarding a lot of non-tech
| people onto BTC network as payment settlement networks
| and other misc financial services, something I already
| have personal experience with, but having a tech person
| lime these out would be a tremendous help.
|
| Thanks!
| toyg wrote:
| _> can they break whatsapp encryption_
|
| They don't have to, they just need Facebook to cooperate.
| k3j45hkj34hkj wrote:
| I think you mean the phone vendors, as they are the ones
| holding the unencrypted chat history in the users cloud
| storage. Facebook themselves do not have access to the chat
| logs (unless they are compelled to inject keys).
| WhyNotHugo wrote:
| Terms and conditions were updated a few weeks ago. The fact
| that the key will only remain on your phone has been
| removed from them.
| 2cb wrote:
| They could literally have a hidden function in WhatsApp
| that scoops up all your chat history and sends it to
| Facebook if the government ask them to. It's closed source.
| No one has a clue what it's doing.
|
| To be clear I'm not suggesting this is absolutely
| happening. I'm merely pointing out it's entirely possible
| from a technological perspective given it's closed source
| software owned by Facebook. That's not a recipe for
| privacy.
| ryanlol wrote:
| > It's closed source. No one has a clue what it's doing
|
| This is just bullshit. If you have access to the binaries
| you can find out what the software does.
| lmm wrote:
| The same is true of Signal in most practical ways. You
| can only run it on platforms that are fundamentally
| closed-source (either iOS or Google Play Services), so
| there's no reason to believe the RNGs it uses (and
| therefore all your session keys) are not backdoored. And
| you can only install it through official app stores where
| it's difficult or impossible to inspect what binary you
| have or "pin" a given version. So I don't see that it's
| meaningfully more secure than WhatsApp.
| 2cb wrote:
| The mere fact it hoovers up less metadata alone makes it
| more private. I also trust the developers more way way
| more than I trust Facebook. That's a personal preference
| though and if you trust WhatsApp and don't mind that it
| leaks contacts and other metadata to Facebook to profile
| you then use WhatsApp.
|
| If I wanted to I could install a fork of Signal that
| doesn't require Google Play [1] and run it on any non-
| Google Android build. I would do if it wasn't for the
| fact I'm currently using an iPhone.
|
| [1] https://langis.cloudfrancois.fr/
| acct776 wrote:
| I run Signal on GrapheneOS and find this comment
| incorrect and borderline offensive.
| lmm wrote:
| I see that Signal no longer depends on Google Play
| Services specifically. However it's still the case that
| it depends on proprietary Google code (it just includes
| that code in its own APK now) and still can't practically
| be installed without auto-update (again, it just includes
| that in its APK).
| tga_d wrote:
| The "proprietary Google code" is a library with a well
| defined API, you can see what it has access to. I agree
| that Signal should take it out, but it's not an
| especially big deal from a security perspective.
|
| The auto update functionality just tells you that an
| update is available, you can choose not to install it.
| You can also independently verify that the sha256 sum
| matches the one given on the website, and that the binary
| that sha256 sum corresponds to is produced via the
| reproducible build instructions. There are occasional
| bugs (I'd estimate a couple times a year, though it's
| less and less frequent) that causes the reproducible
| build to not match the provided build, and it's quickly
| noticed by someone and an issue opened in the issue
| tracker. If there were no explanation or no quick
| resolution, people would publicly raise a stink about it.
| xorcist wrote:
| > you can choose not to install it
|
| There is a time bomb in there and servers will kick you
| out regularly unless you have updated.
|
| If you get a patched client running you could probably
| change whatever string is required but some sort of
| action is required on the client side.
| tga_d wrote:
| Sure, but that's an unrelated phenomenon to the security
| implications being discussed. The argument against auto-
| updates is "it's running code without my permission or
| ability to audit first"; putting a recency requirement
| for client-server communication doesn't impact that
| concern, and I don't see any reason why it would be
| considered a bad thing.
| josephg wrote:
| To be clear about the threat vector, there's also nothing
| stopping signal from doing the same if they wanted to.
| Its impossible to tell if the version of signal you
| download from the app store is unmodified from the code
| you can find on github. I trust signal more than I trust
| facebook, but if you use signal, even though its
| opensource you _still_ have to trust them not to put
| anything funky in the binary they upload to apple
| /google.
|
| I'd love for iOS and android to add some sort of OS-level
| application hash or something. "This app was compiled
| with xcode version X / llvm version Y with this set of
| options. The resulting binary hashes to ZZZ". That way
| with the source code you could verify that the binary on
| your phone is unchanged.
|
| (Another approach would be to get apple / google to do
| the compilation themselves from the project on github. If
| apple builds my project, they could put some signed
| metadata in the bundle saying "We (apple) compiled this
| from git SHA XXX")
| 2cb wrote:
| This is very true. Reproducible builds for mobile apps
| would be far superior. You can build Signal from source
| for Android if you wish, although obviously this is a
| massive pain to do for each update, there's absolutely
| nothing stopping you from doing it.
|
| On iOS it's a lot more difficult to get the required
| certificates from Apple but you can run your own build in
| Xcode and deploy it to your personal device if you are a
| registered Apple developer.
|
| While reproducible builds are obviously the gold
| standard, for apps you install from the Play Store or the
| App Store, developers sign the apps that get distributed
| with their own private keys. As Google and Apple don't
| have access to these it should be verifiable that the
| apps are not tampered with.
|
| There is an exception here with the Play Store, where
| there is an opt-in option for Google to sign the app on
| your behalf [1], but I think we can safely assume Signal
| are manually signing with their own private keys.
|
| In any case it's easy to just grab an APK from an Android
| device and check signatures for yourself.
|
| For iOS though, no surprises here it's locked down.
| Although from what I gather reading Apple's security
| documentation, it confirms that apps must be signed by
| developers with their private keys. [2] But unlike
| Android there's sadly no way I can tell for the user to
| independently verify this without jailbreaking.
|
| But ultimately, short of building each version yourself,
| all this is moot if you distrust the developers.
|
| [1] https://developer.android.com/studio/publish/app-
| signing [2] https://manuals.info.apple.com/MANUALS/1000/M
| A1902/en_US/app...
| hanniabu wrote:
| Are there any instructions to build the app yourself for
| signal?
| mariojv wrote:
| Yes, they have some docs on GitHub for how to do it:
| https://github.com/signalapp/Signal-Android/wiki/How-to-
| buil...
|
| You can build the iOS version too for development:
| https://github.com/signalapp/Signal-
| iOS/blob/master/BUILDING...
|
| I haven't done it before but you should even be able to
| deploy that build to your phone in theory:
| https://codewithchris.com/deploy-your-app-on-an-iphone/
|
| It's unclear to me if there are any restrictions on iOS
| that would prevent you from doing that.
| hanniabu wrote:
| I just realized one issue with this is that their latest
| production branch is private so you would receive delayed
| updates.
| josephg wrote:
| I spent a few hours trying to get a local build of
| signal-ios working a few weeks ago, in order to write a
| PR fix a bug with lost voice messages. The xcode project
| uses a plethora of device entitlements I'm not allowed to
| have (since I don't have the proper signal signing key).
| Even after a couple hours of tweaking to get it building
| and deployed to my device, its currently crashing on
| startup because it can't access some special signal local
| device store.
|
| You can certainly get your own build working (without
| notifications and other features). But personally I found
| it prohibitively difficult to do so.
| Nextgrid wrote:
| I think you will have a problem when it comes to push
| notifications. I doubt a local build would be able to
| receive push notifications addressed to App Store builds.
| greysonp wrote:
| Hi there, Signal Android dev here. We have reproducible
| build steps, so you actually can verify the code is the
| same :)
|
| https://github.com/signalapp/Signal-
| Android/tree/master/repr...
| vaduz wrote:
| Reproducible builds do not help to determine if the
| version you download via the Play Store (or, for those on
| enterprise devices, any pre-installed corporate stores)
| is the same as you build - Play Store presents no real
| means to verify that. This includes any auto-updates if
| they are enabled.
|
| It's an issue with Play Store as a delivery channel, the
| individual app in question can't do much about that.
|
| Reproducible builds help if you: - download the APK
| separately (includng from the Signal website, or some of
| the other sources) - install the file locally via
| sideload - disable updates (!)
| tprynn wrote:
| The instructions posted by the dev directly include
| instructions for pulling the APK from your phone which
| was installed through the Play Store.
|
| https://github.com/signalapp/Signal-
| Android/tree/master/repr...
| hutzlibu wrote:
| Reverse engeneering is a thing, though. I would think,
| there is fame to be gained to show such a behavior from
| whatsapp, so some hackers could feel motivated to do this
| from time to time.
| 2cb wrote:
| Absolutely. Of course hackers are reverse engineering
| WhatsApp, that's how all those nasty exploits it has keep
| getting sold to governments by the NSO Group.
|
| But reverse engineering is a skill in itself and modern
| day smartphone OS's use a lot of code obfuscation when
| apps are compiled. This effectively means even those
| talented hackers are going through the reverse
| engineering process pulling at threads until they get
| lucky.
|
| Reverse engineering (in this context, at least) doesn't
| just show you the code as the developer wrote it. And FB
| hires a lot of very clever people including cybersecurity
| experts who could sneak these things in using innocent
| looking code scrambled around the app. Even open source
| projects are at risk of having backdoors put in that pass
| review and simply look like innocent bugs if they get
| discovered, let alone closed source apps that have to be
| reverse engineered.
|
| Again not going conspiracy nut and saying that's what FB
| is doing. Just saying it'd be very easy for FB to hide it
| if they _were_ doing it.
|
| To me the biggest confirmed weakness of WhatsApp is the
| cloud backups. E2EE is pointless when the message
| database is synced up to iCloud or Google Drive. WhatsApp
| even tells you this itself. When you enable cloud backups
| (and they keep bugging you until you do it) it literally
| tells you the backups aren't secured by E2EE. [1]
| Because, well, of course they aren't.
|
| [1] https://faq.whatsapp.com/iphone/chats/how-to-back-up-
| to-iclo...
|
| "Media and messages you back up aren't protected by
| WhatsApp end-to-end encryption while in iCloud."
| kovac wrote:
| Well, WhatsApp client does have access to the unencrypted
| chats.
|
| Not saying this happens, one possibility can always be to
| send encrypted traffic to WhatsApp servers while opening a
| second unencrypted channel to govt servers if a govt asks
| for it.
| mike_d wrote:
| I have a proxy up at https://signal.tube/#s.bpj.net
|
| If you can help share more proxies to people who need them,
| please send me an email (in my HN profile).
| franga2000 wrote:
| I'm surprised Tor isn't blocked, since it's pretty easy to
| block it, but if it's not, you can always tunnel your entire
| phone through Tor, which would include Signal. Do keep in mind,
| that depending on your threat model, you might want to separate
| your apps across multiple devices or at least accounts (I mean
| like Android user accounts), so only some go through Tor (see
| the Silk Road case for why), but that also equally applies to
| VPNs.
|
| I don't remember what it's called, but I think the app is
| official by the Tor devs and basically makes a local VPN that
| your phone connects to and then forwards all traffic through
| Tor. It was on F-Droid last time I checked.
| mmc4444 wrote:
| > so only some go through Tor (see the Silk Road case for
| why), but that also equally applies to VPNs.
|
| Can you explain this?
| franga2000 wrote:
| I looked into the Silk Road story again and it looks like I
| was misremembering how they caught DPR, but splitting your
| "personally identifiable" and other browsing is still a
| good idea.
|
| Let's say you use the Tor browser to browse some regular
| (non-Tor) site that is illegal in your country for whatever
| reason. But let's say you then remember you still haven't
| paid your taxes so you open a new tab and quickly go do
| that. But you're still in the Tor browser, so your
| e-banking traffic is going out the same exit node as your
| "illegal" traffic. Now, anyone that saw both of those
| things come out of the same node can conclude that it's
| somewhat likely both were done by the same person. If that
| someone is the government, they can get access logs from
| your bank and see which account was accessed by the exit
| node's IP. The more times you do this, the stronger the
| link between you personally and the illegal site is.
|
| Of course, doing your taxes through the same Tor session is
| something most people would know to not do, but if your
| entire device is tunneled through Tor, you no longer have a
| say in what data it leaks. Your banking app probably sends
| requests periodically in the background to check for
| updates or whatever, your email client syncs your emails,
| etc. If any one of those services can be coerced by your
| government (and chances are they can) then whatever illegal
| things you do in that session can be loosely linked to you.
| I say loosely, because there are many people on one exit
| node, but the data points start adding up after a while
| (and depending on the insanity of your leaders, just being
| on the list of candidates might be enough to disappear
| you).
|
| As for how they would get that metadata in the first place,
| there are a few ways. The exit node might be under their
| jurisdiction, but since we're talking about bypassing
| censorship, it certainly isn't. They could also have
| compromised the "illegal" server
| (hacked/coerced/honeypot...), in which case it's just a
| matter of cross-referencing the site's logs with anything
| they can get their hands on (and if the government is
| authoritarian enough, they probably already have access to
| a lot). The last option is compromising the exit node,
| which is also not impossible. There's nothing stopping your
| government from setting up a thousand Tor exit nodes and
| logging all the metadata. If you're constantly running Tor,
| chances are you land on one of their exit nodes eventually.
|
| DISCLAIMER: the above was probably a bit too paranoid, but
| as I have zero experience hiding from an authoritarian
| government, I'm not in a position to judge how much
| paranoia is justified. It's entirely possible that none of
| this applies because your specific adversary doesn't employ
| these specific de-anonymization tactics, but that is
| something you need to know for your specific situation. I
| assumed an "everything is fucked" threat model here, but
| yours might not be as severe and other types of mitigations
| might be more appropriate.
| snthd wrote:
| >I have a suggestion for signal team: please put tor in the
| signal, tor is better than any proxys or vpns.
|
| You can get a tor proxy for Android at
|
| https://guardianproject.info/apps/org.torproject.android/
| eloeffler wrote:
| Honest question: Is using Tor not a risk by itself in Iran? I
| wonder if this doesn't pop up under surveillance mechanisms as
| conspirative behavior and may trigger focussed surveillance,
| which is hard to get out of.
|
| But maybe so many people in Iran use Tor that it's not very
| outstanding to use it? I remember there were stats on that
| published on the Tor Project Website...
|
| Edit: To answer myself after 5 minutes of thinking: Of course
| there are bridges, too. I guess they don't appear as suspicous
| as regular entry nodes?
| leveleer323 wrote:
| This is why the mindset that no body will leave whatsapp or
| social media is very detrimental and erroneous. Even if a few
| 1000 tech savy users use distributed communication that looks
| like regular traffic all the time, then when an event like this
| where governement shuts down all main stream social media
| happens, people will be forced to learn about distributed
| communication and mass transformation will happen.
| leptoniscool wrote:
| Is there a similar project to help Trump reconnect to twitter? /s
| xtracto wrote:
| You say it as a joke but I get sad at seeing all these efforts
| to circumvent a government policy while another government is
| allowed to obliterate a same type of service (parcel).
|
| As I have said before. I'm not in the US and I don't care about
| its politics. But I'm scared and hiw easily they can define
| Good and Bad and then manipulate the internet
| throwaway122378 wrote:
| Iranian protestors, help
|
| American protestors, censor ban deplatform
| TimWolla wrote:
| I created an HAProxy configuration that should be equivalent to
| the nginx configuration within the Signal-TLS-Proxy repository:
|
| https://gist.github.com/TimWolla/457c45dfccde26fc674dde4b3c7...
|
| I could not test it with the Signal client yet, because the Beta
| is not yet available for me. However I verified that the nested
| TLS works using openssl and netcat.
| remram wrote:
| Their proxy seems to just be nginx, I'm surprised they didn't
| just share nginx or apache configurations. Most people with a
| box suitable for running this are probably already running a
| web server, so there's no reason they should be proxying from
| their existing web server to this dockerized server which just
| proxies to Signal.
|
| Looking into their repo, they also appear to be building an
| nginx image from docker.io/ubuntu:20.04 instead of using
| docker.io/nginx. They are also running two separate nginx
| processes. I wonder how they ended up with this weird intricate
| setup.
|
| I would be glad to help if they offered straightforward
| instructions.
| jlund wrote:
| The Nginx configs use modules that are not compiled by
| default, so most preexisting Nginx binaries in mainstream
| distros won't work.
| 2cb wrote:
| This is correct, just set one of these up and it uses extra
| Nginx plugins.
|
| Also the way they've done it makes it incredibly easy for
| anyone who isn't a tech expert with a web server to still
| help out with a $5 domain and a $5 VPS. You literally run
| three commands and it's done.
|
| They want as many people as possible running these so
| blocking them all is as difficult as possible. It's the
| smartest approach to have a low barrier to entry for
| something like this.
| dingoegret wrote:
| Help undermine security measures taken against seditionists in
| another country. You don't have to worry about any of the
| consequences of civil strife because you don't live there. You
| just get to pretend to be the good guy. Meanwhile a bunch of
| goofballs protest in D.C and American politicians and tech
| industry freak out that it's sedition and needs to be mercilessly
| stamped out. Seditionists wearing hollween costumes. They haven't
| even begun assassinating scientists and planting bombs in civil
| buildings yet.
| pencilcode wrote:
| Cloudflare's warp might help here
| s1artibartfast wrote:
| In light of all the government Internet shut downs in the past
| years, I'm very curious to see the impact of star link and other
| Connection methods that might bypass geographic restrictions.
| Will SpaceX and other service providers shut down access when
| local governments request it? If not,Will the governments ask on
| a perceived threat to stability
| mechnesium wrote:
| I'm betting hard against a big corporation like SpaceX to do
| the right thing. By nature, a corporation's sole purpose is to
| follow the money and make as much of it as possible.
|
| Take a look at Activision/Blizzard bending the knee to China to
| avoid losing its Chinese user base.
| stunt wrote:
| So their government is blocking Facebook, Twitter, Youtube,
| Telegram, Signal, BBC, CNN, Netflix, and probably many other
| social and media platforms.
|
| Meanwhile we are blocking Iranians to access Docker, Slack,
| Gitlab, Google Code, Github(Github until recently), Paypal, Apple
| Store, Play Store, AWS, Coursera, Adobe, Nvidia, AVG, Avast,
| Symantec, McAfee, Matlab!!, Oracle and many more.
|
| It should be really fun to use Internet in Iran.
| amir734jj wrote:
| It is not fun. Trust me. I am an Iranian and I used to sell VPN
| back in Iran when I was in high school. I had hundreds of users
| and I was threatened with prosecution and I left the country.
| Literally everything is blocked except government or university
| websites. On the positive side, you can Torrent as much as you
| want or download any music or hack websites and it is
| completely fine :)
| Sunspark wrote:
| I never see Iranian IPs on torrents. Is that because they are
| all on VPNs?
| amir734jj wrote:
| I am not sure. I never had any problem downloading Torrent
| back then without VPN. I have been living in the U.S. for
| 12+ years. Things may have changed.
| Siira wrote:
| Netflix even blocks VPS IPs, to enforce their regional locks or
| something.
| notsureaboutpg wrote:
| I use all the websites and products US seems to block (except
| the antiviruses), but none of the ones the Iranian govt seems
| to block (except YouTube for fun).
|
| The ones blocked by Iran aren't important in my opinion whereas
| the ones the US blocks all seem very important.
| 319e82aff522 wrote:
| Spot on! This is the 21st century's version of being born into
| a poor African American family.
|
| Jokes aside it's truely painful. I was lucky to have a job that
| got me out easily. Though it felt embarrassing when I was
| seeing everyone uses Docker and AWS extensively at my new job
| while I had never used them properly not because I wasn't smart
| enough but just because of where I born :(
| mholt wrote:
| I'm a big fan of the idea of independently-run proxy servers.
|
| Caddy has a secure forward proxy plugin born out of a research
| project at Google that does something similar, but works with any
| clients that let you configure HTTP proxies, and doesn't
| terminate TLS: instead it tunnels it over TLS. The proxy server
| itself can also be probe-resistant, i.e. difficult to detect that
| a website is acting as a proxy.
|
| I'm hoping more people can help test the patch to support Caddy
| v2: https://github.com/caddyserver/forwardproxy/pull/74
|
| (Edit: Disclaimer - Don't use this in situations where your
| personal safety or freedom could be at risk... not yet. Not until
| more people with more experience can vet its implementation for
| bugs, and a very clear threat profile can drawn up. If you have
| experience with this, we'd love your help.)
| graaCHa wrote:
| White people are so naive that they believe the research
| sponsored by a giant advertisement company is net positive for
| the people of the world. Meanwhile Q lives in their closet
| 2Gkashmiri wrote:
| how does something like this work against DPI? i guess not
| great?
|
| >Don't use this in situations where your personal safety or
| freedom could be at risk
|
| https://theintercept.com/2020/12/06/kashmir-social-media-pol...
| https://thewire.in/media/kashmir-journalist-auqib-javeed-pol...
|
| reason why i have a general disregard for technologies that are
| based on some sort of "link" AFK, phone number or the stupid
| facebook real name policy. this is as of today being used to
| crack down on dissent. what you are saying is true but
| https://thenextweb.com/in/2020/01/08/kashmirs-police-want-pe...
| when you have your govt do this, how can you keep your signal
| account private? your phone is already listed. isnt it? cant
| the police see if you are on signal and if online means you are
| bypassing them somehow regardless of what you might be saying?
| rfoo wrote:
| > how does something like this work against DPI? i guess not
| great?
|
| No, it's pretty good. Think about it: all DPIs can see is an
| ordinary https connection. Since the traffic itself is
| encrypted, to discriminate this from normal web browsing the
| DPI device can only depend on metadata. Classic moves are:
|
| 1. Packet length pattern for TLS-in-TLS. 2. TLS
| fingerprinting.
|
| The first could be defeated by adding padding to the first
| few packets of each of your connections. [1]
|
| The second.. someone built a socks5 <-> https CONNECT proxy
| client [2] out of Chrome's codebase, which means it shares
| all the fingerprint with Chrome and you really can't tell.
|
| [1] https://github.com/klzgrad/forwardproxy/commit/2350f380f8
| db2... [2] https://github.com/klzgrad/naiveproxy
| theptip wrote:
| Does this use TCP over TCP (painful in the face of packet
| loss[1]) or can you do something like using QUIC for the
| forward proxy to try to avoid breaking the tunneled TLS
| connection's retry timers?
|
| [1]: http://sites.inka.de/sites/bigred/devel/tcp-tcp.html
| mholt wrote:
| Http3 support is being talked about in an issue (am mobile so
| no link for you right now) but the first priority -- pending
| dev resources -- is to merge the v2 PR and vet for bugs.
| lxgr wrote:
| It looks like a normal HTTP proxy supporting CONNECT (i.e.
| TLS over TLS), which wouldn't suffer from the problem you
| mention.
|
| Note that TLS over TLS is _not_ the same thing as TCP over
| TCP. TCP over TCP is usually only a problem for VPNs or
| something similar (i.e. anything that sends raw IP packets
| over TCP).
| theptip wrote:
| Ah, that's the piece I was missing. Thanks.
| realducksoft wrote:
| Signal just closed their issue function there. See here:
| https://github.com/net4people/bbs/issues/60
| turminal wrote:
| Or they could just let people host their own server instances.
| Would be considerably more censorship resistant from the start.
| JohnBerea wrote:
| Or just use Element/Matrix which already lets you do that.
| hospadar wrote:
| I feel like this answer to "how to make government censorship
| of private communications over the internet impossible" is
| more complex though than just "use element/matrix"
|
| It seems like both signal and matrix choose "Human-
| meaningful" over "distributed" on Zooko's Triangle:
| https://en.wikipedia.org/wiki/Zooko%27s_triangle
|
| Matrix is federated which I'd argue is pretty different than
| "distributed". Certainly the fact that federation is built-in
| makes matrix more resistant to lazy censors who are slow to
| block popular homeservers, but a concerted check-any-IP-and-
| if-it-seems-like-it-might-be-a-homeserver-then-block-it
| action by a censor would be harder to deal with.
|
| Wouldn't a truly distributed/secure/really-super-hard-to-
| block protocol rely on non-meaningful addresses (i.e. public-
| key-derived like a tor hidden service) and some kind of
| interesting mesh setup (i.e. like tor) to route and deliver
| messages?
| eeZah7Ux wrote:
| > Wouldn't a truly distributed/secure/really-super-hard-to-
| block protocol rely on non-meaningful addresses (i.e.
| public-key-derived like a tor hidden service) and some kind
| of interesting mesh setup (i.e. like tor) to route and
| deliver messages?
|
| Yes. You just described Briar.
| notme77 wrote:
| Found the PM
| awestroke wrote:
| You're welcome to either use such a decentralised service or
| fork signal and add decentralisation / federation. Centralised
| services get more users by having a lower threshold of
| adoption.
| pmlnr wrote:
| > You're welcome to either use such a decentralised service
| or fork signal and add decentralisation / federation.
|
| It's called XMPP. It predates Signal by ~15 years.
| TedDoesntTalk wrote:
| And the clients for XMPP still suck, 15 years later. You
| might find a good one on one OS after trying out several
| (install, test for a few days, repeat), but then when you
| want a client on your phone or another OS, you have to try
| the install/test cycle all over again.
|
| In my experience, most of the clients just don't do WEll
| everything a modern IM client needs.... group chat without
| needing to know a FQDN address, alerting on new
| messages/mentions, image and attachment support, encryption
| without wonky key management, multisession support
| (connecting simultaneously from multiple devices not
| leading to problems), on and on...
|
| I used XMPP for years on iOS, android, Mac, windows, and
| linux. Hated it every day.
| pmlnr wrote:
| Conversations and it's forks are all very good clients,
| and their voice/video chat works perfectly once the XMPP
| server configures the turn server. Gajim got a lot better
| recently. I even managed to get Pidgin to a decent,
| albeit not perfect level.
| awestroke wrote:
| And yet it hasn't become big yet.
| pmlnr wrote:
| It did, then the google reader effect kicked in. Google
| talk, whatsapp, facebook were all xmpp at one point,
| deliberately crippled, then nearly killed. See RSS.
| turminal wrote:
| What's the purpose of signal? Is it taking over the world or
| providing a service to people that care about their privacy
| and free (as in freedom) communication?
| sa1 wrote:
| There are lots of purposes but dismantling mass
| surveillance is a major one. This requires 'taking over the
| world'.
| fourthark wrote:
| ... Creating a central point of failure / censorship?
| TedDoesntTalk wrote:
| Yeah so this latest attempt seems to want to "fix" that.
|
| "Hey, let's distribute connections (proxy servers) to our
| central point of failure so that we can get around the
| central point of failure. Genius!" /s
| im3w1l wrote:
| They want to have a monopoly on points of failure. We can
| censor but no one else.
| eeZah7Ux wrote:
| Creating yet another walled garden.
| danShumway wrote:
| Well... except in Iran, hence the strategy of decentralizing
| proxy servers.
| ekianjo wrote:
| Too bad, the Signal devs love centralization. One day people
| will realize Signal is just not the right solution for what
| they actually need.
| Spivak wrote:
| The problem with this is that Signal is a huge success _right
| now_ where other federated chat platforms have fallen. Sure,
| something like Matrix might win the war eventually but by
| being centralized Signal shipped and is providing a useful
| service to millions of people today.
| turminal wrote:
| There are lots of problems in matrix that hinder its
| adoption, federation is likely not the biggest of them.
| tleb_ wrote:
| As if it was that simple; no it's not as simple as
| decentralization > centralisation. You might not agree with
| everything (I don't) but this video provides some good points
| https://www.youtube.com/watch?v=Nj3YFprqAr8
|
| I trust Signal to try their hardest to solve communication,
| spitting on them is not the solution.
| baybal2 wrote:
| It's simple, very simple.
|
| XMPP is by far more fluid, and "productive" when it comes
| adding new protocol features, or at least if you compare it
| with Signal.
|
| Marlinspike is making up the problem.
|
| A messaging client is as agile as its developers are, and
| in case of Signal, not that much.
|
| Evolving a protocol, and developing new features is done by
| doing programming, and not by some philosophical
| discourses, and pooing over the competition on tech events.
| pseudalopex wrote:
| I didn't watch the video but his article with the same
| title is almost entirely bad points.[1]
|
| Email is end to end encrypted for people who make it a
| priority. It would be end to end encrypted for everyone if
| Google or Microsoft made it a priority.
|
| The difference between XMPP and Signal is funding. Signal
| supports video on all platforms because Open Whisper
| Systems hired people to work on it. XMPP didn't because the
| popular clients are developed by volunteers.
|
| People don't like using lots of messaging apps. So
| switching apps is much harder than changing your email
| address because you have to convince other people to
| switch.
|
| Even Signal is moving away from using phone numbers.
|
| [1] https://signal.org/blog/the-ecosystem-is-moving/
| jampekka wrote:
| Signal's been "moving away from using phone numbers" for
| almost as long as it's been developed. They've burned
| tens of millions of dollars and have nothing to show for
| it on that front.
|
| Also they insist of making piece of shit bloatware
| clients and actively kill every attempt for someone to
| fix it. Because Moxie is always right apparently.
|
| I really hope the situation is just due to incompetence
| and hubris.
___________________________________________________________________
(page generated 2021-02-05 23:02 UTC)