[HN Gopher] Help users in Iran reconnect to Signal ___________________________________________________________________ Help users in Iran reconnect to Signal Author : arkadiyt Score : 663 points Date : 2021-02-04 16:42 UTC (6 hours ago) (HTM) web link (signal.org) (TXT) w3m dump (signal.org) | Ericson2314 wrote: | Doesn't this chip away at the benefits of Signal not being | federated? Say the proxies need to be updated? | grandchild wrote: | Not really. There's not much Signal-protocol-specific | technology involved on the proxy, other than dropping traffic | that doesn't go towards the Signal server itself. | Ericson2314 wrote: | Fair enough. | londons_explore wrote: | This is going to be a game of cat and mouse... | | And if you're the mouse, you really don't want to be hobbled by | not having an auto-update mechanism in your proxy servers... | | At the very least they could have made it load the config from | https://signal.org on startup, or made an apt package that | sysadmins can easily update with everything else. | eatbitseveryday wrote: | I do not know anyone in Iran but have spare cash to host a VPS or | two. How can I help anyone without broadcasting my proxy for the | censors to eventually get ahold of? | | edit: https://twitter.com/alsdkjflasdkjf1 | | edit2: You can drop me a mail here, too: | jegzc4na8j7@temp.mailbox.org | mr_woozy wrote: | Happy to spin up a proxy, but now what? | | how do I offer it to others for use if I don't use twitter? | realducksoft wrote: | This proxy failed to be probing resistant. The PoC code is | released by studentmain: https://github.com/signalapp/Signal-TLS- | Proxy/issues/3#issue... | 2Gkashmiri wrote: | this is fine and dandy but when you have a state actor operating | with such offensive tactics like india is currently engaged in | kashmir, there isnt much these "proxies" can do. sorry. 
the idea | of these proxies is all fun and nice but when a government can | just whitelist the entire fucking internet and none of these | nonsense works | | https://www.theguardian.com/world/2020/jan/15/internet-parti... | | https://thewire.in/rights/kashmir-internet-white-list-net-ne... | | https://thewire.in/rights/modis-thought-control-firewall-in-... | | >The reason the government wants to keep blocking full access to | the internet in the Valley is its fear of civil disobedience. | | and the ban is still in place although it is on high speed mobile | internet today. | | https://thekashmirwalla.com/2020/12/high-speed-internet-ban-... | | not to forget there were reports of CISCO being brought in to | build this fucking firewall | f430 wrote: | its weird that all the criticisms of the technique in this | article is being downvoted without any rebuttal | | people underestimate the security intelligence service of | countries in this region. They have far more capacity than | people in the West estimate. | | It's irresponsible of HN to put people in potential harms way, | Iran is at a breaking point, they have nothing to lose and will | stop at nothing to stop exfiltration and access to internet. | 2Gkashmiri wrote: | yes. back after 5 august, i think i got my first crack at | internet in february 2020 with 2G internet and a whitelist of | "allowed websites". i found out in my own tests that ssh | tunneling over random ports used to work. i had managed to | set up a server on amazon aws, and i did a dirty ssh tunnel | to that to get access to blocked websites. even that failed | after some tries and changing networks. | | >It's irresponsible of HN to put people in potential harms | way, Iran is at a breaking point, they have nothing to lose | and will stop at nothing to stop exfiltration and access to | internet. | | yes. shocked pikachu face gets a random HN reader nothing but | people can die as a result of this. 
heck i have records of | people who are locked up since last year because of "social | media misuse" aka dissent | f430 wrote: | I think people on HN are mostly North Americans, they are | generally very ignorant of the workings outside their own | suburbs/city (we live in the best part of the world they | say!) | | So there is this bias towards other 3rd world countries. To | many they are still a backwards, technologically illiterate | countries yet somehow North Korea routinely dominates other | wealthier nations in cyber security. | | India's intelligence agency has always been competing with | Pakistani, very much like the Iranian security forces & | Israeli intelligence, these guys have been fighting battles | the rest of the world will never hear about, so its foolish | to underestimate their capabilities like we do on HN. | Thorentis wrote: | Well, well. Just a week ago [0] I was lamenting the fact that | Signal was _too_ centralised. This comment was made in the | context of P2P not being the best solution (due to other privacy | issues), but that something in between was needed. When will | Signal realise that the centralised approach to hosting is not | going to last forever? The code is open source. The server code | is supposedly open source, but on closer inspection it is missing | some features and is very out of date. The actual server code is | clearly still kept close to their chests. | | There needs to be a way for the same Signal application to, in an | emergency, connect to a different server. Perhaps even some form | of federation so that once somebody switches server, they can | still reach people on a different server if need be. I would | absolutely love to see some work done on making a Matrix/Signal | hybrid. | | [0] https://news.ycombinator.com/item?id=25976914 | est31 wrote: | In the long run, starlink will make it even harder for autocrat | regimes to censor the internet. 
Russian authorities already try | to ban connections to Starlink. | AndrewBissell wrote: | Yes I'm sure Starlink would never do something like censor | traffic at some regime's behest. Elon Musk is famously | independent and not at all beholden to funding from the U.S. | and China. | sschueller wrote: | /sarcasm | mr_woozy wrote: | This is the only benefit that comes to mind when weighing | against obscuring the night sky. Heck even freeing Australians | from Telestra's Iron grip would be an accomplishment. | quenix wrote: | Unfortunately, it's easy for governments to criminalise owning | Starlink terminal equipment. Also, Starlink may be legally | forced to deny service to users in certain geographical | regions. | roywiggins wrote: | Iran's been having a tough time shutting down illicit | satellite receivers. | | > One woman in the Iranian capital, whose satellite dish was | demolished by the police several months ago, told "Persian | Letters" that the first thing she did the day after her | apartment complex was raided was order a new dish and | receiver. | | > "That's the only fun we have here. There's nothing worth | watching on [state television]," she said. "They can come and | take my dish away. I will get a new one." | | https://www.rferl.org/a/persian_letters_satellite_dishes_ira. | .. | est31 wrote: | Unless the government can seize Starlink's assets, or shut | down/harm their operations, they can't really tell Starlink | to do anything. E.g. if they can shoot down satellites, | they'd have influence. | | This is especially true for economies that are as | disconnected from the US as the Iranian one is. | | The only thing a state has control over is payments from | users. But if smuggling in transceiver equipment with pre | paid traffic isn't that hard. | rohit89 wrote: | Starlink will need a license to broadcast in the country. | And the dishes also need to transmit which will give away | your position. 
| est31 wrote: | Dishes don't _have_ to transmit, only if you want an | upload channel. It 's entirely thinkable that important | content like websites or feeds by important influencers | is pushed to all users. | not2b wrote: | If everyone announces their proxies the Iranian government will | be monitoring those announcements and will be able to block | traffic to them. It may be better for those with friends and | family in Iran to run proxies and quietly inform only people they | trust. | monadic3 wrote: | Not to mention you can get into significant legal trouble | helping people sanctioned by the US. | aendruk wrote: | > You can share your proxy with friends and family using this URL | format: https://signal.tube/#<your_domain_name> [...] The latest | beta release of the Android app is registered to handle links | from signal.tube. | | This scheme is convenient for those with correctly configured | devices, but comes at the cost to everyone else of increased risk | of inadvertent leaks of the fact that they're attempting to | circumvent the block. I'd be interested to hear more about what | factored into the decision to make this trade-off. | remram wrote: | Good point! I wonder why they didn't reverse the scheme, e.g. | https://mydomain.example.org/#is-a-signal-proxy | mhils wrote: | AFAIK you can register URL handlers for a specific domain | (signal.tube), but not for a specific hash. And you don't | want Signal to appear as an alternative browser on every | link. | | Edit: On a second thought, I wonder if a custom scheme would | have worked, e.g. signal-proxy://example.com? | remram wrote: | You can set the host to "*" on Android, but maybe not on | iOS? | | For example, my Mastodon app pops up to open all links that | look like a Mastodon profile | (https://example.org/@somename). | | https://github.com/tateisu/SubwayTooter/blob/4cf16c6ee890a7 | d... 
| LinuxBender wrote: | How would you let users know about this proxy without letting | their government know about it? Instead of platforms like | twitter, how about randomly giving out random proxies in some | header that the app could query on cloudflare or google or | akamai? Does Signal already make use of any CDN's for out-of-band | signalling and fail-over? If the Signal proxy could expose an | obfuscated load metric, then the CDN could pick another proxy via | health checks. The proxy could advertise itself via CDN's as | well. | mholt wrote: | That's the trick isn't it: having an entire population know | something an oppressive government doesn't. | | Even if you teach everyone how to deploy their own servers, | then that's the knowledge the government will start targeting. | You can make blocks expensive, i.e. blocking other major, | useful services that would disrupt society too much for them to | want to deal with, but this of course has its own costs. | | It's censorship and surveillance all the way down. | roywiggins wrote: | As far as I know, Iran is much too open an society to | actually prevent its citizens from knowing anything in | particular. | | That's not to say it's a free society or that censorship | doesn't exist there, just that it's not the sort of regime | that is particularly good at it. | | If I had to guess, Iranian expats would be a likely set of | people to start up proxy servers for their family and friends | back home. | not2b wrote: | Yes, which is why Signal is doing a disservice by telling | people to announce their proxies on Twitter. The expats | should just tell their friends and family, and tell them to | pass the word on only to people they trust. | ALittleLight wrote: | But this doesn't stop them from doing that. If you have | an expat friend or family member with a proxy, use | theirs, if not, check the latest tweet with the hashtag | and use that. 
| [deleted] | polishdude20 wrote: | At some point, the easier option is for there to be a | revolution or some sort of governmental change. | upofadown wrote: | True but not everyone is keen to experience the civil war | that often accompanies such a change. | TedDoesntTalk wrote: | Easy to say when it is not your life or your families' | lives at risk. | sixstringtheory wrote: | Communication is key to both of those things. | LinuxBender wrote: | That is precisely why I am suggesting using a CDN. Old school | CDN that is. Back in the day, if you had Akamai, your site | would just use one (or many) of their generic names. Nowadays | you can use your own domain to front their network, but you | don't have to. If Signal was using a few CDN's and cycled | through many generic end-point names, then Iran would have to | block all the CDN's which would be nearly the same as | shutting off the internet. This would not have to be the | default mode of Signal. It could be an option that the client | suggests. "Hey, it appears we are blocked. Use alternate | proxies?" Then cycle through many different CDN's using many | generic end-point names. Some of the CDN's can also do layer | 4 vips and not have to decrypt anything. They can just act as | a TCP tunnel if need be, just costs more. | RL_Quine wrote: | Generally speaking censorship by a government needs to be | pretty poorly done at best. Taking out the bulk of the usage of | Signal is easy, removing it completely is hard. Much better to | apply minimum cost and effort where it counts most. | ip26 wrote: | Yup, I would run one but I don't know any Iranians... | bijoo wrote: | > How would you let users know about this proxy without letting | their government know about it? | | From the blog post, "A more discrete approach would be to only | send the link via a DM or a non-public message." 
| | > how about randomly giving out random proxies in some header | that the app could query on cloudflare or google or akamai | | That would "..increases the chance that Iranian censors will | simply add those IPs to their block list" | | It looks like the solution provided in the blog post is limited | to helping folks run their own proxy for people they know. | cmroanirgo wrote: | I think Signal is clearly recognising that nearly sny server or | system they create will be blocked, which is why they | recommended this being done on an individual layer. | | From the article: | | > A more discrete approach would be to only send the link via a | DM or a non-public message. You can post something like this on | your favorite social network: | | > * #IRanASignalProxy Reply to this thread if you want the | connection details, and follow me so I can DM you the link.* | [deleted] | not2b wrote: | No good; people working for the Iranian state will DM. Signal | didn't think this through. No one should announce proxies via | social media. Tell people how to set one up for friends and | family. | DangerousPie wrote: | There are plenty of people that don't have friends of | family in Iran but would still like to help. | ufmace wrote: | > No good; people working for the Iranian state will DM. | | They'll probably try, but it's not very scalable. It's | tough to build and maintain a Twitter account with a | history that looks like a real regular person, much less | create a bunch of them fast with history that dates back | before the day you started. If most of them make a modest | effort to verify users, most of them should remain | unblocked. It's all pretty decentralized, so it's not that | big as deal if a few of them do get discovered and blocked. 
| boomboomsubban wrote: | People working for the Iranian state generally would be | discernible from their Twitter account, and by controlling | the information you hand out you can also flag the hidden | accounts that aren't easily recognized. | | You also overestimate how committed Iran is to stopping | this. Doing this in public risks the state finding out, but | outside of times of crisis the state is usually pretty slow | to respond. Keeping it private tanks participation rates. | not2b wrote: | There are about 700,000 people of Iranian descent in the | Los Angeles area alone (the largest such community in the | US). Most of them are in the US to escape the regime, and | most of friends and family in Iran who they keep in touch | with. The people in Iran also have their own networks. | | So a down-low friends and family approach could reach a | lot of people. | boomboomsubban wrote: | If you just filter the amount of those 700,000 down to | how many are aware Signal exists, I bet we'd already be | at a low enough number to see the problem with your plan. | ariosto wrote: | This is inspiring. I am going spin one up and also look into | contributing to your source code. | S53Vflnr4n wrote: | Hey Signal, your next contender will be Narendra Modi's Hindu | nationalist Indian govt. But Modi is one step ahead, blocked the | whole internet in Delhi. | Jkvngt wrote: | What if political dissidents don't want to give their phone | numbers to the former head of Twitter security on the eve of | President Biden's re-engagement with the Islamic theocracy of | Iran? | SandunFernando wrote: | The login code you entered doesn't match the one sent to your | phone. Please check the number and try again. | | It looks like you haven't logged in from this browser before. | Please enter the login code from your phone below. 
| | NOT COMING MY PHONE CODE | elif wrote: | I would keep in mind that the US has weird antiterror laws about | assisting enemies and also laws which construe bypassing system | designs as hacking. | | For instance, Virgil Griffith is being held and charged for | giving a high level description of bitcoin transactions at an | academic conference in North Korea. | | This is incredibly more specific and more technical of an act. | | https://www.coindesk.com/usa-v-virgil-griffith-what-we-know-... | x86ARMsRace wrote: | This law is trivially easy to get on the wrong side of. | Something like this would be definitely in scope of the anti- | terror law you're talking about. American HN users beware. | eatbitseveryday wrote: | Can someone who is a lawyer comment on this, please? | | edit: further.. how is Signal shielded (if at all) from | providing services to anyone in Iran? Wouldn't they be a target | in such a case? The blog post is an explicit call for | assistance specifically to do so. | AnthonyMouse wrote: | I wonder how many First Amendment lawyers would be champing at | the bit to take a case where a prosecutor was dumb enough to | charge someone with a crime for assisting dissidents to | communicate. | pmlnr wrote: | So... federate but not really? | | I'd heavily advise instead to run as many xmpp servers* as | possible, and let people/friends use them. | | *not matrix, unless one configures it to forget the data and only | act as a message broker, like XMPP. For this specific use, it's | better. | djl0 wrote: | If Iran is blocking Signal but not other apps, namely Whatsapp, | does this mean Iran has access to Whatsapp data? | | I fully expect the US govt to have access to fb/whatsapp data (at | least the metadata), but it's a bit surprising to me that Iran | would too. | danenania wrote: | I think FB's policy is to comply with local laws regardless of | ethical concerns? 
| xirbeosbwo1234 wrote: | I think FB's policy is to _____(verb)_____ regardless of | ethical concerns. | | They certainly aren't complying with U.S. antitrust laws. | They comply if it makes them money and don't comply if it | doesn't make them money. | benlivengood wrote: | There are a few requests reported: | | https://transparency.facebook.com/government-data- | requests/c... | mzs wrote: | which you can't read without a FB account! In any case 6 | users/accounts in fist half of 2020 | beermonster wrote: | Well... | | https://www.nytimes.com/2020/09/18/world/middleeast/iran-hac... | ParanoidShroom wrote: | I doubt it. By the same reasoning they would also have access | to iMessage and other apps that aren't banned. Not sure what | WhatsApp or fb has to do with this. | 2cb wrote: | Considering Apple put all data of Chinese users on Chinese | servers to keep the CCP happy I have no doubt they're | perfectly happy and willing to comply with government | requests elsewhere too. | twhb wrote: | Iran blocks _every_ major foreign messaging app, except | WhatsApp. Signal escaped it until now only because they had so | few users. Also keep in mind that while WhatsApp claims to use | the Signal protocol, they installed a backdoor that allows them | to MITM conversations. So yes, I'd say it's virtually | guaranteed that WhatsApp is sending unencrypted message data to | Iran, and of course to the US too. | oarsinsync wrote: | > [WhatsApp] installed a backdoor that allows them to MITM | conversations | | Citation? | [deleted] | kolmogorov wrote: | https://signal.org/blog/there-is-no-whatsapp-backdoor/ | egberts wrote: | "There's no backdoor." | | -- Perhaps the door is cracked (or ajar) and a microphone | is listening in ... still? 
| twhb wrote: | HN discussion of that post: | https://news.ycombinator.com/item?id=13394900 | | I guess I'm coming down hard on one side of a controversial | question, but in my mind, if it allows the server to | intercept messages without users knowing about it under the | default configuration, it's a backdoor. | cgb223 wrote: | Could the Iranian government also run a Signal proxy? | | Can they then read said proxy traffic since it's on their | machine? | NotEvil wrote: | No, Nobody even signal can't, that's the whole point of e2e | drummer wrote: | They could certainly do this, but they would only see which | local IP is trying to communicate with Signal (and thus trace | the user). The traffic itself is end to end encrypted so they | cant read it. | blintz wrote: | What is the state of the art on censorship resistance right now? | This cat-and-mouse proxy fight never seems to go great for the | good guys. | | My last in-depth reading on it was the excellent 2016 SoK paper | "Towards grounding censorship circumvention in empiricism" | (http://www.cs.umd.edu/class/fall2018/cmsc818O/papers/sok-cen...) | | The high level takeaway then seemed to be that researchers were | not focusing efforts on measures that can actually help more | people resist censors. Have we made progress since then? | meibo wrote: | Telegram got around Russian censors by constantly pushing new | IPs for their servers with Google Cloud. Of course this is a | cat and mouse game as well, but it worked out well for them, | since Russia didn't want to block all of Google/AWS. | | https://news.ycombinator.com/item?id=26028415 | ignoramous wrote: | I keep an eye on the work censorship.ai does as they are | usually at the cutting edge of it: | https://geneva.cs.umd.edu/papers/ | | Tor, Jigsaw's Outline, and V2RayNG are worth keeping tabs on as | they're FOSS projects and do much of their development in the | open. 
| | Lantern's development whilst it was still open source was | fascinating to see as well. Since 2016 (I believe) they stopped | doing so out of security concerns: | https://twitter.com/adamfisk/status/1316569766832869377 | robert_foss wrote: | There are relatively good solutions like dns fronting on Amazon | or Google, but they frown upon being used that way. | [deleted] | notsureaboutpg wrote: | Hmm, I have a family member going to seminary in Iran and he has | been in contact with me over Signal (he moved our family chat to | it over WhatsApp because of recent events). | | Did this happen like literally today? Because otherwise I haven't | heard of such a thing... | whalesalad wrote: | Where is the 'deploy to heroku' button when you need it | nrvn wrote: | Signal could learn a lot from Telegram in this regard. | | Russian govt had tried to block Telegram but telegram servers | just keep jumping over various cidrs and users got the ip | addresses for connecting over push updates and the only thing the | govt succeeded in was blocking a wide range of subnets including | AWS ranges and GCP ranges thus disrupting a whole lot of | businesses and even some government services. | | They gave up and lifted the ban eventually. | | https://www.schneier.com/blog/archives/2018/06/russian_censo... | derefr wrote: | Feels like there could be a good business in providing this | CIDR-hopping push-updating proxy as a service other apps could | embed. Like what CloudFlare does for DDoS protection, but as a | forward-proxy + client middleware, instead of a reverse-proxy. | mywittyname wrote: | Depends on your definition of "good." | | Dealing with hostility from government bodies is probably no | fun. | agnosticmantis wrote: | I believe telegram itself is blocked in Iran, though. | smnrchrds wrote: | It is indeed. Iran does not shy away from blocking large | swaths of the internet in order to make sure the parts they | want blocked will remain blocked. 
For example, before 2009, | there were specific blogs on wordpress.com which were blocked | and making sure the content the government wanted | inaccessible would remain inaccessible had turned into a | whack-a-mole game. In 2009, they simply blocked the entirety | of Wordpress, Facebook, YouTube, etc. and made their jobs | much easier. | | Iran would not hesitate to block all AWS IP addresses as a | solution (I don't know if that is how they block Telegram | now). GCP resources would not load in Iran anyway because | Google has a very strict (much more strict than AWS and | Azure) interpretation of the sanctions, so they don't have to | worry about them. | eternalban wrote: | > It is indeed. Iran does not shy away from blocking large | swaths of the internet | | > ran would not hesitate to block all AWS IP addresses as a | solution | | DNS will not resolve _any_ .ir (.coms that are iranian) | domains here in US, afaikt. | whimsicalism wrote: | Not at all true. Try http://www.president.ir/en | sigmar wrote: | That article notes that Signal has been domain fronting since | 2016. I think google has cracked down on it more recently | though, and hence Signal has had to circumvent censors in a new | way | windthrown wrote: | Correct, both Google and Amazon told Signal not to use them | for domain fronting: https://signal.org/blog/looking-back-on- | the-front/ | rzz3 wrote: | What about Cloudflare? | capableweb wrote: | Answer from Cloudflare team seems to be "No" - | https://community.cloudflare.com/t/could-cloudflare- | support-... | aftbit wrote: | Gross! I wonder what motivated these decisions inside | Amazon & Google. This likely affects the Tor project domain | fronting as well. | | We really should not have let the majority of internet | traffic be served by a small handful of giant companies | without some legal protections as to what they're allowed | to do. | jaywalk wrote: | Believe me, I'm all about reigning in big tech. 
| | But I would be 100% against any law that required them to | allow domain fronting. It's fine if they want to, but | _requiring_ them to basically open up /leave open a hole | in their systems is not right. | hutzlibu wrote: | What I recall from the discussion back then is, that | domain fronting basically means, that Signal would | disguise itself as google or amazon traffic. So I would | say, it is understandable, that they decided this is not | good for their buisness. | | So it was not an act by google and amazon to activly harm | Signal, but rather canceling ongoing support of Signal, | that could put their buisness to harm, which is something | different. | praseodym wrote: | Probably malware using domain fronting techniques for C2 | traffic played a role in that decision. E.g. | https://threatpost.com/apt29-used-domain-fronting-tor-to- | exe... | Craighead wrote: | Yes yes, but, when will Verizon and Comcast be broken up? | 2cb wrote: | And this new way, while less convenient, is arguably superior | due to its decentralisation. They're not just going after one | service they're now going after people all around the world | running these proxies. | | Just set one up myself took 15 minutes and that includes | setting up a fresh VPS. | | Just thinking what the best way to share it is. | birdyrooster wrote: | lol i accidentally rented a decent VPS for 30 days in | switzerland and now I have a use case for it whoo | stonesweep wrote: | I've been mulling this over today, as your ability to _get_ | the name /IP of the proxy has to be censorship resistant as | well. | | The best idea I've had so far is using a CNAME response to | a very common DNS query which would pass a basic filter, | like I'd ask for "mail.mydomain.com" and it would respond | with a CNAME pointing to the actual proxy. 
I have dead | domains which I have configured with null records for MX | and stuff (so spammers can't abuse them), I could hide the | name of my proxies in the MX records a CNAMEs and nobody | would be the wiser... | | The trick is getting the word out on how to do it - like | "hey everyone, just ask random domains for "mx.domain.com" | and use the 30 level MX" or something which would pass as | legit traffic. Maybe... | 2cb wrote: | Using innocent sounding CNAMEs on abandoned domains is | definitely a smart idea. | | I've definitely got some old domains kicking about, I'll | see how far off they are from expiration and do something | similar if they have at least a few months left in them. | | The proxies themselves can also be hosted at normal | sounding domains and subdomains like cdn.technology.memes | or whatever. | | And when you point other domains to them as CNAMEs use | equally regular looking subdomains no algorithm would | pick up as a proxy like webmail.abandoned.tld. | stonesweep wrote: | Thought following yours, I like the CDN idea - if you add | in some dynamic DNS updates with random CNAME results it | could also help - ask for cdn.example.com, get | node182.example.com and 5 minutes later get a different | CNAME result injected from some cron job... | [deleted] | emptybits wrote: | Thank you. It's heartwarming to read about successes like this. | | Immediate recalling John Gilmore (GNU/EFF/etc.) in 1993: | | "The Net interprets censorship as damage and routes around it." | freakynit wrote: | How disgusting these governments have become it pisses me off. | rthomas6 wrote: | This is one of the best arguments for | federation/decentralization, is it not? It's not impossible to | block a protocol, but it's harder than blocking an IP. | derbOac wrote: | Yeah I was thinking this is awfully close to some kind of | federated system. 
It's not the same but it's pretty close to | Signal asking for people to decentralize their service a bit to | overcome censorship, which is one of the main arguments for | decentralized systems. | im3w1l wrote: | We see again and again that Americans hate freedom of speech. So | what is this but a power play? They want people to use controlled | platforms where only American-approved activism is allowed. | Actions that destabilize an enemy regime. | | Iranians who use Signal are American proxy forces. By definition | it is treason. | owl_troupe wrote: | Iranians who use Signal are Iranians. Your statement is | premised on the Iranian government having absolute authority to | surveil the communications of Iranian citizens. By that logic, | any from of end-to-end encrypted communication is treason. You | might as well say that Iranian citizens have no general right | to privacy and any expectation of such is also treason. | im3w1l wrote: | Signal is American controlled. Encryption in general is not. | MightyOwl13 wrote: | Hey, did anyone actually try to run this? I'm getting a bunch of | errors when trying to run the sudo docker-compose up --detach. | How would I know if it's running or not? Sorry, quite new to this | apart from hosting a couple of personal pages on a vps. | l1am0 wrote: | I found that simple apt-get docker does not work for me on | debian. Tried the official docker documenation and that helped: | https://docs.docker.com/engine/install/debian/ | 2Gkashmiri wrote: | hey. i just thought of something. is it not possible for india or | iran in this case to check your phone number and see if it is | active on signal? if you are online means you are somehow | bypassing their blocks. 
isnt then just a matter of tracking your | cellphone and relevant xkcd applies ?https://xkcd.com/538/ | | this is looking like a zero sum game unless signal account is | delinked from phone numbers because the govt can play cat and | mouse game indefinitely | monadic3 wrote: | > is it not possible for india or iran in this case to check | your phone number and see if it is active on signal? | | WTF, why does signal require PII to use? Shouldn't it give you | a public/private key pair on signup? | f430 wrote: | all they need to do is be in the approximate region of the cell | signal through triangulation to figure out the phone numbers / | unique identifiers attached to the phone. | | then its a matter of time before they link real identity to the | phone. With the wide availability of femtocells, all they need | to do is get lucky once. | | This puts operators of Signal proxies at potential harms way! | Absolutely irresponsible for people on HN to downvote and | downplay genuine security concerns. | MrMorden wrote: | How is a proxy operator in harm's way? They aren't in Iran, | and the Iranian government understands the consequences of | trying to do anything about it. Users are in no more danger | than they've always been, and substantially less than if they | didn't have communications ability. | 2Gkashmiri wrote: | oh. you are not joining all the dots here. an offensive govt | already has KYC on cellphones. they can pull your details in | a second. My reasoning. they have a list of say 100 users. | every govt has lists. they check that list against signal | users as "social graph" and voila, they know you are online | or not. second, kyc documents show who you are so you are | good as toast | realducksoft wrote: | Damn, I've read the code. This won't work against an active | probe. Censors just use signal domains and non-signal domains to | test your proxy. If signal domains get passed and non-signal | domains got denied, you are fucked. 
Besides, TLS in TLS is highly | identifiable by simple packet length dpi. I'd hope there's better | plan. | Diggsey wrote: | > Censors just use signal domains and non-signal domains to | test your proxy. | | If the censor already knows about your proxy they would have no | reason to test it... The whole point is that there _isn't_ a | central list of proxies for them to easily block. | [deleted] | I_Byte wrote: | This is the very same problem that Tor faced when Tor bridge | use started to pick up in China around the late 2000s / early | 2010s. You only needed a single Chinese user to connect to | your server for it to be probed by the Chinese censors. Older | versions of the obfs Tor bridge protocol could be detected by | active probes and thus blocked very much like these Signal | proxies. This is a cat and mouse game that Signal could very | easily lose should Iran start to care about probing all new | active connections that leave Iran. | pmlnr wrote: | > there isn't | | YET. I wonder if someone will find a simple way to map these | with shodan. | chmod775 wrote: | Why can't they just ship signal with a Tor client? This is | precisely what Tor was built for. | | They can donate some money to charities running Tor nodes while | they're at it, or run some themselves. | | Iran tried to censor Tor too, but it's pretty much impossible to | do so fully. At least the Tor devs are usually on top of it, | while Signal is inexperienced dealing with things like this. | vbezhenar wrote: | What makes you think that it's hard to block Tor? Even | Kazakhstan blocked Tor many years ago. They're using DPI: | connection opens, client can write data, but can't read | anything which is frustrating from user PoV. | viro wrote: | Tor is blocked in Iran. | [deleted] | gruez wrote: | if they can block tor what makes you think they can't | block these proxies?
furthermore if you use tor you can use | the existing network of bridges/relays as well as their | pluggable transports protocol to avoid DPI/traffic analysis. | viro wrote: | They can block these proxies. That's why in the | #IRanASignalProxy section they say to share in more | discreet ways if you can. | woofcat wrote: | Which to me is bad. They should run a service like Tor | does to get private bridges. I don't know anyone in Iran | but I have a server I could use for this. However I know | zero people in Iran. | lacker wrote: | Iran is already blocking Tor. In general, if Signal | provides some central way to use Tor together with Signal, | the Iranian government can just run it on their machine, | and block every IP address that it tries to connect to. | | Iran can block these proxies, too, but this way there isn't | any centralized listing of proxies. This proxy setup is | simple enough that a single person could run a proxy for a | few dozen of their friends, and the Iranian government | might just never find out about it. | gruez wrote: | there are public and private bridges. | f430 wrote: | exactly, this article is exceptionally egregious at | estimating state actor's tools augmented by HUMINT | capabilities to hunt down anybody trying to subvert their | iron curtain. | | I fear that some naive Western expat will participate and | find themselves in a hostage. Many countries in this | don't have any treaties with Western nations, they don't | have high regard for human rights either. | milofeynman wrote: | Tor has a very similar proxy setup that can be used to get | around blocks like this. | | https://2019.www.torproject.org/docs/bridges.html.en#Pluggab... | sporksmith wrote: | Yup. I just tested ~~the fdroid~~ signal (the non-google- | play apk from signal's web site) with orbot (a tor VPN | for android) and verified it works correctly for text | messaging. As you say, using a bridge _should_ make it | difficult for iran to block.
I wouldn't be surprised | though if voice/video was too high latency or doesn't | work at all. https://mobile.twitter.com/sporksmith/status/135738175783478... | ignoramous wrote: | Signal is taking a leaf out of Telegram's book here in | crowd-sourcing censorship circumvention which has worked so | well for Telegram in Russia, especially. | | One could use censorship evading VPNs like Tor, Lantern, | Shadowsocks, Psiphon in addition to using these proxies. | They all have different evasion mechanisms. | | The thing that works for user-run proxies is, it is like a | hydra, you censor one proxy another crops up. | kelnos wrote: | I'm worried that Iran is less concerned about collateral | damage. Russia gave up because successfully banning | Telegram would also ban significant parts of the internet | that Russian businesses (etc.) depend on, so that was | unworkable. I expect that Iran won't care quite as much. | | Regardless, I hope this does actually end up working, and | allows Iranians to use Signal without a prolonged | cat-and-mouse game. | benlivengood wrote: | https://github.com/signalapp/Signal-TLS-Proxy/issues/3 is the | major issue with the current proxy and hopefully it's fixed | quickly before a bunch of folks set up a proxy and forget about | it. | [deleted] | [deleted] | MayeulC wrote: | Hmm, looks like these are just a few nginx rules, they might as | well publish those. | | Internet is a bad fit for this. I wish everyone was using | yggdrasil, I2P, tor or something similar. | | I mean: I could provide as many yggdrasil addresses as I wanted | to. It would be possible to set up a few VPNs to connect separate | networks (though potentially traceable). | superkuh wrote: | What happens when Iran's government itself runs a bunch of these | proxies?
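Added example (not code from the Signal-TLS-Proxy repository or from any commenter), picking up realducksoft's and I_Byte's point above about active probing. A TLS-passthrough proxy that decides where to forward from the ClientHello's SNI and resets anything not on its allowlist answers an allowed name and an unknown name differently, which is exactly the distinguisher described in the thread. The block parses the server name out of a ClientHello and shows the two routing policies side by side: "reset unknown names" is the distinguishable one, "send unknown names to a genuine cover site on the same host" removes that particular tell. Assumptions: that the proxy routes on SNI at all (my assumption, not a statement about the repository's nginx config), and the names `allowed.example`, the cover backend and the hand-built ClientHello, which are all constructed for the example. This only addresses the domain-based probe; it does nothing about the TLS-in-TLS packet-length signature realducksoft also raises.

```python
import struct
from typing import Optional


def parse_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello record, or None if absent or malformed.

    Layout walked here: TLS record header (type, version, length) -> Handshake header
    (type 0x01, 3-byte length) -> client_version, random, session_id, cipher_suites,
    compression_methods, extensions. Extension type 0 is server_name (RFC 6066).
    """
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                   # 0x01 = ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None
    pos = 2 + 32                                       # skip client_version and random
    try:
        sid_len = body[pos]; pos += 1 + sid_len        # session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
        cm_len = body[pos]; pos += 1 + cm_len          # compression_methods
        if pos + 2 > len(body):
            return None                                # no extensions block
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype != 0:
                continue
            list_len = struct.unpack("!H", edata[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                ntype = edata[p]
                nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]; p += 3
                name = edata[p:p + nlen]; p += nlen
                if ntype == 0:                         # host_name
                    return name.decode("ascii")
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal, well-formed ClientHello (constructed test input, not a real capture)."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
        exts = struct.pack("!HH", 0, len(sni_data)) + sni_data
    body = (b"\x03\x03" + b"\x11" * 32                 # version + fixed "random" (constructed)
            + b"\x00"                                  # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"       # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                              # null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Placeholder allowlist; a real proxy would list the upstream service's hostnames.
ALLOWED_UPSTREAMS = {"allowed.example"}


def route(record: bytes, allowed: set, harden: bool) -> str:
    """Decide what a new connection gets from its first record.

    Returns "upstream" (forward to the allowed backend), "reset" (drop the connection)
    or "cover" (hand it to an ordinary website served from the same host).
    harden=False reproduces the distinguishable behaviour: allowed names pass, anything
    else is refused, so a prober learns the proxy's purpose from two connections.
    harden=True gives unknown names the same kind of answer a plain web server would,
    so allowed and unknown names no longer differ at the "did it connect" level.
    """
    sni = parse_sni(record)
    if sni in allowed:
        return "upstream"
    return "cover" if harden else "reset"


if __name__ == "__main__":
    for policy in (False, True):
        for name in ("allowed.example", "other.example"):
            print(policy, name, route(build_client_hello(name), ALLOWED_UPSTREAMS, harden=policy))
```

The cover backend only helps if it is a real site that behaves consistently for any name (valid certificate, plausible content, no extra latency), otherwise the difference just moves one layer up.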
| IncludeSecurity wrote: | Even worse, what happens when they MITM all of the installs | because the docker container has really bad security such as: | | RUN wget http://nginx.org/download/nginx-1.18.0.tar.gz | | https://github.com/signalapp/Signal-TLS-Proxy/blob/master/ng... | | Installing via HTTP, with no verification of installer seems | like a reallyyyyy bad idea. | RL_Quine wrote: | That's awful. | gspr wrote: | I noticed the same thing, and filed an issue [1]. The first | reply does not fill me with a lot of confidence (but it's | unclear to me whether the person is affiliated with the | project or not). | | [1] https://github.com/signalapp/Signal-TLS-Proxy/issues/6 | aftbit wrote: | They have completely disabled issues on that repository. | Wow I used to really like Signal... | kelnos wrote: | And it seems they've fixed the issue, without any kind of | public comment.... still not great: | https://github.com/signalapp/Signal-TLS-Proxy/commit/39a97da... | kdunglas wrote: | I (partially) fixed this issue, and I'm not affiliated in | any way with Signal. It's public | (https://github.com/signalapp/Signal-TLS-Proxy/pull/2), | and it looks like they welcome contributions, because | they merged mine. | sneak wrote: | You'd be building and running these outside of Iran for them | to work, which would limit the Iranian government's ability | to perform the attack you describe. | harg wrote: | If all the traffic going via the proxies is e2e encrypted is | there much that can happen? | TedDoesntTalk wrote: | But the fact that you are in Iran and using Signal may get | you added to a watchlist. They can trace the IP addresses | connecting to the proxy server back to a household or phone, | no? | tannhauser23 wrote: | This is the kind of privacy initiative we need. While we argue | in America about deplatforming, Iran, China, and other | authoritarian countries around the world are actually suppressing | and punishing free communication.
Kudos to Signal for this | initiative. | notsureaboutpg wrote: | America suppresses and punishes free communication, you just | aren't aware of it because they control what you see when you | live there. | hikerclimber wrote: | i hope this doesn't work. | isoprophlex wrote: | Almost everyone in these comments is asking questions of various | degrees of pedantry or outright dissing signal/moxie/no | federation/whatever... | | Just spin up a server if you can spare the expense and help some | people out. | | Action > inaction. | | edit: you can get the connection details via @appliedlambdas on | twitter! | isoprophlex wrote: | Considering that there's plenty of people also sharing these on | Twitter I've decided to openly share mine as a canary..: | | https://signal.tube/#instafax.nl | koheripbal wrote: | Talk is cheap. | 2cb wrote: | You can literally spin this up on a $5 a month VPS as well, not | like you need to break the bank. And with so many TLDs there's | plenty of dirt cheap domains too. I just spun one up in 15 mins | and if it gets blocked I'll happily spin up more. | mzs wrote: | Whoa whoa whoa... there can be legal consequences for spinning | up a proxy in countries sanctioning Iran. This is a case where | action can in fact be way worse for someone than inaction. I | still can't find any discussion about that and it's worth | investigating. | thefifthsetpin wrote: | I imagine that you're right, but it feels like a really weird | case to choose to prosecute. | stonesweep wrote: | During the EFF "run a tor node" challenge a few years back, | I learned that many cloud providers (a) hold you | responsible for any traffic transgressing your proxy, and | (b) generally were OK with running a relay node but not an | exit node. Responses varied provider by provider, some have | written rules some do not.
| | Point being there are already discussions about the relay | topic with cloud providers and it's not a weird edge case | to me (and the law in your jurisdiction may have a strong | opinion on this), I imagine there are legal things about | where you live vs. where the server lives which also | matter. | [deleted] | dijit wrote: | How flippant. | | "Almost everyone in these comments is asking questions of | various degrees of pedantry or outright dissing | hospitals/insurance/medical bankruptcy/whatever... | | Just donate to a charity if you can spare the expense and help | some people out. | | Action > inaction." | | Healthcare and communication aren't comparable. But my point is | that you can criticise institutions for their (contested) | faults. | | If you place yourself on the mantle of non-federation, then | availability and censorship resistance are your cross to bear, | frankly. | | The notion that I should help them work around their | architectural failure when it's been widely criticised (and | criticism openly dismissed) multiple times is a little wild. | ampdepolymerase wrote: | It is not. Healthcare and communications are very much | comparable if your life and livelihood are on the line. If | the downside risk for both is a dead person then they are | very much morally equivalent. | isoprophlex wrote: | Your neighbor asks you to drive them to the hospital. Do you | lecture them on the failures of privatized healthcare? No, | you defer your opinion to the relevant place and time. | | This right now is about people having their access to | uncensored communication cut off, and moxie asking people to | help out. If you think their architecture is doomed, you're | free to codify your opinion somewhere in a pull request or | comment under an article about signal's protocol philosophy.
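Added example (not code from the Signal-TLS-Proxy repository, its Dockerfile, or the fix commit linked earlier), going back to IncludeSecurity's point about the `RUN wget http://...` line: a build input fetched over plaintext HTTP with no digest check can be swapped by anyone on the path, and the resulting proxy is then the attacker's. The hardened shape is HTTPS only, fail closed, and a pinned SHA-256 compared before the bytes are used. The digest constant below is a placeholder (not the real nginx tarball digest), and the sample bytes are constructed; the same check in a Dockerfile is an `https://` URL followed by `sha256sum -c` against the pinned digest.

```python
import hashlib
import hmac
import urllib.request
from urllib.parse import urlparse

# PLACEHOLDER: pin the digest the upstream project publishes (or one computed from a
# signature-verified copy). This is not the real digest of nginx-1.18.0.tar.gz.
PINNED_SHA256 = "0" * 64


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """True only if data hashes to expected_hex; constant-time compare, case-insensitive hex."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def is_acceptable_url(url: str) -> bool:
    """Only https:// sources are acceptable for a build input; http:// and file:// are refused."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def fetch_verified(url: str, expected_hex: str, timeout: float = 30.0) -> bytes:
    """Download url and return the body only if the scheme is HTTPS and the digest matches.

    urllib verifies the server certificate against the system trust store by default,
    so a plaintext downgrade or a substituted tarball is rejected before anything is
    unpacked. Raises ValueError on a bad scheme or a digest mismatch.
    """
    if not is_acceptable_url(url):
        raise ValueError(f"refusing non-HTTPS download: {url}")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        data = resp.read()
    if not verify_sha256(data, expected_hex):
        raise ValueError(f"SHA-256 mismatch for {url}; refusing to use the download")
    return data


if __name__ == "__main__":
    # Offline demonstration on constructed bytes; a real build would call fetch_verified().
    sample = b"constructed tarball bytes"
    print(verify_sha256(sample, sha256_hex(sample)))          # True
    print(verify_sha256(sample + b"!", sha256_hex(sample)))   # False: tampered input
    print(is_acceptable_url("http://example.invalid/x.tar.gz"))  # False: plaintext
```

Pinning the digest is what makes the check meaningful: fetching the `.sha256` file from the same server over the same channel only proves the two downloads agree with each other.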
| dijit wrote: | The analogy falls a bit flat because this forum contains, | mostly, the arbiter of the root problem, namely that signal | is not censorship resistant by itself. And we should | criticise them for that because it was a warning delivered | in a timely manner and never heeded. | | Helping my neighbour in this case means allowing them to | use my social insurance. Namely by using xmpp/matrix. It is | low/no cost to them (unlike moving countries for socialised | medicine.) | 2cb wrote: | > signal is not censorship resistant by itself. And we | should criticise them for that because it was a warning | delivered in a timely manner and never heeded. | | I don't believe Signal ever claimed to be censorship | resistant to begin with. I just looked at their | description on the App Store and nothing there mentions | bypassing censorship. | | Signal in fact did use to be censorship resistant before | they were prevented from using domain fronting by third | parties outside of their control. | | Now the Iranian people need help and Signal has made it | extremely easy for anyone who visits sites like this to | kick in and provide that help. It's likely proxies are a | stopgap solution but that's okay. Iranians are having | their messages blocked now and Signal has managed to | release a working fix rapidly. | dijit wrote: | You write this as if I contested anything you said. Maybe | signal didn't _claim_ to be censorship resistant but it's | _essentially_ marketed as such by well meaning people. | It's "the secure messenger", what is it secure against if | not governments? Your ISP? | | Or does security of access not get covered by this | definition? | | If people had chosen a federated system instead, then | instead of _needing_ this very quick solution to be | hacked together, the system would have dynamically moved | around it. | | But, it's a future we'll never know now. Signal has the | mindshare (and certainly the favour!)
of the people, so | the ship has sailed and I'm tilting at windmills. | | I think it's ridiculous that we have to patchwork _their_ | broken system that _we_ warned them of, but that's the | reality and I am not one to put principles before people. | TheJoYo wrote: | Everyone complaining this is just a cat-and-mouse game, it's not | a game these people choose to play. They either play it or their | movement dies. | ncallaway wrote: | Of course it's a cat and mouse game. | | That doesn't mean it's unwinnable. That means you create a lot | of evasive mice and win. | | Perfect is the enemy of the good. This is the kind of thing | where winning is more important than a perfect strategy. | | Be water. | teekert wrote: | I'd be happy to run this, but I don't really feel like spreading | this (for everyone I know) useless info into my social network | (which would be via email for me?) | | I would gladly send a link to Signal for my proxy though so they | can forward it to people that need it? Hmm, I'm beginning to see | the problem now.. | wheybags wrote: | Agreed, I'd happily run a server but I would need some kind of | aggregator service to post my proxy on. Surprisingly enough I | don't have many contacts in Iran lol | teekert wrote: | But, I do understand that it is otherwise difficult to reach | Iranians and not hand their government a list of urls to | block. But I think my reach is useless. If your reach is not, | then maybe you'll also reach the Iranian government easily. | | Moreover, should I run this from my personal server? Could it | become a target for nefarious stuff? I feel the same as I do | when I think about running a TOR exit node. I want to be like | my hero Edward Snowden but... I'm afraid of the stuff that | gets associated with my IP address.
| | Also, a https://www.linuxserver.io/ Docker image would be | cool ;) | notsureaboutpg wrote: | I have contacts in Iran but none of them are having trouble | accessing Signal (I'm talking to them with it right now!) | realducksoft wrote: | Here is an interesting discussion: | https://github.com/signalapp/Signal-TLS-Proxy/issues/3 | dunefox wrote: | Wouldn't Briar be a good choice? https://briarproject.org/ | aendruk wrote: | Not yet. https://code.briarproject.org/briar/briar/-/issues/445 | upofadown wrote: | Apple devices are fairly rare in Iran. | pmlnr wrote: | There was an article in 2014: "Imagining a Rebel Firefox" ( | https://medium.com/@efrensandoval/imagining-a-rebel-firefox-... ) | which played with the idea if every firefox node would become | tor(ish) gateway. | | Is there no way to build this in the Signal clients themselves? | E.g. one is on a wifi, try to upnp, ask the user if they'd wish to | help. | circularfoyers wrote: | Similar to the Tor Project's Snowflake[1] Firefox addon? | | [1] https://addons.mozilla.org/en-US/firefox/addon/torproject-sn... | sergiosgc wrote: | Signal should be federated. This censorship problem would not | exist, or would be organically routed around, were the service | federated. | | Without federation, Signal is just another stepping stone in the | long path of eventually abandoned instant messengers, all the way | back from ICQ. We will get to an SMTP-like protocol, and email- | like service, at some point. If not Signal, some other one. | vineyardmike wrote: | > organically routed around | | Do any SMTP servers still allow organic routing?
I was under | the impression that all modern servers have extremely | cumbersome auth/dkim and it's hard to not be GMail and still | send a real msg and have it arrive | ignoramous wrote: | Signal was federated at one point: | https://lwn.net/Articles/687294/ | | Moxie, one of the original authors of the Signal protocol, said | federation severely restricted flexibility and so they had to | move on: https://news.ycombinator.com/item?id=11668912 | WookieRushing wrote: | I'm not so sure. Moxie's reasons about how federation leads to | protocol development slowing and then freezing are solid. | | It's why we're not using smtp for chat. SMTP can't be extended | enough so replacements are built instead. Similarly if signal | federated, eventually it would freeze and a few years later | users would move to wherever they could get new features. | | Federation is a good thing but only when the protocol is | finished or if there is a forcing mechanism to allow updates to | the protocol. ethereum/Bitcoin are good examples as they have | flag days that force the value of currency to be in the balance | to keep the protocol moving forward. | rthomas6 wrote: | I don't see what prevents updating as long as you don't care | about fragmentation. You probably can't compile all brand new | software on a very old Linux kernel, but who cares. I mean | yeah, you'll have to care more about fragmentation, but it's | not all or nothing. You'll still be able to update the | protocol, you just have to make breaking changes less often. | | I think XMPP is a better comparison than SMTP. In its heyday, | XMPP had several clients, some with different proprietary | extensions, and all the core functionality basically worked | across all the clients. Though it turns out some of the | messengers I thought were XMPP were actually different | protocols that XMPP could work with. Imagine that. People | still use it too, though it's not as popular as it was in the | 2000s.
| admax88q wrote: | Honestly deltachat works great and it's chat over smtp and | imap. | | I'm not sure "chat" needs this much constant "innovation" at | the protocol level. Most of the issues with email are client | UX more so than actual protocol limitations. | beermonster wrote: | Not really kept up with the latest with this, but chat over | IMAP is a thing | | https://archive.fosdem.org/2020/schedule/event/coi/ | doublestandard2 wrote: | It's an irony how American companies try to circumvent another | country's law (regardless of whether you call it censorship or | not, it is still a law) and boast about it. | | Yet, in the US these companies help the mainstream narrative to | enforce censorship by banning (Google and Apple App market) or | simply not offering other point of views basic hosting services | (AWS). | | I am an Iranian and don't agree with all of our government | actions but I can clearly see a tech neo-colonialism/neo- | imperialism here. I am sure Signal's intention and people wanting | to help is genuinely good but this does not change this double- | standard. | | I would like to see your supportive reaction if an Iranian | company offers hosting to Parler. I imagine you would call it | foreign intervention! | pre wrote: | Well. A Russian company, DDos-Guard, did host Parler in the end | didn't they? | | And sure enough, the FBI is investigating. | | Signal is a charity rather than a company, but dunno if that | makes any actual difference. | l1am0 wrote: | While you are on it. There is a similar easy to use | docker-compose file for setting up a tor bridge :) | https://community.torproject.org/relay/setup/bridge/docker/ | [deleted] | shervin01 wrote: | Hi, from Iran with love! | | First of all, thank you moxie and signal team for this proxy. | | Until 2018, many Iranians used telegram but Iran's regime after | Russia blocked this messenger. telegram released mtproxy and this | proxy was helpful.
Russia lifted the ban on telegram but this app | is still blocked in my country. but with VPNs, many iranians | still use this app. after 2018, second most popular messaging app | in iran was whatsapp, until facebook's new privacy policy, like | all of you, many iranians switched from whatsapp to signal. | mullah's regime removed signal app from the iranian app stores | and started blocking all signal traffic in the country, but they | don't block whatsapp. I'm not a paranoid but it is difficult to | understand for me why they didn't block whatsapp after 2018? can | they break whatsapp encryption? | | I have a suggestion for signal team: please put tor in the | signal, tor is better than any proxies or vpns. | baxtr wrote: | Thx Sherwin! Just out of curiosity: is iMessage working ok in | Iran? | spullara wrote: | I'm surprised that Tor isn't integrated already. Moxie was | pushing that at Twitter - a prototype was even built. | elif wrote: | Blocking tor exit nodes is considerably easier than an | arbitrary proxy server. Tor provides a list, in fact. | lights0123 wrote: | No, it's the opposite--if Signal _wants_ exit nodes, they | obviously won't block them. It's the entry nodes that need | to be blocked. Some are easy to find, but others require | you to send an email from a unique email address from a | trusted provider to get lists of IPs. | 7357 wrote: | Love back! | 2cb wrote: | I just set up one of these Signal proxies. Hope it helps you | and others in your country communicate freely and safely. [1] | | Regarding Tor: if you want a Signal-like app that uses an onion | router look at Session. [2] | | It uses the same encryption protocol and very similar UI to | Signal but routes all traffic through the Loki network so your | traffic passes through three nodes. It is an onion network like | Tor. | | One other benefit of Session is the lack of metadata inherent | to its design. No phone numbers or even usernames are attached | to your account.
You get a set of characters that looks similar | to a bitcoin address and a QR code to make sharing it easier. | | Of course this lacks the convenience of Signal but it's as hard | to block as Tor. | | [1] https://signal.tube/#signal.xanny.family | | [2] https://getsession.org | aftbit wrote: | Session has: | | 1. An associated crypto-currency (not outright bad but weird | smell IMO) [1] | | 2. Abandoned perfect forward secrecy and deniability [2] | | 3. Never completed an audit (though supposedly one is in | progress) [3] | | There are a million and one encrypted chat programs out | there. Why should I use this one? | | [1]: https://github.com/oxen-io/oxen-mobile-wallet | | [2]: https://getsession.org/session-protocol-technical-informatio... | | [3]: https://getsession.org/faq/ | 2cb wrote: | I mentioned it because it has a seamlessly built in onion | routing protocol. I read further down the thread that Tor | is blocked in Iran, but I'm guessing the same is unlikely | to be true of Loki/Oxen simply because it isn't nearly as | well known. | | The lack of metadata is also quite a unique selling point | in my eyes. There's a million encrypted messengers now | sure. How many automatically connect through an onion | router with zero config required and don't require you to | create an account at all, but instead assign you a random | ID disconnected entirely from your phone number, email, and | other personal identifiers? | | It's certainly an option to consider is the only thing I'm | saying. Tor was mentioned so Session popped into my head | for the reasons mentioned above. | | Regarding PFS. They currently implement the Signal | Protocol. Session is of course FOSS so anyone can check | this. Your source does say they're planning to fork it as | the Session Protocol later this year so it integrates with | their network more easily. But that's an upcoming, | unfinished project. To be honest I don't know much about it | as it's still in development.
I do know that currently | Session uses the Signal Protocol through an onion router | without the need to so much as create an account. | | And yes the network itself is a bit of a convoluted idea | that tries to do many things at once, but the fact they run | on a blockchain means they already have a lot of nodes set | up in different countries around the world through which to | route traffic, and the reason they could build a | decentralised network quite quickly despite being a | relatively young project is they incentivise those node | operators with cryptocurrency. | | Because it is a young project they are still undergoing | audit yes. This is absolutely something worth noting. It's | a relatively new project. It's no longer in beta, but | nowhere near as well established as Signal. However it's | precisely because of this it's unlikely governments are | bothering to target it yet. | toyg wrote: | _> can they break whatsapp encryption_ | | They don't have to, they just need Facebook to cooperate. | k3j45hkj34hkj wrote: | I think you mean the phone vendors, as they are the ones | holding the unencrypted chat history in the user's cloud | storage. Facebook themselves do not have access to the chat | logs (unless they are compelled to inject keys). | 2cb wrote: | They could literally have a hidden function in WhatsApp | that scoops up all your chat history and sends it to | Facebook if the government ask them to. It's closed source. | No one has a clue what it's doing. | | To be clear I'm not suggesting this is absolutely | happening. I'm merely pointing out it's entirely possible | from a technological perspective given it's closed source | software owned by Facebook. That's not a recipe for | privacy. | josephg wrote: | To be clear about the threat vector, there's also nothing | stopping signal from doing the same if they wanted to.
| It's impossible to tell if the version of signal you | download from the app store is unmodified from the code | you can find on github. I trust signal more than I trust | facebook, but if you use signal, even though it's | open source you _still_ have to trust them not to put | anything funky in the binary they upload to apple/google. | | I'd love for iOS and android to add some sort of OS-level | application hash or something. "This app was compiled | with xcode version X / llvm version Y with this set of | options. The resulting binary hashes to ZZZ". That way | with the source code you could verify that the binary on | your phone is unchanged. | | (Another approach would be to get apple / google to do | the compilation themselves from the project on github. If | apple builds my project, they could put some signed | metadata in the bundle saying "We (apple) compiled this | from git SHA XXX") | hutzlibu wrote: | Reverse engineering is a thing, though. I would think, | there is fame to be gained to show such a behavior from | whatsapp, so some hackers could feel motivated to do this | from time to time. | mike_d wrote: | I have a proxy up at https://signal.tube/#s.bpj.net | | If you can help share more proxies to people who need them, | please send me an email (in my HN profile). | leptoniscool wrote: | Is there a similar project to help Trump reconnect to twitter? /s | xtracto wrote: | You say it as a joke but I get sad at seeing all these efforts | to circumvent a government policy while another government is | allowed to obliterate a same type of service (parcel). | | As I have said before. I'm not in the US and I don't care about | its politics. But I'm scared and how easily they can define | Good and Bad and then manipulate the internet | TimWolla wrote: | I created an HAProxy configuration that should be equivalent to | the nginx configuration within the Signal-TLS-Proxy repository: | | https://gist.github.com/TimWolla/457c45dfccde26fc674dde4b3c7...
| | I could not test it with the Signal client yet, because the Beta | is not yet available for me. However I verified that the nested | TLS works using openssl and netcat. | remram wrote: | Their proxy seems to just be nginx, I'm surprised they didn't | just share nginx or apache configurations. Most people with a | box suitable for running this are probably already running a | web server, so there's no reason they should be proxying from | their existing web server to this dockerized server which just | proxies to Signal. | | Looking into their repo, they also appear to be building an | nginx image from docker.io/ubuntu:20.04 instead of using | docker.io/nginx. They are also running two separate nginx | processes. I wonder how they ended up with this weird intricate | setup. | | I would be glad to help if they offered straightforward | instructions. | jlund wrote: | The Nginx configs use modules that are not compiled by | default, so most preexisting Nginx binaries in mainstream | distros won't work. | 2cb wrote: | This is correct, just set one of these up and it uses extra | Nginx plugins. | | Also the way they've done it makes it incredibly easy for | anyone who isn't a tech expert with a web server to still | help out with a $5 domain and a $5 VPS. You literally run | three commands and it's done. | | They want as many people as possible running these so | blocking them all is as difficult as possible. It's the | smartest approach to have a low barrier to entry for | something like this. | dingoegret wrote: | Help undermine security measures taken against seditionists in | another country. You don't have to worry about any of the | consequences of civil strife because you don't live there. You | just get to pretend to be the good guy. Meanwhile a bunch of | goofballs protest in D.C. and American politicians and tech | industry freak out that it's sedition and needs to be mercilessly | stamped out. Seditionists wearing halloween costumes.
They haven't | even begun assassinating scientists and planting bombs in civil | buildings yet. | pencilcode wrote: | Cloudflare's warp might help here | s1artibartfast wrote: | In light of all the government Internet shut downs in the past | years, I'm very curious to see the impact of star link and other | connection methods that might bypass geographic restrictions. | Will SpaceX and other service providers shut down access when | local governments request it? If not, will the governments ask on | a perceived threat to stability | mechnesium wrote: | I'm betting hard against a big corporation like SpaceX to do | the right thing. By nature, a corporation's sole purpose is to | follow the money and make as much of it as possible. | | Take a look at Activision/Blizzard bending the knee to China to | avoid losing its Chinese user base. | stunt wrote: | So their government is blocking Facebook, Twitter, Youtube, | Telegram, Signal, BBC, CNN, Netflix, and probably many other | social and media platforms. | | Meanwhile we are blocking Iranians to access Docker, Slack, | Gitlab, Google Code, Github (Github until recently), Paypal, Apple | Store, Play Store, AWS, Coursera, Adobe, Nvidia, AVG, Avast, | Symantec, McAfee, Matlab!!, Oracle and many more. | | It should be really fun to use Internet in Iran. | mholt wrote: | I'm a big fan of the idea of independently-run proxy servers. | | Caddy has a secure forward proxy plugin born out of a research | project at Google that does something similar, but works with any | clients that let you configure HTTP proxies, and doesn't | terminate TLS: instead it tunnels it over TLS. The proxy server | itself can also be probe-resistant, i.e. difficult to detect that | a website is acting as a proxy. | | I'm hoping more people can help test the patch to support Caddy | v2: https://github.com/caddyserver/forwardproxy/pull/74 | | (Edit: Disclaimer - Don't use this in situations where your | personal safety or freedom could be at risk...
not yet. Not until | more people with more experience can vet its implementation for | bugs, and a very clear threat profile can be drawn up. If you have | experience with this, we'd love your help.) | 2Gkashmiri wrote: | How does something like this work against DPI? I guess not | great? | | >Don't use this in situations where your personal safety or | freedom could be at risk | | https://theintercept.com/2020/12/06/kashmir-social-media-pol... | https://thewire.in/media/kashmir-journalist-auqib-javeed-pol... | | Reason why I have a general disregard for technologies that are | based on some sort of "link" AFK, phone number or the stupid | Facebook real name policy. This is as of today being used to | crack down on dissent. What you are saying is true but | https://thenextweb.com/in/2020/01/08/kashmirs-police-want-pe... | when you have your govt do this, how can you keep your Signal | account private? Your phone is already listed, isn't it? Can't | the police see if you are on Signal, and if online, that means you are | bypassing them somehow regardless of what you might be saying? | theptip wrote: | Does this use TCP over TCP (painful in the face of packet | loss[1]) or can you do something like using QUIC for the | forward proxy to try to avoid breaking the tunneled TLS | connection's retry timers? | | [1]: http://sites.inka.de/sites/bigred/devel/tcp-tcp.html | mholt wrote: | HTTP/3 support is being talked about in an issue (am mobile so | no link for you right now) but the first priority -- pending | dev resources -- is to merge the v2 PR and vet for bugs. | lxgr wrote: | It looks like a normal HTTP proxy supporting CONNECT (i.e. | TLS over TLS), which wouldn't suffer from the problem you | mention. | | Note that TLS over TLS is _not_ the same thing as TCP over | TCP. TCP over TCP is usually only a problem for VPNs or | something similar (i.e. anything that sends raw IP packets | over TCP). | theptip wrote: | Ah, that's the piece I was missing. Thanks.
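Two of the technical threads above (jlund's note that the Signal nginx configs need modules most distro builds leave out, and the TLS-over-TLS versus TCP-over-TCP exchange between theptip and lxgr) both come down to what the relay does with the bytes it is handed: as I understand the design, the relay peeks at the inner TLS ClientHello's SNI without terminating that TLS session, forwards the byte stream only if the name is a Signal host, and drops anything else (the job nginx's stream module does with ssl_preread, which is one of the non-default modules). Because the relay splices two TCP connections rather than wrapping IP packets in TCP, there are no nested retransmission timers, which is lxgr's point. The following is an added, stand-alone Python example of that routing decision, written for this thread and not code from Signal's repository or from Caddy; the build_client_hello helper, the extract_sni parser and the allowlist hostnames are constructed assumptions for illustration.

```python
"""SNI-peek routing: decide where (or whether) to forward a TLS stream
without terminating it. Assumed example, not Signal's relay code."""
import struct
from typing import Optional

# Assumed allowlist for the example; a real relay would list its real upstreams.
ALLOWED_HOSTS = frozenset({"signal-service.example", "signal-storage.example"})


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record (constructed test input).
    server_name=None omits the SNI extension entirely."""
    random_bytes = b"\x11" * 32                  # fixed "random" for reproducibility
    session_id = b""
    ciphers = b"\x13\x01\x13\x02"                # two TLS 1.3 suite IDs, content irrelevant here
    compression = b"\x00"
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name    # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0, len(sni_list)) + sni_list  # ext type 0 = server_name
    body = (b"\x03\x03" + random_bytes
            + struct.pack("!B", len(session_id)) + session_id
            + struct.pack("!H", len(ciphers)) + ciphers
            + struct.pack("!B", len(compression)) + compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22


def extract_sni(data: bytes) -> Optional[str]:
    """Return the host_name from the ClientHello's SNI extension, or None if the
    bytes are not a complete ClientHello or carry no SNI. Never raises on junk."""
    try:
        if len(data) < 5 or data[0] != 0x16:          # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        rec = data[5:5 + rec_len]
        if len(rec) < rec_len or rec_len < 4 or rec[0] != 0x01:   # truncated or not ClientHello
            return None
        hs_len = int.from_bytes(rec[1:4], "big")
        hs = rec[4:4 + hs_len]
        if len(hs) < hs_len:
            return None
        pos = 2 + 32                                   # skip client_version + random
        pos += 1 + hs[pos]                             # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                             # compression_methods
        if pos + 2 > len(hs):                          # no extensions block at all
            return None
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(hs):
            return None
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            edata = hs[pos:pos + elen]
            pos += elen
            if etype == 0 and len(edata) >= 5:
                lpos = 2                               # skip server_name_list length
                while lpos + 3 <= len(edata):
                    ntype = edata[lpos]
                    nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                    lpos += 3
                    name = edata[lpos:lpos + nlen]
                    lpos += nlen
                    if ntype == 0:
                        return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def route(client_first_bytes: bytes, allowed=ALLOWED_HOSTS) -> Optional[str]:
    """Routing decision for the first bytes a client sends: the upstream host to
    splice the stream to, or None meaning drop (not TLS, no SNI, or not allowlisted).
    Dropping unknown names is what keeps the relay from being a general-purpose proxy."""
    sni = extract_sni(client_first_bytes)
    if sni is None or sni.lower() not in allowed:
        return None
    return sni.lower()


if __name__ == "__main__":
    for label, probe in [("signal host", build_client_hello("signal-service.example")),
                         ("other host", build_client_hello("evil.example")),
                         ("plain HTTP", b"GET / HTTP/1.1\r\nHost: x\r\n\r\n")]:
        print(f"{label:12} -> {route(probe)}")
```

Anything the parser cannot fully account for is treated as "drop", so a scanner sending plain HTTP, a half-record, or a ClientHello without SNI gets nothing back that distinguishes the relay from a closed port, which is the behaviour a relay operator wants by default.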
| turminal wrote: | Or they could just let people host their own server instances. | Would be considerably more censorship resistant from the start. | JohnBerea wrote: | Or just use Element/Matrix which already lets you do that. | hospadar wrote: | I feel like this answer to "how to make government censorship | of private communications over the internet impossible" is | more complex though than just "use element/matrix" | | It seems like both signal and matrix choose "Human-meaningful" over "distributed" on Zooko's Triangle: | https://en.wikipedia.org/wiki/Zooko%27s_triangle | | Matrix is federated which I'd argue is pretty different from | "distributed". Certainly the fact that federation is built-in | makes matrix more resistant to lazy censors who are slow to | block popular homeservers, but a concerted check-any-IP-and-if-it-seems-like-it-might-be-a-homeserver-then-block-it | action by a censor would be harder to deal with. | | Wouldn't a truly distributed/secure/really-super-hard-to-block protocol rely on non-meaningful addresses (i.e. public-key-derived like a tor hidden service) and some kind of | interesting mesh setup (i.e. like tor) to route and deliver | messages? | eeZah7Ux wrote: | > Wouldn't a truly distributed/secure/really-super-hard-to-block protocol rely on non-meaningful addresses (i.e. | public-key-derived like a tor hidden service) and some kind | of interesting mesh setup (i.e. like tor) to route and | deliver messages? | | Yes. You just described Briar. | notme77 wrote: | Found the PM | awestroke wrote: | You're welcome to either use such a decentralised service or | fork signal and add decentralisation / federation. Centralised | services get more users by having a lower threshold of | adoption. | pmlnr wrote: | > You're welcome to either use such a decentralised service | or fork signal and add decentralisation / federation. | | It's called XMPP. It predates Signal by ~15 years.
| TedDoesntTalk wrote: | And the clients for XMPP still suck, 15 years later. You | might find a good one on one OS after trying out several | (install, test for a few days, repeat), but then when you | want a client on your phone or another OS, you have to try | the install/test cycle all over again. | | In my experience, most of the clients just don't do well | everything a modern IM client needs.... group chat without | needing to know a FQDN address, alerting on new | messages/mentions, image and attachment support, encryption | without wonky key management, multisession support | (connecting simultaneously from multiple devices not | leading to problems), on and on... | | I used XMPP for years on iOS, Android, Mac, Windows, and | Linux. Hated it every day. | pmlnr wrote: | Conversations and its forks are all very good clients, | and their voice/video chat works perfectly once the XMPP | server configures the TURN server. Gajim got a lot better | recently. I even managed to get Pidgin to a decent, | albeit not perfect level. | awestroke wrote: | And yet it hasn't become big yet. | pmlnr wrote: | It did, then the Google Reader effect kicked in. Google | Talk, WhatsApp, Facebook were all XMPP at one point, | deliberately crippled, then nearly killed. See RSS. | turminal wrote: | What's the purpose of Signal? Is it taking over the world or | providing a service to people that care about their privacy | and free (as in freedom) communication? | sa1 wrote: | There are lots of purposes but dismantling mass | surveillance is a major one. This requires 'taking over the | world'. | fourthark wrote: | ... Creating a central point of failure / censorship? | TedDoesntTalk wrote: | Yeah so this latest attempt seems to want to "fix" that. | | "Hey, let's distribute connections (proxy servers) to our | central point of failure so that we can get around the | central point of failure. Genius!" /s | im3w1l wrote: | They want to have a monopoly on points of failure.
We can | censor but no one else. | eeZah7Ux wrote: | Creating yet another walled garden. | danShumway wrote: | Well... except in Iran, hence the strategy of decentralizing | proxy servers. | ekianjo wrote: | Too bad, the Signal devs love centralization. One day people | will realize Signal is just not the right solution for what | they actually need. | Spivak wrote: | The problem with this is that Signal is a huge success _right | now_ where other federated chat platforms have fallen. Sure, | something like Matrix might win the war eventually but by | being centralized Signal shipped and is providing a useful | service to millions of people today. | turminal wrote: | There are lots of problems in Matrix that hinder its | adoption; federation is likely not the biggest of them. | tleb_ wrote: | As if it was that simple; no, it's not as simple as | decentralization > centralisation. You might not agree with | everything (I don't) but this video provides some good points | https://www.youtube.com/watch?v=Nj3YFprqAr8 | | I trust Signal to try their hardest to solve communication, | spitting on them is not the solution. | baybal2 wrote: | It's simple, very simple. | | XMPP is by far more fluid, and "productive" when it comes to | adding new protocol features, or at least if you compare it | with Signal. | | Marlinspike is making up the problem. | | A messaging client is as agile as its developers are, and | in the case of Signal, not that much. | | Evolving a protocol, and developing new features is done by | doing programming, and not by some philosophical | discourses, and pooing over the competition on tech events. | pseudalopex wrote: | I didn't watch the video but his article with the same | title is almost entirely bad points.[1] | | Email is end to end encrypted for people who make it a | priority. It would be end to end encrypted for everyone if | Google or Microsoft made it a priority. | | The difference between XMPP and Signal is funding.
Signal | supports video on all platforms because Open Whisper | Systems hired people to work on it. XMPP didn't because the | popular clients are developed by volunteers. | | People don't like using lots of messaging apps. So | switching apps is much harder than changing your email | address because you have to convince other people to | switch. | | Even Signal is moving away from using phone numbers. | | [1] https://signal.org/blog/the-ecosystem-is-moving/ | jampekka wrote: | Signal's been "moving away from using phone numbers" for | almost as long as it's been developed. They've burned | tens of millions of dollars and have nothing to show for | it on that front. | | Also they insist on making piece of shit bloatware | clients and actively kill every attempt by someone to | fix it. Because Moxie is always right apparently. | | I really hope the situation is just due to incompetence | and hubris. ___________________________________________________________________ (page generated 2021-02-04 23:00 UTC)