[HN Gopher] Help users in Iran reconnect to Signal
___________________________________________________________________
Help users in Iran reconnect to Signal
Author : arkadiyt
Score : 663 points
Date : 2021-02-04 16:42 UTC (6 hours ago)
(HTM) web link (signal.org)
(TXT) w3m dump (signal.org)
| Ericson2314 wrote:
| Doesn't this chip away at the benefits of Signal not being
| federated? Say the proxies need to be updated?
| grandchild wrote:
| Not really. There's not much Signal-protocol-specific
| technology involved on the proxy, other than dropping traffic
| that doesn't go towards the Signal server itself.
| Ericson2314 wrote:
| Fair enough.
| londons_explore wrote:
| This is going to be a game of cat and mouse...
|
| And if you're the mouse, you really don't want to be hobbled by
| not having an auto-update mechanism in your proxy servers...
|
| At the very least they could have made it load the config from
| https://signal.org on startup, or made an apt package that
| sysadmins can easily update with everything else.
| eatbitseveryday wrote:
| I do not know anyone in Iran but have spare cash to host a VPS or
| two. How can I help anyone without broadcasting my proxy for the
| censors to eventually get ahold of?
|
| edit: https://twitter.com/alsdkjflasdkjf1
|
| edit2: You can drop me a mail here, too:
| jegzc4na8j7@temp.mailbox.org
| mr_woozy wrote:
| Happy to spin up a proxy, but now what?
|
| how do I offer it to others for use if I don't use twitter?
| realducksoft wrote:
| This proxy failed to be probe-resistant. The PoC code is
| released by studentmain: https://github.com/signalapp/Signal-TLS-
| Proxy/issues/3#issue...
| 2Gkashmiri wrote:
| this is fine and dandy but when you have a state actor operating
| with such offensive tactics like India is currently engaged in
| Kashmir, there isn't much these "proxies" can do. sorry. the idea
| of these proxies is all fun and nice but when a government can
| just whitelist the entire fucking internet, none of this
| nonsense works
|
| https://www.theguardian.com/world/2020/jan/15/internet-parti...
|
| https://thewire.in/rights/kashmir-internet-white-list-net-ne...
|
| https://thewire.in/rights/modis-thought-control-firewall-in-...
|
| >The reason the government wants to keep blocking full access to
| the internet in the Valley is its fear of civil disobedience.
|
| and the ban is still in place although it is on high speed mobile
| internet today.
|
| https://thekashmirwalla.com/2020/12/high-speed-internet-ban-...
|
| not to forget there were reports of CISCO being brought in to
| build this fucking firewall
| f430 wrote:
| it's weird that all the criticisms of the technique in this
| article are being downvoted without any rebuttal
|
| people underestimate the security intelligence service of
| countries in this region. They have far more capacity than
| people in the West estimate.
|
| It's irresponsible of HN to put people in potential harm's way,
| Iran is at a breaking point, they have nothing to lose and will
| stop at nothing to stop exfiltration and access to internet.
| 2Gkashmiri wrote:
| yes. back after 5 August, I think I got my first crack at
| internet in February 2020 with 2G internet and a whitelist of
| "allowed websites". I found out in my own tests that ssh
| tunneling over random ports used to work. I had managed to
| set up a server on Amazon AWS, and I did a dirty ssh tunnel
| to that to get access to blocked websites. even that failed
| after some tries and changing networks.
|
| >It's irresponsible of HN to put people in potential harm's
| way, Iran is at a breaking point, they have nothing to lose
| and will stop at nothing to stop exfiltration and access to
| internet.
|
| yes. shocked pikachu face gets a random HN reader nothing but
| people can die as a result of this. heck I have records of
| people who are locked up since last year because of "social
| media misuse" aka dissent
| f430 wrote:
| I think people on HN are mostly North Americans, they are
| generally very ignorant of the workings outside their own
| suburbs/city (we live in the best part of the world they
| say!)
|
| So there is this bias towards other 3rd world countries. To
| many they are still backwards, technologically illiterate
| countries, yet somehow North Korea routinely dominates other
| wealthier nations in cyber security.
|
| India's intelligence agency has always been competing with
| Pakistani, very much like the Iranian security forces &
| Israeli intelligence, these guys have been fighting battles
| the rest of the world will never hear about, so its foolish
| to underestimate their capabilities like we do on HN.
| Thorentis wrote:
| Well, well. Just a week ago [0] I was lamenting the fact that
| Signal was _too_ centralised. This comment was made in the
| context of P2P not being the best solution (due to other privacy
| issues), but that something in between was needed. When will
| Signal realise that the centralised approach to hosting is not
| going to last forever? The code is open source. The server code
| is supposedly open source, but on closer inspection it is missing
| some features and is very out of date. The actual server code is
| clearly still kept close to their chests.
|
| There needs to be a way for the same Signal application to, in an
| emergency, connect to a different server. Perhaps even some form
| of federation so that once somebody switches server, they can
| still reach people on a different server if need be. I would
| absolutely love to see some work done on making a Matrix/Signal
| hybrid.
|
| [0] https://news.ycombinator.com/item?id=25976914
| est31 wrote:
| In the long run, Starlink will make it even harder for autocratic
| regimes to censor the internet. Russian authorities already try
| to ban connections to Starlink.
| AndrewBissell wrote:
| Yes I'm sure Starlink would never do something like censor
| traffic at some regime's behest. Elon Musk is famously
| independent and not at all beholden to funding from the U.S.
| and China.
| sschueller wrote:
| /sarcasm
| mr_woozy wrote:
| This is the only benefit that comes to mind when weighing
| against obscuring the night sky. Heck even freeing Australians
| from Telstra's iron grip would be an accomplishment.
| quenix wrote:
| Unfortunately, it's easy for governments to criminalise owning
| Starlink terminal equipment. Also, Starlink may be legally
| forced to deny service to users in certain geographical
| regions.
| roywiggins wrote:
| Iran's been having a tough time shutting down illicit
| satellite receivers.
|
| > One woman in the Iranian capital, whose satellite dish was
| demolished by the police several months ago, told "Persian
| Letters" that the first thing she did the day after her
| apartment complex was raided was order a new dish and
| receiver.
|
| > "That's the only fun we have here. There's nothing worth
| watching on [state television]," she said. "They can come and
| take my dish away. I will get a new one."
|
| https://www.rferl.org/a/persian_letters_satellite_dishes_ira...
| est31 wrote:
| Unless the government can seize Starlink's assets, or shut
| down/harm their operations, they can't really tell Starlink
| to do anything. E.g. if they can shoot down satellites,
| they'd have influence.
|
| This is especially true for economies that are as
| disconnected from the US as the Iranian one is.
|
| The only thing a state has control over is payments from
| users. But smuggling in transceiver equipment with prepaid
| traffic isn't that hard.
| rohit89 wrote:
| Starlink will need a license to broadcast in the country.
| And the dishes also need to transmit which will give away
| your position.
| est31 wrote:
| Dishes don't _have_ to transmit, only if you want an
| upload channel. It's entirely thinkable that important
| content like websites or feeds by important influencers
| is pushed to all users.
| not2b wrote:
| If everyone announces their proxies the Iranian government will
| be monitoring those announcements and will be able to block
| traffic to them. It may be better for those with friends and
| family in Iran to run proxies and quietly inform only people they
| trust.
| monadic3 wrote:
| Not to mention you can get into significant legal trouble
| helping people sanctioned by the US.
| aendruk wrote:
| > You can share your proxy with friends and family using this URL
| format: https://signal.tube/#<your_domain_name> [...] The latest
| beta release of the Android app is registered to handle links
| from signal.tube.
|
| This scheme is convenient for those with correctly configured
| devices, but comes at the cost to everyone else of increased risk
| of inadvertent leaks of the fact that they're attempting to
| circumvent the block. I'd be interested to hear more about what
| factored into the decision to make this trade-off.
| remram wrote:
| Good point! I wonder why they didn't reverse the scheme, e.g.
| https://mydomain.example.org/#is-a-signal-proxy
| mhils wrote:
| AFAIK you can register URL handlers for a specific domain
| (signal.tube), but not for a specific hash. And you don't
| want Signal to appear as an alternative browser on every
| link.
|
| Edit: On a second thought, I wonder if a custom scheme would
| have worked, e.g. signal-proxy://example.com?
| remram wrote:
| You can set the host to "*" on Android, but maybe not on
| iOS?
|
| For example, my Mastodon app pops up to open all links that
| look like a Mastodon profile
| (https://example.org/@somename).
|
| https://github.com/tateisu/SubwayTooter/blob/4cf16c6ee890a7
| d...
| LinuxBender wrote:
| How would you let users know about this proxy without letting
| their government know about it? Instead of platforms like
| twitter, how about randomly giving out random proxies in some
| header that the app could query on cloudflare or google or
| akamai? Does Signal already make use of any CDN's for out-of-band
| signalling and fail-over? If the Signal proxy could expose an
| obfuscated load metric, then the CDN could pick another proxy via
| health checks. The proxy could advertise itself via CDN's as
| well.
| mholt wrote:
| That's the trick isn't it: having an entire population know
| something an oppressive government doesn't.
|
| Even if you teach everyone how to deploy their own servers,
| then that's the knowledge the government will start targeting.
| You can make blocks expensive, i.e. blocking other major,
| useful services that would disrupt society too much for them to
| want to deal with, but this of course has its own costs.
|
| It's censorship and surveillance all the way down.
| roywiggins wrote:
| As far as I know, Iran is much too open a society to
| actually prevent its citizens from knowing anything in
| particular.
|
| That's not to say it's a free society or that censorship
| doesn't exist there, just that it's not the sort of regime
| that is particularly good at it.
|
| If I had to guess, Iranian expats would be a likely set of
| people to start up proxy servers for their family and friends
| back home.
| not2b wrote:
| Yes, which is why Signal is doing a disservice by telling
| people to announce their proxies on Twitter. The expats
| should just tell their friends and family, and tell them to
| pass the word on only to people they trust.
| ALittleLight wrote:
| But this doesn't stop them from doing that. If you have
| an expat friend or family member with a proxy, use
| theirs, if not, check the latest tweet with the hashtag
| and use that.
| [deleted]
| polishdude20 wrote:
| At some point, the easier option is for there to be a
| revolution or some sort of governmental change.
| upofadown wrote:
| True but not everyone is keen to experience the civil war
| that often accompanies such a change.
| TedDoesntTalk wrote:
| Easy to say when it is not your life or your families'
| lives at risk.
| sixstringtheory wrote:
| Communication is key to both of those things.
| LinuxBender wrote:
| That is precisely why I am suggesting using a CDN. Old school
| CDN that is. Back in the day, if you had Akamai, your site
| would just use one (or many) of their generic names. Nowadays
| you can use your own domain to front their network, but you
| don't have to. If Signal was using a few CDN's and cycled
| through many generic end-point names, then Iran would have to
| block all the CDN's which would be nearly the same as
| shutting off the internet. This would not have to be the
| default mode of Signal. It could be an option that the client
| suggests. "Hey, it appears we are blocked. Use alternate
| proxies?" Then cycle through many different CDN's using many
| generic end-point names. Some of the CDN's can also do layer
| 4 vips and not have to decrypt anything. They can just act as
| a TCP tunnel if need be, just costs more.
| RL_Quine wrote:
| Generally speaking censorship by a government needs to be
| pretty poorly done at best. Taking out the bulk of the usage of
| Signal is easy, removing it completely is hard. Much better to
| apply minimum cost and effort where it counts most.
| ip26 wrote:
| Yup, I would run one but I don't know any Iranians...
| bijoo wrote:
| > How would you let users know about this proxy without letting
| their government know about it?
|
| From the blog post, "A more discrete approach would be to only
| send the link via a DM or a non-public message."
|
| > how about randomly giving out random proxies in some header
| that the app could query on cloudflare or google or akamai
|
| That would "..increases the chance that Iranian censors will
| simply add those IPs to their block list"
|
| It looks like the solution provided in the blog post is limited
| to helping folks run their own proxy for people they know.
| cmroanirgo wrote:
| I think Signal is clearly recognising that nearly any server or
| system they create will be blocked, which is why they
| recommended this being done on an individual layer.
|
| From the article:
|
| > A more discrete approach would be to only send the link via a
| DM or a non-public message. You can post something like this on
| your favorite social network:
|
| > * #IRanASignalProxy Reply to this thread if you want the
| connection details, and follow me so I can DM you the link.*
| [deleted]
| not2b wrote:
| No good; people working for the Iranian state will DM. Signal
| didn't think this through. No one should announce proxies via
| social media. Tell people how to set one up for friends and
| family.
| DangerousPie wrote:
| There are plenty of people that don't have friends or
| family in Iran but would still like to help.
| ufmace wrote:
| > No good; people working for the Iranian state will DM.
|
| They'll probably try, but it's not very scalable. It's
| tough to build and maintain a Twitter account with a
| history that looks like a real regular person, much less
| create a bunch of them fast with history that dates back
| before the day you started. If most of them make a modest
| effort to verify users, most of them should remain
| unblocked. It's all pretty decentralized, so it's not that
| big a deal if a few of them do get discovered and blocked.
| boomboomsubban wrote:
| People working for the Iranian state generally would be
| discernible from their Twitter account, and by controlling
| the information you hand out you can also flag the hidden
| accounts that aren't easily recognized.
|
| You also overestimate how committed Iran is to stopping
| this. Doing this in public risks the state finding out, but
| outside of times of crisis the state is usually pretty slow
| to respond. Keeping it private tanks participation rates.
| not2b wrote:
| There are about 700,000 people of Iranian descent in the
| Los Angeles area alone (the largest such community in the
| US). Most of them are in the US to escape the regime, and
| most have friends and family in Iran who they keep in touch
| with. The people in Iran also have their own networks.
|
| So a down-low friends and family approach could reach a
| lot of people.
| boomboomsubban wrote:
| If you just filter the amount of those 700,000 down to
| how many are aware Signal exists, I bet we'd already be
| at a low enough number to see the problem with your plan.
| ariosto wrote:
| This is inspiring. I am going spin one up and also look into
| contributing to your source code.
| S53Vflnr4n wrote:
| Hey Signal, your next contender will be Narendra Modi's Hindu
| nationalist Indian govt. But Modi is one step ahead, blocked the
| whole internet in Delhi.
| Jkvngt wrote:
| What if political dissidents don't want to give their phone
| numbers to the former head of Twitter security on the eve of
| President Biden's re-engagement with the Islamic theocracy of
| Iran?
| SandunFernando wrote:
| The login code you entered doesn't match the one sent to your
| phone. Please check the number and try again.
|
| It looks like you haven't logged in from this browser before.
| Please enter the login code from your phone below.
|
| NOT COMING MY PHONE CODE
| elif wrote:
| I would keep in mind that the US has weird antiterror laws about
| assisting enemies and also laws which construe bypassing system
| designs as hacking.
|
| For instance, Virgil Griffith is being held and charged for
| giving a high level description of bitcoin transactions at an
| academic conference in North Korea.
|
| This is incredibly more specific and more technical of an act.
|
| https://www.coindesk.com/usa-v-virgil-griffith-what-we-know-...
| x86ARMsRace wrote:
| This law is trivially easy to get on the wrong side of.
| Something like this would be definitely in scope of the anti-
| terror law you're talking about. American HN users beware.
| eatbitseveryday wrote:
| Can someone who is a lawyer comment on this, please?
|
| edit: further.. how is Signal shielded (if at all) from
| providing services to anyone in Iran? Wouldn't they be a target
| in such a case? The blog post is an explicit call for
| assistance specifically to do so.
| AnthonyMouse wrote:
| I wonder how many First Amendment lawyers would be champing at
| the bit to take a case where a prosecutor was dumb enough to
| charge someone with a crime for assisting dissidents to
| communicate.
| pmlnr wrote:
| So... federate but not really?
|
| I'd heavily advise instead to run as many xmpp servers* as
| possible, and let people/friends use them.
|
| *not matrix, unless one configures it to forget the data and only
| act as a message broker, like XMPP. For this specific use, it's
| better.
| djl0 wrote:
| If Iran is blocking Signal but not other apps, namely Whatsapp,
| does this mean Iran has access to Whatsapp data?
|
| I fully expect the US govt to have access to fb/whatsapp data (at
| least the metadata), but it's a bit surprising to me that Iran
| would too.
| danenania wrote:
| I think FB's policy is to comply with local laws regardless of
| ethical concerns?
| xirbeosbwo1234 wrote:
| I think FB's policy is to _____(verb)_____ regardless of
| ethical concerns.
|
| They certainly aren't complying with U.S. antitrust laws.
| They comply if it makes them money and don't comply if it
| doesn't make them money.
| benlivengood wrote:
| There are a few requests reported:
|
| https://transparency.facebook.com/government-data-
| requests/c...
| mzs wrote:
| which you can't read without a FB account! In any case 6
| users/accounts in the first half of 2020
| beermonster wrote:
| Well...
|
| https://www.nytimes.com/2020/09/18/world/middleeast/iran-hac...
| ParanoidShroom wrote:
| I doubt it. By the same reasoning they would also have access
| to iMessage and other apps that aren't banned. Not sure what
| WhatsApp or fb has to do with this.
| 2cb wrote:
| Considering Apple put all data of Chinese users on Chinese
| servers to keep the CCP happy I have no doubt they're
| perfectly happy and willing to comply with government
| requests elsewhere too.
| twhb wrote:
| Iran blocks _every_ major foreign messaging app, except
| WhatsApp. Signal escaped it until now only because they had so
| few users. Also keep in mind that while WhatsApp claims to use
| the Signal protocol, they installed a backdoor that allows them
| to MITM conversations. So yes, I'd say it's virtually
| guaranteed that WhatsApp is sending unencrypted message data to
| Iran, and of course to the US too.
| oarsinsync wrote:
| > [WhatsApp] installed a backdoor that allows them to MITM
| conversations
|
| Citation?
| [deleted]
| kolmogorov wrote:
| https://signal.org/blog/there-is-no-whatsapp-backdoor/
| egberts wrote:
| "There's no backdoor."
|
| -- Perhaps the door is cracked (or ajar) and a microphone
| is listening in ... still?
| twhb wrote:
| HN discussion of that post:
| https://news.ycombinator.com/item?id=13394900
|
| I guess I'm coming down hard on one side of a controversial
| question, but in my mind, if it allows the server to
| intercept messages without users knowing about it under the
| default configuration, it's a backdoor.
| cgb223 wrote:
| Could the Iranian government also run a Signal proxy?
|
| Can they then read said proxy traffic since it's on their
| machine?
| NotEvil wrote:
| No. Nobody can, not even Signal; that's the whole point of E2E
| drummer wrote:
| They could certainly do this, but they would only see which
| local IP is trying to communicate with Signal (and thus trace
| the user). The traffic itself is end to end encrypted so they
| can't read it.
| blintz wrote:
| What is the state of the art on censorship resistance right now?
| This cat-and-mouse proxy fight never seems to go great for the
| good guys.
|
| My last in-depth reading on it was the excellent 2016 SoK paper
| "Towards grounding censorship circumvention in empiricism"
| (http://www.cs.umd.edu/class/fall2018/cmsc818O/papers/sok-cen...)
|
| The high level takeaway then seemed to be that researchers were
| not focusing efforts on measures that can actually help more
| people resist censors. Have we made progress since then?
| meibo wrote:
| Telegram got around Russian censors by constantly pushing new
| IPs for their servers with Google Cloud. Of course this is a
| cat and mouse game as well, but it worked out well for them,
| since Russia didn't want to block all of Google/AWS.
|
| https://news.ycombinator.com/item?id=26028415
| ignoramous wrote:
| I keep an eye on the work censorship.ai does as they are
| usually at the cutting edge of it:
| https://geneva.cs.umd.edu/papers/
|
| Tor, Jigsaw's Outline, and V2RayNG are worth keeping tabs on as
| they're FOSS projects and do much of their development in the
| open.
|
| Lantern's development whilst it was still open source was
| fascinating to see as well. Since 2016 (I believe) they stopped
| doing so out of security concerns:
| https://twitter.com/adamfisk/status/1316569766832869377
| robert_foss wrote:
| There are relatively good solutions like dns fronting on Amazon
| or Google, but they frown upon being used that way.
| [deleted]
| notsureaboutpg wrote:
| Hmm, I have a family member going to seminary in Iran and he has
| been in contact with me over Signal (he moved our family chat to
| it over WhatsApp because of recent events).
|
| Did this happen like literally today? Because otherwise I haven't
| heard of such a thing...
| whalesalad wrote:
| Where is the 'deploy to heroku' button when you need it
| nrvn wrote:
| Signal could learn a lot from Telegram in this regard.
|
| Russian govt had tried to block Telegram but Telegram servers
| just kept jumping over various CIDRs and users got the IP
| addresses for connecting over push updates, and the only thing the
| govt succeeded in was blocking a wide range of subnets including
| AWS ranges and GCP ranges, thus disrupting a whole lot of
| businesses and even some government services.
|
| They gave up and lifted the ban eventually.
|
| https://www.schneier.com/blog/archives/2018/06/russian_censo...
| derefr wrote:
| Feels like there could be a good business in providing this
| CIDR-hopping push-updating proxy as a service other apps could
| embed. Like what CloudFlare does for DDoS protection, but as a
| forward-proxy + client middleware, instead of a reverse-proxy.
| mywittyname wrote:
| Depends on your definition of "good."
|
| Dealing with hostility from government bodies is probably no
| fun.
| agnosticmantis wrote:
| I believe telegram itself is blocked in Iran, though.
| smnrchrds wrote:
| It is indeed. Iran does not shy away from blocking large
| swaths of the internet in order to make sure the parts they
| want blocked will remain blocked. For example, before 2009,
| there were specific blogs on wordpress.com which were blocked
| and making sure the content the government wanted
| inaccessible would remain inaccessible had turned into a
| whack-a-mole game. In 2009, they simply blocked the entirety
| of Wordpress, Facebook, YouTube, etc. and made their jobs
| much easier.
|
| Iran would not hesitate to block all AWS IP addresses as a
| solution (I don't know if that is how they block Telegram
| now). GCP resources would not load in Iran anyway because
| Google has a very strict (much more strict than AWS and
| Azure) interpretation of the sanctions, so they don't have to
| worry about them.
| eternalban wrote:
| > It is indeed. Iran does not shy away from blocking large
| swaths of the internet
|
| > Iran would not hesitate to block all AWS IP addresses as a
| solution
|
| DNS will not resolve _any_ .ir (.coms that are Iranian)
| domains here in US, afaict.
| whimsicalism wrote:
| Not at all true. Try http://www.president.ir/en
| sigmar wrote:
| That article notes that Signal has been domain fronting since
| 2016. I think google has cracked down on it more recently
| though, and hence Signal has had to circumvent censors in a new
| way
| windthrown wrote:
| Correct, both Google and Amazon told Signal not to use them
| for domain fronting: https://signal.org/blog/looking-back-on-the-front/
| rzz3 wrote:
| What about Cloudflare?
| capableweb wrote:
| Answer from Cloudflare team seems to be "No" -
| https://community.cloudflare.com/t/could-cloudflare-
| support-...
| aftbit wrote:
| Gross! I wonder what motivated these decisions inside
| Amazon & Google. This likely affects the Tor project domain
| fronting as well.
|
| We really should not have let the majority of internet
| traffic be served by a small handful of giant companies
| without some legal protections as to what they're allowed
| to do.
| jaywalk wrote:
| Believe me, I'm all about reining in big tech.
|
| But I would be 100% against any law that required them to
| allow domain fronting. It's fine if they want to, but
| _requiring_ them to basically open up /leave open a hole
| in their systems is not right.
| hutzlibu wrote:
| What I recall from the discussion back then is that
| domain fronting basically means that Signal would
| disguise itself as Google or Amazon traffic. So I would
| say it is understandable that they decided this is not
| good for their business.
|
| So it was not an act by Google and Amazon to actively harm
| Signal, but rather canceling ongoing support of Signal
| that could put their business to harm, which is something
| different.
| praseodym wrote:
| Probably malware using domain fronting techniques for C2
| traffic played a role in that decision. E.g.
| https://threatpost.com/apt29-used-domain-fronting-tor-to-
| exe...
| Craighead wrote:
| Yes yes, but, when will Verizon and Comcast be broken up?
| 2cb wrote:
| And this new way, while less convenient, is arguably superior
| due to its decentralisation. They're not just going after one
| service they're now going after people all around the world
| running these proxies.
|
| Just set one up myself, took 15 minutes and that includes
| setting up a fresh VPS.
|
| Just thinking what the best way to share it is.
| birdyrooster wrote:
| lol i accidentally rented a decent VPS for 30 days in
| switzerland and now I have a use case for it whoo
| stonesweep wrote:
| I've been mulling this over today, as your ability to _get_
| the name/IP of the proxy has to be censorship resistant as
| well.
|
| The best idea I've had so far is using a CNAME response to
| a very common DNS query which would pass a basic filter,
| like I'd ask for "mail.mydomain.com" and it would respond
| with a CNAME pointing to the actual proxy. I have dead
| domains which I have configured with null records for MX
| and stuff (so spammers can't abuse them), I could hide the
| name of my proxies in the MX records as CNAMEs and nobody
| would be the wiser...
|
| The trick is getting the word out on how to do it - like
| "hey everyone, just ask random domains for "mx.domain.com"
| and use the 30 level MX" or something which would pass as
| legit traffic. Maybe...
| 2cb wrote:
| Using innocent sounding CNAMEs on abandoned domains is
| definitely a smart idea.
|
| I've definitely got some old domains kicking about, I'll
| see how far off they are from expiration and do something
| similar if they have at least a few months left in them.
|
| The proxies themselves can also be hosted at normal
| sounding domains and subdomains like cdn.technology.memes
| or whatever.
|
| And when you point other domains to them as CNAMEs use
| equally regular looking subdomains no algorithm would
| pick up as a proxy like webmail.abandoned.tld.
| stonesweep wrote:
| Thought following yours, I like the CDN idea - if you add
| in some dynamic DNS updates with random CNAME results it
| could also help - ask for cdn.example.com, get
| node182.example.com and 5 minutes later get a different
| CNAME result injected from some cron job...
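The two ideas in this subthread (a boring-looking decoy name whose CNAME or MX answer carries the real proxy hostname, rotated by a cron job) and the signal.tube share-link format quoted earlier in the thread, put together as an added example. This is not code from the post, from Signal or from any commenter; the node names, decoy names, TTLs and the HMAC secret are assumptions for illustration.

```python
"""
Added example: keyed rotation of the proxy hostname behind a decoy DNS
name, the zone fragment a cron job would write, and the client-side
steps that turn an answer into a signal.tube link. All names are assumed.
"""
import hashlib
import hmac
import re
from typing import List, Optional, Tuple

# Assumption: proxy nodes the operator runs, named like ordinary infrastructure.
PROXY_NODES = ["node182.example.com", "node207.example.com", "node311.example.com"]

# Plain hostname only: labels of letters/digits/hyphens, a dotted form, alphabetic TLD.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def pick_node(secret: bytes, decoy: str, nodes: List[str], now: int,
              window_s: int = 300) -> str:
    """Choose the node a decoy name points to during the current time window.
    HMAC(secret, decoy|window) makes the sequence reproducible for anyone who
    holds the secret and unpredictable for anyone who does not."""
    window = now // window_s
    tag = hmac.new(secret, f"{decoy}|{window}".encode(), hashlib.sha256).digest()
    return nodes[int.from_bytes(tag[:4], "big") % len(nodes)]


def zone_fragment(secret: bytes, decoys: List[str], nodes: List[str], now: int,
                  ttl: int = 300, window_s: int = 300) -> str:
    """Render the CNAME records the cron job rewrites each window (BIND syntax).
    The TTL must not exceed the window, or resolvers keep serving the old target."""
    if ttl > window_s:
        raise ValueError("ttl must be <= rotation window")
    lines = []
    for decoy in decoys:
        target = pick_node(secret, decoy, nodes, now, window_s)
        lines.append(f"{decoy}\t{ttl}\tIN\tCNAME\t{target}.")
    return "\n".join(lines) + "\n"


def proxy_from_mx(mx_records: List[Tuple[int, str]], preference: int = 30) -> Optional[str]:
    """Client side of the MX variant: among (preference, exchange) answers, the
    agreed preference carries the proxy; the rest are ordinary null/decoy MX."""
    for pref, exchange in mx_records:
        if pref == preference:
            return exchange.rstrip(".")
    return None


def signal_tube_link(host: str) -> str:
    """Build the share-link format quoted in the thread. Reject anything that is
    not a plain hostname so a hostile DNS answer cannot smuggle in a path or port."""
    host = host.rstrip(".").lower()
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"not a plain hostname: {host!r}")
    return f"https://signal.tube/#{host}"


if __name__ == "__main__":
    import time
    secret = b"example-secret"                      # assumption; keep out of the zone
    print(zone_fragment(secret, ["cdn.example.com", "webmail.example.com"],
                        PROXY_NODES, int(time.time())))
    print(signal_tube_link(proxy_from_mx([(10, "."), (30, "node182.example.com.")])))
```

Two caveats a practitioner would weigh before relying on this: the lookup itself travels in the clear to the authoritative server unless the client uses encrypted DNS, so a censor sitting on the resolver path sees the CNAME target exactly as the user does; and a low-TTL name whose target changes every few minutes is itself an anomaly a passive DNS feed can surface.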
| [deleted]
| emptybits wrote:
| Thank you. It's heartwarming to read about successes like this.
|
| Immediately recalling John Gilmore (GNU/EFF/etc.) in 1993:
|
| "The Net interprets censorship as damage and routes around it."
| freakynit wrote:
| How disgusting these governments have become. It pisses me off.
| rthomas6 wrote:
| This is one of the best arguments for
| federation/decentralization, is it not? It's not impossible to
| block a protocol, but it's harder than blocking an IP.
| derbOac wrote:
| Yeah I was thinking this is awfully close to some kind of
| federated system. It's not the same but it's pretty close to
| Signal asking for people to decentralize their service a bit to
| overcome censorship, which is one of the main arguments for
| decentralized systems.
| im3w1l wrote:
| We see again and again that Americans hate freedom of speech. So
| what is this but a power play? They want people to use controlled
| platforms where only American-approved activism is allowed.
| Actions that destabilize an enemy regime.
|
| Iranians who use Signal are American proxy forces. By definition
| it is treason.
| owl_troupe wrote:
| Iranians who use Signal are Iranians. Your statement is
| premised on the Iranian government having absolute authority to
| surveil the communications of Iranian citizens. By that logic,
| any form of end-to-end encrypted communication is treason. You
| might as well say that Iranian citizens have no general right
| to privacy and any expectation of such is also treason.
| im3w1l wrote:
| Signal is American controlled. Encryption in general is not.
| MightyOwl13 wrote:
| Hey, did anyone actually try to run this? I'm getting a bunch of
| errors when trying to run the sudo docker-compose up --detach.
| How would I know if it's running or not? Sorry, quite new to this
| apart from hosting a couple of personal pages on a vps.
| l1am0 wrote:
| I found that a simple apt-get docker does not work for me on
| Debian. Tried the official Docker documentation and that helped:
| https://docs.docker.com/engine/install/debian/
| 2Gkashmiri wrote:
| hey. I just thought of something. is it not possible for India or
| Iran in this case to check your phone number and see if it is
| active on Signal? if you are online it means you are somehow
| bypassing their blocks. isn't it then just a matter of tracking your
| cellphone, and the relevant xkcd applies? https://xkcd.com/538/
|
| this is looking like a zero sum game unless the Signal account is
| delinked from phone numbers because the govt can play the cat and
| mouse game indefinitely
| monadic3 wrote:
| > is it not possible for india or iran in this case to check
| your phone number and see if it is active on signal?
|
| WTF, why does signal require PII to use? Shouldn't it give you
| a public/private key pair on signup?
| f430 wrote:
| all they need to do is be in the approximate region of the cell
| signal through triangulation to figure out the phone numbers /
| unique identifiers attached to the phone.
|
| then it's a matter of time before they link real identity to the
| phone. With the wide availability of femtocells, all they need
| to do is get lucky once.
|
| This puts operators of Signal proxies in potential harm's way!
| Absolutely irresponsible for people on HN to downvote and
| downplay genuine security concerns.
| MrMorden wrote:
| How is a proxy operator in harm's way? They aren't in Iran,
| and the Iranian government understands the consequences of
| trying to do anything about it. Users are in no more danger
| than they've always been, and substantially less than if they
| didn't have communications ability.
| 2Gkashmiri wrote:
| oh. you are not joining all the dots here. an offensive govt
| already has KYC on cellphones. they can pull your details in
| a second. My reasoning. they have a list of say 100 users.
| every govt has lists. they check that list against signal
| users as "social graph" and voila, they know you are online
| or not. second, kyc documents show who you are so you are as
| good as toast
| realducksoft wrote:
| Damn, I've read the code. This won't work against an active
| probe. Censors just use signal domains and non-signal domains to
| test your proxy. If signal domains get passed and non-signal
| domains get denied, you are fucked. Besides, TLS in TLS is highly
| identifiable by simple packet length dpi. I'd hope there's a better
| plan.
| Diggsey wrote:
| > Censors just use signal domains and non-signal domains to
| test your proxy.
|
| If the censor already knows about your proxy they would have no
| reason to test it... The whole point is that there _isn't_ a
| central list of proxies for them to easily block.
| [deleted]
| I_Byte wrote:
| This is the very same problem that Tor faced when Tor bridge
| use started to pick up in China around the late 2000s / early
| 2010s. You only needed a single Chinese user to connect to
| your server for it to be probed by the Chinese censors. Older
| versions of the obfs Tor bridge protocol could be detected by
| active probes and thus blocked very much like these Signal
| proxies. This is a cat and mouse game that Signal could very
| easily lose should Iran start to care about probing all new
| active connections that leave Iran.
| pmlnr wrote:
| > there isn't
|
| YET. I wonder if someone will find a simple way to map these
| with shodan.
| chmod775 wrote:
| Why can't they just ship signal with a Tor client? This is
| precisely what Tor was built for.
|
| They can donate some money to charities running Tor nodes while
| they're at it, or run some themselves.
|
| Iran tried to censor Tor too, but it's pretty much impossible to
| do so fully. At least the Tor devs are usually on top of it,
| while Signal is inexperienced dealing with things like this.
| vbezhenar wrote:
| What makes you think that it's hard to block Tor? Even
| Kazakhstan blocked Tor many years ago. They're using DPI:
| connection opens, client can write data, but can't read
| anything which is frustrating from user PoV.
| viro wrote:
| Tor is is blocked in Iran.
| [deleted]
| gruez wrote:
| if they can block tor what makes you think they can't
| block these proxies? furthermore if you use tor you can use
| the existing network of bridges/relays as well as their
| pluggable transports protocol to avoid DPI/traffic analysis.
| viro wrote:
| They can block these proxies. That's why in the
| #IRanASignalProxy section they say to share in more
| discreet ways if you can.
| woofcat wrote:
| Which to me is bad. They should run a service like Tor
| does to get private bridges. I don't know anyone in Iran
| but I have a server I could use for this. However I know
| zero people in Iran.
| lacker wrote:
| Iran is already blocking Tor. In general, if Signal
| provides some central way to use Tor together with Signal,
| the Iranian government can just run it on their machine,
| and block every IP address that it tries to connect to.
|
| Iran can block these proxies, too, but this way there isn't
| any centralized listing of proxies. This proxy setup is
| simple enough that a single person could run a proxy for a
| few dozen of their friends, and the Iranian government
| might just never find out about it.
| gruez wrote:
| there are public and private bridges.
| f430 wrote:
| exactly, this article is exceptionally egregious at
| estimating state actor's tools augmented by HUMINT
| capabilities to hunt down anybody trying to subvert their
| iron curtain.
|
| I fear that some naive Western expat will participate and
| find themselves a hostage. Many countries in this
| don't have any treaties with Western nations, they don't
| have high regard for human rights either.
| milofeynman wrote:
| Tor has a very similar proxy setup that can be used to get
| around blocks like this.
|
| https://2019.www.torproject.org/docs/bridges.html.en#Plugga
| b...
| sporksmith wrote:
| Yup. I just tested ~~the fdroid~~ signal (the non-google-
| play apk from signal's web site) with orbot (a tor VPN
| for android) and verified it works correctly for text
| messaging. As you say, using a bridge _should_ make it
| difficult for iran to block. I wouldn't be surprised
| though if voice/video was too high latency or doesn't
| work at all. https://mobile.twitter.com/sporksmith/status
| /135738175783478...
| ignoramous wrote:
| Signal is taking a leaf out of Telegram's book here in
| crowd-sourcing censorship circumvention which has worked so
| well for Telegram in Russia, especially.
|
| One could use censorship evading VPNs like Tor, Lantern,
| Shadowsocks, Psiphon in addition to using these proxies.
| They all have different evasion mechanisms.
|
| The thing that works for user-run proxies is, it is like a
| hydra, you censor one proxy another crops up.
| kelnos wrote:
| I'm worried that Iran is less concerned about collateral
| damage. Russia gave up because successfully banning
| Telegram would also ban significant parts of the internet
| that Russian businesses (etc.) depend on, so that was
| unworkable. I expect that Iran won't care quite as much.
|
| Regardless, I hope this does actually end up working, and
| allows Iranians to use Signal without a prolonged cat-
| and-mouse game.
| benlivengood wrote:
| https://github.com/signalapp/Signal-TLS-Proxy/issues/3 is the
| major issue with the current proxy and hopefully it's fixed
| quickly before a bunch of folks set up a proxy and forget about
| it.
| [deleted]
| [deleted]
| MayeulC wrote:
| Hmm, looks like these are just a few nginx rules, they might as
| well publish those.
|
| Internet is a bad fit for this. I wish everyone was using
| yggdrasil, I2P, tor or something similar.
|
| I mean: I could provide as many yggdrasil addresses as I wanted
| to. It would be possible to set up a few VPNs to connect separate
| networks (though potentially traceable).
| superkuh wrote:
| What happens when Iran's government itself runs a bunch of these
| proxies?
| IncludeSecurity wrote:
| Even worse, what happens when they MITM all of the installs
| because the docker container has really bad security such as:
|
| RUN wget http://nginx.org/download/nginx-1.18.0.tar.gz
|
| https://github.com/signalapp/Signal-TLS-Proxy/blob/master/ng...
|
| Installing via HTTP, with no verification of installer seems
| like a reallyyyyy bad idea.
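A defensive counterpart to the `RUN wget http://...` line quoted above, added here as an example and not code from the Signal-TLS-Proxy repository: a POSIX shell helper that only fetches build inputs over HTTPS and refuses to proceed unless the file's SHA-256 matches a pinned value. The HTTPS download URL and the pinned digest are assumptions; the digest in the usage note is a placeholder to replace with the checksum published upstream.

```shell
#!/bin/sh
# Added example (not from the Signal-TLS-Proxy repo): fetch a build input
# over TLS only and refuse to use it unless its SHA-256 matches a pinned value.
set -eu

# Print the SHA-256 hex digest of a file (GNU coreutils, with a BSD fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> returns 0 on match, 1 on mismatch.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    return 1
}

# fetch_verified URL EXPECTED_HEX DEST: download over HTTPS only, then verify.
# A mismatching file is deleted so a later build step cannot pick it up.
fetch_verified() {
    url=$1 expected=$2 dest=$3
    case "$url" in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $url" >&2; return 1 ;;
    esac
    # --proto '=https' also rejects redirects that downgrade to plain HTTP.
    curl --fail --silent --show-error --location --proto '=https' \
         --tlsv1.2 -o "$dest" "$url"
    if ! verify_sha256 "$dest" "$expected"; then
        rm -f "$dest"
        return 1
    fi
}
```

In the Dockerfile the original line would then become `RUN fetch_verified https://nginx.org/download/nginx-1.18.0.tar.gz <PINNED_SHA256> nginx-1.18.0.tar.gz`; nginx.org also publishes a detached PGP signature (`.tar.gz.asc`) per release, which is a stronger check than a hash copied from the same site.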
| RL_Quine wrote:
| That's awful.
| gspr wrote:
| I noticed the same thing, and filed an issue [1]. The first
| reply does not fill me with a lot of confidence (but it's
| unclear to me whether the person is affiliated with the
| project or not).
|
| [1] https://github.com/signalapp/Signal-TLS-Proxy/issues/6
| aftbit wrote:
| They have completely disabled issues on that repository.
| Wow I used to really like Signal...
| kelnos wrote:
| And it seems they've fixed the issue, without any kind of
| public comment.... still not great:
| https://github.com/signalapp/Signal-TLS-
| Proxy/commit/39a97da...
| kdunglas wrote:
| I (partially) fixed this issue, and I'm not affiliated in
| any way with Signal. It's public
| (https://github.com/signalapp/Signal-TLS-Proxy/pull/2),
| and it looks like they welcome contributions, because
| they merged mine.
| sneak wrote:
| You'd be building and running these outside of Iran for them
| to work, which would limit the Iranian government's ability
| to perform the attack you describe.
| harg wrote:
| If all the traffic going via the proxies is e2e encrypted is
| there much that can happen?
| TedDoesntTalk wrote:
| But the fact that you are in Iran and using Signal may get
| you added to a watchlist. They can trace the IP addresses
| connecting to the proxy server back to a household or phone,
| no?
| tannhauser23 wrote:
| This is the kind of privacy initiatives we need. While we argue
| in America about deplatforming, Iran, China, and other
| authoritarian countries around the world are actually suppressing
| and punishing free communication. Kudos to Signal for this
| initiative.
| notsureaboutpg wrote:
| America suppresses and punishes free communication, you just
| aren't aware of it because they control what you see when you
| live there.
| hikerclimber wrote:
| i hope this doesn't work.
| isoprophlex wrote:
| Almost everyone in these comments is asking questions of various
| degrees of pedantry or outright dissing signal/moxie/no
| federation/whatever...
|
| Just spin up a server if you can spare the expense and help some
| people out.
|
| Action > inaction.
|
| edit: you can get the connection details via @appliedlambdas on
| twitter!
| isoprophlex wrote:
| Considering that there's plenty of people also sharing these on
| Twitter I've decided to openly share mine as a canary..:
|
| https://signal.tube/#instafax.nl
| koheripbal wrote:
| Talk is cheap.
| 2cb wrote:
| You can literally spin this up on a $5 a month VPS as well, not
| like you need to break the bank. And with so many TLDs there's
| plenty of dirt cheap domains too. I just spun one up in 15 mins
| and if it gets blocked I'll happily spin up more.
| mzs wrote:
| Whoa whoa whoa... there can be legal consequences for spinning
| up a proxy in countries sanctioning Iran. This is a case where
| action can in fact be way worse for someone than inaction. I
| still can't find any discussion about that and it's worth
| investigating.
| thefifthsetpin wrote:
| I imagine that you're right, but it feels like a really weird
| case to choose to prosecute.
| stonesweep wrote:
| During the EFF "run a tor node" challenge a few years back,
| I learned that many cloud providers (a) hold you
| responsible for any traffic transgressing your proxy, and
| (b) generally were OK with running a relay node but not an
| exit node. Responses varied provider by provider, some have
| written rules some do not.
|
| Point being there are already discussions about the relay
| topic with cloud providers and it's not a weird edge case
| to me (and the law in your jurisdiction may have a strong
| opinion on this), I imagine there are legal things about
| where you live vs. where the server lives which also
| matter.
| [deleted]
| dijit wrote:
| How flippant.
|
| "Almost everyone in these comments is asking questions of
| various degrees of pedantry or outright dissing
| hospitals/insurance/medical bankruptcy/whatever...
|
| Just donate to a charity if you can spare the expense and help
| some people out.
|
| Action > inaction."
|
| Healthcare and communication aren't comparable. But my point is
| that you can criticise institutions for their (contested)
| faults.
|
| If you place yourself on the mantle of non-federation, then
| availability and censorship resistance are your cross to bear,
| frankly.
|
| The notion that I should help them workaround their
| architectural failure when it's been widely criticised (and
| criticism openly dismissed) multiple times is a little wild.
| ampdepolymerase wrote:
| It is not. Healthcare and communications are very much
| comparable if your life and livelihood are on the line. If
| the downside risk for both is a dead person then they are
| very much morally equivalent.
| isoprophlex wrote:
| Your neighbor asks you to drive them to the hospital. Do you
| lecture them on the failures of privatized healthcare? No,
| you defer your opinion to the relevant place and time.
|
| This right now is about people having their access to
| uncensored communication cut off, and moxie asking people to
| help out. If you think their architecture is doomed, you're
| free to codify your opinion somewhere in a pull request or
| comment under an article about signal's protocol philosophy.
| dijit wrote:
| The analogy falls a bit flat because this forum contains,
| mostly, the arbiter of the root problem, namely that signal
| is not censorship resistant by itself. And we should
| criticise them for that because it was a warning delivered
| in a timely manner and never heeded.
|
| Helping my neighbour in this case means allowing them to
| use my social insurance. Namely by using xmpp/matrix. It is
| low/no cost to them (unlike moving countries for socialised
| medicine.)
| 2cb wrote:
| > signal is not censorship resistant by itself. And we
| should criticise them for that because it was a warning
| delivered in a timely manner and never heeded.
|
| I don't believe Signal ever claimed to be censorship
| resistant to begin with. I just looked at their
| description on the App Store and nothing there mentions
| bypassing censorship.
|
| Signal in fact did use to be censorship resistant before
| they were prevented from using domain fronting by third
| parties outside of their control.
|
| Now the Iranian people need help and Signal has made it
| extremely easy for anyone who visits sites like this to
| kick in and provide that help. It's likely proxies are a
| stopgap solution but that's okay. Iranians are having
| their messages blocked now and Signal has managed to
| release a working fix rapidly.
| dijit wrote:
| You write this as if I contested anything you said. Maybe
| signal didn't _claim_ to be censorship resistant but it's
| _essentially_ marketed as such by well meaning people.
| It's "the secure messenger", what is it secure against if
| not governments? Your ISP?
|
| Or does security of access not get covered by this
| definition?
|
| If people had chosen a federated system instead, then
| instead of _needing_ this very quick solution to be
| hacked together, the system would have dynamically moved
| around it.
|
| But, it's a future we'll never know now. Signal has the
| mindshare (and certainly the favour!) of the people, so
| the ship has sailed and I'm tilting at windmills.
|
| I think it's ridiculous that we have to patchwork _their_
| broken system that _we_ warned them of, but that's the
| reality and I am not one to put principles before people.
| TheJoYo wrote:
| Everyone complaining this is just a cat-and-mouse game, it's not
| a game these people choose to play. They either play it or their
| movement dies.
| ncallaway wrote:
| Of course it's a cat and mouse game.
|
| That doesn't mean it's unwinnable. That means you create a lot
| of evasive mice and win.
|
| Perfect is the enemy of the good. This is the kind of thing
| where winning is more important than a perfect strategy.
|
| Be water.
| teekert wrote:
| I'd be happy to run this, but I don't really feel like spreading
| this (for everyone I know) useless info into my social network
| (which would be via email for me?)
|
| I would gladly send a link to Signal for my proxy though so they
| can forward it to people that need it? Hmm, I'm beginning to see
| the problem now..
| wheybags wrote:
| Agreed, I'd happily run a server but I would need some kind of
| aggregator service to post my proxy on. Surprisingly enough I
| don't have many contacts in Iran lol
| teekert wrote:
| But, I do understand that it is otherwise difficult to reach
| Iranians and not hand their government a list of urls to
| block. But I think my reach is useless. If your reach is not,
| then maybe you'll also reach the Iranian government easily.
|
| Moreover, should I run this from my personal server? Could it
| become a target for nefarious stuff? I feel the same as I do
| when I think about running a TOR exit node. I want to be like
| my hero Edward Snowden but... I'm afraid of the stuff that
| gets associated with my IP address.
|
| Also, a https://www.linuxserver.io/ Docker image would be
| cool ;)
| notsureaboutpg wrote:
| I have contacts in Iran but none of them are having trouble
| accessing Signal (I'm talking to them with it right now!)
| realducksoft wrote:
| Here is an interesting discussion:
| https://github.com/signalapp/Signal-TLS-Proxy/issues/3
| dunefox wrote:
| Wouldn't Briar be a good choice? https://briarproject.org/
| aendruk wrote:
| Not yet. https://code.briarproject.org/briar/briar/-/issues/445
| upofadown wrote:
| Apple devices are fairly rare in Iran.
| pmlnr wrote:
| There was an article in 2014: "Imagining a Rebel Firefox" (
| https://medium.com/@efrensandoval/imagining-a-rebel-firefox-... )
| which played with the idea if every firefox node would become a
| tor(ish) gateway.
|
| Is there no way to build this in the Signal clients themselves?
| E.g. one is on a wifi, try to upnp, ask the user if they'd wish to
| help.
| circularfoyers wrote:
| Similar to the Tor Project's Snowflake[1] Firefox addon?
|
| [1] https://addons.mozilla.org/en-US/firefox/addon/torproject-
| sn...
| sergiosgc wrote:
| Signal should be federated. This censorship problem would not
| exist, or would be organically routed around, were the service
| federated.
|
| Without federation, Signal is just another stepping stone in the
| long path of eventually abandoned instant messengers, all the way
| back from ICQ. We will get to an SMTP-like protocol, and email-
| like service, at some point. If not Signal, some other one.
| vineyardmike wrote:
| > organically routed around
|
| Do any SMTP servers still allow organic routing? I was under
| the impression that all modern servers have extremely
| cumbersome auth/dkim and it's hard to not be GMail and still
| send a real msg and have it arrive
| ignoramous wrote:
| Signal was federated at one point:
| https://lwn.net/Articles/687294/
|
| Moxie, one of the original authors of the Signal protocol, said
| federation severely restricted flexibility and so they had to
| move on: https://news.ycombinator.com/item?id=11668912
| WookieRushing wrote:
| I'm not so sure. Moxie's reasons about how federation leads to
| protocol development slowing and then freezing are solid.
|
| It's why we're not using smtp for chat. SMTP can't be extended
| enough so replacements are built instead. Similarly if signal
| federated, eventually it would freeze and a few years later
| users would move to wherever they could get new features.
|
| Federation is a good thing but only when the protocol is
| finished or if there is a forcing mechanism to allow updates to
| the protocol. ethereum/Bitcoin are good examples as they have
| flag days that force the value of currency to be in the balance
| to keep the protocol moving forward.
| rthomas6 wrote:
| I don't see what prevents updating as long as you don't care
| about fragmentation. You probably can't compile all brand new
| software on a very old Linux kernel, but who cares. I mean
| yeah, you'll have to care more about fragmentation, but it's
| not all or nothing. You'll still be able to update the
| protocol, you just have to make breaking changes less often.
|
| I think XMPP is a better comparison than SMTP. In its heyday,
| XMPP had several clients, some with different proprietary
| extensions, and all the core functionality basically worked
| across all the clients. Though it turns out some of the
| messengers I thought were XMPP were actually different
| protocols that XMPP could work with. Imagine that. People
| still use it too, though it's not as popular as it was in the
| 2000s.
| admax88q wrote:
| Honestly deltachat works great and it's chat over smtp and
| imap.
|
| I'm not sure "chat" needs this much constant "innovation" at
| the protocol level. Most of the issues with email are client
| UX more so than actual protocol limitations.
| beermonster wrote:
| Not really kept up with the latest with this, but chat over
| IMAP is a thing
|
| https://archive.fosdem.org/2020/schedule/event/coi/
| doublestandard2 wrote:
| It's an irony how American companies try to circumvent another
| country's law (regardless of whether you call it censorship or
| not, it is still a law) and boast about it.
|
| Yet, in the US these companies help the mainstream narrative to
| enforce censorship by banning (Google and Apple App market) or
| simply not offering other point of views basic hosting services
| (AWS).
|
| I am an Iranian and don't agree with all of our government
| actions but I can clearly see a tech neo-colonialism/neo-
| imperialism here. I am sure Signal's intention and people wanting
| to help is genuinely good but this does not change this double-
| standard.
|
| I would like to see your supportive reaction if an Iranian
| company offers hosting to Parler. I imagine you would call it
| foreign intervention!
| pre wrote:
| Well. A Russian company, DDos-Guard, did host Parler in the end
| didn't they?
|
| And sure enough, the FBI is investigating.
|
| Signal is a charity rather than a company, but dunno if that
| makes any actual difference.
| l1am0 wrote:
| While you are on it. There is a similar easy to use docker-
| compose file for setting up a tor bridge :)
| https://community.torproject.org/relay/setup/bridge/docker/
| [deleted]
| shervin01 wrote:
| Hi, from Iran with love!
|
| First of all, thank you moxie and signal team for this proxy.
|
| Until 2018, many Iranians used telegram but Iran's regime after
| Russia blocked this messenger. telegram released mtproxy and this
| proxy was helpful. Russia lifted the ban on telegram but this app
| is still blocked on my country. but with VPNs, many iranians
| still use this app. after 2018, second most popular messaging app
| in iran was whatsapp, until facebook's new privacy policy, like
| all of you, many iranians switched from whatsapp to signal.
| mullah's regime removed signal app from the iranian app stores
| and started blocking all signal traffic in the country, but they
| don't block whatsapp. I'm not paranoid but it is difficult to
| understand for me why they didn't block whatsapp after 2018? can
| they break whatsapp encryption?
|
| I have a suggestion for signal team: please put tor in the
| signal, tor is better than any proxies or vpns.
| baxtr wrote:
| Thx Sherwin! Just out of curiosity: is iMessage working ok in
| Iran?
| spullara wrote:
| I'm surprised that Tor isn't integrated already. Moxie was
| pushing that at Twitter - a prototype was even built.
| elif wrote:
| Blocking tor exit nodes is considerably easier than an
| arbitrary proxy server. Tor provides a list, in fact.
| lights0123 wrote:
| No, it's the opposite--if Signal _wants_ exit nodes, they
| obviously won't block them. It's the entry nodes that need
| to be blocked. Some are easy to find, but others require
| you to send an email from a unique email address from a
| trusted provider to get lists of IPs.
| 7357 wrote:
| Love back!
| 2cb wrote:
| I just set up one of these Signal proxies. Hope it helps you
| and others in your country communicate freely and safely. [1]
|
| Regarding Tor: if you want a Signal-like app that uses an onion
| router look at Session. [2]
|
| It uses the same encryption protocol and very similar UI to
| Signal but routes all traffic through the Loki network so your
| traffic passes through three nodes. It is an onion network like
| Tor.
|
| One other benefit of Session is the lack of metadata inherent
| to its design. No phone numbers or even usernames are attached
| to your account. You get a set of characters that looks similar
| to a bitcoin address and a QR code to make sharing it easier.
|
| Of course this lacks the convenience of Signal but it's as hard
| to block as Tor.
|
| [1] https://signal.tube/#signal.xanny.family
|
| [2] https://getsession.org
| aftbit wrote:
| Session has:
|
| 1. An associated crypto-currency (not outright bad but weird
| smell IMO) [1]
|
| 2. Abandoned perfect forward secrecy and deniability [2]
|
| 3. Never completed an audit (though supposedly one is in
| progress) [3]
|
| There are a million and one encrypted chat programs out
| there. Why should I use this one?
|
| [1]: https://github.com/oxen-io/oxen-mobile-wallet
|
| [2]: https://getsession.org/session-protocol-technical-
| informatio...
|
| [3]: https://getsession.org/faq/
| 2cb wrote:
| I mentioned it because it has a seamlessly built in onion
| routing protocol. I read further down the thread that Tor
| is blocked in Iran, but I'm guessing the same is unlikely
| to be true of Loki/Oxen simply because it isn't nearly as
| well known.
|
| The lack of metadata is also quite a unique selling point
| in my eyes. There's a million encrypted messengers now
| sure. How many automatically connect through an onion
| router with zero config required and don't require you to
| create an account at all, but instead assign you a random
| ID disconnected entirely from your phone number, email, and
| other personal identifiers?
|
| It's certainly an option to consider, is the only thing I'm
| saying. Tor was mentioned so Session popped into my head
| for the reasons mentioned above.
|
| Regarding PFS. They currently implement the Signal
| Protocol. Session is of course FOSS so anyone can check
| this. Your source does say they're planning to fork it as
| the Session Protocol later this year so it integrates with
| their network more easily. But that's an upcoming,
| unfinished project. To be honest I don't know much about it
| as it's still in development. I do know that currently
| Session uses the Signal Protocol through an onion router
| without the need to so much as create an account.
|
| And yes the network itself is a bit of a convoluted idea
| that tries to do many things at once, but the fact they run
| on a blockchain means they already have a lot of nodes set
| up in different countries around the world through which to
| route traffic, and the reason they could build a
| decentralised network quite quickly despite being a
| relatively young project is they incentivise those node
| operators with cryptocurrency.
|
| Because it is a young project they are still undergoing
| audit yes. This is absolutely something worth noting. It's
| a relatively new project. It's no longer in beta, but
| nowhere near as well established as Signal. However it's
| precisely because of this it's unlikely governments are
| bothering to target it yet.
| toyg wrote:
| _> can they break whatsapp encryption_
|
| They don't have to, they just need Facebook to cooperate.
| k3j45hkj34hkj wrote:
| I think you mean the phone vendors, as they are the ones
| holding the unencrypted chat history in the user's cloud
| storage. Facebook themselves do not have access to the chat
| logs (unless they are compelled to inject keys).
| 2cb wrote:
| They could literally have a hidden function in WhatsApp
| that scoops up all your chat history and sends it to
| Facebook if the government asks them to. It's closed source.
| No one has a clue what it's doing.
|
| To be clear I'm not suggesting this is absolutely
| happening. I'm merely pointing out it's entirely possible
| from a technological perspective given it's closed source
| software owned by Facebook. That's not a recipe for
| privacy.
| josephg wrote:
| To be clear about the threat vector, there's also nothing
| stopping signal from doing the same if they wanted to.
| It's impossible to tell if the version of signal you
| download from the app store is unmodified from the code
| you can find on github. I trust signal more than I trust
| facebook, but if you use signal, even though it's
| open source you _still_ have to trust them not to put
| anything funky in the binary they upload to apple
| /google.
|
| I'd love for iOS and android to add some sort of OS-level
| application hash or something. "This app was compiled
| with xcode version X / llvm version Y with this set of
| options. The resulting binary hashes to ZZZ". That way
| with the source code you could verify that the binary on
| your phone is unchanged.
|
| (Another approach would be to get apple / google to do
| the compilation themselves from the project on github. If
| apple builds my project, they could put some signed
| metadata in the bundle saying "We (apple) compiled this
| from git SHA XXX")
| hutzlibu wrote:
| Reverse engineering is a thing, though. I would think,
| there is fame to be gained to show such a behavior from
| whatsapp, so some hackers could feel motivated to do this
| from time to time.
| mike_d wrote:
| I have a proxy up at https://signal.tube/#s.bpj.net
|
| If you can help share more proxies to people who need them,
| please send me an email (in my HN profile).
| leptoniscool wrote:
| Is there a similar project to help Trump reconnect to twitter? /s
| xtracto wrote:
| You say it as a joke but I get sad at seeing all these efforts
| to circumvent a government policy while another government is
| allowed to obliterate a same type of service (Parler).
|
| As I have said before. I'm not in the US and I don't care about
| its politics. But I'm scared at how easily they can define
| Good and Bad and then manipulate the internet
| TimWolla wrote:
| I created an HAProxy configuration that should be equivalent to
| the nginx configuration within the Signal-TLS-Proxy repository:
|
| https://gist.github.com/TimWolla/457c45dfccde26fc674dde4b3c7...
|
| I could not test it with the Signal client yet, because the Beta
| is not yet available for me. However I verified that the nested
| TLS works using openssl and netcat.
| remram wrote:
| Their proxy seems to just be nginx, I'm surprised they didn't
| just share nginx or apache configurations. Most people with a
| box suitable for running this are probably already running a
| web server, so there's no reason they should be proxying from
| their existing web server to this dockerized server which just
| proxies to Signal.
|
| Looking into their repo, they also appear to be building an
| nginx image from docker.io/ubuntu:20.04 instead of using
| docker.io/nginx. They are also running two separate nginx
| processes. I wonder how they ended up with this weird intricate
| setup.
|
| I would be glad to help if they offered straightforward
| instructions.
| jlund wrote:
| The Nginx configs use modules that are not compiled by
| default, so most preexisting Nginx binaries in mainstream
| distros won't work.
| 2cb wrote:
| This is correct, just set one of these up and it uses extra
| Nginx plugins.
|
| Also the way they've done it makes it incredibly easy for
| anyone who isn't a tech expert with a web server to still
| help out with a $5 domain and a $5 VPS. You literally run
| three commands and it's done.
|
| They want as many people as possible running these so
| blocking them all is as difficult as possible. It's the
| smartest approach to have a low barrier to entry for
| something like this.
| dingoegret wrote:
| Help undermine security measures taken against seditionists in
| another country. You don't have to worry about any of the
| consequences of civil strife because you don't live there. You
| just get to pretend to be the good guy. Meanwhile a bunch of
| goofballs protest in D.C and American politicians and tech
| industry freak out that it's sedition and needs to be mercilessly
| stamped out. Seditionists wearing Halloween costumes. They haven't
| even begun assassinating scientists and planting bombs in civil
| buildings yet.
| pencilcode wrote:
| Cloudflare's warp might help here
| s1artibartfast wrote:
| In light of all the government Internet shut downs in the past
| years, I'm very curious to see the impact of Starlink and other
| connection methods that might bypass geographic restrictions.
| Will SpaceX and other service providers shut down access when
| local governments request it? If not, will the governments ask on
| a perceived threat to stability
| mechnesium wrote:
| I'm betting hard against a big corporation like SpaceX to do
| the right thing. By nature, a corporation's sole purpose is to
| follow the money and make as much of it as possible.
|
| Take a look at Activision/Blizzard bending the knee to China to
| avoid losing its Chinese user base.
| stunt wrote:
| So their government is blocking Facebook, Twitter, Youtube,
| Telegram, Signal, BBC, CNN, Netflix, and probably many other
| social and media platforms.
|
| Meanwhile we are blocking Iranians from accessing Docker, Slack,
| Gitlab, Google Code, Github(Github until recently), Paypal, Apple
| Store, Play Store, AWS, Coursera, Adobe, Nvidia, AVG, Avast,
| Symantec, McAfee, Matlab!!, Oracle and many more.
|
| It should be really fun to use the Internet in Iran.
| mholt wrote:
| I'm a big fan of the idea of independently-run proxy servers.
|
| Caddy has a secure forward proxy plugin born out of a research
| project at Google that does something similar, but works with any
| clients that let you configure HTTP proxies, and doesn't
| terminate TLS: instead it tunnels it over TLS. The proxy server
| itself can also be probe-resistant, i.e. difficult to detect that
| a website is acting as a proxy.
|
| I'm hoping more people can help test the patch to support Caddy
| v2: https://github.com/caddyserver/forwardproxy/pull/74
|
| (Edit: Disclaimer - Don't use this in situations where your
| personal safety or freedom could be at risk... not yet. Not until
| more people with more experience can vet its implementation for
| bugs, and a very clear threat profile can be drawn up. If you have
| experience with this, we'd love your help.)
| 2Gkashmiri wrote:
| how does something like this work against DPI? I guess not
| great?
|
| >Don't use this in situations where your personal safety or
| freedom could be at risk
|
| https://theintercept.com/2020/12/06/kashmir-social-media-pol...
| https://thewire.in/media/kashmir-journalist-auqib-javeed-pol...
|
| reason why I have a general disregard for technologies that are
| based on some sort of "link" AFK, phone number or the stupid
| facebook real name policy. this is as of today being used to
| crack down on dissent. what you are saying is true but
| https://thenextweb.com/in/2020/01/08/kashmirs-police-want-pe...
| when you have your govt do this, how can you keep your signal
| account private? your phone is already listed. isn't it? can't
| the police see if you are on signal and if online means you are
| bypassing them somehow regardless of what you might be saying?
| theptip wrote:
| Does this use TCP over TCP (painful in the face of packet
| loss[1]) or can you do something like using QUIC for the
| forward proxy to try to avoid breaking the tunneled TLS
| connection's retry timers?
|
| [1]: http://sites.inka.de/sites/bigred/devel/tcp-tcp.html
| mholt wrote:
| HTTP/3 support is being talked about in an issue (am mobile so
| no link for you right now) but the first priority -- pending
| dev resources -- is to merge the v2 PR and vet for bugs.
| lxgr wrote:
| It looks like a normal HTTP proxy supporting CONNECT (i.e.
| TLS over TLS), which wouldn't suffer from the problem you
| mention.
|
| Note that TLS over TLS is _not_ the same thing as TCP over
| TCP. TCP over TCP is usually only a problem for VPNs or
| something similar (i.e. anything that sends raw IP packets
| over TCP).
| theptip wrote:
| Ah, that's the piece I was missing. Thanks.
| turminal wrote:
| Or they could just let people host their own server instances.
| Would be considerably more censorship resistant from the start.
| JohnBerea wrote:
| Or just use Element/Matrix which already lets you do that.
| hospadar wrote:
| I feel like this answer to "how to make government censorship
| of private communications over the internet impossible" is
| more complex though than just "use element/matrix"
|
| It seems like both signal and matrix choose "Human-
| meaningful" over "distributed" on Zooko's Triangle:
| https://en.wikipedia.org/wiki/Zooko%27s_triangle
|
| Matrix is federated which I'd argue is pretty different than
| "distributed". Certainly the fact that federation is built-in
| makes matrix more resistant to lazy censors who are slow to
| block popular homeservers, but a concerted check-any-IP-and-
| if-it-seems-like-it-might-be-a-homeserver-then-block-it
| action by a censor would be harder to deal with.
|
| Wouldn't a truly distributed/secure/really-super-hard-to-
| block protocol rely on non-meaningful addresses (i.e. public-
| key-derived like a tor hidden service) and some kind of
| interesting mesh setup (i.e. like tor) to route and deliver
| messages?
| eeZah7Ux wrote:
| > Wouldn't a truly distributed/secure/really-super-hard-to-
| block protocol rely on non-meaningful addresses (i.e.
| public-key-derived like a tor hidden service) and some kind
| of interesting mesh setup (i.e. like tor) to route and
| deliver messages?
|
| Yes. You just described Briar.
| notme77 wrote:
| Found the PM
| awestroke wrote:
| You're welcome to either use such a decentralised service or
| fork signal and add decentralisation / federation. Centralised
| services get more users by having a lower threshold of
| adoption.
| pmlnr wrote:
| > You're welcome to either use such a decentralised service
| or fork signal and add decentralisation / federation.
|
| It's called XMPP. It predates Signal by ~15 years.
| TedDoesntTalk wrote:
| And the clients for XMPP still suck, 15 years later. You
| might find a good one on one OS after trying out several
| (install, test for a few days, repeat), but then when you
| want a client on your phone or another OS, you have to try
| the install/test cycle all over again.
|
| In my experience, most of the clients just don't do well
| everything a modern IM client needs.... group chat without
| needing to know a FQDN address, alerting on new
| messages/mentions, image and attachment support, encryption
| without wonky key management, multisession support
| (connecting simultaneously from multiple devices not
| leading to problems), on and on...
|
| I used XMPP for years on iOS, android, Mac, windows, and
| linux. Hated it every day.
| pmlnr wrote:
| Conversations and its forks are all very good clients,
| and their voice/video chat works perfectly once the XMPP
| server configures the TURN server. Gajim got a lot better
| recently. I even managed to get Pidgin to a decent,
| albeit not perfect level.
| awestroke wrote:
| And yet it hasn't become big yet.
| pmlnr wrote:
| It did, then the google reader effect kicked in. Google
| Talk, WhatsApp, Facebook were all XMPP at one point,
| deliberately crippled, then nearly killed. See RSS.
| turminal wrote:
| What's the purpose of signal? Is it taking over the world or
| providing a service to people that care about their privacy
| and free (as in freedom) communication?
| sa1 wrote:
| There are lots of purposes but dismantling mass
| surveillance is a major one. This requires 'taking over the
| world'.
| fourthark wrote:
| ... Creating a central point of failure / censorship?
| TedDoesntTalk wrote:
| Yeah so this latest attempt seems to want to "fix" that.
|
| "Hey, let's distribute connections (proxy servers) to our
| central point of failure so that we can get around the
| central point of failure. Genius!" /s
| im3w1l wrote:
| They want to have a monopoly on points of failure. We can
| censor but no one else.
| eeZah7Ux wrote:
| Creating yet another walled garden.
| danShumway wrote:
| Well... except in Iran, hence the strategy of decentralizing
| proxy servers.
| ekianjo wrote:
| Too bad, the Signal devs love centralization. One day people
| will realize Signal is just not the right solution for what
| they actually need.
| Spivak wrote:
| The problem with this is that Signal is a huge success _right
| now_ where other federated chat platforms have fallen. Sure,
| something like Matrix might win the war eventually but by
| being centralized Signal shipped and is providing a useful
| service to millions of people today.
| turminal wrote:
| There are lots of problems in matrix that hinder its
| adoption, federation is likely not the biggest of them.
| tleb_ wrote:
| As if it was that simple; no it's not as simple as
| decentralization > centralisation. You might not agree with
| everything (I don't) but this video provides some good points
| https://www.youtube.com/watch?v=Nj3YFprqAr8
|
| I trust Signal to try their hardest to solve communication,
| spitting on them is not the solution.
| baybal2 wrote:
| It's simple, very simple.
|
| XMPP is by far more fluid, and "productive" when it comes to
| adding new protocol features, or at least if you compare it
| with Signal.
|
| Marlinspike is making up the problem.
|
| A messaging client is as agile as its developers are, and
| in case of Signal, not that much.
|
| Evolving a protocol, and developing new features is done by
| doing programming, and not by some philosophical
| discourses, and pooing over the competition on tech events.
| pseudalopex wrote:
| I didn't watch the video but his article with the same
| title is almost entirely bad points.[1]
|
| Email is end to end encrypted for people who make it a
| priority. It would be end to end encrypted for everyone if
| Google or Microsoft made it a priority.
|
| The difference between XMPP and Signal is funding. Signal
| supports video on all platforms because Open Whisper
| Systems hired people to work on it. XMPP didn't because the
| popular clients are developed by volunteers.
|
| People don't like using lots of messaging apps. So
| switching apps is much harder than changing your email
| address because you have to convince other people to
| switch.
|
| Even Signal is moving away from using phone numbers.
|
| [1] https://signal.org/blog/the-ecosystem-is-moving/
| jampekka wrote:
| Signal's been "moving away from using phone numbers" for
| almost as long as it's been developed. They've burned
| tens of millions of dollars and have nothing to show for
| it on that front.
|
| Also they insist on making piece of shit bloatware
| clients and actively kill every attempt for someone to
| fix it. Because Moxie is always right apparently.
|
| I really hope the situation is just due to incompetence
| and hubris.
___________________________________________________________________
(page generated 2021-02-04 23:00 UTC)