Signal Vs Anti-Censorship Community

[BkG_Mercy]

Summary

Issue arrising from an implementation of Signal's (Messaging Application) new proxy, this was intended to be used to circumnavigate restricted state implemented "National Internets", specifically Iran.

Members of the Anti-Censorship Community challenged said implementation, stating that it was insecure and exploitable.

Moxie (Co-founder of Signal) has very adamantly defended both the removal of github issues and the implementation of the proxy itself.

 

Quotes

Quote

 Our community have been silent for too long. We are the underdogs, doing the real work, and yet unappreciated by many people. Our opinions are underrepresented. That's what makes me believe that we must speak out this time, that we should release a joint statement, to condemn Signal's dismissive and irresponsible attitude to the anti-censorship community, and to call for our unity as a community and their immediate action on the matter.

Quote

 We are not scared that someone might figure out you can determine this set of nginx configs is a proxy by connecting to it as a proxy. That is obvious. - Moxie on Twitter

My thoughts

 I think this is an interesting view from both sides, Anti-Censorship community members have commonly been quite quiet, so this has clearly riled them up. Signal who have become more and more a positive beacon of security and encryption, but possibly making a large misstep by some poor implementation? Generally an interesting read and look at anti-censorship opinions in the community.

Also hi LTT Forum

 

 

Sources

https://github.com/net4people/bbs/issues/63

https://www.bleepingcomputer.com/news/security/removal-notice-for-signal-article/

[LAwLz]

I'd like to remind everyone that encryption techniques are often targeted by misinformation campaigns in order to try spread FUD and make people not use them.

If Signal implements something that can circumvent censorship in countries like Iran, China, etc, then those countries will not just sit still and watch it happen. They will start spreading doubts about Signal online so that users stop using the tools that can circumvent censorship. 

 

I am not saying this is for sure what is happening here, but don't blindly trust what who might have a hidden agenda is telling you to think. 

 

 

 

Edit:

 

From what I can tell (yes I am now going to do what I warned you about), this is what happened.

1) Iran starts blocking all Signal traffic.

2) Signal responds by releasing a way for people to set up a proxy, which means Signal users in Iran and other censored countries can send traffic to a community run proxy, and thus get around the censorship.

3) A couple of Chinese developers raised concern about the way the proxy worked on GitHub. I can't see what the original said, but according to several people I have seen, including those not related to Signal, says the original poster was being rude and threatening. Not something I have a hard time believing after seeing some of his posts on Twitter. Also, he titled it "fuck-signal-tls-proxy".

4) Signal informed the Chinese developer that they don't use Github for that type of discussion and linked the user to their community forum instead, and closed the issue on Github.

5) People lost their shit, saying Signal are censoring people, that they are compromised, etc.

6) BleepingComputer was contacted and they posted an article.

7) Moxie reached out and explained the situation to BleepingComputer, which pulled the article down.

8 ) People are now saying Moxie pressured BleepingComputer to remove the article, even though it seems to me like the article was removed because it is just a lot of "he said, she said" going around.

 

 

 

Also, the "vulnerability" is not really a vulnerability if I understand it correctly.

The "security issue" is that if you connect to a Signal proxy server, it is possible to tell that it is a Signal proxy by looking at the web server configuration. The logic by the Chinese developer was "if you can tell that a server is a Signal proxy, then it is possible for the Iran government to go:

Quote

Hm, this Iran-Person1 is sending strange traffic to this address, let's look up what that adress is. Oh it's a Signal proxy, then we know Iran-Person1 is using Signal and can go after them.

and thus the Iranian government can tell if someone uses Signal or not.

 

Sounds like a big deal, but realistically, it's not really.

1) You can already tell if someone uses Signal by looking at the traffic. You can't see what the messages contains but you can see "this person uses Signal" by looking at metadata. This has not changed. It was that way before, and it is that way with the proxy.

2) It is impossible to cloak a proxy because even if Signal implemented something like uniquely generated nginx configs, you can still check if a particular server is a Signal proxy by just sending a Signal message to it and see if the message gets delivered.

There is no way for someone to set up a Signal proxy that only works when there a connection from a legitimate users, and block a connection from someone who just uses it to see if a Signal message gets delivered through it.

[StDragon]

29 minutes ago, LAwLz said:

I'd like to remind everyone that encryption techniques are often targeted by misinformation campaigns in order to try spread FUD and make people not use them.

If Signal implements something that can circumvent censorship in countries like Iran, China, etc, then those countries will not just sit still and watch it happen. They will start spreading doubts about Signal online so that users stop using the tools that can circumvent censorship. 

Iran and China specifically don't bother to dance around issues. They will outright block the protocol and public IPs of any services that are deemed a threat to national security. Psyops need not apply. As in, they're up and front about their authoritarianism; proudly so I might add.

[Doobeedoo]

Ah yes when certain they don't like encryption and circumvention and try to paint others bad.

[Mach-O]

Let the people who understand the subject speak.

Stop making false claims when you are not at all familiar with the subject.

 

Quoted from: https://github.com/net4people/bbs/issues/63

 

<Redacted by staff>

Edited February 11, 2021 by wkdpaul

[WkdPaul]

* thread cleaned *

 

Please avoid spamming (see the forum rules) and stay on-topic, quoting walls of text from github isn't being on-topic, if you're here to discuss, then do so instead of quoting others and posting links (you can refer to @LAwLz reply to see an exemple of how you can explain your POV and discuss it).

[TheReal1980]

This app needs my phone number, otherwise I can not register.

Enough said.

[CarlBar]

18 hours ago, StDragon said:

Iran and China specifically don't bother to dance around issues. They will outright block the protocol and public IPs of any services that are deemed a threat to national security. Psyops need not apply. As in, they're up and front about their authoritarianism; proudly so I might add.

 

Sure they will, but they still have to identify them and this is designed to make that harder from the sounds of it.

[LAwLz]

2 hours ago, CarlBar said:

Sure they will, but they still have to identify them and this is designed to make that harder from the sounds of it.

Yes, that's the concern the Chinese developer raised.

As it is right now, it is easy to identify if an IP is hosting a Signal proxy or not. The Chinese developer even included how to do it in the GitHub issue post and called it "fuck-signal-tls-proxy".

They then created multiple other accounts and posted it under the name of stuff like as can be seen here:

Quote

yeah add active prober proof of concept (PC)

That's why Signal banned them and removed their pull requests. Because they were being obnoxious, rude, threatening (haven't seen any threat but some say they did), etc. And then when they got banned they are playing the victim like "oh no, we were just trying to help".

 

 

But the "problem" is that it isn't really a design issue and there is no practical way around it. No matter how Signal designs their proxy, you will always be able to check if a specific server is hosting a Signal proxy by simply sending legitimate Signal traffic to it and see if it forwards it correctly.

 

 

If I understand it correctly, the concern raised is basically "if you send this specifically crafted request to a server and it relies in this way, it is possible to deduce that it is running a web server"... Or you can just open a browser and try browsing the website. If you get a working website then it is clearly hosting a website. No specially crafted request or deduction methods needed.

(Replace "web server" with "Signal Proxy" and "browse" with "send Signal message").

[Tristerin]

Also me:
 

Uses Google Pixel 3A and 4 with GrapheneOS and only use Signal for Text, calls, ETC ETC.  Desktop app on all my PC's.

 

Because I support encryption.  

 

Whats wrong with Signal no time to read everything.

[LAwLz]

55 minutes ago, Tristerin said:

Whats wrong with Signal no time to read everything.

If you live in a country where Signal isn't block then there is nothing wrong with it.

If you live in a country like Iran where Signal is blocked then you can use a community run proxy to get around the block, but it is possible the Iranian government could look up the server you are connected to and figure out that it's Signal, and such figure out that you are using Signal.

 

Some Chinese developer pointed out how you can look up if a server is a Signal proxy or not, started insulting people, spamming emojis etc in the bug tracker and as a result his posts were removed from Signal's Github and he was asked to post it on the community forum as a suggestion instead, and that made people lose their shit.

 

BleepingComputer published an article about it after only having heard the Chinese developer's side (as in, it was very biased). Then a Signal developer reached out and explained the situation to BleepingComputer which took down the article on their own admission, and now conspiracy theorists are claiming Signal developers threatened BleepingComputer to take the article down.

 

My guess is that it's a bunch of anti-encryption people who jumped on this opportunity to try and spread misinformation and doubt about Signal in the hopes that people will stop using it in favor of less secure communication methods.

But as I said:

23 hours ago, LAwLz said:

don't blindly trust what who might have a hidden agenda is telling you to think. 

 

[Tristerin]

22 minutes ago, LAwLz said:

If you live in a country where Signal isn't block then there is nothing wrong with it.

If you live in a country like Iran where Signal is blocked then you can use a community run proxy to get around the block, but it is possible the Iranian government could look up the server you are connected to and figure out that it's Signal, and such figure out that you are using Signal.

 

Some Chinese developer pointed out how you can look up if a server is a Signal proxy or not, started insulting people, spamming emojis etc in the bug tracker and as a result his posts were removed from Signal's Github and he was asked to post it on the community forum as a suggestion instead, and that made people lose their shit.

 

BleepingComputer published an article about it after only having heard the Chinese developer's side (as in, it was very biased). Then a Signal developer reached out and explained the situation to BleepingComputer which took down the article on their own admission, and now conspiracy theorists are claiming Signal developers threatened BleepingComputer to take the article down.

 

My guess is that it's a bunch of anti-encryption people who jumped on this opportunity to try and spread misinformation and doubt about Signal in the hopes that people will stop using it in favor of less secure communication methods.

But as I said:

 

Thank you for that.  Well its open source, amazing, and we are integrating it into some of our systems we are working on with even more intent to work with Signal.  About all I can say on the topic as I am not the programmer - but its an amazing service.

[Vishera]

In the first post of the thread i didn't understand a word,

Then i read what @LAwLz wrote,and it helped me understand the situation.

 

Seems like a result of society acting irrationally for no good reason,just following the herd.

That person who started it blew things out of proportion - because who doesn't like drama?

[Kisai]

10 hours ago, Vishera said:

In the first post of the thread i didn't understand a word,

Then i read what @LAwLz wrote,and it helped me understand the situation.

 

Seems like a result of society acting irrationally for no good reason,just following the herd.

That person who started it blew things out of proportion - because who doesn't like drama?

The two biggest weaknesses of tools like this:

a) fixed ip's and ports to block (which you avoid by engaging in torrent-like actions where the magnet uri (which itself is a hash of the content being identified) asks other devices on the network where the resource is. A proxy here is the same idea, but the proxies could be blocked and those running them in "friendly to the hostile power" could take them down.

b) backdoors in the encryption itself. Given enough time, eventually a backdoor or exploit will be found in everything. Ironically the same argument for/against guns also applies to encryption. If you ban encryption, then only bad guys will use encryption. If you put backdoors into encryption, then only bad guys will use backdoors, never good guys.

 

Like a country has to decide if it's citizens are trustworthy enough to have encryption (which I'd argue both China and USA are not) , and if not, who is trustworthy enough to use it so society doesn't collapse from bank and utility computers being wiped out because they're unable to do the most basic of security measures.