[liberationtech] if you are a circuvmention tool developer, please FREE it now for Iranian

Sat Mar 15 16:24:49 PDT 2014

Hi Nariman,

I also don't want to waste your time, so I'll also get straight to the
point.

1. It's awesome that you're helping people in Iran regain access to the
Internet, because I think this should be a universal right.

2. I know very little about the situation in Iran, don't speak or read
the language and am probably badly informed (so I appreciate the info
you relayed).

3. You're basically saying that your website is acting as a portal for
people to regain access to the Internet. If that's so, you really should
not give them a false sense of security:
https://www.ssllabs.com/ssltest/analyze.html?d=secure.filtershekanha.com

Currently, this SSL configuration is easily circumvented, allowing to
man-in-the-middle all of your visitors. (Please message me off-list if I
can help you fix your webserver configuration.)

4. You seem to currently recommend closed-source adware supported
single-hop VPN clients as a workaround.
This most likely means that

 - the companies providing these VPNs can perfectly tell what the users
using them are doing, may also log it, and are thus susceptible to
traffic and log recovery by means of governmental interventions and hacking

 - you can't really tell what this software does and where it and the
servers it connects to may send all the traffic to (in addition to the
intended locations)

 - you can't really tell whether the sites you access through these VPNs
are really the sites you want to access

 - the ads allow the advertisement networks (and anyone who can convince
them to share this information) to track precisely what the users are doing

That is to say, while those tools may seem to provide a great way to
overcome the censorship, using them may very well play into the hands of
"security forces", enabling them to keep track of what activists (or
just anyone with a non-official opinion) are doing, and to build files
on them.

People in other countries have been displaced, incarcerated, tortured
and even killed due to exactly these mistakes (recommendation and use of
bad censorship circumvention tools) in the past. I really hope this is
not going to happen this time around.

5. I fully understand that recommending against something is of no use
if no alternative is provided. I think Tor makes a great alternative if
people care about both circumventing censorship and remaining anonymous
(if used as documented). Yes, it does slow things down. But if you
compare to the previous paragraph then it might be worth this?

There may be other options, possibly including single and multi hop VPNs
which are just not as bad as the ones currently in use. If you are
willing to consider other options, I bet the contributors to this
mailing list will be happy to provide more suggestions.

Alster