[liberationtech] if you are a circumvention tool developer, please FREE it now for Iranian
Alster
alster at tachanka.org
Sat Mar 15 18:45:38 PDT 2014
Nariman Gharib:
>> 3. You're basically saying that your website is acting as a portal for
>> people to regain access to the Internet. If that's so, you really should
>> not give them a false sense of security:
>> https://www.ssllabs.com/ssltest/analyze.html?d=secure.filtershekanha.com
>>
>> Currently, this SSL configuration is easily circumvented, allowing to
>> man-in-the-middle all of your visitors. (Please message me off-list if I
>> can help you fix your webserver configuration.)
>>
>
> I'll message you about that privately, but a quick note: I just used
> the free SSL certificate not to encrypt the communication in the website
> but just to give an uncensored URL to Iranian people, since the government
> blocks my main domain but not https://secure.filtershekanha.com - and also
> I'm emailing people circumvention tools via Mailchimp and those
> circumvention tools are not hosted on my websites; there is just a link
> in the emails.

Links in e-mails can be problematic, too, since e-mails are easily
forged. So if you train people to download tools from locations placed
in e-mails it will be easy for a third party to send them similar-looking
e-mails linking to malware. So be careful about this, too: don't post
deep links to direct downloads, and sign your e-mails so that people at
least have a chance to verify that their origin, namely you, remained
the same all the time.

The free SSL certificate you're using on your website is issued by an
Israeli company. I don't mean to say this means anything, in fact I
think this company is one of the less problematic CAs, but you should be
aware of this nevertheless, since there can always be pressure which
companies cannot resist. But then, as you say, you are only using HTTPS
as a censorship workaround - are your users aware that by using HTTPS
you do not mean to provide any of the guarantees usually connected to
HTTPS (authentication, confidentiality, integrity)? They might be
misled into assuming that you are trying to protect them from something
when you are not.

>> 4. You seem to currently recommend closed-source adware supported
>> single-hop VPN clients as a workaround.
>> This most likely means that
>>
>> - the companies providing these VPNs can perfectly tell what the users
>> using them are doing, may also log it, and are thus susceptible to
>> traffic and log recovery by means of governmental interventions and hacking
>>
>> - you can't really tell what this software does and where it and the
>> servers it connects to may send all the traffic to (in addition to the
>> intended locations)
>>
>> - you can't really tell whether the sites you access through these VPNs
>> are really the sites you want to access
>>
>> - the ads allow the advertisement networks (and anyone who can convince
>> them to share this information) to track precisely what the users are doing
>>
>> That is to say, while those tools may seem to provide a great way to
>> overcome the censorship, using them may very well play into the hands of
>> "security forces", enabling them to keep track of what activists (or
>> just anyone with a non-official opinion) are doing, and to build files
>> on them.
>>
>> People in other countries have been displaced, incarcerated, tortured
>> and even killed due to exactly these mistakes (recommendation and use of
>> bad censorship circumvention tools) in the past. I really hope this is
>> not going to happen this time around.
>>
>
> I know about that and it's going to be dangerous for Iranians or other
> people in countries similar to Iran, but most people in Iran don't CARE
> about these things. They just want to go to Facebook, YouTube, Twitter
> and... (actually most websites are blocked :) ). Even we know who behind
> of these tools. Personally, actually, since last week, after I talked to
> an expert, I decided to give users all options/all tools and just say
> that the trusted and secure tool at this moment is just TOR.

It's great that you have taken the decision to not only recommend those
problematic tools, but also those which have been reviewed and are known
to be safe and to work. I think that's a really good decision you made
there.

Regarding ignorance for privacy and anonymity tools: Not always, but
quite often, people do not care about something because they have not
had a chance to rest and learn about it. If you make the people you are
in contact with aware that there are real and serious risks involved in
them not protecting their privacy when they circumvent governmental
controls, they might rest and take the time to learn about those, and
might end up being safer. Surely times like these may not seem to be the
best time to study, but on the other hand, if there are no other times
when people will, then this is actually a really good time. Since it
matters now, more than ever.

>> 5. I fully understand that recommending against something is of no use
>> if no alternative is provided. I think Tor makes a great alternative if
>> people care about both circumventing censorship and remaining anonymous
>> (if used as documented). Yes, it does slow things down. But if you
>> compare to the previous paragraph then it might be worth this?
>>
> I recommended that people use TOR, and for example, from a week ago until
> now, thousands of people are using ORBOT and TOR via my newsletter. (I'm
> not sure about the users, but the click numbers goo.gl gave me are up to
> 10k clicks for these two tools.)
It's great that so many use it now. (But it's not as good that there is
a central website unrelated to these tools which has a full log of whom
you convinced to use them - maybe you can get around URL shortening when
it comes to circumventing censorship.)
> TOR is good, but for example when the government blocked some of TOR's
> IPs, we should provide bridges for users (IF I AM RIGHT). So imagine I
> emailed these new bridges to my subscribers, and after 2 days they will
> be blocked; so what's the next and good option?

Yes, bridges are the right way to go when you cannot access Tor anymore
(and only then).

There are several strategies how bridges can be used, as discussed here:
https://www.torproject.org/docs/bridges.html.en

Bridges need to be provided by people in locations which are not
affected by censorship, or to a lesser degree. So this is a
CALL TO ALL READERS of this mailing list to PROVIDE MORE TOR BRIDGES!

Many bridges are already available, though, and people can request more
unblocked bridges from the Tor folks at any time, including by e-mail
(again, read the page above for details).

>> There may be other options, possibly including single and multi hop VPNs
>> which are just not as bad as the ones currently in use. If you are
>> willing to consider other options, I bet the contributors to this
>> mailing list will be happy to provide more suggestions.
>>
>
> Yes, I'm in.

Do you know TextSecure? https://whispersystems.org/#privacy

My (again, very limited) understanding is that many of the Iranians use
mobile devices for Internet access and communication in general. While
this is bad in terms of making it easy to track who is talking to whom
most of the time, if users are going to use mobile phones to communicate
no matter what, then TextSecure is a really great tool.

TextSecure is a very easy to use, free and open source encrypted text
messaging application by (amongst others) renowned crypto geek Moxie
Marlinspike (the guy who, amongst others, warned people about how
corporations and government agencies have developed tools to easily
strip SSL off many websites, and who proved that this is actually
possible by providing the tool "sslstrip").

It is a lot easier to set up and use than other encryption systems (such
as GPG/PGP - which is still a very good tool to use), so it can really
be used by everybody to communicate with one another. It can also work
over Tor. You could also use it in addition to or as a replacement for
the unencrypted e-mails you send currently.

Alster
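
The advice in the message above about newsletter e-mails (sign them, avoid deep links to direct downloads, avoid URL shorteners that log clicks) can be checked before sending. The following is an added example, not part of the original message: the function name, the host and suffix lists, and the sample messages are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumed lists for illustration; adjust to your own newsletter.
SHORTENER_HOSTS = {"goo.gl", "bit.ly", "t.co", "tinyurl.com"}
DOWNLOAD_SUFFIXES = (".apk", ".exe", ".zip", ".dmg", ".msi")
URL_RE = re.compile(r"https?://[^\s<>\"')]+")
PGP_INLINE = "-----BEGIN PGP SIGNED MESSAGE-----"

def lint_newsletter(raw: bytes) -> list:
    """Return findings for one outgoing message; an empty list means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_maintype() == "text")
    findings = []
    # Presence check only: PGP/MIME or S/MIME (multipart/signed) or inline
    # clearsigning. It does not validate the signature itself.
    if msg.get_content_type() != "multipart/signed" and PGP_INLINE not in text:
        findings.append("unsigned: recipients cannot verify the sender")
    for url in (u.rstrip(".,;") for u in URL_RE.findall(text)):
        parts = urlparse(url)
        if parts.scheme != "https":
            findings.append("plain-http link: " + url)
        if (parts.hostname or "").lower() in SHORTENER_HOSTS:
            findings.append("url shortener (third party logs clicks): " + url)
        if parts.path.lower().endswith(DOWNLOAD_SUFFIXES):
            findings.append("deep link to direct download: " + url)
    return findings

# Constructed sample messages (not real newsletters).
SAMPLE_BAD = (b"From: news@example.org\r\nSubject: tools\r\n"
              b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
              b"Get Orbot: http://goo.gl/abc123\r\n"
              b"Or directly: https://downloads.example.net/files/orbot.apk\r\n")
SAMPLE_OK = (b"From: news@example.org\r\nSubject: tools\r\n"
             b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
             b"-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA256\r\n\r\n"
             b"Download page: https://www.torproject.org/\r\n"
             b"-----BEGIN PGP SIGNATURE-----\r\n(constructed placeholder)\r\n"
             b"-----END PGP SIGNATURE-----\r\n")

if __name__ == "__main__":
    for name, raw in (("bad", SAMPLE_BAD), ("ok", SAMPLE_OK)):
        print(name, lint_newsletter(raw))
```
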