[liberationtech] Signal ignores proxy censorship vulnerability, bans researchers
Harry Halpin
hhalpin at ibiblio.org
Wed Feb 24 21:00:58 CET 2021
Furthermore, the problem with these supposed "attacks" on Signal is they
ignore the nature of how censorship-resistance and obfuscation technologies
work, blaming Signal where you should just blame TLS. So, of course Moxie
deletes the bug. It just shows whoever 'discovered' it hasn't thought about
the source of the bug.
Basically, obfuscation will only work for a limited amount of time against
an adversary that figures out it's being used. TLS - including TLS
workarounds - naturally leaks all sorts of metadata, timing, and volume
information. Thus, simplistic techniques like domain fronting formerly used
by Signal eventually stop working.
So, when I look at this "bug" in Signal, it's basically a bug in how TLS
works. The same would be true for Wireguard, OpenVPN, etc. and whether or
not it was used with Airbnb or Signal if Iran started censoring Airbnb.
Sadly, the internet does not have privacy and censorship resistance on the
protocol level baked in...yet.
yours,
harry
On Wed, Feb 24, 2021 at 8:50 PM Yosem Companys <ycompanys at gmail.com> wrote:
> Excellent intervention, Shava. I would also note that Moxie used to be in
> LT (do not know if he still is), and all of us at Stanford continue to be
> big fans of his work and accomplishments. (Same goes for Tor.)
>
> On Wed, Feb 24, 2021 at 11:43 AM Shava Nerad <shava23 at gmail.com> wrote:
>
>> I am not a cryptographer myself, but I have a bit of experience with
>> anti-censorship tools.
>>
>> I know that my team, led by Roger Dingledine and Nick Mathewson, had
>> great respect for Moxie back in 2007ish for the work he was doing then,
>> including attacking Tor and helping us refine our tools -- and our
>> messaging to end users.
>>
>> Moxie's been in this space for a good 15 years or so. Why are you
>> talking about him as a newcomer?
>>
>> Respectfully,
>>
>> Shava Nerad
>> shava23 at gmail.com
>> https://patreon.com/shava23
>>
>>
>> On Wed, Feb 24, 2021 at 9:30 AM Adam Fisk <afisk at getlantern.org> wrote:
>>
>>> Irrespective of the article, the claims are just obvious to anyone with
>>> a reasonable enough knowledge of how censors detect proxies to have an
>>> opinion.
>>>
>>> The article is largely irrelevant, and its removal doesn't obviate the
>>> fact that the claims of the investigators, such as Sergey, that the Signal
>>> proxies are vulnerable to active probes is, again, just there in plain
>>> sight.
>>>
>>> This is, of course, not surprising, as the Signal team has almost no
>>> experience with building effective anti-censorship tech. The idea that they
>>> could realistically deploy a new proxy in a matter of days that would be
>>> effective in those environments is frankly naive. That's all fine and good.
>>> I don't have the experience they do with designing secure messaging
>>> algorithms. It's cool, but we should have illusions about the reality of
>>> the situation.
>>>
>>> -Adam
>>>
>>>
>>> On Wed, Feb 24, 2021 at 4:57 AM Charles M. Ess <charles.ess at media.uio.no>
>>> wrote:
>>>
>>>> the most recent version of the article indicates that the original
>>>> claims have been disputed and removed by BleepingComputer.
>>>>
>>>> Truth is difficult ...
>>>> best,
>>>> -charles
>>>>
>>>> On 24/02/2021 06:59, Myles Horton wrote:
>>>> > Just for the record, the people who posted the vulnerability are
>>>> hardly
>>>> > trollers. First, the vulnerability is obvious and doesn't really need
>>>> > any formal proof. Second, one of the researchers is Sergey Frolov,
>>>> one
>>>> > of the top people in the field.
>>>> >
>>>> > -Adam
>>>> >
>>>> > On Mon, Feb 8, 2021 at 6:02 PM bo0od <bo0od at riseup.net
>>>> > <mailto:bo0od at riseup.net>> wrote:
>>>> >
>>>> > Nothing is concerned just trollers want to damage the image of
>>>> signal
>>>> >
>>>> > Yosem Companys:
>>>> > > The claims in this article are concerning if true. That said, I
>>>> > will note
>>>> > > that I remain supportive of Signal's efforts, both because its
>>>> > founders and
>>>> > > key developers have not only been longtime members of our
>>>> > community but
>>>> > > also proven themselves time and again indispensable at helping
>>>> > high-risk
>>>> > > activists in need, most notably during the Arab Spring.
>>>> > >
>>>> > > ****
>>>> > >
>>>> > > Signal, an end-to-end encrypted messaging platform was recently
>>>> > blocked by
>>>> > > the Iranian government.
>>>> > >
>>>> > > To help its users bypass censorship in Iran, the company
>>>> > suggested a TLS
>>>> > > proxy workaround.
>>>> > >
>>>> > > However, multiple researchers have now discovered flaws in the
>>>> > workaround
>>>> > > that can let a censor or government authority probe into
>>>> Signal TLS
>>>> > > proxies, rendering these protections moot and potentially
>>>> bringing
>>>> > > repercussions for Signal users located in repressive regimes.
>>>> > >
>>>> > > The researchers who reported these flaws via Signal's GitHub
>>>> > repository
>>>> > > have been banned by the company with their reported issues
>>>> removed.
>>>> > >
>>>> > >
>>>> >
>>>> https://www.bleepingcomputer.com/news/security/signal-ignores-proxy-censorship-vulnerability-bans-researchers/
>>>> > <
>>>> https://www.bleepingcomputer.com/news/security/signal-ignores-proxy-censorship-vulnerability-bans-researchers/
>>>> >
>>>> > >
>>>> > >
>>>> >
>>>> > --
>>>> > Liberationtech is public & archives are searchable from any major
>>>> > commercial search engine. Violations of list guidelines will get
>>>> you
>>>> > moderated: https://lists.ghserv.net/mailman/listinfo/lt
>>>> > <https://lists.ghserv.net/mailman/listinfo/lt>. Unsubscribe,
>>>> change
>>>> > to digest mode, or change password by emailing
>>>> > lt-owner at lists.liberationtech.org
>>>> > <mailto:lt-owner at lists.liberationtech.org>.
>>>> >
>>>> >
>>>>
>>>> --
>>>> Professor Emeritus
>>>> University of Oslo
>>>> <http://www.hf.uio.no/imk/english/people/aca/charlees/index.html>
>>>>
>>>> Secretary, IFIP Working Group 9.8, Gender, Diversity, and ICT
>>>> <http://ifiptc9.org/9-8/>
>>>>
>>>> Fellow, Siebold-Collegiums Institute for Advanced Studies,
>>>> Julius-Maximilians-Universität Würzburg, Germany
>>>>
>>>> 3rd edition of Digital Media Ethics now out:
>>>> <http://politybooks.com/bookdetail/?isbn=9781509533428>
>>>>
>>>> --
>>>> Liberationtech is public & archives are searchable from any major
>>>> commercial search engine. Violations of list guidelines will get you
>>>> moderated: https://lists.ghserv.net/mailman/listinfo/lt. Unsubscribe,
>>>> change to digest mode, or change password by emailing
>>>> lt-owner at lists.liberationtech.org.
>>>>
>>>
>>>
>>> --
>>> --
>>> President
>>> Brave New Software Project, Inc.
>>> https://lantern.io <https://www.getlantern.org>
>>> A998 2B6E EF1C 373E 723F A813 045D A255 901A FD89
>>> --
>>> Liberationtech is public & archives are searchable from any major
>>> commercial search engine. Violations of list guidelines will get you
>>> moderated: https://lists.ghserv.net/mailman/listinfo/lt. Unsubscribe,
>>> change to digest mode, or change password by emailing
>>> lt-owner at lists.liberationtech.org.
>>>
>> --
>> Liberationtech is public & archives are searchable from any major
>> commercial search engine. Violations of list guidelines will get you
>> moderated: https://lists.ghserv.net/mailman/listinfo/lt. Unsubscribe,
>> change to digest mode, or change password by emailing
>> lt-owner at lists.liberationtech.org.
>>
> --
> Liberationtech is public & archives are searchable from any major
> commercial search engine. Violations of list guidelines will get you
> moderated: https://lists.ghserv.net/mailman/listinfo/lt. Unsubscribe,
> change to digest mode, or change password by emailing
> lt-owner at lists.liberationtech.org.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ghserv.net/pipermail/lt/attachments/20210224/1c63a2f5/attachment.htm>
More information about the LT
mailing list