[liberationtech] Signal ignores proxy censorship vulnerability, bans researchers

Adam Fisk afisk at getlantern.org
Thu Feb 25 06:37:41 CET 2021


Yup totally agreed Collin. There is a real world consequence here in an
increasingly impoverished region where marginalized groups are at real risk.

On Wed, Feb 24, 2021 at 11:01 PM Collin Anderson <collin at averysmallbird.com>
wrote:

> All this debate over whether Signal could use a better bridge protocol is
> fine, but distracts from the core problem — Signal Proxy is of little
> consequence and is a sleight of hand trick to avoid taking on further
> burdens to address 80 million vulnerable people (a community Signal was
> long funded to support) being cut off.
>
> Signal could invest that time into providing another cloud service for
> meek-style circumvention. It did not. Instead it told users, who generally
> have no connection to Iran to run a bridge and post solicitations on blocked
> social media. How is that a serious idea to pitch to people?
>
> The aughts called and it wants its internet freedom agenda back.
>
> On Wed, Feb 24, 2021 at 11:41 PM Adam Fisk <afisk at getlantern.org> wrote:
>
>>
>> On Wed, Feb 24, 2021 at 8:19 PM Harry Halpin <hhalpin at ibiblio.org> wrote:
>>
>>> Again, if Sergey - who seems to be a perfectly nice Ph.D. student -
>>> wants to fix TLS, that's fine. I would support fixes to TLS as would any
>>> sensible person, including Moxie.
>>>
>>
>> So just so we're on the same page, Sergey is a perfectly nice Ph.D.
>> student whose code was deployed on more phones globally than Moxie's up
>> until a few months ago. It's deployed almost exclusively in censored
>> regions, in contrast to Signal which is deployed almost exclusively in
>> uncensored regions.
>>
>> Making TLS more censorship resistant at the IETF level is great. I'm not
>> sure what vulnerabilities you specifically have in mind, but to me the most
>> promising is Encrypted Client Hellos (
>> https://tools.ietf.org/html/draft-ietf-tls-esni-09) that especially Nick
>> Sullivan at Cloudflare has been pushing with great success.
>>
>> While I agree we should vigorously pursue approaches like that, it won't
>> help people in the most censored regions today. Sergey's code is actually a
>> core piece of bypassing real world censorship now.
>>
>>
>>> But that's not Signal's problem - TLS bugs are a lower-level network
>>> level protocol whose bugs Signal inherits when it tries to use TLS. Sergey
>>> should approach the TLS 1.3 Working Group at the IETF, not try to garner
>>> attention for himself via media releases over his github comments. This
>>> reminds me of the Israeli "security" firm that claimed they had "hacked"
>>> Signal by simply accessing the keys in the phone, which can be done to
>>> *any* app on a phone that has a rootkit that doesn't use
>>> some-yet-not-really-working secure enclave.
>>>
>>
>> Right. Signal's problem is that they were blocked in Iran. Their solution
>> to that problem attempts to use TLS in a way that doesn't work. You're
>> basically thinking of TLS in the way that Signal is thinking of TLS, which
>> is limited and the heart of the problem.
>>
>> Sergey hardly tried to garner attention for himself -- heck his last name
>> was never even mentioned anywhere I saw. I happened to realize it must be
>> him just based on his first name and the nature of the analysis.
>>
>>
>>>
>>> There is literally *no* server that is not susceptible to active probes
>>> and machine-learning based traffic analysis attacks. If Sergey had a kind
>>> of solution that actually did what Adam claimed it did "anti-censorship
>>> tools that actually work at scale in censored regions are not susceptible
>>> to active probes" then all of China would be using it. As it doesn't exist,
>>> people aren't using them.
>>>
>>
>> I never mentioned anything about machine-learning based traffic analysis,
>> which is a different problem, but the most disturbing reality is that there
>> are "anti-censorship tools that actually work at scale in censored regions
>> are not susceptible to active probes", but it turns out that a very small
>> minority of Chinese actually have much interest in the censored internet.
>> Could the tools that work in China capture more of them? Sure, but there
>> are all sorts of other issues in China too, such as distribution. It's also
>> very dangerous for people in China to work on those tools.
>>
>> One that's been growing recently is v2ray. There's a reason it has over
>> 30K stars on GitHub: https://github.com/v2ray/v2ray-core
>>
>>
>>>
>>> Censorship is a very hard problem, which is why Shava is basically
>>> right. Cutting-edge usable tech here is still I believe obfs4proxy, and
>>> it's well-known defeatable by nation-state level adversaries.
>>>
>>
>> This is actually the fundamental issue -- there is a huge asymmetry of
>> information between the more conventional security community and the people
>> who work on bypassing censorship, largely because the techniques that work
>> are largely kept secret. The "cutting-edge" usable tech at one time was
>> obfs4proxy, but it's been probably 7 years or so since that was the case.
>> The people who know what the cutting edge usable tech is are those who
>> deploy it at scale, but you're not likely to read about it anywhere.
>>
>>
>>> I do support the usage of Tor, and Tor also is susceptible to the
>>> precise same kinds of attacks Signal is and thus doesn't work in China,
>>> Iran, and many other places. Furthermore, it's not resistant to NSA-style
>>> traffic analysis. But it is better than most shady VPNs and proxies, and
>>> I hope people use it where their nation-state hasn't started censoring it
>>> yet. Same with Signal. Most VPNs that work in these countries work insofar
>>> as they are easily susceptible to attacks (i.e. see Moxie's older work on
>>> bugs in PPTP or the myriad of authentication issues facing OpenVPN,
>>> fingerprinting of Wireguard...). Again, more work is needed but aim work in a
>>> productive way, not cheap media hit pieces on Signal or Tor.
>>>
>>
>> Yeah so that's where the asymmetry of information kicks in. The VPNs that
>> work in the most censoring countries that are easily susceptible to attacks
>> stopped working long ago. China in particular has stepped up its game in
>> crazy ways in the last couple of years.
>>
>> Tor is incredible, and I support Tor's work all day long, but as you say
>> it is not used widely in the most censoring countries. Other tools are.
>>
>> -Adam
>>
>> --
>> --
>> President
>> Brave New Software Project, Inc.
>> https://lantern.io <https://www.getlantern.org>
>> A998 2B6E EF1C 373E 723F A813 045D A255 901A FD89
>>
> --
> *Collin David Anderson*
> averysmallbird.com | @cda | Washington, D.C.
>