[liberationtech] Signal ignores proxy censorship vulnerability, bans researchers

Richard Brooks rrb at g.clemson.edu
Thu Feb 25 16:07:07 CET 2021


Just to mention it, massive online surveillance and self-censorship
is not limited to the developing world.

Bad tech used to enslave the impoverished is almost always coming
back to "democratic" countries.

Privacy preserving, and censorship circumvention tech is not
only aiding others, it is essential to the "developed" world.
That is, if anyone would like to have
real journalism and not just 24/7 ratings driven
propaganda/pablum.

Remember when the TV watching you in 1984 was eerie and
futuristic instead of de rigueur? I predict that in 10 years
Black Mirror will still be watched, but as a set of
Pollyannaish utopian films.

On 2/25/21 3:26 AM, Shava Nerad wrote:
>> Yup totally agreed Collin. There is a real world consequence here in
> an increasingly impoverished region where marginalized groups are at
> real risk. 
> 
> And the general alternative for the marginalized is Telegram (or, God
> help us all, WhatsApp).  Anyone care to compare and contrast?
> 
> This is a real world consequence of a lack of funding, respect, and
> outreach for circumvention tools, these days.  In 2006, Tor went from
> broke to $3M+ in funding in one year, and the difference was outreach to
> non-technical funders who cared about the marginalized and deceived --
> and came to understand, how these ultra-geeky and previously opaque and
> shadowy tools could help good people on the ground.
> 
> The aughties are calling and asking the folks today to explain to these
> increasingly impoverished regions, in plain language and not in elite
> technical discussions, what their alternatives are and how they impact
> all of our futures.  There's a lot more trust and perspective to be
> built in a lot more contexts.
> 
> yrs,
> 
> Shava Nerad
> shava23 at gmail.com
> https://patreon.com/shava23
> 
> 
> On Wed, Feb 24, 2021 at 9:38 PM Adam Fisk <afisk at getlantern.org> wrote:
> 
>     Yup totally agreed Collin. There is a real world consequence here in
>     an increasingly impoverished region where marginalized groups are at
>     real risk.
> 
>     On Wed, Feb 24, 2021 at 11:01 PM Collin Anderson
>     <collin at averysmallbird.com> wrote:
> 
>         All this debate over whether Signal could use a better bridge
>         protocol is fine, but distracts from the core problem — Signal
>         Proxy is of little consequence and is a sleight of hand trick to
>         avoid taking on further burdens to address 80 million vulnerable
>         people (a community Signal was long funded to support) being cut
>         off. 
> 
>         Signal could invest that time into providing another cloud
>         service for meek-style circumvention. It did not. Instead it
>         told users, who generally have no connection to Iran to run
>         bridge and post solicitations on blocked social media. How is
>         that a serious idea to pitch to people? 
> 
>         The aughts called and it wants its internet freedom agenda back. 
> 
>         On Wed, Feb 24, 2021 at 11:41 PM Adam Fisk <afisk at getlantern.org> wrote:
> 
> 
>             On Wed, Feb 24, 2021 at 8:19 PM Harry Halpin
>             <hhalpin at ibiblio.org> wrote:
> 
>                 Again, if Sergey - who seems to be a perfectly nice
>                 Ph.D. student - wants to fix TLS, that's fine. I would
>                 support fixes to TLS as would any sensible person,
>                 including Moxie.
> 
> 
>             So just so we're on the same page, Sergey is a perfectly
>             nice Ph.D. student whose code was deployed on more phones
>             globally than Moxie's up until a few months ago. It's
>             deployed almost exclusively in censored regions, in contrast
>             to Signal which is deployed almost exclusively in uncensored
>             regions.
> 
>             Making TLS more censorship resistant at the IETF level is
>             great. I'm not sure what vulnerabilities you specifically
>             have in mind, but to me the most promising is Encrypted
>             Client Hellos
>             (https://tools.ietf.org/html/draft-ietf-tls-esni-09) that
>             especially Nick Sullivan at Cloudflare has been pushing with
>             great success.
> 
>             While I agree we should vigorously pursue approaches like
>             that, it won't help people in the most censored regions
>             today. Sergey's code is actually a core piece of bypassing
>             real world censorship now.
> 
> 
>                 But that's not Signal's problem - TLS bugs are a
>                 lower-level network level protocol whose bugs Signal
>                 inherits when it tries to use TLS. Sergey should
>                 approach the TLS 1.3 Working Group at the IETF, not try
>                 to garner attention for himself via media releases over
>                 his github comments. This reminds me of the Israeli
>                 "security" firm that claimed they had "hacked" Signal by
>                 simply accessing the keys in the phone, which can be
>                 done to *any* app on phone that has a rootkit that
>                 doesn't use some-yet-not-really-working secure enclave.
> 
> 
>             Right. Signal's problem is that they were blocked in Iran.
>             Their solution to that problem attempts to use TLS in a way
>             that doesn't work. You're basically thinking of TLS in the
>             way that Signal is thinking of TLS, which is limited and the
>             heart of the problem.
> 
>             Sergey hardly tried to garner attention for himself -- heck
>             his last name was never even mentioned anywhere I saw. I
>             happened to realize it must be him just based on his first
>             name and the nature of the analysis.
>              
> 
> 
>                 There is literally *no* server that is not susceptible
>                 to active probes and machine-learning based traffic
>                 analysis attacks. If Sergey had a kind of solution that
>                 actually did what Adam claimed it did "anti-censorship
>                 tools that actually work at scale in censored regions
>                 are not susceptible to active probes" then all of China
>                 would be using it. As it doesn't exist, people aren't
>                 using them.
> 
> 
>             I never mentioned anything about machine-learning based
>             traffic analysis, which is a different problem, but the most
>             disturbing reality is that there are "anti-censorship tools
>             that actually work at scale in censored regions are not
>             susceptible to active probes", but it turns out that a very
>             small minority of Chinese actually have much interest in the
>             censored internet. Could the tools that work in China
>             capture more of them? Sure, but there are all sorts of other
>             issues in China too, such as distribution. It's also very
>             dangerous for people in China to work on those tools. 
> 
>             One that's been growing recently is v2ray. There's a reason
>             it has over 30K stars on
>             GitHub: https://github.com/v2ray/v2ray-core
> 
> 
> 
>                 Censorship is a very hard problem, which is why Shava is
>                 basically right. Cutting-edge usable tech here is still
>                 I believe obfs4proxy, and it's well-known defeatable by
>                 nation-state level adversaries.
> 
> 
>             This is actually the fundamental issue -- there is a huge
>             asymmetry of information between the more conventional
>             security community and the people who work on bypassing
>             censorship, largely because the techniques that work are
>             largely kept secret. The "cutting-edge" usable tech at one
>             time was obfs4proxy, but it's been probably 7 years or so
>             since that was the case. The people who know what the
>             cutting edge usable tech is are those who deploy it at
>             scale, but you're not likely to read about it anywhere.
> 
> 
>                 I do support the usage of Tor, and Tor also is
>                 susceptible to the precise same kinds of attacks Signal
>                 is and thus doesn't work in China, Iran, and many other
>                 places. Furthermore, it's not resistant to NSA-style
>                 traffic analysis. But it is by better than most shady
>                 VPNs and proxies, and I hope people use it where their
>                 nation-state hasn't started censoring it yet. Same with
>                 Signal. Most VPNs that work in these countries work
>                 insofar as they are easily susceptible to attacks (i.e.
>                 see Moxie's older work on bugs in PPTP or the myriad of
>                 authentication issues facing OpenVPN, fingerprinting of
>                 Wireguard...). Again, more work is needed but aim work
>                 in productive way, not cheap media hit pieces on Signal
>                 or Tor.
> 
> 
>             Yeah so that's where the asymmetry of information kicks in.
>             The VPNs that work in the most censoring countries that are
>             easily susceptible to attacks stopped working long ago.
>             China in particular has stepped up its game in crazy ways in
>             the last couple of years.
> 
>             Tor is incredible, and I support Tor's work all day long,
>             but as you say it is not used widely in the most censoring
>             countries. Other tools are.
> 
>             -Adam
> 
>             -- 
>             --
>             President
>             Brave New Software Project, Inc.
>             https://lantern.io <https://www.getlantern.org>
>             A998 2B6E EF1C 373E 723F A813 045D A255 901A FD89
>             -- 
>             Liberationtech is public & archives are searchable from any
>             major commercial search engine. Violations of list
>             guidelines will get you moderated:
>             https://lists.ghserv.net/mailman/listinfo/lt. Unsubscribe,
>             change to digest mode, or change password by emailing
>             lt-owner at lists.liberationtech.org.
> 
>         -- 
>         *Collin David Anderson*
>         averysmallbird.com | @cda
>         | Washington, D.C.
> 
> 
> 


-- 
R. R. Brooks
Professor
(He/Him/His)
College of Engineering Computing and Applied Science
https://www.clemson.edu/cecas
Clemson University

313-C Riggs Hall
PO Box 340915
Clemson, SC 29634-0915
USA
office:    864-656-0920
fax:       864-656-5910
voicemail: 864-986-0813
rrb at acm.org
www.clemson.edu
https://www.clemson.edu

PGP 1: 955B 3813 41C0 9101 3E6B CF05 02FB 29D6 8E1E 6137
PGP 2: FC15 BAF0 4296 B47E 932A 9DB3 D41B 81AF C6EA 90F6

