[liberationtech] Signal ignores proxy censorship vulnerability, bans researchers

Collin Anderson collin at averysmallbird.com
Thu Feb 25 23:45:42 CET 2021 

To bo0od and Shiva’s messages —

Signal has received millions of dollars in Congressionally allocated funds
to foster secure communications in Iran and similar countries. As a
taxpayer, and quite frankly as someone who actually talks to those
non-elite communities, it’s not asking much for their tools to actually
work, especially when there are real solutions.

On Thu, Feb 25, 2021 at 12:41 PM bo0od <bo0od at riseup.net> wrote:

> signal can do nothing from what you said and can do everything the
> opposite and still no problem.
>
> software developers have no liability,responsibility,guarantees of what
> you get when you use their software.
>
> its from signal devs kindness that they even typed anything to answer
> this matter.
>
> i dunno why some ppl think that software and software developers should
> take the responsibility of anything.
>
> Collin Anderson:
> > All this debate over whether Signal could use a better bridge protocol is
> > fine, but distracts from the core problem — Signal Proxy is of little
> > consequence and is a slight of hand trick to avoid taking on further
> > burdens to address 80 million vulnerable people (a community Signal was
> > long funded to support) being cut off.
> >
> > Signal could invest that time into providing another cloud service for
> > meek-style circumvention. It did not. Instead it told users, who
> generally
> > have no connection to Iran to run bridge and post solicitations on
> blocked
> > social media. How is that a serious idea to pitch to people?
> >
> > The aughts called and it wants its internet freedom agenda back.
> >
> > On Wed, Feb 24, 2021 at 11:41 PM Adam Fisk <afisk at getlantern.org> wrote:
> >
> >>
> >> On Wed, Feb 24, 2021 at 8:19 PM Harry Halpin <hhalpin at ibiblio.org>
> wrote:
> >>
> >>> Again, if Sergey - who seems to be a perfectly nice Ph.D. student -
> wants
> >>> to fix TLS, that's fine. I would support fixes to TLS as would any
> sensible
> >>> person, including Moxie.
> >>>
> >>
> >> So just so we're on the same page, Sergey is a perfectly nice Ph.D.
> >> student whose code was deployed on more phones globally than Moxie's up
> >> until a few months ago. It's deployed almost exclusively in censored
> >> regions, in contrast to Signal which is deployed almost exclusively in
> >> uncensored regions.
> >>
> >> Making TLS more censorship resistant at the IETF level is great. I'm not
> >> sure what vulnerabilities you specifically have in mind, but to me the
> most
> >> promising is Encrypted Client Hellos (
> >> https://tools.ietf.org/html/draft-ietf-tls-esni-09) that especially
> Nick
> >> Sullivan at Cloudflare has been pushing with great success.
> >>
> >> While I agree we should vigorously pursue approaches like that, it won't
> >> help people in the most censored regions today. Sergey's code is
> actually a
> >> core piece of bypassing real world censorship now.
> >>
> >>
> >>> But that's not Signal's problem - TLS bugs are a lower-level network
> >>> level protocol whose bugs Signal inherits when it tries to use TLS.
> Sergey
> >>> should approach the TLS 1.3 Working Group at the IETF, no try to garner
> >>> attention for himself via media releases over his github comments. This
> >>> reminds me of the Israeli "security" firm that claimed they had
> "hacked"
> >>> Signal by simply accessing the keys in the phone, which can be done to
> >>> *any* app on phone that has a rootkit that doesn't use
> >>> some-yet-not-really-working secure enclave.
> >>>
> >>
> >> Right. Signal's problem is that they were blocked in Iran. Their
> solution
> >> to that problem attempts to use TLS in a way that doesn't work. You're
> >> basically thinking of TLS in the way that Signal is thinking of TLS,
> which
> >> is limited and the heart of the problem.
> >>
> >> Sergey hardly tried to garner attention for himself -- heck his last
> name
> >> was never even mentioned anywhere I saw. I happened to realize it must
> be
> >> him just based on his first name and the nature of the analysis.
> >>
> >>
> >>>
> >>> There are literally *no* server that is not susceptible to active
> probes
> >>> and machine-learning based traffic analysis attacks. If Sergey had a
> kind
> >>> of solution that actually did what Adam claimed it did "anti-censorship
> >>> tools that actually work at scale in censored regions are not
> susceptible
> >>> to active probes" then all of China would be using it. As it doesn't
> exist,
> >>> people aren't using them.
> >>>
> >>
> >> I never mentioned anything about machine-learning based traffic
> analysis,
> >> which is a different problem, but the most disturbing reality is that
> there
> >> are "anti-censorship tools that actually work at scale in censored
> regions
> >> are not susceptible to active probes", but it turns out that a very
> small
> >> minority of Chinese actually have much interest in the censored
> internet.
> >> Could the tools that work in China capture more of them? Sure, but there
> >> are all sorts of other issues in China too, such as distribution. It's
> also
> >> very dangerous for people in China to work on those tools.
> >>
> >> One that's been growing recently is v2ray. There's a reason it has over
> >> 30K stars on GitHub: https://github.com/v2ray/v2ray-core
> >>
> >>
> >>>
> >>> Censorship is a very hard problem, which is why Shava is basically
> right.
> >>> Cutting-edge usable tech here is still I believe obfs4proxy, and it's
> >>> well-known defeatable by nation-state level adversaries.
> >>>
> >>
> >> This is actually the fundamental issue -- there is a huge asymmetry of
> >> information between the more conventional security community and the
> people
> >> who work on bypassing censorship, largely because the techniques that
> work
> >> are largely kept secret. The "cutting-edge" usable tech at one time was
> >> obfs4proxy, but it's been probably 7 years or so since that was the
> case.
> >> The people who know what the cutting edge usable tech is are those who
> >> deploy it at scale, but you're not likely to read about it anywhere.
> >>
> >>
> >>> I do support the usage of Tor, and Tor also is susceptible to the
> precise
> >>> same kinds of attacks Signal is and thus doesn't work in China, Iran,
> and
> >>> many other places. Furthermore, it's not resistant to NSA-style traffic
> >>> analysis. But it is by better than most shady VPNs and proxies, and I
> hope
> >>> people use it where their nation-state hasn't starting censoring it
> yet.
> >>> Same with Signal. Most VPNs that work in these countries work insofar
> as
> >>> they are easily susceptible to attacks (i.e. see Moxie's older work on
> bugs
> >>> in PPTP or the myriad of authentication issues facing OpenVPN,
> >>> fingerprinting of Wireguard...). Again, more work is needed but aim
> work in
> >>> productive way, not cheap media hit pieces on Signal or Tor.
> >>>
> >>
> >> Yeah so that's where the asymmetry of information kicks in. The VPNs
> that
> >> work in the most censoring countries that are easily susceptible to
> attacks
> >> stopped working long ago. China in particular has stepped up its game in
> >> crazy ways in the last couple of years.
> >>
> >> Tor is incredible, and I support Tor's work all day long, but as you say
> >> it is not used widely in the most censoring countries. Other tools are.
> >>
> >> -Adam
> >>
> >> --
> >> --
> >> President
> >> Brave New Software Project, Inc.
> >> https://lantern.io <https://www.getlantern.org>
> >> A998 2B6E EF1C 373E 723F A813 045D A255 901A FD89
> >> --
> >> Liberationtech is public & archives are searchable from any major
> >> commercial search engine. Violations of list guidelines will get you
> >> moderated: https://lists.ghserv.net/mailman/listinfo/lt. Unsubscribe,
> >> change to digest mode, or change password by emailing
> >> lt-owner at lists.liberationtech.org.
> >>
> >>
>
> --
> Liberationtech is public & archives are searchable from any major
> commercial search engine. Violations of list guidelines will get you
> moderated: https://lists.ghserv.net/mailman/listinfo/lt. Unsubscribe,
> change to digest mode, or change password by emailing
> lt-owner at lists.liberationtech.org.
>
-- 
*Collin David Anderson*
averysmallbird.com | @cda | Washington, D.C.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ghserv.net/pipermail/lt/attachments/20210225/ae64a44b/attachment.htm>

More information about the LT mailing list