The best comment on the Signal Iran thing is from N-Gate:

"A chat app based on a protocol that supports federation wants to borrow your computer instead of allowing federation."

Previously, previously, previously, previously, previously.

Tags: , , , ,

5 Responses:

  1. Not Frank says:

    I agree it's the best comment, though I thought this was the best part: "It turns out it's regarded as a useful testing platform from which to launch a truly censorship-resistant communications network for even more vulnerable populations, such as American white supremacists."

  2. Kyzer says:

    Per the first "previously", Drew still has a few valid points but Nick is still entirely right. You don't want to stand out to a hostile regime. Centralised beats federated hands down, and APNs or Google Play delivery (mixing all types of traffic into one stream) is even better.

    Signal recommending a personal proxy flies in the face of this wisdom. Sure, I'll set up a Signal-specific proxy and tell my friends to use it. Once the Iranian govt scans it and sees it responds to https://DISSIDENTS-TO-JAIL.FEDERATED.NET:4433/signal-service/, so it's unmistakably a Signal proxy, they can make a nice social graph of everyone who ever connects to it.

    Tor is also banned in Iran, and the Tor project has a lot more experience fighting state actors attempting to detect proxies [PDF]

    Signal should have shown Iranians how to use Signal through Tor, and recommend Tor volunteering/donations, rather than promote a NIH solution that makes their most vulnerable users stand out

    • jwz says:

      I've never used Tor and haven't been following it, but isn't it widely assumed to be compromised by NSA?

      • Kyzer says:

        Tor is partly an academic research project providing cat-and-mouse games between deanonymisers and deanonymiser-thwarters, and partly a way for US spies to exfiltrate data from foreign internets by not standing out from other privacy-conscious upstanding citizens.

        Every site you visit in Tor has a chance the NSA will know you visited (if you're unlucky enough to get both an entry and exit node controlled by them), but this is less than the 100% chance the NSA will know if you visit directly or through a normal VPN service - especially the ones that swear they don't keep logs

        In the known cases where US agencies deanonymised Tor users, they used endpoint attacks (e.g. Firefox zero-day exploits, or exploiting poor code to get the server to print its real IP address), which suggests they can only make targetted attacks.

        As far as I know, Tor is imperfect, but not fundamentally compromised. You're more likely to unmask yourself than Tor is to unmask you, and if you're being directly targetted, all bets are off. It's easier to break into your home and point a spy camera at your computer screen than it is to break Tor's basic security model. As the NSA said in their internal presentations, Tor is "the king of high-secure, low-latency internet anonymity"

  3. tfb says:

    I do wonder what Signal's game plan is. They go on endlessly about how they're set up as a non-profit and can't be bought, so I suppose it's not 'get bought by evil corp'. They go on endlessly about how secure they are, and yet their contact discovery algorithm is a gift to stalkers, when random IDs instead of phone numbers would have been trivial to arrange (and you could still opt to attach your phone number / name / whatever to your ID to allow contact discovery.)

    I don't think this, but if they were TLA front they'd kind of behave the way they do.

  • Previously