
A Joint Statement on Recent Events Between Signal and the Anti-Censorship Community #63

Open
database64128 opened this issue Feb 9, 2021 · 38 comments

Comments

@database64128

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

A Joint Statement on Recent Events Between Signal and the Anti-Censorship Community

Sorry to bother you all, but in light of recent events that have happened between Signal and some of our anti-censorship community members, it is my belief that we, a community that's dedicated to censorship circumvention and Internet freedom, must come together. In case you didn't know, here's a quick recap.

After raising an issue about Signal's new proxy implementation designed to circumvent the Iranian government's censorship, @DuckSoft and @studentmain have been repeatedly dismissed by Signal and its co-founder Moxie. They have found that Signal's simple TLS-in-TLS proxy is subject to simple active probes, and can be detected by conventional DPI systems.

Our community has been silent for too long. We are the underdogs, doing the real work, and yet unappreciated by many people. Our opinions are underrepresented. That's what makes me believe that we must speak out this time, that we should release a joint statement, to condemn Signal's dismissive and irresponsible attitude to the anti-censorship community, and to call for our unity as a community and their immediate action on the matter.

Timeline

  1. 2021-02-05 01:30 I saw the Signal post from Hacker News and forwarded it to them, thinking they might be interested. @DuckSoft immediately realized it's a simple TLS-in-TLS proxy without any authentication, which is vulnerable to active probing.
  2. 2021-02-05 02:00 @DuckSoft posted his doubts at https://github.com/signalapp/Signal-TLS-Proxy/issues/3. @studentmain wrote and tested a PoC, which was later added to the issue. A few hours later, they received a generic, dismissive reply from Moxie, only to inform them that they don't use issues for discussions like this, that the Signal forum should be used instead. Moxie closed the issue, then immediately disabled the repository's issues, rendering the issue page "404".
  3. 2021-02-05 08:00 Frustrated by Signal's dismissive response, @DuckSoft reposted at Signal's TLS Proxy Failed to be Probing Resistant and seems leaky #60, receiving support from the community.
  4. 2021-02-05 09:00 @DuckSoft attempted to post at Signal community, getting banned immediately. Irritated, @DuckSoft added a meme in the net4people issue and called out Signal for an explanation.
  5. 2021-02-06 12:00 @DuckSoft sent a pull request that adds the PoC to Signal TLS proxy's repository. It has since been deleted and both @DuckSoft and @studentmain were banned by the Signal organization on GitHub in the afternoon. A repost by @U-v-U was later closed and locked.
  6. 2021-02-07 01:00 A reporter from BleepingComputer contacted @DuckSoft and did an email interview.
  7. 2021-02-07 06:00 Another researcher reported an issue with Signal's Android app on Signal community that could expose users to censors.
  8. 2021-02-07 17:00 The news article went live on BleepingComputer.
  9. 2021-02-08 00:00 Moxie responded to the article on Twitter, calling it absurd.
  10. 2021-02-08 02:00 In a phone call with BleepingComputer, Moxie made false accusations and baseless claims. BleepingComputer updated their article with Moxie's response.
  11. 2021-02-08 Later in the afternoon: BleepingComputer removed the original article under pressure from Moxie, citing "conflicting information" they have received. The original article can still be found in archive.

Our statement

Who we are and what we stand for

We are a group of volunteers from around the world, working together for the same goal of helping with censorship circumvention. We believe everyone should have equal access to a free Internet.

V2Fly maintains V2Ray, a proxy and routing tool that helps people behind China's GFW and Iran's Internet firewall stay connected to the internet.

The Qv2ray workgroup is a research group that focuses on the security of censorship circumvention tools. The workgroup has helped discover several flaws in V2Ray that could lead to detection by adversaries. The workgroup also maintains Qv2ray, a GUI frontend for V2Ray.

Shadowsocks for Windows is a cross-platform Shadowsocks client implementation in C#. We are a part of the Shadowsocks organization.

Why Signal should have listened to us

Signal might have their reputation rightfully earned with end-to-end encryption for all chats. But they are apparently no experts in the field of censorship circumvention.

With years of engineering experience fighting China's GFW, our community has the expertise in designing a proxy protocol that can circumvent firewalls and censors by keeping the traffic unidentifiable from normal Internet traffic.

What Signal has done wrong

Signal's proxy implementation has several critical flaws.

  • It's leaky. Signal's Android app leaks DNS queries when the built-in proxy is enabled.
  • It's prone to active probes. Without authentication mechanisms, the simple TLS-in-TLS proxy can be probed by sending 2 requests, one to Signal's server, one to a non-Signal server.
  • It can be easily detected by conventional DPI systems. Signal's unique TLS fingerprint can be picked up due to the absence of ALPN. DPI systems are also able to detect traffic patterns of a TLS-in-TLS proxy.

And this is not the first time that Signal has ignored researchers' findings and voices from the community.

Sergey Frolov shared his experience when reporting Signal Android app's TLS fingerprint issues. Multiple emails sent to Signal were all ignored. In the end they posted an issue in their repository and the issue has also been deleted.

A developer in the open source community contributed this PR for the Signal's repository. In the end he only got a response from Moxie asking the contributor to start from smaller bug fixes to "get a feel for the project". The reply from Moxie has gotten 45 downvotes from the community so far.

A former Wayland maintainer also shared his insight on Signal, over Moxie's hostility on the community and unwillingness of federation.

Since the takedown of the BleepingComputer article, Moxie has been claiming multiple times on Twitter, that a proxy is always identifiable, ignoring evidence suggested by anti-censorship researchers and our community members.

What we ask Signal to do

We urge Signal to issue a statement that informs its users of potential risks caused by the flaws of its proxy implementation. Signal must stop advising people in Iran to use its fragile, temporary solution. Instead, Iranian people should seek other well-established solutions, like the ones from our community.

On a community level, we ask all of us to stop attacking each other.

We ask our community members to stay united, while keeping the conversations civil. Do not initiate personal attacks. Do not make up or spread conspiracy theories. Support our findings and explain with facts, instead of forcing our mindset onto other people.

We ask Moxie to apologize for his dismissive response and baseless claims. Let the people who understand the subject speak. Stop making false claims when you are not at all familiar with the subject.

We ask Signal to stop treating the anti-censorship community like adversaries. We are not your enemy. Treat the community with respect, by taking issue reports from the community seriously, by responding to our inquiries instead of deliberately ignoring us. Together we can fight censors and help build a better Internet.
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQRNztFeNG4pI7kx1vcconVGvtuLAQUCYCJAjQAKCRAconVGvtuL
AQ98AQCKAPkcLKPuaQKCXlQxejr3mww7KaM+g0Kho17RQvQLXwD/ZROq0YuPEll9
jGlj3AfW9lK797p7AFuo1CXlRteFgwc=
=j1jf
-----END PGP SIGNATURE-----
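The statement's third bullet says Signal's client can be fingerprinted because its ClientHello carries no ALPN extension. What follows is an added example written for this page; it is not code from the joint statement, from Signal, or from any of the signatories' projects. It builds a constructed minimal TLS ClientHello (the standard byte layout, with a made-up hostname, cipher-suite list and fixed "random" field) and parses the extension list back out, so an operator can check whether a client's hello carries ALPN (extension type 16) and SNI, which is the same field-by-field comparison a DPI fingerprint performs against ordinary browser traffic. The function names and the sample values are my assumptions.

```python
import struct

EXT_SNI = 0x0000   # server_name
EXT_ALPN = 0x0010  # application_layer_protocol_negotiation


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def sni_extension(host):
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    return _ext(EXT_SNI, struct.pack("!H", len(entry)) + entry)


def alpn_extension(protocols):
    body = b"".join(bytes([len(p)]) + p.encode() for p in protocols)
    return _ext(EXT_ALPN, struct.pack("!H", len(body)) + body)


def build_client_hello(host, alpn=None, cipher_suites=(0x1301, 0x1302, 0xC02B)):
    """Constructed sample ClientHello record (not a real capture)."""
    random = bytes(range(32))                 # fixed bytes: sample data, not a real nonce
    body = b"\x03\x03" + random + b"\x00"     # legacy_version, random, empty session_id
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                       # one compression method: null
    exts = sni_extension(host)
    if alpn:
        exts += alpn_extension(alpn)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Walk a ClientHello and return version, cipher suites, extension order, SNI and ALPN."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = body[pos:pos + 2]; pos += 2
    pos += 32                                  # skip random
    sid_len = body[pos]; pos += 1 + sid_len
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]; pos += 1 + comp_len
    info = {"version": version.hex(), "cipher_suites": suites,
            "extensions": [], "sni": None, "alpn": None}
    if pos >= len(body):
        return info                            # no extensions block at all
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        info["extensions"].append(etype)
        if etype == EXT_SNI:
            # server_name_list: list length (2), name_type (1), name length (2), name
            (name_len,) = struct.unpack("!H", data[3:5])
            info["sni"] = data[5:5 + name_len].decode()
        elif etype == EXT_ALPN:
            protos, p = [], 2                  # skip protocol_name_list length
            while p < len(data):
                n = data[p]
                protos.append(data[p + 1:p + 1 + n].decode())
                p += 1 + n
            info["alpn"] = protos
    return info


def has_alpn(record):
    """True when the ClientHello advertises ALPN, as browser hellos do."""
    return EXT_ALPN in parse_client_hello(record)["extensions"]
```

ALPN presence is only one field of a fingerprint; the full extension set and its order, the cipher-suite list and the supported groups all feed into the comparison, so a client that adds ALPN but otherwise differs from a browser hello is still distinguishable. The parser returns the extension order precisely so that the rest of that comparison can be made.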

@database64128
Author

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I'm a maintainer on https://github.com/shadowsocks/shadowsocks-windows. I approve this message.
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQRNztFeNG4pI7kx1vcconVGvtuLAQUCYCJBmwAKCRAconVGvtuL
AdrQAQC7dJA3qiRtM3abzZWHFlNhAYi56NWe+T1DVcUmI9ndkQD8DuBveRJ7LeRS
/hIImh8cuZF8Zt/tv8WWaXjxQdIKqAY=
=RclQ
-----END PGP SIGNATURE-----

@DuckSoft

DuckSoft commented Feb 9, 2021

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I am DuckSoft from Qv2ray Developer Community and I prove my identity by GPG signing this message.

My opinion is consistent with what is listed in the article. Here goes the signature of the article:

iHUEARYIAB0WIQRNztFeNG4pI7kx1vcconVGvtuLAQUCYCJAjQAKCRAconVGvtuL
AQ98AQCKAPkcLKPuaQKCXlQxejr3mww7KaM+g0Kho17RQvQLXwD/ZROq0YuPEll9
jGlj3AfW9lK797p7AFuo1CXlRteFgwc=
=j1jf

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE2H0QtOEy/6QN7CMrejqfpuT9So0FAmAiQdgACgkQejqfpuT9
So2UNgf9GEPlsDiXpGnPSwwtEVh/SGmfOhYSBf8+Uh0/+9dRZY8jHwk1K9jmz2J1
ajhcDjw4Ekzv9+hqIMDiqhWyW4xT21A44ec29MZgznTqg1gX+4tFJ09tVvvE23pP
cyyGG5wb+TCdjnWzOAnpYsE5rntRrg5SKp76l0H4fj/TRvrWQD2JWNufhK2p/81b
St/eyIzWNUeZyLSVq8A3m5YdUQvZbaMvYsSgMEwvv7uFtKB6f1j7+3isy5D52imc
CtZpvs+jk/8hOfGThnCGNxANgb46ZMcbaUBorsrHv1GKNzDj/dSbvCr+h2Ni3Alr
G9ckym+lfWFR5jqnzW9PjZhwSJnUHQ==
=Kg9o
-----END PGP SIGNATURE-----

@EpLiar

EpLiar commented Feb 9, 2021

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I'm a member of Qv2ray and V2Fly. I approve of this message.
-----BEGIN PGP SIGNATURE-----
=POwc
-----END PGP SIGNATURE-----

@ghost

ghost commented Feb 9, 2021

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

+1

- -----
Signature from DuckSoft

iQEzBAEBCAAdFiEE2H0QtOEy/6QN7CMrejqfpuT9So0FAmAiQdgACgkQejqfpuT9
So2UNgf9GEPlsDiXpGnPSwwtEVh/SGmfOhYSBf8+Uh0/+9dRZY8jHwk1K9jmz2J1
ajhcDjw4Ekzv9+hqIMDiqhWyW4xT21A44ec29MZgznTqg1gX+4tFJ09tVvvE23pP
cyyGG5wb+TCdjnWzOAnpYsE5rntRrg5SKp76l0H4fj/TRvrWQD2JWNufhK2p/81b
St/eyIzWNUeZyLSVq8A3m5YdUQvZbaMvYsSgMEwvv7uFtKB6f1j7+3isy5D52imc
CtZpvs+jk/8hOfGThnCGNxANgb46ZMcbaUBorsrHv1GKNzDj/dSbvCr+h2Ni3Alr
G9ckym+lfWFR5jqnzW9PjZhwSJnUHQ==
=Kg9o

Signature from EpLiar
=POwc
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEdbyjO018JNZhjd2SqnhRnCCMh0IFAmAiTBoACgkQqnhRnCCM
h0KsQg/+LTQGOfIouVHEyL+zqlahEJOVRyr5YdwizUKoB0DEIzLqZxWthFrRR0DZ
RNyPY7hEm5fKi3dCXOraMmV/zbL06/BRdJVWZlnlRAg5OHdFa3t+qADhiVk9WgVJ
INUT6U1m40uiAxHlQzOvt7UM/x/wSt2t342i+URgWxoqIrzuUq5CpKxdc8Yzd4rl
tJlNKvRFOq4pqNS/ovN8plKL7DDp3au//jNIBiyzJsLqM4YqyhHKMrSaRr+w38Xu
heE1+eD+znwnrvN3HcV9pRhHvhLAxHJ0zjenbMNI4ZO6j6YAwGO3f2QbogajrtqA
E/C9Z292r+QqI3BNsu6wpkZQANv3dd9fhh4qstofnv1jq+H7EqpH8UwL8TmPP6V6
b0Pc6M1OC6aQpwtMwblXvciLNJU7SEcb4d5jS7byQrFjK7dVJ+mhi0TqigG/oJZO
Jp1ykSpLkuZ1WYPCthQB1Bw9vq6blxLLc6cI25gccT1X3oSeoQth2X40BLgdtotz
VmuTp/3ZTP3MPn/djHUYm0SOPQoLy754t6gWjg6pcxZt/+dVrO4vgTpjERsrPwyi
IjA1FRd699a6sDAu2eHFSCbQBjm2ov4JFvFlyR83BVCjYHxarWyrJlVKN0/hibAL
Ligl6orkQDJ1HDkYfHk/s15new6siVeBgq34y/MaWUKg4puFP7A=
=TSTs
-----END PGP SIGNATURE-----

@ghost

ghost commented Feb 9, 2021

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This is @U-v-U, the founder of Qv2ray, signed using the Qv2ray official PGP key, which can be found at:

https://github.com/Qv2ray/debian/blob/master/pubkey.gpg

Previous Signature from StudentMain
=TSTs
-----BEGIN PGP SIGNATURE-----
=2KBt
-----END PGP SIGNATURE-----

@ghost

ghost commented Feb 9, 2021

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This is @U-v-U, this message was signed using my personal key.

Previous Signature

iQIzBAEBCAAdFiEEsTEUHwpqo99I2jhKJfhASNcAcIUFAmAiTTAACgkQJfhASNcA
cIX9YxAAwWj+VyCAKI8tAM2Kz8GzAwYaxpraWWC3Y9BxyPwDQWs4nQj3fgHA0H58
O0MrAfDQ8+HABvPt4Uxu1243MUK/4jJdpK+mf0Iu8Zv9XNDQ8PSzgw/5oLXO7hI/
ir6pJIE6DdSrxjmN9bInQKmpuOTjbb00z5fb2xQcJXrU9Lx/EIC8utjr5YQkXABU
JuTHABWQWo6ES3ej3M/HjKsRyE5pNqlAiugm+2S2i/ut8rMC/n/xwnPIdgBD3a/V
y2i2t+s4XuMFxgLnC6EQ6CmGDvfn0so2lHow2R+T3wuATFuVEk2ymh+YNcMH8IZd
sKsNtGIONBuYXHGUmyMaSpe6xREekB1vVZBWzKJ8wdpqBzvuQQtHCmmrPu/o3nHO
yFXbpcjzC/+kRi+FEi0ubkX/ah9lrGFnJzhUsOF8mcqfJtwufrVrlyA0wfgNwqhV
Naz6KeweDbMZ+OFShF8lQMpyvAQL6IOPUkv73/sxlHkxlrRZNlIM35wC3k+X5Ijb
U8KqwB0SWZi0N77Se7G9MhB+4S12EU48iMudjPnj3dywUhk0kjZq61B7+Nh9lzt3
wZ0kiDLGfLlZz08tzfYTvzB+vQvDJONb9YIneWhiNxUi52jGb7GMSkyUa6jN89WW
yQ5yEEmcNyQO9717W/6aLLFGpeK6W7yObZ9FWHWiEgZ9h3Tz1CM=
=2KBt
-----BEGIN PGP SIGNATURE-----
=jVk7
-----END PGP SIGNATURE-----

@SekiBetu

SekiBetu commented Feb 9, 2021

additions: if something is dangerous, people can and should point it out at any time in public. It's not offensive to projects against censorship; it's very important to let people know before it's too late.
for example:
v2ray/discussion#704
v2ray/v2ray-core#2523
v2ray/v2ray-core#2530
v2ray/v2ray-core#2542

@KevinZonda

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This is @KevinZonda, founder of FastGit.org. I approve of this message.

- ------
Signature from DuckSoft

iQEzBAEBCAAdFiEE2H0QtOEy/6QN7CMrejqfpuT9So0FAmAiQdgACgkQejqfpuT9
So2UNgf9GEPlsDiXpGnPSwwtEVh/SGmfOhYSBf8+Uh0/+9dRZY8jHwk1K9jmz2J1
ajhcDjw4Ekzv9+hqIMDiqhWyW4xT21A44ec29MZgznTqg1gX+4tFJ09tVvvE23pP
cyyGG5wb+TCdjnWzOAnpYsE5rntRrg5SKp76l0H4fj/TRvrWQD2JWNufhK2p/81b
St/eyIzWNUeZyLSVq8A3m5YdUQvZbaMvYsSgMEwvv7uFtKB6f1j7+3isy5D52imc
CtZpvs+jk/8hOfGThnCGNxANgb46ZMcbaUBorsrHv1GKNzDj/dSbvCr+h2Ni3Alr
G9ckym+lfWFR5jqnzW9PjZhwSJnUHQ==
=Kg9o

Signature from studentmain
=TSTs
-----BEGIN PGP SIGNATURE-----
=sQ52
-----END PGP SIGNATURE-----

@sneak

sneak commented Feb 9, 2021

There's no exploit or vulnerability here (despite your misleading use of the "PoC" and "responsible disclosure" terms that apply to such things). The fact that you can detect a Signal proxy as a Signal proxy isn't a vulnerability; if it gets censored you're no worse off than you were if that proxy didn't exist: the main Signal servers are censored in Iran already. Indeed, this is the Signal circumvention proxy working precisely as designed.

Pretending it's dangerous or that there is an "exploit" is terribly misleading.

This transparent attempt at attention-seeking (including your bogus claims of some coverup) is an unnecessary distraction from the real, important work.

@ghost

ghost commented Feb 9, 2021

working precisely as designed

Then they should learn how to design.

@DuckSoft

DuckSoft commented Feb 9, 2021

@sneak

Let the people who understand the subject speak. Stop making false claims when you are not at all familiar with the subject.

@Nek0kawa1

Nek0kawa1 commented Feb 9, 2021

@sneak

There's no exploit or vulnerability here (despite your misleading use of the "PoC" and "responsible disclosure" terms that apply to such things). The fact that you can detect a Signal proxy as a Signal proxy isn't a vulnerability; if it gets censored you're no worse off than you were if that proxy didn't exist: the main Signal servers are censored in Iran already. Indeed, this is the Signal circumvention proxy working precisely as designed.

Pretending it's dangerous or that there is an "exploit" is terribly misleading.

This transparent attempt at attention-seeking (including your bogus claims of some coverup) is an unnecessary distraction from the real, important work.

i don't care if it is an exploit or a vulnerability or whatever you guys are naming it, it doesn't matter, it can be detected, right? you just need to answer me that. if it can be detected, in my eyes, it is trash, a useless thing, putting people in danger.

can be detected = useless proxy tools against censorship
can be detected = useless proxy tools against censorship
can be detected = useless proxy tools against censorship

(why can i say that? i lived in china, i have used proxy tools to break the censorship since 2008, i used lots of them, let me count for you: Shadowsocks, ShadowsocksR, SSCap, Brook, Goflyway, PipeSocks, XX-Net, GoAgent, Tor Browser, v2ray, Trojan, Xray, any of these is better than this signal proxy)
why don't you guys understand it? when people go to jail or die because of this, you guys are still saying "it doesn't matter being detected, it's safe, just use it", what's wrong with you guys?

you are not focusing on the issue that it can be detected, you are leading people to personally attack those whistleblowers, what you are saying is a big distraction.

Pretending it's dangerous

hope you can take responsibility for what you are saying, cause i've seen lots of people go to jail in china just because their server was detected and their real IP was found.

one more thing, WTF is "working precisely as designed", your design is putting people in danger? that's so sick
and, me being rude doesn't mean what i said is not true, you guys don't even know this, funny.

@itshaadi

itshaadi commented Feb 9, 2021

@sneak sorry, but Signal did not "design" anything. okay? it's a stupid SNI Proxy. and, that is fine with me if this was just recognized as a simple PoC or an attempt to demonstrate another use-case for Nginx.

in the end, you are not the one who has to use such proxies on a daily basis. so trust me, there is A lot to be done here if they actually intended to help.

@p410n3

p410n3 commented Feb 9, 2021

As someone who has had the privilege to speak with people behind the GFW and the Iranian Firewall, I too support this statement. These people often go through great technical efforts to provide safe solutions for them and people around them and avoid detection. If detected, real life consequences are a possibility. And while I personally haven't heard of anything drastic, I heard of people getting fined and intimidated.

Providing Signal users in Iran with an easy-to-detect proxy might be equivalent to letting them run into an open blade. ISPs are able to see the proxies, and they're able to see who connects to them.

I'm just hoping that

A) These people won't face any dire consequences

B) Signal eventually provides a better solution

Good luck to everyone here!

@HMBSbige

HMBSbige commented Feb 9, 2021

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I am HMBSbige, I am sending this representing myself and prove my identity by GPG signing this message.

My opinion is consistent with what is listed in the article.

Here goes the signature of the article:
iHUEARYIAB0WIQRNztFeNG4pI7kx1vcconVGvtuLAQUCYCJAjQAKCRAconVGvtuL
AQ98AQCKAPkcLKPuaQKCXlQxejr3mww7KaM+g0Kho17RQvQLXwD/ZROq0YuPEll9
jGlj3AfW9lK797p7AFuo1CXlRteFgwc=
=j1jf
-----BEGIN PGP SIGNATURE-----

iLUEARMKAB0WIQS07MfX6hjn43QzxkRtOWCX8FBRvwUCYCJz8wAKCRBtOWCX8FBR
vwKFAf0ebY630YkNyPE/NmoTcxo2gtfnQy0zbZmKzsO3JIiHvJeoYHmM5kfv25Qq
EIQS4nJ2RpsCCjaLUcrawxCwDbSeAf9PiqZMFb8kB67Hd3jNO1iLDBRiLac8MuJG
jQmKbioN/3vDKbgKcrC9qm5ypIeHnXzOBSTKrmKmdartTL56ZbuJ
=EqI4
-----END PGP SIGNATURE-----

@xiaokangwang

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I am Xiaokang Wang.

I am in favor of the article above.

The avoidance of censorship in an authoritarian country should not only focus on speed. Dictators don't stay in power with network censorship alone, as they also have law enforcement on their side with the threat of physical violence. It is not only about accessing a service today; it is also about remaining anonymous and living another day unidentified. Some people may have unlimited chances to change protocols and make improvements as many times as needed, yet someone may have only one identity, which, once revealed to the dictator, can put their singular life at the mercy of the self-proclaimed overlord.

Nothing is perfect, but a better design will make it more difficult for the adversary to attack, which is the point.

Respect your user, and treat security issues seriously.

-----BEGIN PGP SIGNATURE-----

iLUEARMKAB0WIQSzqpCZmlLsPyFkeb/E1eedIrJTFgUCYCJ7qQAKCRDE1eedIrJT
FtAMAfsHzy8yb6Xlq5feostNLJ8uul/x6ub6k2/AExb7T2lweT6WPbLsMkakfkH7
S67R/qJpz3BH/H2Qi9W6p9vUXZcPAf9A8qM7GGveVq2ybP9emAeH8bJnKAcRPtiy
jRGhn4MPoZiBDMlTUdysYNpCVd4ULY5iInaRx38IHmg4dZ588jEI
=1RnR
-----END PGP SIGNATURE-----

@chenshaoju

chenshaoju commented Feb 9, 2021

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This issue needs to be taken seriously.

Here goes the signature of the article:
iHUEARYIAB0WIQRNztFeNG4pI7kx1vcconVGvtuLAQUCYCJAjQAKCRAconVGvtuL
AQ98AQCKAPkcLKPuaQKCXlQxejr3mww7KaM+g0Kho17RQvQLXwD/ZROq0YuPEll9
jGlj3AfW9lK797p7AFuo1CXlRteFgwc=
=j1jf
-----BEGIN PGP SIGNATURE-----
=Mb/r
-----END PGP SIGNATURE-----

@IceCodeNew

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This is @IceCodeNew, a member of the V2Fly Community. Here I prove my identity by GPG signing this message.
My opinion is consistent with what is listed in the article.
-----BEGIN PGP SIGNATURE-----
=7Tzo
-----END PGP SIGNATURE-----

In case the GPG public key is needed:

-----BEGIN PGP PUBLIC KEY BLOCK-----
=Iq2Y
-----END PGP PUBLIC KEY BLOCK-----

@abschluss24

If an app brands itself as a secure-messaging app and intends to serve users under authoritarian regimes like Iran and China, it should consider protecting users' physical security when deploying anti-censorship technologies.

No physical security = no information security at all.

@klzgrad

klzgrad commented Feb 9, 2021

I hope discussions at this place will remain academic. It is a lost cause to argue with Signal that they are wrong, for having different design goals and threat models. This is arguing from different premises and it will not end in a useful conclusion.

It's time to agree to disagree.

@RPRX

RPRX commented Feb 9, 2021

I am RPRX. For anti-censorship, I am committed to continually putting novel and interesting ideas into practice.

I witnessed the whole affair from the outside, and I basically agree with the content and views stated in this issue.

For a long time I have noticed that, worldwide, new proxy tools emerge every day, but most of them are research projects that have never seen large-scale deployment or been tested in practice.

In China, by contrast, there are many effective and popular proxy tools; they have been deployed on an unimaginable scale and continue to iterate and evolve in the ongoing arms race.

At the same time, this has given us rich experience and sharp instincts and judgment.

So what I want to say is: in the field of anti-censorship, the voices of researchers from China are very, very, very important, and this should become common understanding.


Machine translation added by @wkrp:

I'm RPRX, and I'm committed to constantly putting new and interesting ideas into practice for Anti-Censorship.

I've experienced the whole thing objectively and basically agree with the content and views stated in the issue.

I've been noticing that globally, new agent tools are emerging every day, but most of these tools are research-based and have not been applied and tested at scale.

In China, however, there are many proven and popular proxy tools that are being used on an unimaginably large scale, and they are iterating and evolving against each other.

At the same time, this brings us a wealth of experience, a keen sense of smell and judgment.

So I would say that the voice of researchers from China is very, very, very important in the Anti-Censorship space, and that should be the consensus.

@SekiBetu

SekiBetu commented Feb 9, 2021

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I am SekiBetu and I prove my identity by GPG signing this message.

My opinion is consistent with what is listed in the article.
A rude manner is wrong, but what Moxie said,
"Yes, a proxy will always be detectable as a proxy, at the very least when someone discovers the proxy link -- which is inevitable when millions of people are using them. Fortunately, it's not a secret!"
this, this is not an excuse for not fixing it. This is not what Signal is aiming for; you need to take responsibility for your users.

Here goes the signature of the article:

iHUEARYIAB0WIQRNztFeNG4pI7kx1vcconVGvtuLAQUCYCJAjQAKCRAconVGvtuL
AQ98AQCKAPkcLKPuaQKCXlQxejr3mww7KaM+g0Kho17RQvQLXwD/ZROq0YuPEll9
jGlj3AfW9lK797p7AFuo1CXlRteFgwc=
=j1jf
-----BEGIN PGP SIGNATURE-----

iHUEAREIAB0WIQRM/B8hsj3UeS2E+goizTmOiNQCdwUCYCKIDAAKCRAizTmOiNQC
d0dhAP4xkOcZynZNuachvmS/cKsBhwr9b0xE9kkRkEWKzWMLJAEAjgh8Nee/LFgP
yA8LMG/eteRSFui5gPoGvaU/N5E2/LM=
=lpQz
-----END PGP SIGNATURE-----

@iseki0

iseki0 commented Feb 9, 2021

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

My opinion only represents myself. Actually, I don't care whether it's an "exploit" or anything else.
If the software was designed for people who live in a censored country, providing the ability to keep the user safe is required.
Especially when you take it as an important feature.
With this opinion, I approve this thread.
-----BEGIN PGP SIGNATURE-----
=aQQv
-----END PGP SIGNATURE-----

@MachineryEnchantress

I hope discussions at this place will remain academic. It is a lost cause to argue with Signal that they are wrong, for having different design goals and threat models. This is arguing from different premises and it will not end in a useful conclusion.

It's time to agree to disagree.

It's easy to remain dispassionate and tone police others when it's not your people getting arrested because Signal advertises functionality it does not have.

@sneak

sneak commented Feb 9, 2021

because Signal advertises functionality it does not have

Perhaps you could link us to where this is happening, @sexycyborg?

I doubt this claim, and if this is indeed factually accurate, it should be trivial for you to substantiate it.

@MachineryEnchantress

Perhaps you could link us to where this is happening, @sexycyborg?

It advertises itself as a secure messenger; it is not, for Chinese nationals, and attempts to mitigate those vulnerabilities had to be fought over for over a year. We've made some progress recently with disclosure of the IME problem, but Moxie, and so the Signal Foundation, have shown a disturbing degree of callousness towards a large group of extremely vulnerable users.

@ghost

ghost commented Feb 9, 2021


@sneak

sneak commented Feb 9, 2021

It advertises itself as a secure messenger, it is not for Chinese nationals- and attempts to mitigate those vulnerabilities had to be fought over for over a year.

Your claim of insecurity, versus their claim of being a secure messenger, is not "advertises functionality it does not have", as "secure" is not an objective analysis (nor is it "functionality"). You have failed to substantiate your claim that "Signal advertises functionality it does not have", which is a different claim from the one you switched to, which I think is summarized as "Signal is not secure" (an opinion I do not share).

To do so, you would have to substantiate both of:

a) Signal claimed certain functionality

b) Signal's product did not have that functionality

You've done neither. I'm going to unsub from this thread now, as I think it's degraded into a pure smear campaign, something I've no interest in participating in.

I wish all of you llamas a fun drama party.

@ghost

ghost commented Feb 9, 2021

@sneak The Signal app itself is safe, just use it. I never read its code, so I can't figure out anything new in its app at the moment.

Yes, you said lacking some features is by design. That's ok. If someone needs those features, they just switch to other tools.

In case someone forgets to read the doc, here's their goal.


@mzz2017

mzz2017 commented Feb 9, 2021

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I am mzz2017, the maintainer of v2rayA and a member of V2Fly community.
I think the disrespect for researchers is the key point of this event.
Signal should apologize to those researchers and the public without any doubt.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEAYBOSaaCAGjVfePlp37M4iqXtrwFAmAiowkACgkQp37M4iqX
tryqJAgAwh6mSngjq9fVm7nNgcD/Kq4cr8ZLmkwZR5QSH4BG1DoL5gHxY65vTyMH
I06vTkUnM/Bjj8oGzLkrnrFmWkPATa0Kjrho1RDGVgy0p12WH4fWRhlhYuR+9wwf
MkbTEuUysPblOPS8/NZ3fnn3p2qJRQCwHh7ef7kxSIreLMeSGJWyGg/0RpRhdTME
VgSLiLHrg26ttq4k+kc1zGK2DSQNq/2FpPGQyw92xwfiZrpXtv5e4Etb0Rd9iiGR
lekh577qrTNvX4aRpZqfvBXYtOzjF+BIwJPvsAm+Ty2+ExsdIPKKTbblSt/LO9N5
4pp7zAAK24zGhbxuIpaydN8eVu+X4w==
=yMxy
-----END PGP SIGNATURE-----

@myleshorton

Agreed with the above. I really like Moxie, and Signal is amazing, but to brush aside obvious flaws is disrespectful and harmful to users.

@awnumar

awnumar commented Feb 9, 2021

I am Awn, I'm a security researcher and programmer who has worked on censorship resistance.

This issue has become quite inflamed. Lots of people care about this very strongly because the consequences are high. In the West we can shrug things off as good enough because our governments don't generally imprison people and threaten their lives and livelihoods over such things. The anti censorship community and researchers in this field have a wealth of knowledge and experience in creating systems that work. At the end of the day it is Signal users that matter the most, and if we all work together we can make something that will help them instead of provide them with false hope and false security.

But let's stick to the technical details. This started when Signal posted this blog post: https://signal.org/blog/help-iran-reconnect/

The blog post is titled "Help users in Iran reconnect to Signal". The blog post describes the "simple" TLS proxy as an "interim solution". So, it should be treated as such. However, the section "An unorthodox-y proxy" gives the impression that the solution is more resistant to censorship than it is. For a post that, in the title, advertises resistance to censorship in Iran, one of the most restrictive Internet censors in the world, there's a surprising (apparent) lack of research (or care) into actual censorship resistant systems.

In terms of passive attacks, this paper which studies the TLS fingerprints of widely used implementations may be useful in implementing a proxy that blends in with background traffic.

The main issue however is resistance to active probing attacks that compromise the identity of proxy servers which then compromises their lifespan and the identity of their users. I've seen some people say that resistance to being censored in-transit is orthogonal to the goal of remaining hidden as a proxy and protecting the identity of users. This is incorrect, the concepts are closely related.

If a proxy is easily discovered with a probing attack, the effort that a host went through in order to set it up has gone to waste. They have to provision a new IP address, which is more costly than adding an IP to a blocklist is. It's a bad user experience for users of the proxy, and it ruins the security properties.

Adding resistance to active probing attacks may not even be that difficult. There are a number of papers that discuss this topic.

I hope that the Signal team will start being more cooperative instead of defensive and reactionary, and I hope that the people who are inflaming the situation by becoming angry will calm down so that we can work together towards solutions.
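Awn's technical point, and the statement's second bullet, both come down to the proxy accepting any TLS-in-TLS connection without a client credential. The block below is an added illustration of one well-known countermeasure, written for this page and not taken from Signal, from awnumar, or from any existing proxy tool: the client's first flight carries a nonce, a timestamp and an HMAC-SHA256 tag under a pre-shared key; the server evaluates all three checks (tag, freshness, replay) before deciding, and every failure yields the same FALLBACK decision, which a real deployment would map to handing the connection to an ordinary cover website so an unauthenticated visitor learns nothing from the response. The header layout, the 60-second window and the names make_auth_header and FirstFlightVerifier are my assumptions.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

NONCE_LEN, TS_LEN, TAG_LEN = 16, 8, 32
HEADER_LEN = NONCE_LEN + TS_LEN + TAG_LEN   # nonce || timestamp || HMAC-SHA256 tag


def make_auth_header(psk: bytes, now: int, nonce: Optional[bytes] = None) -> bytes:
    """Client side (hypothetical layout): authenticate the first flight with a PSK."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ts = struct.pack("!Q", now)
    tag = hmac.new(psk, nonce + ts, hashlib.sha256).digest()
    return nonce + ts + tag


class FirstFlightVerifier:
    """Server side: decide PROXY or FALLBACK from a connection's first bytes.

    Every rejection path returns the identical FALLBACK decision, so a bad tag,
    a replayed nonce and a stale timestamp are indistinguishable from outside;
    a deployment would hand FALLBACK connections to the cover website that the
    server's TLS certificate was issued for.
    """

    def __init__(self, psk: bytes, window_seconds: int = 60):
        self.psk = psk
        self.window = window_seconds
        self.seen = {}                      # nonce -> timestamp, pruned by window

    def _expire(self, now: int) -> None:
        # Nonces older than the window can no longer pass the freshness check,
        # so they can be dropped from the replay cache.
        for nonce, ts in list(self.seen.items()):
            if now - ts > self.window:
                del self.seen[nonce]

    def check(self, first_bytes: bytes, now: int) -> str:
        self._expire(now)
        if len(first_bytes) < HEADER_LEN:
            return "FALLBACK"               # too short to carry a credential
        nonce = first_bytes[:NONCE_LEN]
        ts_raw = first_bytes[NONCE_LEN:NONCE_LEN + TS_LEN]
        tag = first_bytes[NONCE_LEN + TS_LEN:HEADER_LEN]
        (ts,) = struct.unpack("!Q", ts_raw)
        expected = hmac.new(self.psk, nonce + ts_raw, hashlib.sha256).digest()
        tag_ok = hmac.compare_digest(tag, expected)   # constant-time comparison
        fresh = abs(now - ts) <= self.window
        unseen = nonce not in self.seen
        if tag_ok and fresh and unseen:
            self.seen[nonce] = ts
            return "PROXY"                  # rest of first_bytes is the inner stream
        return "FALLBACK"
```

The order matters: the tag is always computed and compared, and the freshness and replay checks always run, before any decision is taken, so the time spent on a rejected connection does not leak which check failed. Production tools add what this sketch leaves out, chiefly encryption of the header itself so that the fixed-length structure is not a fingerprint of its own, and a bounded replay cache.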

@awnumar
awnumar commented Feb 9, 2021

Hello. There is a fork of Signal called Molly-IM. It provides local database encryption and SOCKS5 proxy support. It works with the regular Signal network.

Forks of the Signal codebase that use Signal servers are against Signal's terms of service. Unfortunately Signal themselves have to solve this issue, or change their terms of service.

Edit: The user who I am replying to deleted their comment.

@sneak
sneak commented Feb 9, 2021

Forks of the Signal codebase that use Signal servers are against Signal's terms of service.

The software copyright license is what determines the rights afforded to forks of the code.

The Terms of Service (entirely distinct from the software copyright license) apply only to end users of the web service, not software publishers.

My understanding of copyright law is that due to the free software license that Signal is released under, anyone may fork it and specify Signal's official servers in it, against Signal's wishes. Doing so would not violate the software copyright license, and distributing such a fork would not fall under the terms of service for the Signal service, as that applies to the end users accessing that service, not the publisher of free software.

Don't confuse Signal the application source code (which is free to fork and modify), governed ONLY by the GPL under which it is licensed, with Signal the web API service, which has a separate and unrelated terms of service that applies to the people who connect to and use it.

The beauty of the GPL is that you can't restrict forks or features or publication of free software simply because it has your URL in it.

@Dorson
Dorson commented Feb 9, 2021

Just make it an official goal and vision of the app.

Censorship proof communication can serve humanity to save the few real democracies that exist.

In real terms it will be a hard compromise and always a balance between different methods that will change over time.

Privacy as the basic vision does indirectly include censorship resistance.

@nicholascw
nicholascw commented Feb 9, 2021

Hi,

I am Nicholas from the V2Fly community, where I focus more on technical writing and translations than on the actual codebase. After reviewing the event and talking with a few of the first parties, I personally reached the following conclusions about this event, which are solely on my own behalf and based on my limited point of view.

In this event, neither our researchers nor Signal's administrators acted in a very professional manner.

Firstly, it is never the right move to release a PoC without prior notification to the related parties and a reasonable response time, and I am not justifying that. I am also not at all surprised that critical criticism of their product's security, which is what they have always advertised, would irritate a 501(c)(3) organization that runs on donations and values its public image, and therefore lead it to make irrational decisions.

However, after reviewing their initial blog post, even though there are multiple paragraphs indicating that it is a temporary, workaround-like, not at all sophisticatedly designed, and not even fully tested solution published as a beta, it still looks too promising to end users, especially its intended users. They did not warn end users about the risk beforehand, and they also did not treat the raised issue seriously enough afterwards. Yes, I even agreed with Moxie's tweet that "Yes, a proxy will always be detectable as a proxy" when we encountered Qv2ray's probing issue against v2ray-core, but I believe it is not hard to warn users that a proxy which "is designed to blend into the background as much as possible" is not working as well as it probably needs to, and to let those who are "setting up a Signal proxy and letting the world know" also learn about the potential risks they face if they are to some degree governed by those they are up against.

It is never that simple to work on security-related issues in any field, and I believe everyone in both our community and the Signal community shares a similar motivation, which is to work for a free Internet. I look forward to seeing Signal release security advisories and follow-up fixes for the issue raised, and at the same time to everyone who finds security-related issues disclosing the details in a more responsible, more professional manner.

Nicholas [email protected]


@dylanbabel

I approve this message.
