First of all, thank you Moxie and the Signal team for this proxy.
Until 2018, many Iranians used Telegram, but Iran's regime blocked this messenger after Russia did. Telegram released MTProxy and this proxy was helpful. Russia lifted the ban on Telegram, but this app is still blocked in my country; with VPNs, many Iranians still use it. After 2018, the second most popular messaging app in Iran was WhatsApp, until Facebook's new privacy policy; like all of you, many Iranians switched from WhatsApp to Signal. The mullahs' regime removed the Signal app from the Iranian app stores and started blocking all Signal traffic in the country, but they don't block WhatsApp. I'm not paranoid, but it is difficult for me to understand why they didn't block WhatsApp after 2018. Can they break WhatsApp's encryption?
I have a suggestion for the Signal team: please put Tor in Signal; Tor is better than any proxies or VPNs.
I'm a big fan of the idea of independently-run proxy servers.
Caddy has a secure forward proxy plugin born out of a research project at Google that does something similar, but works with any clients that let you configure HTTP proxies, and doesn't terminate TLS: instead it tunnels it over TLS. The proxy server itself can also be probe-resistant, i.e. difficult to detect that a website is acting as a proxy.
(Edit: Disclaimer - Don't use this in situations where your personal safety or freedom could be at risk... not yet. Not until more people with more experience can vet its implementation for bugs, and a very clear threat profile can be drawn up. If you have experience with this, we'd love your help.)
The reason why I have a general disregard for technologies that are based on some sort of "link" AFK, phone number or the stupid Facebook real name policy: this is, as of today, being used to crack down on dissent. What you are saying is true, but https://thenextweb.com/in/2020/01/08/kashmirs-police-want-pe...
When you have your govt do this, how can you keep your Signal account private? Your phone is already listed, isn't it? Can't the police see if you are on Signal, and if you are online, that means you are bypassing them somehow, regardless of what you might be saying?
Does this use TCP over TCP (painful in the face of packet loss[1]) or can you do something like using QUIC for the forward proxy to try to avoid breaking the tunneled TLS connection's retry timers?
It's an irony how American companies try to circumvent another country's law (regardless of whether you call it censorship or not, it is still a law) and boast about it.
Yet, in the US these companies help the mainstream narrative to enforce censorship by banning (Google and Apple app markets) or simply not offering other points of view basic hosting services (AWS).
I am an Iranian and don't agree with all of our government actions but I can clearly see a tech neo-colonialism/neo-imperialism here. I am sure Signal's intention and people wanting to help is genuinely good but this does not change this double-standard.
I would like to see your supportive reaction if an Iranian company offers hosting to Parler. I imagine you would call it foreign intervention!
So their government is blocking Facebook, Twitter, Youtube, Telegram, Signal, BBC, CNN, Netflix, and probably many other social and media platforms.
Meanwhile we are blocking Iranians from accessing Docker, Slack, Gitlab, Google Code, Github (Github until recently), Paypal, Apple Store, Play Store, AWS, Coursera, Adobe, Nvidia, AVG, Avast, Symantec, McAfee, Matlab!!, Oracle and many more.
It is not fun. Trust me. I am an Iranian and I used to sell VPN back in Iran when I was in high school. I had hundreds of users and I was threatened with prosecution and I left the country. Literally everything is blocked except government or university websites. On the positive side, you can Torrent as much as you want or download any music or hack websites and it is completely fine :)
Spot on! This is the 21st century's version of being born into a poor African American family.
Jokes aside, it's truly painful. I was lucky to have a job that got me out easily. Though it felt embarrassing when I was seeing everyone using Docker and AWS extensively at my new job while I had never used them properly, not because I wasn't smart enough but just because of where I was born :(
Why can't they just ship Signal with a Tor client? This is precisely what Tor was built for.
They can donate some money to charities running Tor nodes while they're at it, or run some themselves.
Iran tried to censor Tor too, but it's pretty much impossible to do so fully. At least the Tor devs are usually on top of it, while Signal is inexperienced dealing with things like this.
What makes you think that it’s hard to block Tor? Even Kazakhstan blocked Tor many years ago. They’re using DPI: connection opens, client can write data, but can’t read anything which is frustrating from user PoV.
Of course it's hard to censor Tor, but is it really hard to outright block it? Last time I looked into it, you could just fetch the list of edge nodes that have to be public by design and block all of those.
Damn, I've read the code. This won't work against an active probe. Censors just use Signal domains and non-Signal domains to test your proxy. If Signal domains get passed and non-Signal domains get denied, you are fucked. Besides, TLS in TLS is highly identifiable by simple packet length DPI. I'd hope there's a better plan.
I could not test it with the Signal client yet, because the Beta is not yet available for me. However I verified that the nested TLS works using openssl and netcat.
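The routing step that the two comments above turn on (the proxy reads only the inner ClientHello's SNI, forwards allowlisted names, and must not answer a non-allowlisted name any differently from any other broken connection), as an added example that is not code from the Signal proxy, from Caddy, or from either commenter. The allowlist, the `build_client_hello` helper and the constructed ClientHello bytes are assumptions made for this illustration.

```python
import struct

# Illustrative allowlist of inner SNI values the proxy forwards (an assumption
# for this example, not the Signal proxy's own config): name -> upstream.
ALLOWED_UPSTREAMS = {
    "chat.signal.org": ("chat.signal.org", 443),
    "storage.signal.org": ("storage.signal.org", 443),
    "cdn.signal.org": ("cdn.signal.org", 443),
}

SNI_EXT = 0x0000  # server_name extension type (RFC 6066)


def _u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0]


def parse_sni(client_hello):
    """Return the host_name from a raw TLS ClientHello record, or None.

    This is all an ssl_preread-style router gets to see: it walks the first
    record's length-prefixed fields up to the extensions and never decrypts."""
    if len(client_hello) < 5 or client_hello[0] != 0x16:  # not a handshake record
        return None
    body = client_hello[5:5 + _u16(client_hello, 3)]
    if len(body) < 4 or body[0] != 0x01:  # handshake type 1 = ClientHello
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    try:
        off = 2 + 32                               # legacy_version + random
        off += 1 + hello[off]                      # session id
        off += 2 + _u16(hello, off)                # cipher suites
        off += 1 + hello[off]                      # compression methods
        end = off + 2 + _u16(hello, off)           # extensions block
        off += 2
        while off + 4 <= end:
            ext_type, ext_len = _u16(hello, off), _u16(hello, off + 2)
            off += 4
            if ext_type == SNI_EXT:
                # server_name_list: len(2) { name_type(1) name_len(2) name }
                p = off + 2
                if hello[p] != 0x00:               # only host_name is defined
                    return None
                name_len = _u16(hello, p + 1)
                return hello[p + 3:p + 3 + name_len].decode("ascii")
            off += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                # truncated or malformed
    return None


def route(client_hello):
    """Upstream for an inner ClientHello, or None when the name is not allowed.

    A proxy must handle None the same way it handles any broken connection
    (same timing, same close) so that a probe cannot tell the two cases apart."""
    sni = parse_sni(client_hello)
    return ALLOWED_UPSTREAMS.get(sni) if sni else None


def build_client_hello(server_name):
    """Constructed minimal ClientHello carrying a single SNI (test input)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)          # legacy_version, random (zeros)
            + b"\x00"                         # empty session id
            + b"\x00\x02\x13\x01"             # one cipher suite
            + b"\x01\x00"                     # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Feeding `route` a plaintext HTTP request or a truncated record yields the same `None` as a non-allowlisted name, which is the property the proxy's connection handling has to preserve on the wire.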
Signal should be federated. This censorship problem would not exist, or would be organically routed around, were the service federated.
Without federation, Signal is just another stepping stone in the long path of eventually abandoned instant messengers, all the way back from ICQ. We will get to an SMTP-like protocol, and email-like service, at some point. If not Signal, some other one.
I'm not so sure. Moxie's reasons about how federation leads to protocol development slowing and then freezing are solid.
It's why we're not using SMTP for chat. SMTP can't be extended enough, so replacements are built instead.
Similarly, if Signal federated, eventually it would freeze and a few years later users would move to wherever they could get new features.
Federation is a good thing, but only when the protocol is finished or if there is a forcing mechanism to allow updates to the protocol. Ethereum/Bitcoin are good examples, as they have flag days that force the value of the currency to be in the balance to keep the protocol moving forward.
Moxie, one of the original authors of the Signal protocol, said federation severely restricted flexibility and so they had to move on: https://news.ycombinator.com/item?id=11668912
Do any SMTP servers still allow organic routing? I was under the impression that all modern servers have extremely cumbersome auth/DKIM and it's hard to not be Gmail and still send a real msg and have it arrive.
FWIW right now to any Iranian friends on here. We have Umbrella in Persian/Fa now available. It's a massive open source guide to digital and physical security. Everything from how to use Signal to how to deal with arrest.
How would you let users know about this proxy without letting their government know about it? Instead of platforms like Twitter, how about randomly giving out random proxies in some header that the app could query on Cloudflare or Google or Akamai? Does Signal already make use of any CDNs for out-of-band signalling and fail-over? If the Signal proxy could expose an obfuscated load metric, then the CDN could pick another proxy via health checks. The proxy could advertise itself via CDNs as well.
That's the trick isn't it: having an entire population know something an oppressive government doesn't.
Even if you teach everyone how to deploy their own servers, then that's the knowledge the government will start targeting. You can make blocks expensive, i.e. blocking other major, useful services that would disrupt society too much for them to want to deal with, but this of course has its own costs.
It's censorship and surveillance all the way down.
I think Signal is clearly recognising that nearly any server or system they create will be blocked, which is why they recommended this being done on an individual layer.
From the article:
> A more discrete approach would be to only send the link via a DM or a non-public message. You can post something like this on your favorite social network:
> * #IRanASignalProxy Reply to this thread if you want the connection details, and follow me so I can DM you the link.*
Generally speaking censorship by a government needs to be pretty poorly done at best. Taking out the bulk of the usage of Signal is easy, removing it completely is hard. Much better to apply minimum cost and effort where it counts most.
The high level takeaway then seemed to be that researchers were not focusing efforts on measures that can actually help more people resist censors. Have we made progress since then?
I do not know anyone in Iran but have spare cash to host a VPS or two. How can I help anyone without broadcasting my proxy for the censors to eventually get ahold of?
Signal could learn a lot from Telegram in this regard.
The Russian govt had tried to block Telegram, but Telegram servers just kept jumping over various CIDRs and users got the IP addresses for connecting over push updates, and the only thing the govt succeeded in was blocking a wide range of subnets, including AWS ranges and GCP ranges, thus disrupting a whole lot of businesses and even some government services.
That article notes that Signal has been domain fronting since 2016. I think google has cracked down on it more recently though, and hence Signal has had to circumvent censors in a new way
Feels like there could be a good business in providing this CIDR-hopping push-updating proxy as a service other apps could embed. Like what CloudFlare does for DDoS protection, but as a forward-proxy + client middleware, instead of a reverse-proxy.
> §560.204 Prohibited exportation, reexportation, sale, or supply of goods, technology, or services to Iran.
> Except as otherwise authorized pursuant to this part, and notwithstanding any contract entered into or any license or permit granted prior to May 7, 1995, the exportation, reexportation, sale, or supply, directly or indirectly, from the United States, or by a United States person, wherever located, of any goods, technology, or services to Iran or the Government of Iran is prohibited, including the exportation, reexportation, sale, or supply of any goods, technology, or services to a person in a third country undertaken with knowledge or reason to know that:
> (a) Such goods, technology, or services are intended specifically for supply, transshipment, or reexportation, directly or indirectly, to Iran or the Government of Iran; or
> (b) Such goods, technology, or services are intended specifically for use in the production of, for commingling with, or for incorporation into goods, technology, or services to be directly or indirectly supplied, transshipped, or reexported exclusively or predominantly to Iran or the Government of Iran.
For US citizens, does helping folks in Iran in this way with a Signal proxy fall under these terms?
I would keep in mind that the US has weird antiterror laws about assisting enemies and also laws which construe bypassing system designs as hacking.
For instance, Virgil Griffith is being held and charged for giving a high level description of bitcoin transactions at an academic conference in North Korea.
This is incredibly more specific and more technical of an act.
Virgil Griffith was told not to enter North Korea by the US government, and snuck in through China anyway. He admitted to specifically talking about how to use cryptocurrencies to avoid sanctions, and admitted he knew at the time that that was illegal.
Can someone who is a lawyer comment on this, please?
edit: further.. how is Signal shielded (if at all) from providing services to anyone in Iran? Wouldn't they be a target in such a case? The blog post is an explicit call for assistance specifically to do so.
This law is trivially easy to get on the wrong side of. Something like this would be definitely in scope of the anti-terror law you're talking about. American HN users beware.
I wonder how many First Amendment lawyers would be champing at the bit to take a case where a prosecutor was dumb enough to charge someone with a crime for assisting dissidents to communicate.
shervin01 | 5 years ago
mholt | 5 years ago
I'm hoping more people can help test the patch to support Caddy v2: https://github.com/caddyserver/forwardproxy/pull/74
2Gkashmiri | 5 years ago
>Don't use this in situations where your personal safety or freedom could be at risk
https://theintercept.com/2020/12/06/kashmir-social-media-pol... https://thewire.in/media/kashmir-journalist-auqib-javeed-pol...
theptip | 5 years ago
[1]: http://sites.inka.de/sites/bigred/devel/tcp-tcp.html
graaCHa | 5 years ago
[deleted]
doublestandard2 | 5 years ago
stunt | 5 years ago
It should be really fun to use Internet in Iran.
amir734jj | 5 years ago
319e82aff522 | 5 years ago
Siira | 5 years ago
notsureaboutpg | 5 years ago
[deleted]
pmlnr | 5 years ago
Is there no way to build this in the Signal clients themselves? E.g. one is on a wifi, try to UPnP, ask the user if they'd wish to help.
chmod775 | 5 years ago
vbezhenar | 5 years ago
viro | 5 years ago
franga2000 | 5 years ago
realducksoft | 5 years ago
djl0 | 5 years ago
I fully expect the US govt to have access to fb/whatsapp data (at least the metadata), but it's a bit surprising to me that Iran would too.
TimWolla | 5 years ago
https://gist.github.com/TimWolla/457c45dfccde26fc674dde4b3c7...
sergiosgc | 5 years ago
WookieRushing | 5 years ago
ignoramous | 5 years ago
vineyardmike | 5 years ago
robertfw | 5 years ago
secfirstmd | 5 years ago
More info: https://www.secfirst.org.
iOS: https://apps.apple.com/us/app/umbrella-security/id1453715310
Android: https://play.google.com/store/apps/details?id=org.secfirst.u...
Web (Beta): https://umbrella.secfirst.org
Github: https://github.com/securityfirst/
LinuxBender | 5 years ago
mholt | 5 years ago
cmroanirgo | 5 years ago
bijoo | 5 years ago
From the blog post, "A more discrete approach would be to only send the link via a DM or a non-public message."
> how about randomly giving out random proxies in some header that the app could query on cloudflare or google or akamai
That would "..increases the chance that Iranian censors will simply add those IPs to their block list"
It looks like the solution provided in the blog post is limited to helping folks run their own proxy for people they know.
RL_Quine | 5 years ago
ip26 | 5 years ago
blintz | 5 years ago
My last in-depth reading on it was the excellent 2016 SoK paper “Towards grounding censorship circumvention in empiricism” (http://www.cs.umd.edu/class/fall2018/cmsc818O/papers/sok-cen...)
ignoramous | 5 years ago
Tor, Jigsaw's Outline, and V2RayNG are worth keeping tabs on as they're FOSS projects and do much of their development in the open.
Lantern's development whilst it was still open source was fascinating to see as well. Since 2016 (I believe) they stopped doing so out of security concerns: https://twitter.com/adamfisk/status/1316569766832869377
pmlnr | 5 years ago
I'd heavily advise instead to run as many xmpp servers* as possible, and let people/friends use them.
*not matrix, unless one configures it to forget the data and only act as a message broker, like XMPP. For this specific use, it's better.
eatbitseveryday | 5 years ago
edit: https://twitter.com/alsdkjflasdkjf1
edit2: You can drop me a mail here, too: [email protected]
realducksoft | 5 years ago
dunefox | 5 years ago
nrvn | 5 years ago
They gave up and lifted the ban eventually.
https://www.schneier.com/blog/archives/2018/06/russian_censo...
sigmar | 5 years ago
emptybits | 5 years ago
Immediately recalling John Gilmore (GNU/EFF/etc.) in 1993:
"The Net interprets censorship as damage and routes around it."
agnosticmantis | 5 years ago
derefr | 5 years ago
unknown | 5 years ago
[deleted]
Triv888 | 5 years ago
eatbitseveryday | 5 years ago
https://www.ecfr.gov/cgi-bin/text-idx?SID=f384a46ec1b04cc7b2...
elif | 5 years ago
https://www.coindesk.com/usa-v-virgil-griffith-what-we-know-...
iudqnolq | 5 years ago
https://www.nytimes.com/2019/12/02/nyregion/north-korea-virg...
eatbitseveryday | 5 years ago
x86ARMsRace | 5 years ago
AnthonyMouse | 5 years ago