Signal vs Anti-Censorship Community

After raising an issue about Signal’s new proxy implementation designed to circumvent the Iranian government’s censorship, @DuckSoft and @studentmain have been repeatedly dismissed by Signal and its co-founder Moxie. They have found that Signal’s simple TLS-in-TLS proxy is subject to simple active probes, and can be detected by conventional DPI systems.

:popcorn: :popcorn: :popcorn:
https://www.bleepingcomputer.com/news/security/removal-notice-for-signal-article/

1 Like

Hmmm… Moxie’s posts seem to indicate that this isn’t a surprise and that this is all self evident. I have yet to see someone respond to that and explain why that is the wrong idea about this.

Personally Signal’s dependency on your cell number is already giving up your anonymity.

However, just trying to convince people to use something more secure is such a pain in the butt, that I can understand their reasoning for using it. Cryptography is incredibly complex and difficult. Most of the reasons I’ve seen Moxie give for using the number make sense.

I’m just glad I can roll my own secure chat services, and don’t have to hope Moxie’s pretty radical opinions don’t one day negatively affect Signal.

The way I understand this so far, is that it’s rather about lulling users into a false sense of security. (Meaning, Iranian dissidents might trust these proxies (full encryption!) without understanding how easy it is to probe that encrypted proxy to figure out what kind of business you’re doing when connecting to it.)

I saw a side-argument on Twitter about how much messengers do or don’t inform their users that their Chinese Android on-screen-keyboard WILL spy on them.

Admittedly, similar problem. But will Signal always leak it?

Yeah, you are right. Fortunately, username auth is on its way and there are already parts of it upstream! Shouldn’t take too long until finished. :slight_smile:

I can understand that. However, I had the impression so far, the Signal devs just labeled their measurements as circumvention of blocking - so Signal works again. Not as something anonymous. I agree, that could lead to serious problems in some countries…

I am not aware of how the Deep Packet Inspection works in Iran. But we could ask Nokia or Siemens, they sold their interception system to Iran over ten years ago. I think the answer to your question depends on how Signal addresses and transmits data to end devices. We would have to assume that this metadata can somehow be leaked.

No, I was not talking about DPI. If that would leak your phone number, it would mean the encryption is useless :slight_smile:
I mean, can authorities probe “this phone number uses signal” just as easily as “this IP connected to a hidden Signal proxy”.
IOW, can you effectively turn off the disclosure of your phone number via Signal? E.g. not found via contact search, and not offering to start a chat to that number.

Yeah you are right, I wanted to refer to general interception mechanisms in that sentence. :slight_smile:

No that’s not possible.

I abandoned Signal a long time ago, when I understood that they don’t care about decentralization and are creating another walled garden. By the way, where is the server source code with the latest updates?
https://matrix.org/blog/2020/01/02/on-privacy-versus-freedom
Good thing is that Purism chose Matrix for Librem 5 native communications.

3 Likes