A Statement on Recent Events Between Signal and the Anti-Censorship Community

243 points by 1una, over 4 years ago

26 comments

hiq, over 4 years ago
The answer from Moxie to these people: https://github.com/signalapp/Signal-TLS-Proxy/pull/15#issuecomment-774982590

I think that says it all.

I'm also a bit concerned that "security researchers" don't seem to understand the threat model. Signal has never claimed to be able to hide that it was being used. The TLS proxy is only meant to help circumvent censorship, not obfuscate its protocol. And indeed, as a temporary solution, it's not ideal even to circumvent censorship. But they're apparently working on something better, and all this distraction is not helping.

nexthash, over 4 years ago
It seems that a couple of security researchers from this community felt that Signal's implementation of a TLS-in-TLS proxy to allow its use in censored Iran didn't live up to their standards (it can be detected by censors and blocked). However, after Signal rejected this issue, they turned toxic and were prevented from posting anymore [1].

The above post is their reaction, which feels more like them lashing out rather than attempting to uphold the greater values of the anti-censorship community. I feel that it doesn't benefit anyone that they behaved this way, choosing to attack the Signal team and the reporter of the article below, rather than resolving the issue productively while allowing the community to continue focusing on their mission.

[1] https://www.bleepingcomputer.com/news/security/removal-notice-for-signal-article/

edent, over 4 years ago
Moxie - and the Signal team - seems to have a real issue taking feedback from outside experts. See the way he has been completely dismissive of the IME vulnerability highlighted by Naomi Wu and others.

I remember back when it was TextSecure - I tried to raise some usability and security issues. First I was ignored, then dismissed, then - a few years later - they implemented some of the changes.

I still use Signal. But the way the project is run is, dare I say, arrogant and dismissive.

smokey_circles, over 4 years ago
Sorry, where's the vulnerability in _signal_ here?

The TLS proxy is not sufficient. Marlinspike addressed this in their incredibly childish PR [0]:

> As we said in the blog post, it is nothing more than a simple TLS proxy as an interim solution to help people while we're working on something more scalable and more robust

I'm not so sure they made it clear they were working on another solution in that blog post [1], but it's a known problem that proxies can be fingered. I don't see the value add here and I can't read this as anything other than "boo hoo, we weren't listened to" (which is not surprising, given their behavior)

[0]: https://github.com/signalapp/Signal-TLS-Proxy/pull/15#issuecomment-774982590

[1]: https://signal.org/blog/help-iran-reconnect/

henearkr, over 4 years ago
Yes, indeed, I'm baffled that the people from Signal who dismiss these critics think that the only people possibly "endangered" are the proxy owners.

It does not cross their mind that the users are immediately endangered too.

They don't understand that it is very easy to identify the proxy users once the Signal proxies themselves are detected?

I'm here replying on the top level to this comment, because I think this is very important: https://news.ycombinator.com/item?id=26076113

Edit:

Actually it is because it is a different problem they are trying to solve.

What Signal is solving by these additional proxies is to avoid being blocked. So this is orthogonal to avoiding the detection of users.

The real way to avoid detection of users is going through something like Tor.

Edit 2:

The real problem is that, in countries where Signal is blocked, it is ALSO forbidden and illegal.

If it was just blocked and not forbidden, nothing wrong in working around the blocking.

But actually permitting users to work around the blocking when it is illegal is not helping them, unless there is also a way to hide them. Else it helps them commit (overtly) the crime for which they risk many troubles.

Gatsky, over 4 years ago
Signal seems to get a lot of unfair criticism. I think this is at least partly because they made something a lot of people actually do use. This would otherwise be quite a rarity in cryptography.

This ‘statement’ is quite weird. Is it normal to declare oneself an oppressed minority over a github issue?

I feel like we should be a bit more charitable to people who make things. Otherwise nobody will make anything anymore...

baryphonic, over 4 years ago
> Our community have been silent for too long. We are the underdogs, doing the real work, and yet unappreciated by many people. Our opinions are underrepresented. That's what makes me believe that we must speak out this time, that we should release a joint statement, to condemn Signal's dismissive and irresponsible attitude to the anti-censorship community, and to call for our unity as a community and their immediate action on the matter.

What an entitled, self-serving, narcissistic framing. Even if their technical claims are 100% correct, they have almost no credibility issuing propaganda like this. Yikes.

oedmarap, over 4 years ago
I think both Moxie and Signal have to be more open to criticism instead of hiding behind either a CoC or a reactive/elitist mindset.

They can't eat their cake and have it. If they advise vulnerable groups to use their technology, then they're morally obligated to explore and mitigate any and all issues brought to the table.

Signal has lots of funding, so getting "insulted" is not an option — in my view that only applies to FOSS maintainers who work for free.

motohagiography, over 4 years ago
Even if I agree with the principles of the anti-censorship people, to be an activist to apply pressure on Signal for features instead of forking and building solutions is suspicious to me. Signal does a great job of frustrating mass interception, which I think was its original point.

Inventing new criteria and re-framing their product as inadequate for this scope change as an activism play seems insincere. We can expect this kind of pressure to be applied to all BDFL-run software projects, as I think there is an emerging organized play to insert new governance over foundational internet software.

GekkePrutser, over 4 years ago
Yeah moxie is the #1 reason I don't promote signal to my friends as an alternative to WhatsApp. His attitude to third party clients I find very bad too. They could have added a lot of usability to the signal ecosystem.

If I move to something else it had to be fully open, not just the source of the app but the network too. Moxie is just creating another walled garden. A lot less microphones hanging in the trees than WhatsApp but still a walled garden.

KingOfCoders, over 4 years ago
"Who we are [...] V2Fly maintains V2Ray, a proxy and routing tool that helps people behind China's GFW and Iran's Internet firewall stay connected to the internet."

say_it_as_it_is, over 4 years ago
Signal seems like a magnet for toxic avengers. It's really unfortunate because every negative interaction has a cost. It doesn't matter how valid what "net4people" is claiming because how they're saying it is unacceptable. The Signal team has its reasons for not adopting their recommendations. That's enough.

h_anna_h, over 4 years ago
Reminds me of the way that signal handled RealSexyCyborg's report of how 3rd party keyboards often leak data.

jancsika, over 4 years ago
Do I have it correct that the anti-censorship team refused to take the trivial step just to copy/paste their original issue on a forum as suggested by the project?

sneak, over 4 years ago
As I wrote in a comment[1] in their other attention-seeking post[2], they keep talking about "risks" and "vulnerability".

There's no exploit or vulnerability here (despite their use of the "PoC" and "responsible disclosure" terms that apply to such things). The fact that you can detect a Signal proxy as a Signal proxy isn't a vulnerability; if it gets censored you're no worse off than you were if that proxy didn't exist: the main Signal servers are censored in Iran already. Indeed, this is the Signal circumvention proxy working precisely as designed.

As I understand it, these people got banned from the Signal forum for spreading this FUD there, too. Predictably, they started accusing Signal of some coverup. They managed to get an interview to further publicize their FUD, but eventually reason prevailed and that was pulled by the author, too.

Sometimes I really wonder the motives and identities behind the people causing such massive and unnecessary drama and fear in the community surrounding the only mainstream, reliable, end-to-end encrypted messenger out there. iMessage and WhatsApp both got their end-to-end crypto backdoored en masse via plaintext backup/escrow systems, but Signal remains generally safe and secure (provided general endpoint security practices are followed). These sorts of FUD attacks make me wonder about why they're happening, and the motives and incentives of the people causing them.

One of the people harassing Moxie about it on Twitter has <50 followers and an account that's only ~2 years old, with only a handful of posts in that time. My money's on sockpuppets.

1: https://github.com/net4people/bbs/issues/60#issuecomment-775179822

2: https://github.com/net4people/bbs/issues/60

ComodoHacker, over 4 years ago
What interests me more, is Signal's principal stance about censorship. If non-tech people ever come to Signal in numbers, the moderation problem will inevitably arise. Would they censor things that we currently have public consensus about? Like CP, terrorism etc.

1una, over 4 years ago
relevant: https://news.ycombinator.com/item?id=26031668

_carbyau_, over 4 years ago
I would have thought that most any "large" complaint regarding "Your Open Source software doesn't do what I want!" could be resolved with "Well, you do it then."

Doubly so if the complainants claim to be experts of some kind.

cheph, over 4 years ago
Signal's architecture makes it incredibly prone to censorship on multiple levels. Rather focus your energy on something which is not as architecturally prone to censorship such as Matrix or XMPP.

ostrophonics, over 4 years ago
why is instant messaging so important? why can't people use eg an encrypted tor bridge to send and receive encrypted emails? or is a mobile phone cheaper/more practical than a laptop in such a situation?

omginternets, over 4 years ago
Does HN recommend a particular "getting started with Matrix" guide?

lionkor, over 4 years ago
Offtopic, but what's with all the PGP signatures? One message is literally just "this message is signed with my key", followed by a key and a previous key. Is this a meta joke, automated signing (like signed emails), or am I tripping?!

jswizzy, over 4 years ago
William Barr would have them all in jail.

rq1, over 4 years ago
Elon Musk should tweet about Matrix.

Signal team seems completely irresponsible here.

Censorship in countries where this app could help puts opponents' lives at risk and already led to executions.

shame_of_cndev, over 4 years ago
A group of security researchers who:

* Publish the exploit before the vendor knows it

* Publish the exploit before the vendor delivered the patch

* Send their own opinion to every media possible (including ycombinator) without mentioning the full event, and using a new account to look more neutral

* Disrespect other people

* And also have their own "secure" software (v2fly, v2ray, ...)

Okay, looks like we need to have a new definition of "security researcher".

I think Signal did what they should do when communicating with those "trick or treat" guys: treat me with fame, or I'll trick you with a PoC. Is there a better word to shorten this review...? Oh there is: robber.

guytv, over 4 years ago
Censorship and privacy are important issues. So is civilised online debate, and communities learning to work together in a nice way.

I admire the people that put in time and energy to create a safer future for us all.

Hope that this is not going to be taken the wrong way, but whenever I read such threads (and again - I respect all the people involved, their efforts and the importance of these issues) - I can't help but be reminded of this: https://www.youtube.com/watch?v=a0BpfwazhUA