Submitted by southerntofu in Tech (edited )

Yet another instance of Signal making very wrong technological choices placing people in dangerous situations. Previously, in "Signal fails":

  • Signal uses phone numbers, which are both uniquely-identifiable (and are further tied to a unique IMEI number per device) and easily hackable (thanks to SS7 known vulnerabilities)
  • Signal refuses to federate with other servers, claiming they know security better than everyone else and so everyone on this planet should trust them for their privacy because everyone else is incompetent
  • Signal actively bans 3rd party clients implementing their protocols, or forks trying to remove anti-features (such as LibreSignal did years ago by removing Google Play Services malware dependency)
  • Signal publicizes everyone's phone numbers in public chatrooms, so perfect strangers can end up harassing you on the phone just because you were in the same room as them

And now, in this episode of #SignalFails:

  • A: the Iranian government just decided to ban Signal by dropping packets to the Signal servers
  • B: quick, deploy a TLS proxy!
  • A: done! But we still advertise "signal.org" destination in plaintext SNI headers, because we don't want to terminate TLS on the proxy itself. Won't this put people at risk? (EDIT: this was a wrong assumption on my part)
  • B: noooooo way lol and if it happens we'll just say it's the fault of the government and we had no way to know
  • C: hi i'd like to report a life-threatening bug in your proxy for iranian folks
  • A: close ticket, remove Github issues entirely
  • C: (on forums) hi i'd like to report a life-threatening bug in your proxy for iranian folks... CENSORED BY AUTO-MODERATOR BOT
  • D/E/F: (on forums) why is signal doing it this way? there's plenty of good proxies like Tor for such situations, and the method you use is highly insecure! (EDIT: the method is not "highly" insecure, though the server can be proved to be a signal proxy (see comments))
  • G: we cannot do anything against powerful attackers, and they can't know what we're doing with this HTTPS traffic without doing weird complicated stuff
  • D/E/F: WTF G? we told you that's not how SNI header works and they can just record/block anything SUPER easily. They know what service your proxy is serving to users because that's what the SNI header was invented for in the first place, and that's why in the past years there's been a push to encrypt SNI headers (with ESNI). Why don't you facilitate usage of Tor with Signal, and keep on working what you know how to do? (EDIT: not entirely true, see comments)
  • H: we're never gonna use Tor network or its obfuscation methods (obfs4/snowflake) because why the hell would we?

In the next episode of #SignalFails...

7

Comments


86944 wrote

why are you endangering people

Because it's being used outside of its designed use case. Signal is just a more secure replacement for SMS and normal telephone calls. It wasn't meant to provide perfect anonymity; it wasn't meant for use in oppressive regimes like Tor and Tails are.

Signal makes a fine replacement for standard SMS and phone calls. The Signal Foundation and people in general need to stop pretending it's ready for anything more in its current state.

That said they claim they're working on removing the phone number requirement.

6

Hibiscus_Syrup wrote

My main interest is just, what is the safest messaging platform?

I assume nothing's completely safe, and where I live it's not uncommon for people to steal your communication tech at gunpoint and use that to know all of your networks, plans, actions.

But if we have to use something, and it has to have minimum buy-in from the broader population, what do we use?

4

southerntofu OP wrote

Like you said, nothing is completely safe. No system can truly protect us from "evil maid" attacks, or from a $5 wrench attack. For the second case, some encryption systems like Veracrypt support hidden volumes for plausible deniability: you have two passphrases, and are free to reveal one to a non-compromising volume (while the existence of the second partition cannot be proven). Few systems support this, though it is a very useful property.

Actual security has a lot of practical downsides. Tails will protect you from most attacks (though not the two mentioned before), but you have to:

  • be sure no one has altered your Tails key
  • be sure no one has planted a microphone/camera where you are using the computer

About instant chat, there is no magical solution. Jabber/XMPP is really good against passive observers because it's so Tor-friendly, but no client will protect you from someone gaining access to your system. Encrypted local storage of settings/logs (with a passphrase to open the app) is possible to implement, but nobody has done it yet (to my knowledge).

6

[deleted] wrote (edited )

3

yam wrote

due to the systemd problem.

Are you aware of any security issues or freedom issues with Tails' use of systemd?

I'd rather go for Heads than Tails

Latest release is 2 years ago. Latest update to the Heads website was March 2018.

I used to run Dyne:bolic, also published by dyne.org but, as you can see, latest release is from 2011, and it's still up there. The dyne.org team have an issue around publishing out-of-date software, which is fine with a multimedia distro like Dyne:bolic, but disconcerting with a security focused distro like Heads.

2

[deleted] wrote

1

celebratedrecluse wrote

why not? I assume it periodically uploads data of interest whenever online.

3

[deleted] wrote

1

celebratedrecluse wrote

Eh, with gigabit becoming more common in many places, and 5G mobiles, it's trivial for network operators with root access to your device to upload whatever they want in the background. There are even economic contractual ways that this has been priced into agreements, e.g. YouTube or Spotify making deals with a mobile provider to not charge data for their traffic on the user's data account.

2

yam wrote

For more permanent distros, tho, those like Whonix, Gentoo and FreeBSD are paranoid-level of security.

Totally! Or QubesOS. Or Alpine.

Alpine is very secure while also having a crazy fast package manager, and you can run the whole system in pure memory so large apps boot instantly, although you cannot have too many large apps installed that way.

Tails should be the better tradeoff between security and out-of-the-box usability.

Yea.

I'd say it also depends on the person and the use case. I see some people coming straight from Windows to Tails, because they heard it's secure, but they are bound to be surprised by the home folder being wiped on every boot.

In my experience, also some people will like the talk about "paranoid-level of security" while still using some of the popular pre-compromised apps, like Zoom, Google Docs or Slack. For those people, I'd say the first step is to get off those.

Let's never forget about the Intel ME backdoor too. Even though that doesn't mean everyone's being watched 24/7 on their computer.

It's so messed up. In some twisted way, it's kinda cool that pretty much all laptops run Minix though.

In my guesstimate, human error, like posting something on a forum like this, or emails sent to Gmail addresses, is way more likely to be the source of compromise than IME hack.

I'd love to be free of IME but I've given up on using 32-bit laptops.

I could of course buy a new laptop with Libreboot online, but I also think there's value to re-using old hardware, and it's much cheaper. A way to fight planned obsolescence. I have to use Debian Testing with non-free drivers for the backlight to work, so not super compatible with 100% free drivers. That Crimethinc post that was pinned also makes a point about recycling computers:

»1. Manufacture no new computers, but use existing resources to maintain current machines.«

Any experience getting rid of IME? Or finding laptops without it? (It's only 32-bit ones, right? With max 2GB mem, right?! Ouch)

The issues with systemd should be the same as on Debian or any other systemd-based Linux.

My main issue with systemd is that it's not fast. Alpine's Openrc is super fast, but you have to add the startup apps on the commandline. That's not for everyone.

I don't run modern Gnome because it makes my laptop crawl. mpv dropped Gnome support for a while and just refused to run. But for people who have newish laptops, Gnome is really slick, and everything just works: backlight brightness, bluetooth, redshift, dark theme, laptop lid settings, volume buttons, multiple speakers and screens, even window tiling layout (where xfce and lxde and all non-tiling window managers are just shite), keyboard layout with multilingual compose key, advanced touchpad config, package management "app store"-lookalike. I think Gnome developers are doing interesting stuff, and I'm glad it exists, but I wouldn't use it myself.

2

[deleted] wrote

5

southerntofu OP wrote

Element is a web application, so a server getting compromised will not only compromise all your metadata, but can also compromise your e2e-encrypted content retroactively (by compromising your private keys). Matrix as a protocol does not have this problem, but all web-clients (of all protocols) share this property.

Session I haven't tried, but it's really weird how their entire website doesn't talk about their cryptocurrency. You have to follow links around for that. Doesn't look very legit?

4

celebratedrecluse wrote

I agree, the following are just my thoughts

XMPP w/ OTR and with network traffic routed through Tor is better than element for individual conversations that need to be extra anonymous while still being encrypted. It is relatively straightforward for power users to set up burner XMPP profiles.

Element has more functionality for larger groups and casual conversations. However, since it is a web application, it comes with security and privacy problems, because you need to self-host and take on the responsibility of being a server administrator to really secure the platform.

4

[deleted] wrote (edited )

3

celebratedrecluse wrote

At the root, if it requires $600+ to buy a phone which even pretends to respect your privacy, then only rich people

some sort of scaling of capacity to reduce the cost of getting devices with unlocked bootloaders, would be great. failing that, we'll just have to rely on the gaps in coverage of the police state, and assume the surveillance game is pretty much lost from the get-go for any group over 6 people.

4

Hibiscus_Syrup wrote (edited )

Thanks. Unfortunately I would be all alone if I was using those programs in my context.

Never heard of Session, I'll guess it's not as popular as Signal because of the instability then.

4

yam wrote

Element (Riot), and good old XMPP.

Self-hosted Etherpad-lite is also good, if you have an old laptop running around, and can spend a minute forwarding the router port and getting a free cert from LetsEncrypt.

Alongside Syncthing for sending large files. XMPP is really not good at file sharing, because support and implementations vary so wildly among the clients. It often just fails.

Syncthing compares more to Dropbox but direct transfer so no artificial limits or snooping.

3

southerntofu OP wrote

So after investigating this some more, I came to the conclusion my original post was misleading. The outer HTTPS proxy only reveals the proxy's SNI, not Signal's, so passive man-in-the-middle attacks will not detect you are running Signal. It is therefore not "highly insecure".

However, as the issue on Github advertises, Signal proxies with their config can still actively be probed to check whether they are Signal proxies or not with 100% certainty. So identifying Signal traffic becomes more expensive (upon inspecting a TLS connection, need to probe the target to check whether it's a signal proxy) though not impossible. Still, it's impossible with passive monitoring tools.

However, passive monitoring tools which record SNI headers (to the proxy) will allow government services to retroactively detect who was using a Signal proxy. This is still bad, though not as bad as I thought. Such after-the-fact verification is very fast and cheap; what's more expensive is to do it in real-time as a MITM to decide whether to drop the packets or not. So as a conclusion, this Signal proxy does actively circumvent censorship, but does not protect from repercussions of doing so (repression).

Sorry for spreading misinformation. Though, many other criticisms of Signal still apply.

4
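The correction in the post above (a passive observer of the outer TLS connection sees the proxy's hostname in the plaintext SNI, while the inner connection to the real service travels as opaque application data inside that tunnel) can be checked with a small ClientHello parser. This is an added example, not code from the post, from Signal, or from the proxy project: the TLS records are constructed inline, the "tunnel" encryption is a toy SHA-256 keystream standing in for the outer record-layer crypto (not real TLS), and the hostname proxy.example.net and the key are made-up values.

```python
import hashlib
import os
import struct

TLS_HANDSHAKE = 0x16        # record content type: handshake
TLS_APPLICATION_DATA = 0x17 # record content type: (encrypted) application data
HS_CLIENT_HELLO = 0x01      # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000    # extension type: server_name (SNI)


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS ClientHello record carrying an SNI extension.
    Constructed for illustration only; not a complete or negotiable handshake."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host     # name_type=host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                             # client_version (TLS 1.2 wire value)
        + os.urandom(32)                        # client random
        + b"\x00"                               # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
        + b"\x01\x00"                           # compression methods: null only
        + extensions
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """What a passive observer can read: the host_name from the SNI extension
    of a plaintext ClientHello record, or None for anything else (including
    application-data records, whose payload is ciphertext)."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                  # skip version and random
    if pos >= len(body):
        return None
    sid_len = body[pos]; pos += 1 + sid_len       # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
    cm_len = body[pos]; pos += 1 + cm_len         # compression_methods
    if pos + 2 > len(body):
        return None                               # no extensions block
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        edata = body[pos:pos + elen]; pos += elen
        if etype == EXT_SERVER_NAME and len(edata) >= 5:
            lpos = 2                              # skip server_name_list length
            while lpos + 3 <= len(edata):
                ntype = edata[lpos]
                nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                name = edata[lpos + 3:lpos + 3 + nlen]
                if ntype == 0:
                    return name.decode("ascii", errors="replace")
                lpos += 3 + nlen
    return None


def toy_keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for the outer tunnel's record encryption (SHA-256 counter
    keystream). NOT TLS record-layer cryptography; only here so the inner
    ClientHello is opaque bytes on the wire."""
    stream = bytearray()
    ctr = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def captured_records(proxy_host: str, inner_host: str, tunnel_key: bytes):
    """Constructed capture of a TLS-in-TLS proxied connection as seen on the wire:
    record 1 is the outer ClientHello to the proxy (plaintext SNI = proxy host);
    record 2 carries the inner ClientHello (SNI = real service) as ciphertext."""
    outer = build_client_hello(proxy_host)
    inner = build_client_hello(inner_host)
    ct = toy_keystream_xor(tunnel_key, inner)
    app = bytes([TLS_APPLICATION_DATA]) + b"\x03\x03" + struct.pack("!H", len(ct)) + ct
    return [outer, app]


def observer_view(records):
    """Every hostname a passive SNI logger would record from this capture."""
    return [n for n in (extract_sni(r) for r in records) if n is not None]


if __name__ == "__main__":
    recs = captured_records("proxy.example.net", "signal.org", b"constructed-key")
    print(observer_view(recs))  # only the proxy hostname is visible
```

Running it shows the observer's log contains only the proxy hostname: the inner connection's SNI never appears in cleartext, which is the post's corrected conclusion. What the parser does recover, the proxy hostname, is exactly the record that enables the after-the-fact attribution the post still warns about, which is why the residual risk is on the proxy hostname rather than on the destination.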

yam wrote (edited )

Signal actively bans 3rd party clients implementing their protocols,

I agree with most of your points, but I'm not sure this is an accurate description. Moxie asked LibreSignal not to use their servers (and use the word "Signal" in their app name), which I think is silly, but I'm pretty sure there's been no code implemented to actively block 3rd party clients.

LibreSignal chose themselves to adhere to Signal's request, which I don't think they should have, but there's plenty of Signal forks and alternative clients around using their servers, signal-cli being one.

But Google shouldn't be able to demand you use Chrome on their sites, and Facebook shouldn't be allowed to shut down sites called anything with "book" in it, like failbook, and similarly Signal just shouldn't be able to demand this.

(I'm currently working on an alternative Signal client for desktop, built on top of signal-cli.)

Signal publicizes everyone's phone numbers in public chatrooms, so perfect strangers can end up harassing you on the phone just because you were in the same room as them

Signal does show a dialog box when being invited to groups though. Does Signal even operate with the idea of "public chatrooms", like Telegram does? I thought there was only groups, and groups v2 with video chat.

Harassment calls can be an issue. Many phones support sms / call blacklisting, and Signal supports blocking.

4