
A Joint Statement on Recent Events Between Signal and the Anti-Censorship Community

Open database64128 opened this issue 4 years ago • 38 comments

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

A Joint Statement on Recent Events Between Signal and the Anti-Censorship Community

Sorry to bother you all, but in light of recent events that have happened between Signal and some of our anti-censorship community members, it is my belief that we, a community that's dedicated to censorship circumvention and Internet freedom, must come together. In case you didn't know, here's a quick recap.

After raising an issue about Signal's new proxy implementation designed to circumvent Iranian government's censorship, @ducksoft and @studentmain have been repeatedly dismissed by Signal and its co-founder Moxie. They have found that Signal's simple TLS-in-TLS proxy is subject to simple active probes, and can be detected by conventional DPI systems.

Our community have been silent for too long. We are the underdogs, doing the real work, and yet unappreciated by many people. Our opinions are underrepresented. That's what makes me believe that we must speak out this time, that we should release a joint statement, to condemn Signal's dismissive and irresponsible attitude to the anti-censorship community, and to call for our unity as a community and their immediate action on the matter.

Timeline

  1. 2021-02-05 01:30 I saw the Signal post from Hacker News and forwarded it to them, thinking they might be interested. @ducksoft immediately realized it's a simple TLS-in-TLS proxy without any authentication, which is vulnerable to active probing.
  2. 2021-02-05 02:00 @ducksoft posted his doubts at https://github.com/signalapp/Signal-TLS-Proxy/issues/3. @studentmain wrote and tested a PoC, which was later added to the issue. A few hours later, they received a generic, dismissive reply from Moxie, only to inform them that they don't use issues for discussions like this, that the Signal forum should be used instead. Moxie closed the issue, then immediately disabled the repository's issues, rendering the issue page "404".
  3. 2021-02-05 08:00 Frustrated by Signal's dismissive response, @ducksoft reposted at https://github.com/net4people/bbs/issues/60, receiving support from the community.
  4. 2021-02-05 09:00 @ducksoft attempted to post at Signal community, getting banned immediately. Irritated, @ducksoft added a meme in the net4people issue and called out Signal for an explanation.
  5. 2021-02-06 12:00 @ducksoft sent a pull request that adds the PoC to Signal TLS proxy's repository. It has since been deleted and both @ducksoft and @studentmain were banned by the Signal organization on GitHub in the afternoon. A repost by @U-v-U was later closed and locked.
  6. 2021-02-07 01:00 A reporter from BleepingComputer contacted @ducksoft and did an email interview.
  7. 2021-02-07 06:00 Another researcher reported an issue with Signal's Android app on Signal community that could expose users to censors.
  8. 2021-02-07 17:00 The news article went live on BleepingComputer.
  9. 2021-02-08 00:00 Moxie responded to the article on Twitter, calling it absurd.
  10. 2021-02-08 02:00 In a phone call with BleepingComputer, Moxie made false accusations and baseless claims. BleepingComputer updated their article with Moxie's response.
  11. 2021-02-08 Later in the afternoon: BleepingComputer removed the original article under pressure from Moxie, citing "conflicting information" they have received. The original article can still be found in archive.

Our statement

Who we are and what we stand for

We are a group of volunteers from around the world, working together for the same goal of helping with censorship circumvention. We believe everyone should have equal access to a free Internet.

V2Fly maintains V2Ray, a proxy and routing tool that helps people behind China's GFW and Iran's Internet firewall stay connected to the internet.

The Qv2ray workgroup is a research group that focuses on the security of censorship circumvention tools. The workgroup has helped discover several flaws in V2Ray that could lead to detection by adversaries. The workgroup also maintains Qv2ray, a GUI frontend for V2Ray.

Shadowsocks for Windows is a cross-platform Shadowsocks client implementation in C#. We are a part of the Shadowsocks organization.

Why Signal should have listened to us

Signal might have their reputation rightfully earned with end-to-end encryption for all chats. But they are apparently no experts in the field of censorship circumvention.

With years of engineering experience fighting China's GFW, our community have the expertise in designing a proxy protocol that can circumvent firewalls and censors by keeping the traffic unidentifiable from normal Internet traffic.

What Signal has done wrong

Signal's proxy implementation has several critical flaws.

  • It's leaky. Signal's Android app leaks DNS queries when the built-in proxy is enabled.
  • It's prone to active probes. Without authentication mechanisms, the simple TLS-in-TLS proxy can be probed by sending 2 requests, one to Signal's server, one to a non-Signal server.
  • It can be easily detected by conventional DPI systems. Signal's unique TLS fingerprint can be picked up due to the absence of ALPN. DPI systems are also able to detect traffic patterns of a TLS-in-TLS proxy.

And this is not the first time that Signal ignores researcher's findings and voices from the community.

  • https://github.com/net4people/bbs/issues/60#issuecomment-773794570

Sergey Frolov shared his experience when reporting Signal Android app's TLS fingerprint issues. Multiple emails sent to Signal were all ignored. In the end they posted an issue in their repository and the issue has also been deleted.

  • https://github.com/signalapp/libsignal-service-java/pull/21#issuecomment-269930947

A developer in the open source community contributed this PR for the Signal's repository. In the end he only got a response from Moxie asking the contributor to start from smaller bug fixes to "get a feel for the project". The reply from Moxie has gotten 45 downvotes from the community so far.

  • https://drewdevault.com/2018/08/08/Signal.html

A former Wayland maintainer also shared his insight on Signal, over Moxie's hostility on the community and unwillingness of federation.

  • https://twitter.com/moxie/status/1358928060809027587
  • https://twitter.com/moxie/status/1358835853867425792
  • https://twitter.com/moxie/status/1358823241238806528
  • https://twitter.com/moxie/status/1358821482688700416

Since the takedown of the BleepingComputer article, Moxie has been claiming multiple times on Twitter, that a proxy is always identifiable, ignoring evidence suggested by anti-censorship researchers and our community members.

What we ask Signal to do

We urge Signal to issue a statement that informs its users of potential risks caused by the flaws of its proxy implementation. Signal must stop advising people in Iran to use its fragile, temporary solution. Instead, Iranian people should seek for other well-established solutions, like the ones from our community.

On a community level, we ask all of us to stop attacking each other.

We ask our community members to stay united, while keeping the conversations civil. Do not initiate personal attacks. Do not make up or spread conspiracy theories. Support our findings and explain with facts, instead of forcing our mindset onto other people.

We ask Moxie to apologize for his dismissive response and baseless claims. Let the people who understand the subject speak. Stop making false claims when you are not at all familiar with the subject.

We ask Signal to stop treating the anti-censorship community like adversaries. We are not your enemy. Treat the community with respect, by taking issue reports from the community seriously, by responding to our inquiries instead of deliberately ignoring us. Together we can fight censors and help build a better Internet.
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

database64128 avatar Feb 09 '21 07:02 database64128
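The statement's point that a missing ALPN extension makes a client's TLS fingerprint stand out can be checked by a client developer against their own ClientHello. The following is an added example, not code from this thread or from any project named in it: it parses a ClientHello and reports the extension order, SNI and ALPN list. The sample records are constructed inline, the helper names are hypothetical, and the ClientHello is assumed to fit in a single TLS record.

```python
import struct

EXT_SERVER_NAME = 0   # IANA TLS extension type: server_name
EXT_ALPN = 16         # IANA TLS extension type: application_layer_protocol_negotiation


def _ext(ext_type, data):
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(server_name, alpn_protocols=None):
    """Constructed sample input: a minimal ClientHello record, not captured traffic."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    exts = _ext(EXT_SERVER_NAME, struct.pack("!H", len(sni_entry)) + sni_entry)
    if alpn_protocols:
        plist = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn_protocols)
        exts += _ext(EXT_ALPN, struct.pack("!H", len(plist)) + plist)
    ciphers = struct.pack("!HH", 0x1301, 0xC02F)
    body = (b"\x03\x03" + bytes(32) + b"\x00"            # version, random, empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00"                                 # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


class Reader:
    """Bounds-checked cursor over TLS length-prefixed fields."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, n):
        return int.from_bytes(self.take(n), "big")

    def vec(self, len_bytes):
        return self.take(self.uint(len_bytes))

    def remaining(self):
        return len(self.data) - self.pos


def audit_client_hello(record):
    """Return extension order, SNI and ALPN list of one ClientHello record."""
    rec = Reader(record)
    if rec.uint(1) != 0x16:
        raise ValueError("not a TLS handshake record")
    rec.take(2)                                   # record-layer version
    hs = Reader(rec.vec(2))
    if hs.uint(1) != 0x01:
        raise ValueError("not a ClientHello")
    body = Reader(hs.vec(3))
    body.take(2 + 32)                             # client_version + random
    body.vec(1)                                   # session id
    body.vec(2)                                   # cipher suites
    body.vec(1)                                   # compression methods
    result = {"extensions": [], "sni": None, "alpn": []}
    if body.remaining() == 0:                     # extensions block is optional
        return result
    exts = Reader(body.vec(2))
    while exts.remaining():
        ext_type = exts.uint(2)
        data = Reader(exts.vec(2))
        result["extensions"].append(ext_type)
        if ext_type == EXT_SERVER_NAME:
            names = Reader(data.vec(2))
            while names.remaining():
                name_type, name = names.uint(1), names.vec(2)
                if name_type == 0:                # host_name
                    result["sni"] = name.decode("ascii")
        elif ext_type == EXT_ALPN:
            protos = Reader(data.vec(2))
            while protos.remaining():
                result["alpn"].append(protos.vec(1).decode("ascii"))
    return result


def lacks_alpn(record):
    """True when the ClientHello offers no ALPN protocols at all."""
    return not audit_client_hello(record)["alpn"]
```

Run against a capture of your own client's first flight, `lacks_alpn` flags the property the statement describes; comparing `extensions` with that of a mainstream browser shows any other ordering differences.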

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I'm a maintainer on https://github.com/shadowsocks/shadowsocks-windows. I approve this message.
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

database64128 avatar Feb 09 '21 08:02 database64128

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I am DuckSoft from Qv2ray Developer Community and I prove my identity by GPG signing this message.

My opinion is consistent with what is listed in the article. Here goes the signature of the article:

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

DuckSoft avatar Feb 09 '21 08:02 DuckSoft

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I'm a member of Qv2ray and V2Fly. I approve of this message.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

EpLiar avatar Feb 09 '21 08:02 EpLiar

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

+1

- -----
Signature from DuckSoft

Signature from EpLiar
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

ghost avatar Feb 09 '21 08:02 ghost

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This is @U-v-U, the founder of Qv2ray, signed using Qv2ray official PGP Key, as can be found at:

https://github.com/Qv2ray/debian/blob/master/pubkey.gpg

Previous Signature from StudentMain
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

ghost avatar Feb 09 '21 08:02 ghost

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This is @U-v-U, this message was signed using my personal key.

Previous Signature
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

ghost avatar Feb 09 '21 08:02 ghost

additions: if something is dangerous, people ~~can~~ should point it out in anytime on public, it's not offensive to projects against censorship, it's very important to let people to know before it's too late. for example: https://github.com/v2ray/discussion/issues/704 https://github.com/v2ray/v2ray-core/issues/2523 https://github.com/v2ray/v2ray-core/issues/2530 https://github.com/v2ray/v2ray-core/issues/2542

SekiBetu avatar Feb 09 '21 09:02 SekiBetu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This is @KevinZonda, founder of FastGit.org. I approve of this message.

- ------
Signature from DuckSoft

Signature from studentmain
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

KevinZonda avatar Feb 09 '21 10:02 KevinZonda

There's no exploit or vulnerability here (despite your misleading use of the "PoC" and "responsible disclosure" terms that apply to such things). The fact that you can detect a Signal proxy as a Signal proxy isn't a vulnerability; if it gets censored you're no worse off than you were if that proxy didn't exist: the main Signal servers are censored in Iran already. Indeed, this is the Signal circumvention proxy working precisely as designed.

Pretending it's dangerous or that there is an "exploit" is terribly misleading.

This transparent attempt at attention-seeking (including your bogus claims of some coverup) is an unnecessary distraction from the real, important work.

sneak avatar Feb 09 '21 10:02 sneak

> working precisely as designed

Then they should learn how to design.

ghost avatar Feb 09 '21 10:02 ghost

@sneak

> Let the people who understand the subject speak. Stop making false claims when you are not at all familiar with the subject.

DuckSoft avatar Feb 09 '21 10:02 DuckSoft

@sneak

> There's no exploit or vulnerability here (despite your misleading use of the "PoC" and "responsible disclosure" terms that apply to such things). The fact that you can detect a Signal proxy as a Signal proxy isn't a vulnerability; if it gets censored you're no worse off than you were if that proxy didn't exist: the main Signal servers are censored in Iran already. Indeed, this is the Signal circumvention proxy working precisely as designed.
>
> Pretending it's dangerous or that there is an "exploit" is terribly misleading.
>
> This transparent attempt at attention-seeking (including your bogus claims of some coverup) is an unnecessary distraction from the real, important work.

~~i don't care if it is a exploit or vulnerability or whatever you guys naming it, it doesn't matter, it can be detected right? you just need to answer me that, if it can be detected, in my eyes, it is a trash, useless thing, putting people in danger.~~

~~can be detected = useless proxy tools against censorship~~ ~~can be detected = useless proxy tools against censorship~~ ~~can be detected = useless proxy tools against censorship~~

~~(why i can say that? i lived in china, i used proxy tools to break the censorship since 2008, i used lots of them, let me count for you: Shadowsocks, ShadowsocksR, SSCap, Brook, Goflyway, PipeSocks, XX-Net, GoAgent, Tor Browser, v2ray, Trojan, Xray, any of these is better than this signal proxy)~~ ~~why you guys don't understand it? when people go to jail or died because of this, you guys still saying "it doesn't matter being detected, it's safe, just use it", what's wrong with you guys?~~

you are not focusing on the issue that it can be detected, you are leading people to personal attack those whistleblowers, what you are saying is a big distraction.

> Pretending it's dangerous

hope you can take responsibility for what you are saying, cause i've seen lots of people go to jail in china just because their server be detected and their real IP be found.

~~one more thing, WTF is working precisely as designed, your design is putting people in danger? that's so sick~~ ~~and, i'm rude doesn't mean what i said is not true, you guys doesn't even know this, funny.~~

Nek0kawa1 avatar Feb 09 '21 11:02 Nek0kawa1

@sneak sorry, but Signal did not "design" anything. okay? it's a stupid SNI Proxy. and, that is fine with me if this was just recognized as a simple PoC or an attempt to demonstrate another use-case for Nginx.

in the end, you are not the one who has to use such proxies on daily basis. so trust me, there is A lot to be done here if they actually intended to help.

itshaadi avatar Feb 09 '21 11:02 itshaadi

As someone who has had the privilege to speak with people behind the GFW and the Iranian Firewall, I too support this statement. These people often go through great technical efforts to provide safe solutions for them and people around them and avoid detection. If detected, real life consequences are a possibility. And while I personally haven't heard of anything drastic, I heard of people getting fined and intimidated.

Providing Signal Users in Iran with an easy to detect proxy might be equivalent to letting them run into an open blade. ISPs are able to see the proxies, and they're able to see who connects to them.

I'm just hoping that

A) These people won't face any dire consequences

B) Signal eventually provides a better solution

Good luck to everyone here!

p410n3 avatar Feb 09 '21 11:02 p410n3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I am HMBSbige, I am sending this representing myself and prove my identity by GPG signing this message.

My opinion is consistent with what is listed in the article.

Here goes the signature of the article:
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

HMBSbige avatar Feb 09 '21 11:02 HMBSbige

I am Xiaokang Wang.

I am in favor of the article above.

The avoidance of censorship in the authoritarian country should not only focus on speed. Dictators don't stay in power with network censorship alone, as they also have law enforcement on their side with the threat of physical violence. It is not only about access a service today, and it is also about remaining anonymous and lives another day unidentified. Some people may have unlimited chances to change protocol and make improvements as many times as needed, yet someone may have only one identity, once revealed to the dictator, can put their singular life at the mercy of the self-proclaimed overlord.

Nothing is perfect, but a better design will make it more difficult for the adversary to attack, which is the point.

Respect your user, and treat security issues seriously.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I am Xiaokang Wang.

I am in favor of the article above.

The avoidance of censorship in the authoritarian country should not only focus on speed. Dictators don't stay in power with network censorship alone, as they also have law enforcement on their side with the threat of physical violence. It is not only about access a service today, and it is also about remaining anonymous and lives another day unidentified. Some people may have unlimited chances to change protocol and make improvements as many times as needed, yet someone may have only one identity, once revealed to the dictator, can put their singular life at the mercy of the self-proclaimed overlord.

Nothing is perfect, but a better design will make it more difficult for the adversary to attack, which is the point.

Respect your user, and treat security issues seriously. 



-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

xiaokangwang avatar Feb 09 '21 12:02 xiaokangwang

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This issue needs to be taken seriously.

Here goes the signature of the article:
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

chenshaoju avatar Feb 09 '21 12:02 chenshaoju

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This is @IceCodeNew, a member of the V2Fly Community. Here I prove my identity by GPG signing this message.
My opinion is consistent with what is listed in the article.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

In case the GPG public key is needed:

-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----

IceCodeNew avatar Feb 09 '21 12:02 IceCodeNew

If an app brands itself as a secure-messaging app and intends to serve users under authoritarian regimes like Iran and China, it should consider protecting users' physical security when deploying anti-censorship technologies.

No physical security = no information security at all.

abschluss24 avatar Feb 09 '21 12:02 abschluss24

I hope discussions at this place will remain academic. It is a lost cause to argue with Signal that they are wrong, for having different design goals and threat models. This is arguing from different premises and it will not end in a useful conclusion.

It's time to agree to disagree.

klzgrad avatar Feb 09 '21 13:02 klzgrad

Machine translation added by @wkrp:

I'm RPRX, and I'm committed to constantly putting new and interesting ideas into practice for Anti-Censorship.

I've experienced the whole thing objectively and basically agree with the content and views stated in the issue.

I've been noticing that globally, new proxy tools are emerging every day, but most of these tools are research-based and have not been applied and tested at scale.

In China, however, there are many proven and popular proxy tools that are being used on an unimaginably large scale, and they keep iterating and evolving through this confrontation.

At the same time, this brings us a wealth of experience, a keen sense of smell and judgment.

So I would say that the voice of researchers from China is very, very, very important in the Anti-Censorship space, and that should be the consensus.

RPRX avatar Feb 09 '21 13:02 RPRX

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I am SekiBetu and I prove my identity by GPG signing this message.

My opinion is consistent with what is listed in the article.
rude manner is wrong, but what moxie said
"Yes, a proxy will always be detectable as a proxy, at the very least when someone discovers the proxy link -- which is inevitable when millions of people are using them. Fortunately, it's not a secret!"
this, this is not an excuse for not fixing it, this is not what Signal aiming for, you need take responsibility to your users.

Here goes the signature of the article:

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

SekiBetu avatar Feb 09 '21 13:02 SekiBetu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

My opinion only represents myself. In actually I don't care it's an "exploit" or any other things.
If the software was designed for people who lived in censored country. Provide ability to keep the user in safe is required.
Especially when you take it as an important feature.
In this opinion I approve this thread.
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

iseki0 avatar Feb 09 '21 13:02 iseki0

> I hope discussions at this place will remain academic. It is a lost cause to argue with Signal that they are wrong, for having different design goals and threat models. This is arguing from different premises and it will not end in a useful conclusion.
>
> It's time to agree to disagree.

It's easy to remain dispassionate and tone police others when it's not your people getting arrested because Signal advertises functionality it does not have.

MachineryEnchantress avatar Feb 09 '21 13:02 MachineryEnchantress

> because Signal advertises functionality it does not have

Perhaps you could link us to where this is happening, @sexycyborg?

I doubt this claim, and if this is indeed factually accurate, it should be trivial for you to substantiate it.

sneak avatar Feb 09 '21 13:02 sneak

> Perhaps you could link us to where this is happening, @sexycyborg?

It advertises itself as a secure messenger, it is not for Chinese nationals- and attempts to mitigate those vulnerabilities had to be fought over for over a year. We've made some progress recently with disclosure of the IME problem, but Moxie, and so Signal Foundation have shown a disturbing degree of callousness towards a large group of extremely vulnerable users.

MachineryEnchantress avatar Feb 09 '21 13:02 MachineryEnchantress

[two images]

ghost avatar Feb 09 '21 13:02 ghost

> It advertises itself as a secure messenger, it is not for Chinese nationals- and attempts to mitigate those vulnerabilities had to be fought over for over a year.

Your claim of insecurity, versus their claim of being a secure messenger, is not "advertises functionality it does not have", as "secure" is not an objective analysis (nor is it "functionality"). You have failed to substantiate your claim that "Signal advertises functionality it does not have", which is a different claim from the one you switched to, which I think is summarized as "Signal is not secure" (an opinion I do not share).

To do so, you would have to substantiate both of:

a) Signal claimed certain functionality

b) Signal's product did not have that functionality

You've done neither. I'm going to unsub from this thread now, as I think it's degraded into a pure smear campaign, something I've no interest in participating in.

I wish all of you llamas a fun drama party.

sneak avatar Feb 09 '21 13:02 sneak

@sneak Signal app itself is safe, just use it. I never read its code, so I can't figure out anything new in its app at the moment.

Yes, you said lack some feature is by design. That's ok. If someone needs those feature, they just switch to other tools.

In case someone forget reading the doc, here's their goal.

[image]

ghost avatar Feb 09 '21 14:02 ghost

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I am mzz2017, the maintainer of v2rayA and a member of V2Fly community.
I think the disrespect for researchers is the key point of this event.
Signal should apologize to those researchers and the public without any doubt.
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

mzz2017 avatar Feb 09 '21 14:02 mzz2017