An totalitarian state would not need to run a packet inspecting firewall to find out who is using Signal. They have this information already in the plaintext SMS Signal broadcasts in order to collect verified phone numbers of their users. It is most likely in their power to turn off cell service for these endpoints, or even locate them and let the security service round them up.
It's a great service in many ways, but if you are revolting an authoritarian state, it's something to be careful of. At the very least, please be mindful of this and take care of yourself.
And while you'd think that senseless violence against civilians do not scale, times of civil protests in totalitarian regimes is not good time to be naive.
Shutting down routing for the entire country is pretty much par for the course. There's not such thing as collateral damage when the regime itself gets scared.
Not all of those are in the same country, though, and it’s worth thinking about how the install base would change after a particular country banned an app. The first time someone gets an official warning a lot of people are going to say “not worth it”.
A few random examples:
* Ottoman genocide of Armenians, on ethnic/religious grounds. The Ottoman Three Pashas regime was as far from left as possible, but plenty totalitarian.
* US internment of "foreign elements", including those with US citizenship, during both World Wars. US was never even center-left, let alone farther, and totalitarian is a stretch. Less bad than the other examples here, but still.
* The many White and Red terrors in the Interwar and post-WW2 years, where vague association was guilt and execution.
* Of course Jews, Roma, Gypsy, dissident in Nazi concentration camps.
* The Herero and Namaqua genocide by the rightist totalitarian-ish Imperial Germany.
* UK mass internment of Boers. Not leftist, not really totalitarian.
Need i go on? Why did you feel the need to pain totalitarian leftist as worse than any other totalitarians?
Unless that information makes the statement seem extremely biased, which it does?
> During the 1900s the left killed people on a scale never seen before in human history
And during the 1900s totalitarian rightist killed people on a scale never before seen in human history. Industrial murder factories, with brutal precision, murdering thousands per day by the trainload, with an assembly line of transportation, robbing, murder through poison gas, cremation? Never has humanity sunken so low. Brutal ad-hoc genocides of people murdering another group with their hands due to hatred or misinformation or whatever is more understandable and explainable than cold blooded mechanised precision mass murder on an industrial scale.
Famines due to ethnic cleansing, stupidity, mismanagement and ignorance are aplenty. The Bengali famine is comparable to the Holodomor in scale and reasons, even if the Holodomor was probably more intentional. Nobody has done what the Nazis did at that scale.
So yes, it's extremely stupid to single out totalitarian leftist regimes for their crimes against humanity, as if it's a uniquely leftist thing. It's obvious the people doing that have an anti-left agenda, which is honestly just being stupid.
I wonder why you feel that it is necessary to attempt to be insulting?
Pol Pot, Mao, Hitler - these are figureheads that became objects of popular worship. If Monarchies were a thing, they would have been monarchs. If Theocracies were a thing, they would have been theocrats. If corporations were a thing, they would have been admirable profiteers.
Violent self-righteousness is just that.
You chose to ignore that, blathering on about the middle ages is off-topic.
This assumes one is using the phone number attached to the handset running Signal as their Signal number. Personally, I don't do this: I have used Google Voice and even a basic Twilio number that sends SMS messages to me via Email to register a number with Signal. There are many reasons to do it this way, not least of which is that I can publish my Signal number without needing to worry about people direct-calling my phone. Until Signal drops the requirement for a phone number (verified by SMS) to spin up service, this is the most secure way to use Signal.
Google Voice doesn't need to be installed on a mobile device. I have my Google Voice accounts (yes, multiple) set to forward SMS to me via email.
"I personally no longer trust Signal. Moxie's departure stinks like a canary."
I never really trusted Moxie to begin with but events like this make me wonder all the more if Signal is really being run from Fort Meade. Fortunately for me I used Signal as my "non-secure" messaging platform and use other messenger options for secure comms.
Which events are you referring to here?
Personally I really liked Wickr Messenger (no phone number required) but they were recently acquired by AWS :-(
Also looking up Wickr now it seems like they ended up specializing in providing secure messaging FOR the government (and even are the only ones to pass some NSA specific test) so maybe that was not the best choice.....
I don't get this "totalitarian state" b.s., subverting legitimate government's policies seems silly and dangerous. If I was a dictator or something I would have people's phone's searched randomly by street cops, if they see signal then you are a subverter and a traitor so off with your head. I can't imagine security against that.
Security and privacy against nation state actors are one thing but against your nation state actor is a whole different ball game.
> The proxy is extremely lightweight. An inexpensive and tiny VPS can easily handle hundreds of concurrent users. Here’s how to make it work:
SSH into the server.
Install Docker, Docker Compose, and git:
Anyway, the proxy is just an nginx with a custom config file. You can check that file and just add it yourself to an nginx you manage, probably with little changes.
For one, this is 5 versions behind (1.18 vs 1.23).
In general seems caddy or haproxy might be a better fit - but nginx is a perfectly fine choice I suppose.
Providing a statically linked binary is even simpler, without all that extra complexity that comes with docker.
I didn't look at the image size but you might be paying a ~100 MB storage penalty to bundle dependencies.
It won't be rootless in this case as far as I know because you will need privileged ports 80 and 443 but good habit in general.
On beefcake supreme machines it's just usually not significant enough to worry about, because the perceived benefits outweigh the downsides.
- if you use docker nat, it about doubles connection time, if you only have extremely short connections this can be quite visible.
- If you need FS access, this can come at a high cost depending on your usage pattern, docker’s layered FS is not cheap.
- Finally Docker enables features which don’t come for free and which you may not be enabling separately e.g. seccomp (this can result in a 15+% performance hit in the worst case)
could it be done leaner? sure
is it worth it if it raises the barrier of entry of getting people to run the proxy? doubtful
Meanwhile, you can just install Docker, which you might already have if you do self-hosting often, and run one command. The overhead of containers is tiny, so you really won't notice it. Bonus points for using Podman, which doesn't even have a daemon.
glibc doesn't support static linking, so it's probably going to be musl. Running a musl binary on an otherwise glibc system isn't an issue.
Containers are more consistent and have less side effects than packages.
> I'm sorry but installing Docker on a tiny VPS last time I checked wasn't any light at all.
There's very little overhead and it takes a one liner to install it.
: curl -sSL https://get.docker.com/ | sh
- Single core 1GHz CPU
- 640 MB RAM
- 10 GB storage ( default size )
I'd say docker is pretty light.
There are so many project READMEs out there that never bother to explain what the code is or does, it's frustrating.
The Signal client establishes a normal TLS connection with the proxy, and the proxy simply forwards any bytes it receives to the actual Signal service. Any non-Signal traffic is blocked. Additionally, the Signal client still negotiates its standard TLS connection with the Signal endpoints through the tunnel.
This means that in addition to the end-to-end encryption that protects everything in Signal, all traffic remains opaque to the proxy operator.
Probably helpful context: [Help people in Iran reconnect to Signal – a request to our community] https://signal.org/blog/run-a-proxy/
And the people that are protesting and hurting right now are not the most tech savvy one - so expect a lot of naivete about opsec. I doubt that the majority of them even know signal exists.
Would some network analysis then not clearly indicate the social graph of people by virtue of connecting the dots of who connects to which proxy domain?
Edit: as a follow up question. Do the people of Iran need messaging access to people outside of Iran or more likely their friends and family within Iran. Most of these messaging services are centralised so blocking them means cutting off communication within the country as well. Maybe they'd benefit from running private messaging servers themselves?
The way I understand it people need special licenses in order to operate in iran (meta) and therfore the probability of being sued is very high?
The Treasury source they cite (https://home.treasury.gov/news/press-releases/sm0322) seems to check out:
> Section 560.540 of the Iranian Transactions and Sanctions Regulations (ITSR), 31 C.F.R. Part 560, authorizes the exportation from the United States or by U.S. persons, wherever located, to persons in Iran of certain publicly available, no-cost services incident to the exchange of personal communications over the Internet and certain publicly available, no-cost software necessary to enable such services.
extra territorial example: it may be a crime to do things/speak ill of a foreign government. If you lived there you’d get arrested. What if you did this while sitting in your bedroom overseas?
But then in that sense Iran can do whatever it wants once they get their hands on you, laws or not
E.g. BNP Paribas, a French bank, were fined for doing business in Iran. A Ukrainian was extradited from Poland to the US for hosting a pirate website.
I know Android is much more popular in Iran, but I wanted to give my friends instructions for both platforms, just in case.
hope this might help someone: https://signal.tube/#testnotest.mooo.com
Ever since Signal started collecting and permanently storing sensitive user data in the cloud (your name, photo, number, a list of everyone you contact using Signal) it's become much more dangerous for people who want to protect themselves and the people they are in contact with. Because Signal insists on keeping your contacts in the cloud it's possible in some cases for someone to collect a list of your contacts simply by brute forcing a 4 digit pin.
It would be horrible to end up in trouble or see your friends and family hurt because Signal wasn't forthcoming about the fact that they were collecting your info and keeping it on their servers.
None of this FUD is true. None of the information you listed is collected or stored by Signal. You can verify this yourself by looking at the various government warrants and subpoenas, and Signal's responses: https://signal.org/bigbrother/
That's a lie. I don't blame you for not knowing the truth though, Signal has gone to some trouble to make things unclear, but reality is reality.
Signal has the data, but they've set up their system in a way that would require either an exploit (we've already seen examples of these) or a brute force attack to get the data requested and it's doubtful that a standard subpoena would compel them to use those methods. That said, it does leave the data vulnerable to the NSA or any other three letter agency who is willing to employ those types of methods. Signal would surely not be posting about any national security letters they were handed on their website.
Similarly anyone who can guess or brute force a four digit pin could also get the data of some users. I've posted other links with more information on all of this further down, you can check my recent comments for them, but here's this to get you started.
In Signal, Contacts’ multiple phone numbers are strictly computed each into its hashed value before only hashes of contacts being store on Signal. You can always turn that off via “Settings->Chat->Share Contact with iOS/Android” option (and it is recommended but it puts the onus of adding contacts on you, which is fine for OpSec mode). Failure to turn that off and you also get that “surprise” User just joined Signal message.
Metadata of you being stored on Signal server can be just a single user ID and heavily-ratchet encrypted before sent over network. But you would have to clear/omit your primary self contact info at OS level also.
Avatar Photo of you is problematic. Easiest not to use it in the first place. Turn off “Settings->Chat->Use System Contact Photos” option as well.
once settings are done, relevancy of PIN is reduced to (rubber-hose) OpSec and remaining forensic footprint (outside of User ID) to just within your Phone and others’ phone (and not the server, much less over network).
Turn everything off under “Settings->Privacy->Advanced” except “Circumvention” and only this one under extreme Internet duress.
What is painfully clear is while the cleartext content of your message is never stored on Signal server in any form at most states and never has your key to these content (a good thing), the association with other User ID remains forensically extractable, which is why burner phones are most helpful there there. This is where “timer” for deleting message can protect you even further (less the phone falls into the hand of an adversary within that period before timed message deletion).
If you do not mind the obtuse associativity with others, this app is excellent in keeping the actual content of your conservation off of and away from servers, network, and nation-states outside of said phones involved. Which is just fine for me and my family and close friends.
If you are striving for absolute anonymous in the area of association with others, I weakly recommended Telegram but the message is plain as day and can be read by nation-state simply because Telegram holds the encryption keys of yours.
In short, you have only one choice:
- near-absolute anonymity of message content
- near-absolute anonymity of association
It remains a hard problem.
Wait, are you saying only a hash is ever sent to signal's servers and stored there? How then are you able to install signal on a totally new device and have your contacts downloaded to it? You seem to think this is about contact discovery, but the data collection was about contact recovery. I've got links in other comments that describe this usage.
Data is uploaded as soon as you set a pin or opt out of setting one. If you do disable "everything" under “Settings->Privacy->Advanced” is all of the data that has been uploaded to the cloud then deleted?
PIN is Not easy to extract in phone OSes, digital forensically or not, except perhaps with a rubber hose.
Sure, PIN may not delayed at bad guesses. But PIN is only there to prevent casual borrower from changing Signal preference or prevent some form of evil-maid tactic.
Signal PIN is not designed nor intended to be a prevention mean during interrogation but to keep those settings in maximum privacy mode. This PIN is an excellent complement to OpSec array of protections while using Signal app.
Which is why you disable contact.
It asked up front if you want Signal to access contact at install time.
If you say yea, then only a hashed value of each phone number found in each contact is sent. Nothing else from each and all of your contacts in your contact address book.
If you say no, then nothing of contact address book is looked at.
In a new phone, typically contact address book is empty.
If backup is restored at new phone, then it becomes important to ensure that you say no at Signal install time when prompted and asked for permission to access your contact address book.
For example see:
I haven't seen that documented anywhere. Do you have a source?
Signal contact address book is wholly kept separate from your phone OS contact address book, even when you say yes to permission to share the OS contact address book.
If you say no to the sharing of contact, then ONLY those contacts created WITHIN Signal’s own contact address book would have each Signal contact’s phone number as numerically big-hashed (within your own phone), then only those hash value of your limited Signal contact address book would be (naturally) sent to Signal server.
This is why I said “if you don’t mind the obtuse associativity”. And that is OK for most OpSec.
What is most important here is whatever you typed, only that other contact’s phone would be able to see this, no place else. That is, until the adversary gets their hand on one of the phone before its timed message deletion period.
This is all in the source code here
In the short term, preserving association seems paramount over the longer-term required to crack SVR … regularly.
I’m using PIN (and thusly SVR) because most of my contacts within Signal contact address book are named with family nicknames). So, SVR is filled with avatar, phone, last access, creation time, and its computed hash UserID values is that weak point but SVR is not that weak enough to prevent its practical usage for near-perfect message content anonymity. That’s why I ask family members not to bother with avatar and keeping real name off of OS primary user contact info.
If you are pushing the envelope of OpSec, then disabling PIN is fine too.
It doesn’t matter as long as the phone is not in the hand of adversary but steps above will make it harder, forensically.
It seems like the real problem for someone in Iran would be SVR since if you were suspected of breaking the law they could brute force your pin and get a list of your contacts then go after them. Well, I'd also consider it a problem that signal will promote itself to people whose freedom/lives are at risk without being upfront and very clear about the risks.
That's why I suspect that signal is telling its users as loudly as they can the service is compromised. although I do wish they'd stop promoting the app to highly vulnerable people who are at real risk if their contacts are discovered.
As for alternatives, I really don't know enough about the situation in Iran to say what would be safe. After they stated collecting data I personally switched to Jami for secure communications, but I'm not a whistleblower or a journalist or a freedom fighter or anything and to be honest, I haven't found anything as polished as Signal that handles both secure messaging and plain old SMS/MMS. I was a fan. It's been years and I'm still hugely disappointed.