Here are my thoughts on @signalapp TLS proxy initiative. As much as I want to help, here are my concerns (Thread) (1/14)

#IRanASignalProxy
(2/14) Let's start with the metadata problem. Signal is asking untrusted third parties to pass users' end-to-end encrypted Signal data through their servers. Although the reference implementation disables logging, there is nothing stopping me as a bad actor re-enabling it.
(3/14) Now the content and much of the message flow data is encrypted, end-to-end, so I would see nothing, but I do see hostname requests, IP addresses and the time these interactions take place.
(4/14) So for example I would be able to log that a call was initiated if a host request was made to http://sfu.voip.signal.org, or a backup was created if http://api.backup.signal.org was called. Or how regularly a device was checking in with my proxy and sending/receiving data.
(5/14) If the user's IP doesn't change, an individual might be able to be identified, putting them at risk (although this likely doesn't change a local context, it may change their international one (i.e. watchlisting by a foreign state)).
(6/14) Let's talk about the third parties hosting proxies; let's suggest @privacyint or @EFF were going to host a proxy. I would strongly argue that these are good, reputable actors, whose intention is the protection of users and data; they will do due diligence and avoid...
(7/14) ...unnecessary organisational risk. There is however no way of vetting other hosts, whether they have done a good assessment of the risk and haven't put themselves or others in danger. There is, as per the previous point, nothing stopping them from logging user activity.
(8/14) Finally the issue that arises is that of blocking. If I was Iran I would monitor the #IRanASignalProxy hashtag; every time a link is posted on http://signal.tube I would scrape the URL for the domain and add it to the blocklist.
(9/14) This is bad for everyone, because it makes a working proxy hard to find; a proxy that is working now might not work tomorrow, and the side effect is loss of quality of service from the user's standpoint, which makes @signalapp look bad.
(10/14) On the other side, the domain is blacklisted, if I were Iran I would just take the domain.tld portion along with the IP address and blacklist this. Again if I was a reputable actor this would make strategic work and information inaccessible from Iran (in this case)
(11/14) This is double edged, as for example @privacyint and @EFF have guides, and background on broader issues. These are useful for Iranian citizens. Moreover proxy providers look like they cannot provide a consistent service because they got blacklisted
(12/14) So this reflects badly on them as organisations. What are the alternatives? The only thing I can think of off the top of my head is using a miniaturised version of Tor, and providing Signal over a hidden service (there may be other similar distributed routing options).
(13/14) Anyway, this is just my thoughts, not @privacyint's, although internally discussions are ongoing as to what we can do to help Iranians and other marginalised Signal users.
(14/14) I really like @signalapp and I want it to be successful, but I feel the approach to this issue is wrong. I'm happy to work with anyone to provide a better solution; my DMs/email are open. Just my two cents.

Peace ☮️

Thread HT's: @Bendineliot @Ed_Geraghty
You can follow @CJFWeatherhead.