“Signal is being blocked in Venezuela and Russia. The app is a popular choice for encrypted messaging and people trying to avoid government censorship, and the blocks appear to be part of a crackdown on internal dissent in both countries…”

  • freedomsailor
    ↑191 ↓8 · edited · 4 months ago

    It’s like a medal of honor for a privacy preserving app 😄

  • whyNotSquirrel@sh.itjust.works
    ↑52 · 4 months ago

    could matrix.org be as easily blocked, since it’s decentralized I’m wondering?

    At least it means that Signal is working as intended if they are blocking it, I guess that they don’t have back doors.

      • TarantulaFudge@startrek.website
        ↑27 · 4 months ago

        I can answer this! All matrix calls are over https APIs. Ports and addresses are stored in a text file on the base domain or in DNS txt entry.

        • ivn@jlai.lu
          ↑5 · 4 months ago

          Thanks, nice to have someone knowledgeable.

          Would you say matrix is censorship resistant? I’ve very limited knowledge of it but given what you said I imagine that if I was trying to block matrix I would just need to query the url of the text file and check the DNS text entry, if either exist just add the domain to the blocklist.

          • ArcaneSlime@lemmy.dbzer0.com
            ↑2 ↓1 · 4 months ago

            I was trying to block matrix I would just need to query the url of the text file

            Ok this raises a question for me. How do you find a url like this which wouldn’t be like, “linked on their site” or something? I know it must be possible to like dump a URL list for a site to a textfile, I’m just wondering how.

            Like say I want to find all the super secret pages on www.subgenius.com, they link some but say www.subgenius.com/pam1/pamphlet.html wasn’t directly linked (it is, but pretend lol) but could be accessed by the URL, how would I find that URL? Can you just run like someprogram -a www.subgenius.com -o subgenius.txt because that would be cool.

            • ivn@jlai.lu
              ↑4 · edited · 4 months ago

              Maybe I’ve misunderstood how it works. I thought that when connecting to a matrix instance you would point to the domain name and the text file would be on a standard location (as with /robots.txt or all the files in /.well-known/) so it would be easily discoverable. In fact I just checked and matrix does use /.well-known/ so one should be able to identify matrix servers by querying these URLs. Unless there is a way to use a non-standard location, but that would require further configuration on the client I guess.

              And just to answer your question, the only way to find some hidden file would be to brute force. This could obviously be extremely time consuming if the URL is long and random enough, especially if you add rate limiting (this last thing could be circumvented by using multiple IPs to scan, which would be easy for a state actor).

              Edit: I’ve just realized I wasn’t answering to the same person, the first part of the message was more for @[email protected]

              • TarantulaFudge@startrek.website
                ↑2 · 4 months ago

                Yeah the main thing is that the ports and addresses can change and it’s nbd. From a firewall perspective, it’s impossible to block them all. Especially when the clients are doing mundane https requests. Even if the server goes down or partial connectivity, the channel can still be used.

                • ivn@jlai.lu
                  ↑2 · 4 months ago

                  But this seems easy to automatically block, no? If a client is querying an unknown domain check for some Matrix related data in /.well-known/ and add it to the block list if there is. And since the servers are publicly advertising the port used you just need to periodically check the list of known matrix domains you are creating in the first step.

                  Russia is already doing DPI and blocking ESNI so that seems easy. A more widespread usage of ECH would help everyone, as Signal is advocating, but that’s not the case yet.
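
The discovery steps discussed in this sub-thread, as an added example (not code from any commenter or from the Matrix project): a sketch of the homeserver name resolution order in the Matrix server-server specification, where delegation is read from /.well-known/matrix/server or a DNS SRV record and otherwise falls back to port 8448. The two lookup callables and all sample hosts are constructed assumptions so that it runs offline.

```python
import json
import re

DEFAULT_PORT = 8448  # federation port used when nothing else is advertised
IP_LITERAL = re.compile(r"^(\d{1,3}(\.\d{1,3}){3}|\[[0-9A-Fa-f:.]+\])$")
NAME = re.compile(r"^(\[[^\]]+\]|[^:/\s]+)(?::(\d{1,5}))?$")


def split_host_port(name):
    """Split 'host', 'host:port' or '[v6]:port' into (host, port or None)."""
    m = NAME.match(name)
    if not m:
        raise ValueError(f"not a server name: {name!r}")
    return m.group(1), int(m.group(2)) if m.group(2) else None


def lookup_srv_chain(host, lookup_srv):
    """Try the current SRV name first, then the deprecated one."""
    for record in (f"_matrix-fed._tcp.{host}", f"_matrix._tcp.{host}"):
        hit = lookup_srv(record)
        if hit:
            return hit
    return None


def parse_delegation(body):
    """Return the 'm.server' value from a well-known body, or None if unusable."""
    try:
        value = json.loads(body).get("m.server")
        split_host_port(value)  # reject malformed delegation targets
        return value
    except (ValueError, AttributeError, TypeError):
        return None


def resolve(server_name, fetch_well_known, lookup_srv):
    """Return (connect_host, port, tls_name, method) for a homeserver name.

    fetch_well_known(host) -> body of https://host/.well-known/matrix/server, or None
    lookup_srv(record)     -> (target, port), or None
    Both callables are injected (hypothetical helpers) so this runs offline.
    """
    host, port = split_host_port(server_name)
    # An IP literal or an explicit port skips discovery entirely.
    if IP_LITERAL.match(host) or port is not None:
        return host, port or DEFAULT_PORT, host, "explicit"

    # Delegation published at the fixed well-known path.
    body = fetch_well_known(host)
    delegated = parse_delegation(body) if body is not None else None
    if delegated:
        d_host, d_port = split_host_port(delegated)
        if IP_LITERAL.match(d_host) or d_port is not None:
            return d_host, d_port or DEFAULT_PORT, d_host, "well-known"
        srv = lookup_srv_chain(d_host, lookup_srv)
        if srv:
            return srv[0], srv[1], d_host, "well-known+srv"
        return d_host, DEFAULT_PORT, d_host, "well-known"

    # No usable well-known: SRV on the original name, then the default port.
    srv = lookup_srv_chain(host, lookup_srv)
    if srv:
        return srv[0], srv[1], host, "srv"
    return host, DEFAULT_PORT, host, "default"


# Constructed sample data (not real hosts).
WELL_KNOWN = {
    "chat.example": '{"m.server": "synapse.hosting.example:443"}',
    "broken.example": "<html>404 not found</html>",
}
SRV = {"_matrix-fed._tcp.srvonly.example": ("fed.srvonly.example", 8443)}

if __name__ == "__main__":
    for name in ("chat.example", "srvonly.example", "broken.example", "plain.example:8008"):
        print(name, "->", resolve(name, WELL_KNOWN.get, SRV.get))
```

The third element of the result is the name the TLS certificate has to match, which is why the host actually contacted can differ from the domain in a user ID.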

    • foremanguy@lemmy.ml
      ↑18 ↓1 · 4 months ago

      Matrix is in fact decentralized but in reality it is not so much, I don’t know the number exactly but the majority of users use the matrix.org server

              • ivn@jlai.lu
                ↑5 · 4 months ago

                I mean, that’s not specific to Matrix. Telemetry is the tool used to get the numbers, so I don’t see how you would collect numbers on servers that don’t report numbers.

                • CaptainSpaceman@lemmy.world
                  ↑2 · 4 months ago

                  I’m surprised there are zero calls to any official matrix server(s) from those instances.

                  Not even random API for metadata, update status, etc?

                  Telemetry is a word. It only means as much as it means in each context, and without full context it means little atm.

                  Do you have a resource where I could learn more about what data Matrix considers telemetry?

      • wurstgulasch3000@lemmy.world
        ↑5 · 4 months ago

        People who live in countries where DNS and IP blocks are common probably use a different server. I’ve been running my own for over a year and it works like a dream

      • TarantulaFudge@startrek.website
        ↑12 ↓3 · 4 months ago

        It cannot be easily blocked, especially if you use your own homeserver. Every homeserver replicates the channel and it can operate without the original server! That’s why signal and telegram are inherently flawed.

    • ArcaneSlime@lemmy.dbzer0.com
      ↑3 ↓1 · 4 months ago

      To be devil’s advocate in a sense, this may mean that it doesn’t have any backdoors that Russia or Venezuela can use, but the NSA or something still could have one of their own.

      • Possibly linux@lemmy.zip
        ↑1 ↓2 · 4 months ago

        Matrix doesn’t have encryption as the default

        Also Signal doesn’t have any backdoors. I can say that with high certainty as it has been audited more than any other messenger.

        • TarantulaFudge@startrek.website
          ↑4 · 4 months ago

          It doesn’t matter if it is a business entity operating under a government then you can never really know because gag orders. Centralized servers can be blocked. Telegram and Signal apps could have a back door. This is why open stack is important. And not just the code. Also encryption is default for p2p one on one conversations. It’s not in channels by default because it can complicate public use.

    • CaptainSpaceman@lemmy.world
      ↑24 ↓3 · 4 months ago

      WhatsApp supposedly uses Signal protocol.

      Why is THAT not blocked? Certainly they wouldn’t roll their own encryption and bypass Signal security protocols after having Moxie come in, right? Right???

    • ivn@jlai.lu
      ↑16 · 4 months ago

      Telegram is not secure, I guess if you can listen to it better not block it.

    • Dark Arc@social.packetloss.gg
      ↑10 ↓1 · edited · 4 months ago

      I mean it was blocked before Signal was blocked. Russia somewhat famously badly broke their Internet trying to shut down telegram… and eventually gave up.

      I’m guessing Signal finally has enough market share to get the Russian government’s attention but not enough market share that they think the web of proxies that kept Telegram online will keep Signal online.

    • rdri@lemmy.world
      ↑4 · 4 months ago

      On April 16, 2018, the Russian government began blocking access to Telegram, an instant messaging service. The blocking led to interruptions in the operation of many third-party services, but practically did not affect the availability of Telegram in Russia. It was officially unblocked on June 19, 2020

      Some say it was unblocked because they made a deal with Durov. Another opinion is that too many people and services including officials continued to rely on it even during the time it was blocked. Regardless, Telegram did a huge job on circumventing those blocks.

    • UnderpantsWeevil@lemmy.world
      ↑2 · 4 months ago

      You need a certain market saturation before a ban becomes useful. If very few people are using the service, there’s little incentive to invest time/energy in a block.

      I suspect the recent wave of riots in the wake of the election is driving the urgency.

    • Dessalines@lemmy.ml
      ↑14 ↓3 · 4 months ago

      I wrote this, but I’d also like to add Drew DeVault - Why I don’t trust signal. There’s a huge disconnect between what privacy advocates are saying about signal, and what reddit “privacy” communities think about it. If you read the article I linked, you’ll see it’s because the Open Technology Fund (a US state-run entity), actively pushes signal in privacy spaces.

      • Possibly linux@lemmy.zip
        ↑2 ↓8 · 4 months ago

        Signal is secure and anyone who says it isn’t needs to have very strong evidence. It has been audited by hundreds of people at this point.

        • Dessalines@lemmy.ml
          ↑11 ↓3 · edited · 4 months ago

          Source: trust me bro.

          Seriously tho, that’s been most of the defense of signal advocates, with zero backup other than signal’s own claims. Signal is not self-hostable, and all the data lives on a centralized, US-domiciled server, subject to NSL requests (the US issues ~ 60 of them per day).

          Unfortunately you can’t verify what their server stores, nor the metadata that they are legally required to share with the US government (which includes phone numbers, and your name and address).

          BTW if signal is secure, can you give us your phone number, so we can use it with you?

          • Possibly linux@lemmy.zip
            ↑2 · 4 months ago

            Signal is end to end encrypted. Everything related to encryption happens inside the app. It doesn’t matter if the server is in mainland China it would still be secure. However, that doesn’t mean it is anonymous. Signal is pretty bad from that perspective.

          • ivn@jlai.lu
            ↑1 ↓2 · 4 months ago

            You don’t need the phone number to contact someone with Signal.

              • ivn@jlai.lu
                ↑1 ↓2 · edited · 4 months ago

                Yes, to create an account, but not to contact someone. You have a habit of being off the mark.

                Also there is a difference between giving your phone number to some service and giving it to some random on the internet.

                • Dessalines@lemmy.ml
                  ↑5 · edited · 4 months ago

                  They must’ve added that recently then, but still doesn’t get around the fact that they’re required, which means signal (and likely the US government) knows exactly who you talk to and when.

    • Possibly linux@lemmy.zip
      ↑5 ↓3 · 4 months ago

      Signal might be one of the most audited pieces of software in existence. Any criticism is likely either coming from or is supported by countries that fear encryption such as China, Russia and Iran.

      The big downsides of Signal are that it requires a phone number and that it depends on Signal’s servers. That is it. Your messages are completely safe as all messengers use the same underlying cryptography.

      • Dessalines@lemmy.ml
        ↑8 ↓1 · 4 months ago

        The audits mean nothing for a server domiciled in a Five-Eyes country. Signal has your phone number, and the other phone numbers you talk to (social connection graphs), and it is 100% illegal for them to tell you that they’ve been issued a national security letter divulging that information.

        • Possibly linux@lemmy.zip
          ↑3 · 4 months ago

          You shouldn’t trust a server to do your computing for you. Assume any data the server has about you to be available to all.

        • fira959@lemmy.ml
          ↑2 · edited · 4 months ago

          The entire protocol is built under the assumption that you do not need to trust the servers. Let the NSA have them, it doesn’t matter. On the other hand 95% of Matrix users are hosted on Matrix.org which was not only hacked several times, but would be an ideal target for any agency to compromise. It’s naive to believe the big Matrix hosts aren’t compromised. The only effective defense is to build your system around the assumption that the server is compromised, which is what Signal did.

      • ivn@jlai.lu
        ↑3 · 4 months ago

        Metadata is data. While we can be pretty sure that message contents are secure we have to rely on trust for the metadata.

        I use Signal and trust it way more than most other apps but still, one has to be careful, a state actor could still find ways.

    • Possibly linux@lemmy.zip
      ↑18 ↓1 · 4 months ago

      Matrix isn’t secure depending on how you use it. It also doesn’t protect individual identities terribly well.

      Simplex Chat would be the better option however the main Simplex Chat server and matrix server could end up blocked as well.

      • Dessalines@lemmy.ml
        ↑29 ↓1 · edited · 4 months ago

        Matrix is entirely self-hostable, and you can turn off both federation, and the requirements for any linkable identifiers.

        Signal by contrast requires your phone number, isn’t self-hostable, and is based in a five-eyes country.

        • Lemongrab@lemmy.one
          ↑11 · 4 months ago

          Matrix doesn’t protect metadata, which is arguably just as (if not more) important than message data. Signal by contrast does protect metadata and properly implements Perfect Forward Secrecy for all chats. I do think Signal’s centralized design and phone number requirements problematic, but Signal still has many merits. Such as its massive user base for an AGPL-only project.

            • Lemongrab@lemmy.one
              ↑1 · 4 months ago
              • AGPL-only is a license, I didn’t want to misrepresent the license by being general. I was just trying to say that it is surprising that a fully open source application like signal has a large user base.
              • PFS isn’t enabled by default for group chats and generally feels messy as the end user to deal with. I was unaware that they have properly implemented it for group chats as well.
              • My point about metadata still stands. Matrix still does not protect metadata (one eg: reactions to messages are unencrypted).
              • ReversalHatchery@beehaw.org
                ↑3 · 4 months ago

                PFS isn’t enabled by default for group chats and generally feels messy as the end user to deal with. I was unaware that they have properly implemented it for group chats as well.

                Isn’t it? Maybe I’m misunderstanding something, so let’s start from the definition. PFS is when future joined users can’t read messages sent before they have joined, right?
                In that case, it is not just implemented, but cannot be avoided and is a major hassle to deal with. In my understanding when someone joins, all members start a new olm session, meaning they now encrypt future messages with a new key. The old keys are not being sent to the joined users, not even if the room has been set up to allow reading history, and this results in them only seeing undecryptable messages, and all the metadata you’re talking about (except when the client hides these to reduce new user’s confusion).

                Former keys are not shared among clients for now because there’s no mechanism (for now, but this is planned) to verify that a new member is actually a legit member, not just someone popped in by the server admin by DB editing or whatever.
                Earlier there was a workaround mechanism, where with element clients, when you have invited someone, your client has sent keys to all the previous messages which it had, to the invited user. That was not (yet?) reimplemented in their new crypto library, but apparently they’re working on it.

                But the point is, that afaik PFS is on and cannot be disabled for encrypted rooms, new rooms are encrypted by default, you have to toggle that off by yourself if you don’t want it, and it can’t be toggled off after room creation.

                My point about metadata still stands. Matrix still does not protect metadata (one eg: reactions to messages are unencrypted).

                That’s right. I don’t think that’ll ever change, but it’s for sure that it’ll not change for a long time, because fundamental changes would be needed.
                But! For when that is a concern, you are not entirely unprotected. For example you can set up a room to never federate, or only federate with specific homeservers. If your group runs their own, on owned real hardware, information can’t really leak from your control.

          • poVoq@slrpnk.net
            ↑3 · edited · 4 months ago

            for an AGPL-only project.

            Citation needed. It is undisputed that the software that runs on their servers is not identical to the code they release; if they release at all because sometimes they just stop for a year, until people complain 🫠

          • poVoq@slrpnk.net
            ↑11 · edited · 4 months ago

            This is false. You still need a phone number to sign up and it is used as an internal identifier.

            All they did is to allow you to hide your phone number from other users.

  • Railcar8095@lemm.ee
    ↑14 ↓4 · edited · 4 months ago

    Why do countries that do not prosecute political dissent block apps used by political dissenters? /s

  • Dessalines@lemmy.ml
    ↑24 ↓29 · 4 months ago

    Smart move, considering Signal is a US-hosted centralized service that has to comply with US NSL laws.

    These comments below seem to be unaware of all the issues privacy advocates have of signal.

    • ivn@jlai.lu
      ↑21 ↓2 · 4 months ago

      I don’t get it, are you really arguing that Russia and Venezuela are blocking Signal to protect their citizens from American snooping?

        • QuadratureSurfer@lemmy.world
          ↑10 · edited · 4 months ago

          Isn’t the whole point of something like End-to-End Encryption so that not even the company themselves can read your messages?

          In that case it wouldn’t matter even if they did turn the info over.

          Edit: I read more into the page you linked. Looks like those NSLs can’t even be used to request the contents either way:

          Can the FBI obtain content—like e-mails or the content of phone calls—with an NSL?

          Not legally. While each type of NSL allows the FBI to obtain a different type of information, that information is limited to records—such as “subscriber information and toll billing records information” from telephone companies.

        • Possibly linux@lemmy.zip
          ↑10 ↓4 · edited · 4 months ago

          Mass censorship is never good for civil liberties. Let people decide on their own.

          Also Signal is cryptographically sound. Many other messengers use a similar protocol.

          • Dessalines@lemmy.ml
            ↑5 ↓5 · edited · 4 months ago

            As I commented below, US security forces aren’t that interested in message content anyway, since they don’t have time to parse through every message to construct meaning. Signal does require your phone number tho, as well as message timestamps, meaning they can build social graphs of real people. Tons of metadata living on a single US-based server.

            • Possibly linux@lemmy.zip
              ↑7 ↓2 · 4 months ago

              It doesn’t matter if it is US based. You shouldn’t trust the server.

              Signal has known issues. That doesn’t mean it is entirely bad though. Saying things like Signal is insecure is simply untrue. It has weaknesses but it also has the benefit of protecting your messages completely and being well established.

        • ivn@jlai.lu
          ↑4 · 4 months ago

          My question was more about the motives in this case.

            • ivn@jlai.lu
              ↑6 · 4 months ago

              The question of what should be done can be interesting, but that was not my question. It’s obvious this is not the motive here.

              If you are in your own country’s opposition it’s better to use a foreign tool, even better if it’s in a country that’s not gonna collaborate with yours.

              • LarmyOfLone@lemm.ee
                ↑3 · 4 months ago

                I imagine just using metadata you can look for people who are discontent, then provide a list of those people to the opposition to contact and mobilize them and get them to protest.

                Or target them with stories and bots to turn them into a revolutionary force, but that would be more useful for social media networks instead of signal.

    • Possibly linux@lemmy.zip
      ↑4 · 4 months ago

      Signal has strong cryptographic protocols that are not easily broken. It pioneered the use of double ratchet encryption. (Different keys for each message)

      It does expose phone numbers to Signal and the US government but that may or may not be a concern depending on what your threat model is.

    • marcie (she/her)@lemmy.ml
      ↑6 ↓5 · edited · 4 months ago

      they hated him because he spoke the truth smh

      use matrix, briar, simplex in that order

      also what email platforms + vpns do you recommend, out of curiosity?

      • Possibly linux@lemmy.zip
        ↑1 ↓1 · edited · 4 months ago

        Matrix isn’t as good as Simplex Chat. Briar is good as it is very hard to censor but it does use battery and requires you to be online all the time. (unless you count Briar mailbox)

        • marcie (she/her)@lemmy.ml
          ↑2 ↓2 · edited · 4 months ago

          sure, simplex is very private, but its also a pain in the ass to use currently. i feel like matrix makes a decent tradeoff between easy use and privacy