Signal ignores proxy censorship vulnerability, bans researchers (opens in new tab)

(bleepingcomputer.com)

36 pointsrealducksoft5y ago6 comments

6 comments

I'm not part of the Signal project, and I do want a full explanation for this (eventually), but let's remember that people's lives are literally on the line here. Getting caught using Signal by the regime could get you imprisoned or killed.

I'm extremely anti-censorship, yet I could see myself doing something similar (deleting comments) because there is serious risk of imminent danger here, and this report does not follow responsible disclosure. It's bad enough when irresponsible disclosure affects people's data security or identity, but consider when it affects their ability to live free or to live at all.

I've been a security researcher and very much subscribe to the theory that burying exploit/vulnerability information mostly helps the black hats, but not only does this NOT follow responsible disclosure, but this one is also an unusual and imminent/real time situation. Helping the regime catch people is no doubt an unintended consequence, but it's an unintended consequence I would never want on me.

I hope that Signal immediately reached out privately to work with these researchers. If not, Signal is in the wrong here. I tend to worry that if the researchers spoke to media, then Signal either didn't reach out or didn't explain things well. Both are not good.

The cat is out of the bag, and as mentioned before I hope to get a full explanation, but I'd rather be patient than endanger lives.

nirui5y ago

In case anybody still wonders, I guess realducksoft (the poster of this thread) is the DuckSoft on GitHub, who discovered this problem with help from another GitHub user studentmain.

They are both developers from China, which is why their English isn't very good (My English is bad too, sorry). However, based on my observation, they've spend years on the related field (Let's just call it "Secured Data Transmission"), that makes them the pros here.

So personally, I trust their discovery and believe what they have found is indeed a critical security vulnerability that could threatens people's safety, especially when the service/program was designed to put a middle finger in their government's face. I hope Signal can make something better than this (, and it seems they are trying [0]).

[0] https://github.com/signalapp/Signal-TLS-Proxy/pull/15#issuec...

Off topic: There are only 2 useful posts in the issue #15, one was the #issue-568737654 and another was #issuecomment-774982590, the others were mostly spams. I don't think it helped the situation isn't it?

Oh, by the way, I encountered studentmain once. He was the one who "recovered" the few comments that I replied to an issue under Shadowsocks's GitHub repository from the his email record. The word "recovered" is because I intentionally deleted those comments to protect myself from been exposed too much, and he just pasted everything back on including my name and ask me "why so careful". So he cares about the Privacy of the others now? Well, kudos to him ;)

eznzt5y ago

https://www.bleepstatic.com/images/news/u/1164866/2021/Feb%2...

Isn't this automatic because too many people reported your posts?

SecurityLagoon5y ago

This article could do with a little more editorial review. Apologies, I'm sure the author tried their hardest; but, it needs a good proof read.

It has many examples of weird grammar and additional or misplaced words that means sometimes the meaning of sentences is confusing.

axsharma5y ago

Added more information to the article from both Signal and the researchers.

wdb5y ago

Didn't expect anything else from Signal.

j / k navigate · click thread line to collapse