I get why the Signal team wanted something to use HTTPS, even networks with completely insane firewalls accept it and they get to reuse existing domain fronting code, but existing tools continue to be viable in Iran and would have made much more sense in the circumstances.
[1] https://blog.torproject.org/learning-more-about-gfws-active-...
[2] https://github.com/Yawning/obfs4/blob/master/doc/obfs4-spec....
Some projects don't want to discuss issues on GitHub and prefer a forum they have control over; that's totally understandable.
I'm not gonna sign up to the fivetrillionth forum or bug tracker for your special snowflake software. If you don't allow bug reports via GitHub issues, you won't get mine.
I am DuckSoft on GitHub and I prove my identity by GPG signing this message.
I am not typing too fast, nor pasting all my stuff into the comment area. I just put a link to the GitHub issue. The discussion board even automatically extracted title and abstract for me, where I thought, 'pretty cool huh'.
Then I got banned.
They're generally dismissive, especially so about design problems that cause a large number of bugs that are strewn throughout Signal, like their handling of message timestamps/sync and dismissal of the IME concerns.
Although I do wonder why Signal didn't reuse the work Tor did with obfuscated bridges.
TLDR: DuckSoft got autobanned because they typed too fast (copy pasted their post into the forum) and had a false positive from spam detection. No comment yet from devs on issue.
Edit: removed my personal preference that seems to be being confused as saying Signal should use GitHub. Signal can do what they want, that's fine. But be clear.
https://community.signalusers.org/t/tls-proxy-server-unable-...
Some people would prefer to use their own issue tracker or discussion forum. I don't see that as strange at all, given that with GH issues you don't have full control over the data or experience.
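
    import (
        "crypto/tls"
        "fmt"
        "log"
        "net"
        "time"
    )

    // send opens a TCP connection to addr, performs a TLS handshake with
    // ServerName=server, then layers a second TLS session (ServerName=sni)
    // inside the first and writes a plain HTTP GET through it.
    // It returns the number of bytes written, or 0 if the write failed.
    func send(addr, server, sni string) int {
        c0, e := net.Dial("tcp", addr)
        if e != nil {
            log.Fatal(e)
        }
        defer c0.Close()
        // Outer TLS session; certificate verification is disabled.
        c1 := tls.Client(c0, &tls.Config{
            ServerName:         server,
            InsecureSkipVerify: true,
        })
        // Inner TLS session carried over the outer one (TLS-in-TLS).
        c2 := tls.Client(c1, &tls.Config{
            ServerName:         sni,
            InsecureSkipVerify: true,
        })
        c2.SetDeadline(time.Now().Add(2 * time.Minute))
        s := fmt.Sprintf("GET / HTTP/1.1\r\nHost: %s\r\nUser-Agent: curl/7.68.0\r\n\r\n", sni)
        //b := make([]byte, 4096)
        // Capture the write error; the original discarded it and re-checked
        // the stale error from net.Dial.
        l, e := c2.Write([]byte(s))
        log.Println(l)
        if e != nil {
            return 0
        }
        log.Printf("%s->%s->%s\n", addr, server, sni)
        return l
    }

Afaict, it's not like they are reporting a drop-everything issue. Did anyone actually think that a determined adversary would not be able to distinguish between one of their proxies and a generic TLS server, given sufficient resources?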
Because people aren't clairvoyant and it is reasonable to assume that people that post stuff on GitHub accept issues, just like the main Signal account does. The generic message, without original clarity in how to note an issue, is easy to interpret as being ignored. Especially as they had a false positive ban being flagged as spam. I understand Signal's pov and I understand DuckSoft's. I think Signal has the higher responsibility in clarity than some random person trying to note a flaw they found.
Look, you can like Signal and still think they made the wrong move. I've used it every day for years and converted the majority of my friends. No one expects Signal to be perfect.
Luckily they have a generic message to read. No clairvoyance required.
I'm not defending Signal here because I just like Signal. Almost any other open source project would have responded the same way. Many would probably have been less polite about it. If you send a personalized note to everyone who reports a bug incorrectly, you won't have any time to actually fix bugs.
Edit: I agree though that the false positive spam ban is a bit unfortunate. Shit happens sometimes. I maintain the generic message was totally reasonable and they should not do anything different in that regard if they could do it over again. The spam ban however was understandable but obviously should not have happened.
If you are serious about privacy and secure messenger, you just can't brush off such issues.
[1] https://twitter.com/realsexycyborg/status/119769536810582425...
[2] https://community.signalusers.org/t/signal-should-warn-users...
[2] https://www.theverge.com/22249391/signal-app-abuse-messaging...
Signal should focus on problems they can realistically solve.