
Egypt has blocked encrypted messaging app Signal - subliminalpanda
https://www.engadget.com/2016/12/20/egypt-blocks-signal/
======
vog
With XMPP and federated messaging servers they would have at least working
infrastructure within their country.

But ...

What exactly happened that XMPP lost on mobile phones? What did they do wrong?
XMPP was there before smartphones came, had working clients, and had (for that
time) pretty decent encryption.

While I understand that big players like WhatsApp want to bind all users to
their own infrastructure, I don't understand why even the niche instant
messengers go through the burden of creating their own infrastructure (or
relying on Google's) instead of just concentrating on the client side to
provide better XMPP clients.

Is XMPP so bad that nobody wants to do that? If so, why?

~~~
moxie
> With XMPP and federated messaging servers they would have at least working
> infrastructure within their country.

Why do you think this is true? I can't see how federation is an answer to
censorship. They would simply censor access to all the XMPP providers, just as
they're censoring access to all the non-federated messengers.

Is your idea that people would spin up new providers so quickly that the
censors wouldn't be able to keep up? Every time people switched, they'd have
to rediscover their entire social network all over again, and there's an
asymmetry between how difficult it is to get everyone over to different hosts
while rediscovering where everyone is vs how easy it is for the censors to add
a single line to their block list.

It'd be way easier just to have a centralized host and have people switch VPN
providers as they get blocked, since then they don't have to rediscover each
other, but that isn't a great user experience either.

Just like with metadata hiding, really effective censorship circumvention is
going to require new protocols and new techniques, so we're going to be more
likely to see those emerge in centralized rather than federated systems (that
are by their nature difficult to update). I think we'll be able to respond in
Signal very quickly.

~~~
apichat
> They would simply censor access to all the XMPP providers

First we already know this situation with email, and we see that as a federated
protocol email is not censorable. At least not as easy to censor as Signal is.

Secondly it's not possible because there is not a finished list of providers. By
the way 1) everybody should-could be its own provider 2) everybody must use
its own domain name DNS to make addresses like greeting@name.

Solution for 1) [https://yunohost.org](https://yunohost.org) &
[https://wiki.debian.org/FreedomBox](https://wiki.debian.org/FreedomBox) &
[http://modoboa.org/en](http://modoboa.org/en)

2) for this point see
[https://account.conversations.im/domain](https://account.conversations.im/domain)
AND if the DNS is too centralized let's see GnuNameSystem
[https://gnunet.org/gns](https://gnunet.org/gns) for the address like
greeting@name see
[https://linuxfr.org/users/apichat/journaux/salut-toto-saluta...](https://linuxfr.org/users/apichat/journaux/salut-toto-salutation-regle-editoriale-et-nom-sur-internet)

~~~
moxie
> Secondly it's not possible because there is not a finished list of providers.
> By the way 1) everybody should-could be its own provider 2) everybody must
> use its own domain name DNS to make addresses like greeting@name.

Just to be clear, this is never going to happen. We do not live in a world
where computers are for "computer people" anymore. I've been running my own
mail server since 1995, and I would not wish it on anyone.

Running my own mail server has _not_ helped me with:

1) Metadata protection. Every email that I send or receive either has Google
or Yahoo on the other end of it. Running my own mail server does not help me
"own" my data at all.

2) Data protection. Federated protocols can almost never change (look at the
history of IRC, XMPP, SMTP, HTTP). Email is stuck in time, which is why emails
are still not encrypted. WhatsApp, on the other hand, had the freedom to
deploy e2e encryption to over a billion people very quickly.

3) Censorship circumvention. Email is very easy to identify and filter using
DPI. In a world where people are only doing host-based filtering, blocking 100
or 1000 hosts is no more difficult than blocking one. Whether or not there is
"a finished list," if people can discover these services, so can the censors.
It is much easier for the censors to add a single line to a block list than it
is for people to switch to an entirely different provider with an entirely
different namespace and try to rediscover all their friends.

If your idea is that every time a host gets blocked, everyone could move to a
new one and somehow rediscover their entire social network, it would be _way_
easier just to use a centralized service and access it with different VPNs as
they are successively blocked instead. That would prevent you from having to
rebuild your entire social network each time, but is still a terrible UX.

~~~
apichat
> I've been running my own mail server since 1995, and I would not wish it on
> anyone.

Yes, but the Internet is still young and evolving. Here are modern solutions:

1) [https://yunohost.org](https://yunohost.org) 2)
[http://cozy.io](http://cozy.io) 3)
[https://wiki.debian.org/FreedomBox](https://wiki.debian.org/FreedomBox) 4)
[http://modoboa.org](http://modoboa.org)

And even if everyone won't selfhost one's email or XMPP service, by owning
one's domain name (DNS or GNS) he-she can switch from one hosting service to
another. And by owning one's own domain name, he-she won't lose contact with
his-her social network. GNS is a good decentralized solution by separating
name-identifier-locator [https://gnunet.org/gns](https://gnunet.org/gns)

We have to switch from old email-JID semantic user@host to the new one
greeting@name and this is not a technical change
[https://linuxfr.org/users/apichat/journaux/salut-toto-saluta...](https://linuxfr.org/users/apichat/journaux/salut-toto-salutation-regle-editoriale-et-nom-sur-internet)

> If your idea is that every time a host gets blocked, everyone could move to
> a new one and somehow rediscover their entire social network, it would be
> way easier just to use a centralized service and access it with different
> VPNs as they are successively blocked instead.

This looks like a joke. How many VPN providers are there? Won't they be blocked?
The only thing you've done is postpone the problem and save your centralized
enclosing business.

With Signal and WhatsApp and other centralized and enclosing social networks
precisely you have to rebuild your entire social network when the service goes
bankrupt / goes the wrong way or doesn't evolve / is compromised by intelligence
agencies and law / is blocked.

Switching from Signal to WhatsAPP is very expensive because you need to
rebuild your social because you don't own your Internet name (DNS or GNS) nor
a conversation address with the semantic greeting@name.

1) Actually this is not true and even if it was it could evolve. A Google-centric
world is not the end of history.

2) XMPP is an evolution of email and it solves many metadata and data
protection problems. Conversations is a good modern solution
[https://conversations.im](https://conversations.im) With Snowden revelations
and the GAFAM domination many people do hard work to solve those problems, for
example the IETF. It looks like you don't want to solve those problems because
you want Signal to become a S for GAFAMS.

3) "blocking 100 or 1000 hosts is no more difficult than blocking one." Yes it
is more difficult because censors have to discover all these hosts. They don't
already know them. Big centralized and enclosed social networks such as Signal,
Facebook or Gmail addresses with semantic user@host are gifts to censors and
Intelligence agencies. We saw it with Prism.

Finally are there perfect technical solutions for political problems? No, no
one is perfect, no one can solve political problems. But some of them are
better than others, some make it more difficult to censor and spy on everybody. Big
centralized solutions are the worst and are not "Internet" solutions but they
are 20th century "Minitel" Telco bad solutions.

~~~
haffenloher
> Switching from Signal to WhatsAPP is very expensive because you need to
> rebuild your social [graph]

It's not and you don't, because your entire social graph is on your phone, in
your address book. That's precisely the point. As the identifiers and contact
lists are owned by the users and not by the messaging service providers,
switching between messaging services (taking your social graph with you) is
about as easy as it gets. See
[https://whispersystems.org/blog/contact-discovery/](https://whispersystems.org/blog/contact-discovery/)

------
pjc50
And this is why in _western_ countries the politics of encryption should be
regarded as a stopgap only. It's better than allowing the police to
opportunistically go fishing in your data, but it's no substitute for sound
democratic rule-of-law culture.

If politics gets to the point of having to rely on encryption as your only
protection then it's simply going to get banned and/or blocked.

~~~
onion2k
That's true, and I think it means encryption not only protects speech but also
works as a simple test for flagging nation states who're failing to protect
the basic human right of privacy for their citizens. If a country tries to
stop the use of encryption by its citizens then it's failing to do a good job,
and its citizens (and other nations) should be working to make them aware of
the problem.

------
niksakl
Isn't it "weird" that they chose to block Signal app and not the signal-
protocol based Whatsapp?

If Whatsapp really implements the same kind of security and privacy measures
that Signal does, why is Whatsapp allowed to continue operating?

If signal is preventing them from spying on users and they ban it, isn't it safe to
assume that Whatsapp is NOT preventing them from spying on users, so they let it
operate? Wouldn't you expect Whatsapp to be also targeted, especially
considering the broad user-base it has compared to Signal?

Yes, I know they had blocked Whatsapp in the past, but they didn't block it
now. Which means that something has changed in the relationship of the
Egyptian gov and Whatsapp since 2015.

~~~
HappyTypist
I believe WhatsApp encryption is not enabled in Egypt.

~~~
dodyg
WhatsApp Encryption is enabled in Egypt - source: I live in Cairo.

------
madez
Due to cutting ties with Google and Facebook as much as possible I don't use
Signal nor WhatsApp. What alternatives are there?

I have been using Tox (qTox on Desktop and Antox on phone) and XMPP
(Conversations on phone). I also tried Ring (Desktop and phone)

My observation is that there is a lot of user inertia to make people use
another chat app, and none of which I tried is in good shape to compete right
now with WhatsApp/Signal.

XMPP and Ring share the problem that encryption was an afterthought. That
alone is enough to stop widespread adoption. There must not be unencrypted
chats nor different security levels. Encryption must be transparent to the
user.

Tox doesn't share that problem, and is what I have the highest hopes for. The
clients are not yet able to compete with WhatsApp. Antox crashes sometimes,
gets reaaaal slow, and doesn't send pseudo-offline messages reliably. Multi-
Device support and real offline messaging is still lacking in the protocol.
Multi-Device support is not needed, see WhatsApp, but real offline messaging
is a must-have. Also, messages must be reliably delivered and in the order
they are intended. Tests of mine between qTox and Antox showed problems in
that regard.

~~~
akvadrako
Maybe you have reasons, but your comment doesn't make it clear why cutting
your ties with Google and Facebook means dropping Signal.

Google and Facebook started using the same protocol as Signal in the latest
versions of their messengers, but they don't interact in any way.

By the same logic you should also stop using HN because it also uses HTTP,
just like those big guys.

~~~
madez
You can't use Signal without GCM or its siblings on other platforms. I don't
have Google's Apps on my phone, so there is no GCM.

Using GCM voids your contact privacy. So Signal right now is a no-go.

I do care about whether Google knows who I contact and when. I don't want
Google to know.

~~~
sliken
Moxie is open to someone writing an alternative to GCM, but nobody has stepped
up to do it. It's much easier to complain about GCM than to replace it.

Signal's use of GCM does _NOT_ reveal who you are sending signals to, or what
is in the message.

~~~
madez
I didn't mean to critique anybody, but just pointed out why a specific
solution is not okay for me. Take it as an assessment of the situation to
understand what we have and where we want to go.

I might be ignorant about GCM. My understanding is that first you need to
register with GCM and have the connection stay online permanently. That requires
Google's Apps, which open the system to Google's Access, which clearly is not
acceptable. Secondly, Google knows that way always where I am. I do not want a
permanent connection to Google servers. Also, how does GCM know where to
deliver my messages when it can't know who I'm contacting? I'm not saying that
that is an impossible task, but to my knowledge Google isn't reliably
(reliable in the sense of keeping my privacy even if Google were to become the
attacker) solving it. [0]

Each of the three reasons given above is enough to not use GCM.

[0] [https://developers.google.com/cloud-messaging/gcm](https://developers.google.com/cloud-messaging/gcm)

~~~
madez
OK, if GCM delivers the data to Signal's servers, then Google doesn't know who
I'm contacting, but the administrator of Signal's server does. The two other
points stay valid, though.

------
aorth
It's not clear to me why Signal was blocked, though. Other governments have
blocked messaging and chat applications before, but not for the reasons you'd
think. For example, UAE blocks access to voice and video chat applications to
protect the commercial interests of the telecoms companies who offer similar
services. I'd be curious to know if other messaging applications were blocked
in Egypt too, and why.

[http://www.thenational.ae/uae/uae-telecoms-companies-told-to...](http://www.thenational.ae/uae/uae-telecoms-companies-told-to-free-up-internet-calling)

~~~
dodyg
Skype voice over 3G is blocked here in Egypt.

------
HashThis
What do people think about Telegram's
([https://telegram.org](https://telegram.org)) security vs Signal?

~~~
distances
I'm not sure if you're joking, as the topic has been extensively discussed
here in HN for the last six months, at least.

Anyway, in short: encryption-wise Signal is considered to be the state of the
art, while Telegram is sneered at due to their homegrown encryption that isn't
even enabled by default.

------
trome
I can't say this is surprising, I was talking about the potential of Signal to
be blocked by regimes with my friends a few weeks back (both the initial
verification text, and client to server communication), and here we are with
Egypt being the first to block it.

------
subliminalpanda
I'm curious as to how they intend to circumvent the censorship from their end.

~~~
aorth
Moxie just committed circumvention support earlier today. Here's the commit:

[https://github.com/WhisperSystems/Signal-Android/commit/5417...](https://github.com/WhisperSystems/Signal-Android/commit/541718fd114a6f2336222a571869e1056cd122dd)

------
fgrte
This wouldn't be such a problem if Moxie hadn't removed the ability to
communicate using SMS.

SMS is federated and very difficult to block without disrupting essential
services.

See: [https://github.com/WhisperSystems/Signal-Android/issues/2818](https://github.com/WhisperSystems/Signal-Android/issues/2818)

Of course going the route of using centralized services allows later
monetization by Moxie and his brogrammers.

~~~
jagermo
A little harsh, isn't it? They have several good arguments for ditching SMS,
as explained here:
[https://whispersystems.org/blog/goodbye-encrypted-sms/](https://whispersystems.org/blog/goodbye-encrypted-sms/)

Especially this one:

> SMS and MMS are a security disaster. They leak all possible metadata 100% of
> the time to thousands of cellular carriers worldwide. It's common to think of
> SMS/MMS as being "offline" or "peer to peer," but the truth is that SMS/MMS
> messages are still processed by servers--the servers are just controlled by
> the telcos. We don't want the state-run telcos in Saudi, Iran, Bahrain,
> Belarus, China, Egypt, Cuba, USA, etc... to have direct access to the metadata
> of TextSecure users in those countries or anywhere else.

~~~
kuschku
Yet, Signal leaks the exact same metadata, if one serves an NSL to OWS.

In a way, Moxie's argument (don't tie things to phone numbers, don't use a
centralized system for message transport) is exactly why Signal itself is so
problematic.

~~~
sliken
Whisper systems did get a subpoena: "the only information we can produce in
response to a request like this is the date and time a user registered with
Signal and the last date of a user's connectivity to the Signal service."

[https://whispersystems.org/bigbrother/eastern-virginia-grand...](https://whispersystems.org/bigbrother/eastern-virginia-grand-jury/)

~~~
kuschku
Retroactively, yes. But the NSA could just require them to log all messages
they relay between any two users – and they’d get the same metadata as from
TextSecure.

------
lep
Geez, if only there were a protocol with as good encryption but federated so
that everybody could host their own server which would make it way harder to
block…

[https://xmpp.org/extensions/xep-0384.html](https://xmpp.org/extensions/xep-0384.html)

~~~
trome
Eh, you'd have to operate a server in the country, and TLS in and out of Egypt
is MITMed and outright blocked in many areas from what I've seen when playing
with VOIP over there.

~~~
vog
At least they would have proper encryption within their country. Apparently,
depending on central services outside their country makes it too easy to
block.

~~~
trome
Then you have to deal with regulations inside the country itself, I doubt it's
a free for all inside Egypt network wise.

