>The idea behind domain fronting was that to block a single site, you’d have to block the rest of the internet as well. In the end, the rest of the internet didn’t like that plan.
That they interpret AWS and Google as "the rest of the Internet" is pretty sad, too.
That's the entire point. By making it impossible for censors to distinguish Signal traffic from other web traffic going to AWS, domain fronting forces the government censors to either 1) stop censoring, or 2) censor many important websites that people rely upon. The associated economic cost has the tendency to discourage censors, and as shown by Signal, is actually quite an effective deterrent against many oppressive regimes. This concept is known as collateral freedom.
Instead of shutting this down, Amazon could have let Signal continue. In fact, all companies should collaborate to make censorship as expensive as possible. Someone here at HN pointed out that it is very difficult for someone under an oppressive regime to speak out; this makes it all the more important for those of us who can to assist dissidents and support freedom of expression.
Any one of these federated servers could use whatever tricks they like to circumvent censorship, and yes they'd risk getting banned themselves if their circumvention measures are violating TOS of where they're hosted, but they wouldn't have to demand special treatment in the light of that, like Moxie Marlinspike did, because it doesn't happen to block the entire Signal network at once.
Their lack of federation is their censorship weak spot. I haven't heard a single reason for holding off federation from Moxie (and the "best" reason I currently can come up with is that he has issues letting go of "his baby", other reasons being more nefarious). There's a lot of strongly principled wording about why Signal should or should not do certain things, because Signal doesn't want to rely on anything but the protocol itself to guarantee its security, privacy and censorship resistance.
But really, what are these principles worth if Signal is in fact reliant on a third party (Amazon) closing their eyes to violation of their own TOS? They shouldn't be, and federation allows for that property.
And to add one more reason, it's not entirely fair to Amazon. By using the load balancing trick, the only thing that Signal risks is getting banned from Amazon, they can rent another server from someone else and set up shop there. However, by allowing Signal to continue to use their load balancing service in this manner, Amazon is risking having their entire service banned by an oppressive regime. It's not really cool of Signal/Moxie to ask Amazon to take this risk for them.
I mean, there's no need to speculate here. There's an entire blog post on signal written about why they chose not to federate just a quick google search for 'signal federation' away, and the reasons, whether you agree with them or not, are pretty solid and sound.
Your argument is that Signal should erase its differences and become like other open source crypto tools. But as you pointed out, the tool you're asking for already exists! If Matrix is already doing it right, then what's the problem? Surely everyone will switch over to the superior infrastructure and not look back.
I have a different explanation: Signal is successful specifically because of controversial decisions like refusing federation, and the reason other tools do not enjoy the same success is because of the usability compromises they have made.
The more interesting question is, how does this influence our engagement with Amazon, as members of the tech community and the business community? From hackers to founders to dev leads to CEOs we're all individuals with some degree of influence. Most of us hopefully value the idea of a free society to a great degree, because without one our industry wouldn't exist.
I have no problem with saying that the business I own will think twice about making further investments in AWS because of this. I'm less likely to recommend AWS to our customers because of it.
Businesses which host hate speech get punished by advertisers who don't want to be associated with that kind of drivel. I'd like to see businesses which enable dictators be punished in a similar way.
By the market and this community. I'd like to see more hackers and founders say hey, this company enables dictators so we are re-evaluating/freezing/reducing our investment in their products. (Pick whatever level presents an acceptable cost to you.)
The good news is that that's a myth, apparently:
"How is it the interest of Github stockholders to not censor certain projects when China starts DDoSing the whole site?"
"How is it in the interest of Cloudflare to raise the prices for all of its customers, just to protect a site Russia doesn't like?"
It can't all be about money. Companies that think only about money fail in the long term. If you don't believe that, then I urge you to watch this Simon Sinek video:
Isn't it begging the question to parent's point?
Slavery? Fine. Assisting with genocide? Ok. Human trafficking. Sure, as long as we’re making money. Now consider the likes of Facebook or Google. If Iran wanted to purge an ethnic minority from their country and offered a government contract to Facebook to help identify said minority, how is it in the interests of Facebook stockholders to prevent genocide in countries ruled by dictatorial regimes?
Finally, if what you say is correct - that in the current system the wealth of the shareholders is what matters most - I think the broader question becomes: “Why should western democracies continue to permit laissez-faire capitalism if it refuses to impose any ethical or moral boundaries on itself?”
Google was ballsy to exit from China, but I doubt others are the same.
Wall Street judges a company by how much money it makes. GDP is how countries and govts are judged. The metric is delivering the result.
What does that have to do with other nations and their laws? The censoring issue here is in a foreign state and not caused by capitalism but a lack of it. AWS is not international police so you should focus on government if you want to see political changes.
Wow. Is this not but a new form of political asylum?
I'm not saying Amazon is evil or anything, but if a bunch of hugely important customers started getting their traffic blocked by huge geographic segments due to another unrelated customer.... business is business.
This is a real shame and I wish there was a viable option open to Signal, it's an important app that provides a valuable service, but they really should have seen this coming.
Amazon's general stance seems to be "spoofing is bad and makes the internet less reliable, so we're opposing it even here". It's understandable, but I think also thoroughly unjustified. If the objection is "Signal plans to impersonate us without our permission for a good cause", one obvious response is "so let's give them permission".
(Not coincidentally, this is a reasonable alternative to a lot of corporate heavy-handedness. Fighting trademark erosion by slapping down small businesses falls into much the same category - an alternative to coercing harmless-but-unauthorized users is to authorize them.)
Not always. For example, the Foreign Corrupt Practices Act prohibits U.S. companies from bribing foreign officials, even if the practice is accepted or prevalent in a foreign nation. Just because another country has a particular policy does not mean we have to allow our companies to play along.
Er, no; in every "free" country, trade/export restrictions are still a thing. US corporations can't sell to North Korean citizens, or even Cuban citizens, despite not being in a state of war against either. And "munitions" (e.g. what encryption algorithms used to be) can be traded hardly anywhere. Just call censorship-enabling technologies "munitions" and it neatly solves the problem of who exactly US corporations can give them to.
That regulation is only in place to protect the established players ... and to ensure the CIA decides who gets the weapons.
Nonetheless, among such regulations, designed to make private companies somewhat work for the general public interest, we can include not aiding censorship.
I guess you meant "duty" instead of "right"; and respecting the sovereignty of other nations means they can block any site they like or even internet itself if they desire, but it doesn't mean we have to allow local companies to comply with laws from those countries.
>As you note, private companies are typically free to do as they please in free countries...that's kinda the point.
That's not the point at all; let's put it this way, companies are NOT free to poison the water we drink or even poison the water other countries drink just because their governments tell them to do so.
This nearly made me cough my lunch over my keyboard.
Countries tend to have the habit of respecting other countries sovereignty right up until they don’t, at which point they will invade and occupy the other. Or carry out a proxy war, etc.
Even that is too generous. Which country of any influence doesn’t have at least a few spies getting about doing their spying? Which major players aren’t subverting the course of things in at least a handful of regions at any time?
Except Google isn't in China, and last I heard important events still happen there...the world isn't as FANG centric as western media would want us to believe.
Stands for Facebook, Amazon, Netflix, Google, apparently.
So you do use it for search.
And two of these companies are probably hosting some of the websites you visit.
Perhaps some of the sites I visit are hosted on Google, but since I stopped visiting reddit (the awful redesign was the last straw), I see very little traffic hitting AWS or GCP IP ranges. Part of that is probably uBlock Origin doing its thing though!
where did you hear about this? :)
Not sure what you mean, I didn't see Napster fighting for censorship nor Craigslist fighting for FOSTA.
How is that a liberal fantasy? I thought the standard liberal belief is in heavy regulation of business?
Or do you mean "liberal" in the general "lots of liberty" sense and not "in the liberal political camp"?
This is a difficult bit. There are many different ideas about conflicting rights. Without going into these ongoing debates it is enough to say that liberalism is a big tent philosophy. It encompasses "left wingers" in one end where the state has many responsibilities to uphold individual liberties. At the other end are libertarians who say there is no need for government intervention for individuals to pursue their own ends. People can argue about rights and still be correct in calling themselves liberals.
It is the dominant overarching ideology in America (the American “founding fathers” were mostly devoted liberals) and Western Europe, and there are many disagreements among different sorts of liberals.
Edit for the downvoters: I'm not saying I agree with how Libertarians are seen, just reporting what I've observed. I tend to lean Libertarian on a lot of issues (freedom of movement, freedom of and from religion, live and let live, the right to be left alone, and so on), while also being a socially progressive liberal.
Terms like "liberal" and "conservative" are virtually meaningless.
They're not pretending to be Amazon, they're pretending to initiate a connection to an Amazon domain. The "conversation" goes like so:
Clear text request: "Hello, I would like to speak TLS with souq.com"
Clear text response: "Why yes, let us do that with these parameters"
Encrypted request: "Please give me the page for signal.org/api/whatever"
There is nothing on the server side which is masquerading as Amazon or Google. There is no impersonation or spoofing whatsoever.
This is akin to making a DNS lookup for a different domain to find the IP of a service which you know is hosted on the same machine.
While it seems to me that this is clearly not actually violating Amazon ToS, I can understand why Signal must give up on this approach.
As an aside, I’m not sure why this doesn’t break SNI, or exactly when or how the certificate gets switched out over to Signal’s cert and private key. The whole point of putting the domain in the ‘Client Hello’ is to get hooked up to the right cert for the rest of the negotiation when there isn’t a 1:1 mapping of IP->Cert so to switch the GET domain/path later on would, I assume, require restarting the key agreement, which I’m surprised doesn’t blow up the TLS session and require a new clear text ‘Client Hello’.
The way I understand it, the connection really _is_ using amazon’s cert+key, not Signal’s cert+key.
Is signal (the server side) using amazons’s cert+key? Not technically.
I also found this paper on domain fronting to be a very good read - Blocking-resistant communication through domain fronting 
 - https://docs.aws.amazon.com/AmazonCloudFront/latest/Develope...
 - https://www.bamsoftware.com/papers/fronting/
How might this be noticeable? Like so:
1) (irrelevant) the SNI and certificate presented by the server don't match the request -- only the hoster can see this, so what might they care?
2) (serious) metering: if the hoster uses SNI for metering... then Signal would be stealing the fronter's bandwidth
3) (mild) DNS metering: the fronter's domains will see more DNS lookups not related to serving the fronter's content
3 seems just wrong. Where does the DNS lookup take place? Why would the fronting server look up the SNI entry?
Are you 100% confirming that the encryption takes place using Souq's cert? Obviously it isn't going to display in a browser, but I'd wonder if there was something else you could do with it.
- This most definitely is against the CloudFront terms of service. See the linked article if you disagree - the ToS is quoted there.
- One direct impact to the owners of the SOUQ.COM domain is that their DNS query volume will increase drastically. They have to pay for those queries. Would you like it if your side project all of a sudden got a 6 figure DNS bill because Signal decided they want to piggyback on your domain to route around censorship?
In this hypothetical example, is my side project doing $178,000,000,000 of annual revenue like Amazon.com? If so, I'd like to think I'd be honored to help subvert censorship by oppressive regimes.
It's souq.com, which is a wholly-owned subsidiary of Amazon. https://en.wikipedia.org/wiki/Souq.com It's an e-commerce site targeted at the middle east that Amazon bought as their play for that market.
Signal deliberately chose it because it's an Amazon domain, so governments would be reluctant to block it.
For the record, I'm of the opinion that the US should insist that American companies not help dictators abroad in their censorship efforts. But it's hardly unreasonable for Amazon to say, "this type of stuff is illegal in Egypt. We don't want any trouble, so please stop using us as a means of circumventing Egyptian law."
Just unethical, hence the discussion.
They don't want customers breaking terms of service, whatever those terms are, and especially when it means the rest of their customers are affected. It's not a single company involved here and they're looking out for everyone else they serve.
I think maybe you're trying to express that under a free market ethical framework, AWS has done nothing wrong here. Which is true, and an insightful indictment of the free market as an inherently liberatory force.
Signal had a strategy, but it involves breaking the terms of service, so that vendor has no reason to comply and put the other customers at risk. Signal just needs to figure out another option. It's a technical issue and nobody is stopping Signal itself. AWS will still host them just fine as long as they follow the terms.
By the way, the free market is what allowed companies like AWS and Signal to exist in the first place, and lets you contribute effort and money if you'd like, so perhaps you should widen your context before throwing around indictments.
I don't think Amazon's reasoning was "oh, let's help dictators dictate", but more "hey, isn't this a potential security hole ripe for abuse that would make us look incompetent?".
Asking a private corporation to be international police is not good for anyone, as well intentioned as it may seem.
> Asking a private corporation to be international police
This implies only police can and does enforce cultural and moral norms. This is the exact opposite of the correct order of things - the police should be preventing or punishing crimes, like theft, robbery, rape, murder, etc. - and people themselves - individually or in organized groups, like companies, NGOs, voluntary societies, etc. - should be creating and enforcing moral norms. You cannot just delegate this to "the police", be it national or international.
Thus, asking Amazon to take part in helping to create an international norm of upholding free speech is reasonable. And their refusal is morally despicable.
Nobody is talking about cultural norms here. The story is about Signal being used to help those in oppressive societies with active censorship, not some differing cultures. And "police" is a form of expression, not literally a police department.
Asking Amazon to do anything political is absurd because it's a corporation that should be focused on its paying customers, none of whom would appreciate unwillingly being affected by Signal intentionally breaking their terms of service. Do they suddenly not matter?
It's morally despicable to just expect and force others to help you in your causes, no matter how noble (you think) it is.
Regardless, what actually isn't proper is expecting major corporations to do police duty. That never ends well.
Are you sure you still feel that committing a war crime and doing what philosophers and statesmen and lawyers consider the "supreme" crime is really worse than "expecting major corporations to do police duty" ?
I think part of your argument is reasonable to a point that two people could, in good conscience and respectfully, disagree. Maybe governments are better suited to handle this (via what is known as soft power).
But as long as you take such an extreme position that cannot be defended (it's better to wage a war of aggression than to have amazon stand up for Signal), you're just commenting for yourself. No one is going to engage you in meaningful discussion, because even when it gets pointed out that you're advocating for a war crime, you can't even say "well ya, maybe that was a bit extreme."
1) As noble as the cause may seem, it would be better for everyone if massive corporations just focused on business instead of politics. It's reasonable, predictable, and safer. Signal is not affected by this, it just means picking a better option than breaking terms of service.
2) The correct process for citizens of a country is through government diplomatic and military action, especially when concerning other foreign states. That's all I said, and another poster specifically asked about the military in which case the option is called war. This entire story is about oppressive powers, most of which are disabled through military action, so it's not a strange concept and nowhere is a war of aggression mentioned.
Perhaps take a step down from your moral high ground and try to comprehend the entire conversation before telling someone that they are advocating for war crimes, that would be much more helpful if you want a meaningful discussion.
I find that chilling.
What I said is that if someone has an issue with another country (oppressive or otherwise) then they should use political means to influence change through their (and foreign) governments. As the commenter specifically stated the military, war is how that change is done in that case.
Should any government coerce me into paying a large DNS bill just to sponsor freedom of speech? Even if it is a noble cause, we shouldn't coerce innocent 3rd parties into doing this.
It's more like this:
Clear text request: "Hello, I would like to speak TLS with host souq.com and encrypt my connection with a key signed by souq.com"
Encrypted request: "Actually I meant host signal.org, but please route my request anyway since both hosts are being routed by this service. Please ignore the fact that my symmetric key for this connection was encrypted and transmitted using the keypair of souq.com."
This is similar to buying a train ticket to a nearby stop, using it to get on the train, then getting off at a different stop because you know they won't check your ticket again.
Google and Amazon are now adding an additional ticket check.
There's no need for the ticket to match. They're not traveling on any rail segments they weren't supposed to be on.
It seems to me Amazon should just close their loophole rather than threaten to kick signal out of the server side.
So while they don't do anything fishy on the server side they still took care to put their servers there for a reason. And since they also write the client code it's not difficult to show that the intent is to impersonate Amazon to 3rd parties.
Interestingly it seems that amazon couldn't really complain if the people writing the client were independent from those maintaining the servers since the spoofing code is entirely in the client. Although in the end I'm sure if it turned out to be a problem for them they'd just enforce that the domains match the HTTPS query and remove the technical possibility of fronting altogether.
This might be the only possible outcome given a corporation's legal responsibilities to its shareholders etc, I don't know all that well enough, but I think it's still justified to lower my opinion of Google and Amazon because of this.
Personally this weakens my view a little, but is not enough to change it substantially.
EDIT: Not supported by Cloudflare.
It is of course up to Amazon what their servers then do when presented with such a connection, in particular whether they ensure the Host: header later presented matches the SNI data.
This doesn't seem quite accurate to me. They are not making an assertion that they ARE Amazon or Cloudfront. They are avoiding making an assertion that they are anybody, by using a shared facility. It's a bit like using a public payphone to avoid being identified. When you use a public payphone, presumably the call originates from a line owned by the phone company, but nobody accuses you of attempting to impersonate the telephone company by doing that.
This may still be a violation of the TOS, but people should be clear about the actual intent of what is being done.
Signal is/was connecting to Google or Amazon servers with an HTTP Host header of google.com or souq.com, respectively—and only in Egypt, Oman, UAE, and Iran! Google and Amazon could have easily allowed this or even looked the other way.
So basically censorship worked, albeit not how we thought it would. Sad for people in those countries who were relying on Signal for private communication. Who will stand up for us when we lose ours due to some business decision?
AWS and Google could throw their considerable weight on the side of anti-censorship and openness. They instead chose - as businesses frequently do - to play along with oppressive dictatorial regimes so it won't cost them a couple of bucks extra. That is pretty sad.
"to be Earth’s most customer-centric company, where customers can find and discover anything they might want to buy online, and endeavors to offer its customers the lowest possible prices." - https://www.amazon.jobs/working/working-amazon
"Organize the world’s information and make it universally accessible and useful.” - https://www.google.com/about/our-company/
"Founded in 2004, Facebook's mission is to give people the power to build community and bring the world closer together. People use Facebook to stay connected with friends and family, to discover what's going on in the world, and to share and express what matters to them." - https://investor.fb.com/resources/default.aspx
It's interesting how these mission statements present vastly different goals.
At what point is something a public utility? If everyone abandons their servers for cloud providers you are at the whim of the corporate political stance of where your machine is hosted.
Somehow dozens of companies are discussing pushing for societal changes every day. Just recently a bunch of companies discussed severing ties with NRA (which didn't hurt a single living soul) and stopping selling firearms (which would not, indeed, lead to any societal change but at least the declared goal, even if unattainable, is to do exactly that). In another topic, there's a link on political manifesto by SO leadership. Social activism is everywhere in the business world. But when it's about something that may save somebody's life in Iran but cost some $$ to the company, it's suddenly "not their job". Nope, you can't do both. If companies avoided social activism altogether and were completely neutral and apolitical - I could accept that. They are not and haven't been for a long time. You can't just turn on one place and say "we do social activism everywhere but not where it can offend Iran". Or, you can, but that would be, as I said, cowardly and disgusting.
Even something seemingly innocuous like Google search's front page doodles are chosen and curated.
The cause is noble, but the mechanism is dubious: it can be viewed as, in effect, saying to oppressive regimes “to harm me, you must harm a bunch of innocent bystanders, too”.
Which, questions of morality in the abstract and consent aside, seems to gamble pretty heavily on sensitivity the regimes of concern are decidedly not known for.
Why do you think they don't?
That doesn't change the dubious nature of it. Putting other valuable services at risk for a single service's gain is clearly dubious.
Just to be clear, I am not affiliated with Signal in any way. I am just a user.
> "your freshly minted wiki page"
I am a regular contributor to Wikipedia, and I created the article on "collateral freedom" in January 2017 when I came across the topic because it satisfied Wikipedia's notability guidelines.
Point taken, I'll be more careful in the future.
> "kind of dodgy to do without mentioning that you wrote it"
The article is completely neutral, cites reliable sources, has been reviewed by another editor, and abides by all Wikipedia policies. I do not personally gain anything from posting it here.
I didn't think the fact that I initially created the article was relevant to this conversation, because for all intents and purposes, it does not make a difference. The article meets Wikipedia's standards, and anyone is free to edit it subject to the applicable content policies.
Innocent of whatever violation of local law the regime is targeting the app for.
I counter it would be more immoral to put, say, the retirement funds of firefighters and teachers at risk to achieve what is the responsibility of, say, the State Department?
Further, the fiduciary myth is silly as a premise upon any inspection: legally who gets to decide what's the one right ideal path for optimizing shareholder value, such that if you don't follow The One True Path then you're failing shareholders. Any other path than the single best one, would be inherently defined as failing the fiduciary responsibility to maximize shareholder value (which is another way of saying: legally it's an impossible concept to implement; and logically it's stupid, it falls down instantly, no person could know the maximization path at all times). It doesn't pass even a minute of rational intellectual scrutiny.
Russia BTW bombs civilian targets like hospitals and they killed their own bank sites when they tried to block Telegram recently.
People don't realize doing stuff like this is just going to make lives worse once these regimes block Amazon/Google/whatever.
In this case it's just like being in a city. They're not trying to take advantage of any particularly sensitive institution.
They are. Amazon. And previously, Google.
The worst-case consequence is not people losing access to Amazon store, but losing access to anything that's powered by Amazon cloud. People operating all kinds of services hosted on Amazon servers are the patients and hospital staff from my example.
A ban of a cloud service affects everything else that depends on it. The more popular a service, the more damage. That's the point of "collateral freedom".
(Note the name of the term. It's no accident. It comes from "collateral damage".)
But if they were going to nuke the city? Fuck them, don't negotiate, it is absolutely not the fault of any group that is merely located somewhere inside the city.
My point is - by employing domain fronting against censorship, you bet that the adversary will not ban the service you're using as a front. But they very well might just do that. At this point, everyone else using the service suffers. So that service, by refusing to be used as a domain front, is not just protecting its own interest - it's protecting interests of all the others who depend on it. You, on the other hand, are unilaterally putting those other people at risk. This does not make you a hero, it makes you a villain (even if a lesser one).
The domain fronting could be set up in a way that doesn't spoof domains, and the risks would be exactly the same. The spoofing is a red herring. The issue is the mere idea that a censor would be unable to tell what domain a connection is for. The actual thing that puts people at risk is ridiculous to attack on a moral basis. It's the same as just existing in a crowd. Not grabbing someone to be your shield.
It's like helping Assad to find targets where people with opposing views live.
I mean, that made the shareholders money, right?
"Databases" is maybe not the right word?
Not a historian.
Whatever Amazon's reason is it's not that they lost some Russian banks for a week.
Since the plain text has the fake address while the encryption has the true address, I see no issue with this.
The core point being: Signal isn't using Amazon as a shield - it's using every single customer of Amazon as a shield.
In a regular connection (even using a CDN), those two will match. Using domain fronting, you put a popular domain in the unencrypted part, and the real domain in an encrypted HTTP header.
Due to how they're implemented, the load balancers at Google and Amazon will ignore the first (unencrypted) layer, and will send the traffic to the correct server based only on the encrypted HTTP header.
Regular browsers always send the same domain in both layers, only a custom app like Signal can perform domain fronting.
Or curl, or openssl s_client. I'm still trying to understand domain fronting, and exactly what is being disallowed now. Do all of my CDN requests have to have identical Host headers and TLS server name indicators now? What if they're mismatched? Does the TLS handshake still succeed, and the traffic just doesn't get passed through the CDN server?
> I'm still trying to understand domain fronting, and exactly what is being disallowed now. Do all of my CDN requests have to have identical Host headers and TLS server name indicators now? What if they're mismatched? Does the TLS handshake still succeed, and the traffic just doesn't get passed through the CDN server?
Well, the current conflict is with Amazon; your CDN might or might not object to domain fronting.
Amazon is not saying that they must match, they're saying that you can't use someone else's domain for domain fronting without their permission. That is, if the domains don't match, whoever owns the domain indicated in the TLS server name must give express permission to do that.
I don't think their infrastructure can actually block it, they just ban your Cloudfront account if they happen to know this is going on. So you can probably get away with it if you keep quiet and nobody finds out.
Yeah, understood, I meant CloudFront specifically.
> I don't think their infrastructure can actually block it
If I terminate TLS at CloudFront they can certainly compare SNI with the Host header and block on any mismatches. This is silly of course, since there are legit reasons to do this.
You answered my question though. Thanks!
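As an added illustration of the SNI-versus-Host comparison described in the reply above (example code written for this page, not Amazon's or Signal's): it builds a constructed ClientHello, extracts the server_name extension, and applies an edge policy that allows a mismatch only when the SNI domain has granted permission to be fronted, which is the rule the thread attributes to Amazon. All domain names and the permission table are placeholders.

```python
import struct

def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS ClientHello record carrying one SNI entry."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name         # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list    # extension 0 = server_name
    body = (b"\x03\x03" + bytes(32)                # legacy version + 32-byte random (zeros, constructed)
            + b"\x00"                              # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
            + b"\x01\x00"                          # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)   # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None if absent/malformed."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 43                                       # 5 record hdr + 4 handshake hdr + 2 version + 32 random
    pos += 1 + record[pos]                         # session id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher suites
    pos += 1 + record[pos]                         # compression methods
    if pos + 2 > len(record):
        return None
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        pos += 4
        if etype == 0 and elen >= 5:               # list len(2) + name_type(1) + name len(2)
            name_len = struct.unpack_from("!H", record, pos + 3)[0]
            return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += elen
    return None

def fronting_policy(sni, host_header, permitted_fronts):
    """Edge decision: allow when SNI and Host agree, or when the SNI domain's owner
    has explicitly permitted Host to front through it; otherwise block."""
    host = host_header.split(":")[0].lower()
    if sni is None:
        return "block"
    sni = sni.lower()
    if sni == host or host in permitted_fronts.get(sni, set()):
        return "allow"
    return "block"
```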
Want to censor the internet, fine, send your citizens back to the dark ages; see how long it is until they protest or move.
They aren't going "to realize that they are being an oppressive regime" and have an epiphany where they realize, "Hey maybe I'm an evil dictator?"
If you are up for reading, I highly recommend Michael Malice's book, Dear Reader: The Unauthorized Autobiography of Kim Jong Il. After reading that you will completely understand why "see how long it is until they protest or move" is a silly thing to say.
> We simply need to shift the incentives by making it financially expensive to censor. This is known as "collateral freedom"
In this context, "making it financially expensive" means "banning us would also mean banning lots of other unrelated services, which will have negative impact on both economy and morale of the population".
In the same way, in warfare, using civilians as human shields is "shifting incentives", making it PR-expensive to strike you down.
In both cases, an authoritarian government may be willing to eat the loss and deal with you anyway. And in both cases, you're the one putting innocent people in harm's way.
Refusing to put those labels on packets is not putting anyone in harm's way. It's a refusal to help them treat certain classes above others.
> They aren't going "to realize that they are being an oppressive regime" and have an epiphany where they realize, "Hey maybe I'm an evil dictator?"
Not to mention that, in a truly oppressive regime, people don't have the liberty to either move or protest.
I wonder if you could give TL;DR on this, assuming there is something else than the basic prisoner's dilemma going on?
There are a few factors involved (and please bear in mind I'm leaving out a lot of detail here, and this is nowhere near a comprehensive list).
1. There is extensive "brainwashing" regarding the great leader. He is praised for everything. There's a famous story about a western optometrist who performs a surgery that is routine everywhere else in the world, but rare in N Korea, that restores eyesight. The first thing people often do after receiving their sight is not thank the doctor, but praise a poster of the great leader, thanking him for restoring their sight (I think this was a Nat Geo thing but I don't remember exactly).
2. There is a culture of tattling that heavily incentivizes ratting out your friends and family to the authorities. You will be punished for even having unclean thoughts, let alone taking bad actions. The pervasiveness of this makes it such that people often self-report themselves for thought crimes due to feelings of guilt or concern over getting turned in by friends/family (you may do less time in the prison camp for self-reporting).
3. Families are harshly punished for actions taken by their family members. This means that if you escape, your family will be likely killed or sent to prison camp. If you die in camp, your son/daughter/father/mother will have to take your place to finish your sentence. Thus even suicide/death in prison camp is a betrayal of your family. There is no way out.
IIRC you couldn't tell if they were genuinely thanking the Dear Leader or putting on a show for the secret police.
A difference would be like America and North Korea and taking away the internet. The vast majority of Americans use the internet and it is an integral part to their lives. You take it away and they would riot in a heartbeat. On the other hand if you have a regime where the majority of people never had access to the internet (or any whatever), taking it away does not cause a riot. The small groups of people that had access won't have the critical mass needed to cause such a riot.
The point is not to make a dictator to realize "Hey, maybe I'm the baddie" but "If I take this away then someone will stage a coup." Dictatorships tend not to be very stable regimes. It is hard to balance the line of power and being overthrown.
TLDR: People care much more when you remove something that is already integral to their life. Not so much if it isn't.
I'm not certain that this is true.
No American Dictator would just outright ban the internet, no they'd say they were protecting children and blocking terrorists, and require internet providers to block that content.
Anyone arguing that this is censorship would be branded as a supporter of child pornography and terrorists.
A few more steps along that line and what you have is no longer the internet as we know it, but PatriotNet(tm) (insert waving flag, anthem, etc).
Do it enough subtle steps and they'd get away with it without anything more than a few grumpy "libtards" complaining on TV.
If you want Amazon to stop doing business with oppressive regimes, contact your politicians about sanctions.
And if the solution was to force Amazon to block any access from their servers to those oppressive regimes, that wouldn't help Signal at all, because they too would be blocked.
For the record, U.S. politicians have voted on sanctions on Russia for cyber crimes and brought representatives to the UN raising the issue of their human rights records.
Indeed, the US nearly destroyed Russia's largest aluminum company - Rusal - recently in a sanctions move against an oligarch close to Putin (Oleg Deripaska, who owns the majority of Rusal).
The best way to deal with oppressive regimes is generally to go through powerful political bodies/groups, whether the UN, G7, or US Congress. The impact a company like Amazon (or Google, Facebook, etc) can make is very trivial. So trivial as to be meaningless to a typical oppressive regime. Congress, in tandem with large allies, can hammer, e.g., Russia's primitive industrial economy, by comparison, with targeted sanctions on steel, aluminum, whatever.
"On April 23, however, the US government gave Rusal's American customers "more time to comply with sanctions", even saying it would "consider lifting them if United Company Rusal Plc’s major shareholder, Russian tycoon Oleg Deripaska, ceded control of the company." Department of the Treasury gave these clients until October 23, 2018 to comply with (wind down business) the Rusal sanctions."
For the record, Deripaska is no friend of Putin, who forced him to start paying tax and stay out of politics.
Look at how Putin humiliated him several years ago during an industrial dispute, when Putin took the side of workers against Deripaska.
 - https://www.youtube.com/watch?v=0XfbWnDXCx8
Look to Mikhail Khodorkovsky to see what happens to those that aren't Putin's friends.
They simply don't care.
Cuba defied an aggressive embargo by the US for ~50 years, which is partially responsible for Cubans typically having present incomes of about $20 per month. By contrast, Haiti, which is one of the poorest nations on earth, has a higher median income than Cuba. The Castro brothers were simply unmoved by the extreme financial consequences (and the people of Cuba also did not topple them across more than half a century).
Similarly it didn't work against North Korea across 60 years. Even while the North watched South Korea develop and grow into one of the 20 or so richest nations.
It also didn't work very well against the USSR. The West heavily limited its trade and economic cooperation with the USSR across the entire post WW2 era until their collapse. The West rapidly developed advanced technological economies, the USSR did not, their people suffered extraordinary poverty and backwardness. The regimes in Moscow didn't care. What finally brought down the USSR, was the collapse of the price of oil brought on by a strong dollar shock in the late 1980s (by contrast they were doing far better economically in the 1970s and early 1980s as the price of oil was very high).
Hoping that they'll throw their hands in the air and give-up instead of blocking AWS etc is naive. The people making the decision don't suffer the consequences as do their subjects.
Imagine how much worse it would be if it was under an oppressive regime, with strict internet censorship.
Also, AFAIK, China hasn't been able to recreate GitHub. Since GitHub is HTTPS-only and China needs it enough to not block it, a lot of censorship circumvention tools are available in China through GitHub.
As a side channel, DNS over HTTPS still works even with TLS to google.com and then putting Host: dns.google.com into the header. Frequent updates to applications and push notifications can be used as side channels too. You can also register a bunch of domain names ahead of time using a hash of the current day, month, year and then let the app generate domain names to query on the fly and query them over normal DNS. The censor would need to reverse engineer the app to figure out the domain generation algorithm.
To make proxies hard to enumerate you can shard the mapping of ids/phone_numbers to proxies in such a way that each id receives multiple proxies using multiple different sharding schemes. This not only makes it harder to enumerate, but also lowers the chances of someone else obtaining the same set of proxies as the censor and rendering the app unusable. Changing IPs then forces the censor to chase you, but never really catch you to censor the app.
But I do think building a peer-to-peer network instead of proxies is a better idea for circumvention.
But yeah, having seeds sharded per id/phone_number the same way I proposed above could make it pretty much unblockable.
The same thing just happened with Telegram in Russia which explains the preemptive messages: https://arstechnica.com/information-technology/2018/04/in-ef...
Right, because of the risk of being blocked.
It is their right, but to say it's not motivated by a risk of censorship is pretty disingenuous.
(I have no horse in this race. I'm merely contextualizing the debate)
It's entirely their right of course.
It's not a single company here, thousands of businesses rely on AWS and don't want their service disrupted because of Signal.
Time to look for another option then, like any other technical challenge. I support Signal's work here but unfortunately we can't just enlist every other business to help (otherwise censorship wouldn't be much of a problem in the first place).
But we should! Telex and other solutions based on collateral freedom have huge potential to disrupt censorship from the outside.
That's the plan. This is covered briefly in the second-to-last paragraph.
> so it was never really viable
Signal remained running for more than a year and a half in several countries that were actively trying to censor the service.
How do you encrypt SNI for cold start? For a future connection, I could see how, but at that point you may as well simply do a resumption.
... is the current state of work on this problem.
It's true that encryption (within the desirable parameters discussed in that ID) costs us a round trip, but it might be worth it for most of us most of the time.
Keep in mind the TLS you're using today for most sites has a 2RTT setup, and we put up with that (if you have a modern browser and go to some major sites you end up using TLS 1.3 draft 23 and thus 1RTT).
The doc you sent is titled SNI encryption, but is really about tunneling a client hello through a proxy, and provides for the proxy to not send its own server hello, but only send the origin server's server hello. That's interesting, and should be useful for domain fronting and as a general purpose TLS proxy with fewer layers, but it's not really encrypted SNI.
In TLS 1.3 that 1RTT completes the handshake, so as the client we know who we're talking to.
That SNI draft is the result of interested parties coming up with a list of desirable properties for SNI encryption. If you have a better idea that satisfies those properties you absolutely should propose it.
When a server has multiple identities to choose from, and the client has not previously communicated with it (and has no out-of-band information), as far as I can tell, either the SNI has to be in plain text, or it could be encrypted with an untrusted DHE key (which only eliminates passive detection).
Way upthread, bscphil wondered if [big companies] will oppose encrypted SNI to avoid having their IP ranges banned, but their business reasons don't really flow into a decision not to do impossible things.