Signal has managed to gain a huge number of active users after Elon Musk’s tweet and numerous other recommendations from key personalities, including Edward Snowden, who regularly recommends using Signal.
Undoubtedly, Signal is one of the most private WhatsApp alternatives available out there.
However, a recent incident, in which security researchers from the Anti-Censorship community reported a critical flaw in Signal’s censorship circumvention technique for Iran, has led me to think about how Signal as a company responds and presents itself to the open-source community in general.
Are they doing something wrong? Should they work on improving their communication with the community? What exactly is going on?
In this article, I will try to share my opinion (limited to my point of view and research) on how Signal addressed the issue and how I think they should have.
Note: Of course, I understand that they have a small team and aren’t obliged to respond to everything considering their brilliant work on the app. I’ve tried to reach out to them in the past to create content that could have helped our readers know more about Signal while being a user since 2014 and did not get a response. So, that’s no surprise for me.
Additional note: This is completely my opinion and raised as a concern to get a proper official response from the Signal team.
Here’s What Happened: The Situation
- Signal announced their implementation of a simple TLS proxy so that users in Iran could reconnect to Signal, bypassing the censorship.
- A researcher, DuckSoft, immediately noticed a flaw in the simple proxy (meaning the proxy could be detected and blocked, which could expose users to censors) and reported it via GitHub issues on Signal’s repository.
- Another researcher, studentmain, wrote and tested a PoC (Proof of Concept), which was later posted in the same thread.
- The GitHub issue was supposedly closed by Moxie (co-founder of Signal), who said that such issues are not discussed on GitHub and suggested posting it for discussion on Signal’s community forum.
- Frustrated by the response, the researchers furiously tried to repost the issue and submitted a pull request to add the PoC to Signal’s TLS proxy repository.
- The original GitHub thread was deleted and the researchers were allegedly banned from Signal’s GitHub repository.
- A separate security concern about the Signal app leaking DNS queries was also posted in the Signal community forum.
The issue has now been reposted by DuckSoft on a separate GitHub page, where it is confirmed and backed by multiple other researchers in the thread.
However, Moxie believes that it isn’t technically a flaw but rather how the technique works by design:
Here’s What I Think About It
Yes, I’ve noticed that the researchers who reported the flaw in this proxy technique became toxic at some point after the initial GitHub issue was closed, which had frustrated them.
Any kind of toxicity should not be tolerated, and that’s right.
But I don’t see a reason to delete the GitHub issue that was originally reported. Moxie mentions in some of his tweets that he closed the issue to keep the GitHub issue section clean because that’s not the place for discussion, and the thread had started a rollercoaster of fake PRs and gibberish in general:
However, disabling the “Issues” section completely or potentially deleting the entire thread is not a good sign to me.
Moreover, considering that exposing users to censorship can be dangerous in the future (even with a 0.01% chance), redirecting a serious concern from a GitHub issue thread to Signal’s community forum? Seriously?
Especially, when someone puts the effort to prepare a PoC along with potential solutions to help Signal implement a better censorship circumvention technique?
The community thread is meant for user discussions or feature requests, not for discussing immediate security concerns. Not to forget, that’s not a place to get an official response.
As my colleague Avimanyu Bandyopadhyay mentions, the open-source philosophy was founded with humility, love and compassion.
Honestly, I don’t see that in this situation. The situation could have been handled better and probably Moxie knows it too.
I even had a chat with a cybersecurity professional (Roshan Raj Mishra), who believes that even if the security flaw wasn’t reported politely, not acknowledging a flaw reported with a PoC makes Signal’s behavior unprofessional. So, there’s that.
Also, I don’t see someone raising a concern in the GitHub issues as a problem. It could have been discussed there as an exception. There’s a first time for everything.
What’s the point of keeping the GitHub issues squeaky clean without properly discussing or closing the concern?
Quoting the reference thread from the Anti-Censorship community, the researchers demand:
We urge Signal to issue a statement that informs its users of potential risks caused by the flaws of its proxy implementation. Signal must stop advising people in Iran to use its fragile, temporary solution. Instead, Iranian people should seek other well-established solutions, like the ones from our community.
Of course, one would argue that Signal mentioned the proxy implementation as an “interim solution”.
But even then, why can’t they properly address a concern raised by security researchers? An official tweet about the concern? A blog post to clarify (with a disclaimer) that the proxy implementation isn’t the best solution and is potentially risky in the future or against a tougher censorship system?
Especially when it’s not just a single guy being paranoid about something but many researchers from the Anti-Censorship community.
Not to dismiss the fact that yet another security researcher, Sergey Frolov, also claims that he reported some concerns about Signal’s app in the past but did not receive any response either. That does not sound excellent to me.
As we say, nothing’s ever perfect in this world. So, surely there could be something wrong with Signal as an open-source company as well? Maybe they need to work on quicker and more transparent communication?
Professionally, I think they should definitely work on presenting, addressing or replying to the concerns raised by the community efficiently. No matter how small the team is, considering the growing user base of Signal (for all the right reasons, which is why I use it as well), responding to the community concerns should be a priority now.
The FOSS community deserves to discuss this in a civilized manner rather than having the issues discarded unprofessionally. But that’s just me, and I don’t speak for everyone.
But, what do you think about this? Let me know your thoughts on this.