mirror of
https://0xacab.org/anarsec/anarsec.guide.git
synced 2025-06-19 12:04:08 -04:00
signal usernames
parent
d83276dadb
commit
03cb8ced90
2 changed files with 19 additions and 18 deletions
|
@ -24,7 +24,7 @@ Before proceeding, there are a few concepts that need to be understood, in order
|
|||
|
||||
For a more in-depth look at these various considerations, we recommend [The Guide to Peer-to-Peer, Encryption, and Tor: New Communication Infrastructure for Anarchists](https://www.notrace.how/resources/#the-guide-to-peer-to-peer-encryption-and-tor). This text criticizes Signal for not being peer-to-peer and not using Tor by default, and goes on to compare Signal, Cwtch, and Briar.
|
||||
|
||||
Public-facing projects have additional needs for encrypted communication, because they will be interacting with unknown (and untrusted) contacts:
|
||||
Anonymous public-facing projects have additional needs for encrypted communication, because they will be interacting with unknown (and untrusted) contacts:
|
||||
* Anyone can contact the project without requiring a separate channel
|
||||
* Resiliency to [correlation attacks](/glossary/#correlation-attack) from untrusted contacts
|
||||
* Resiliency to [exploits](/glossary/#exploit) from untrusted contacts
|
||||
|
@ -34,9 +34,8 @@ The following options for encrypted messaging are listed from most metadata prot
|
|||
|
||||
**TLDR:**
|
||||
* For text communication with other anarchists, prioritize Cwtch.
|
||||
* For voice or video calls, prioritize SimpleX Chat.
|
||||
* Don't use Signal to communicate with other anarchists.
|
||||
* For public projects, PGP email is still the best option.
|
||||
* For voice or video calls, use SimpleX Chat or Signal (with usernames).
|
||||
* For anonymous public projects, PGP email is still the best option.
|
||||
|
||||
|
||||
# Cwtch
|
||||
|
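Review bot: The new TLDR bullet "For voice or video calls, use SimpleX Chat or Signal (with usernames)" names only usernames, but the Signal paragraph added later in this commit says calls reveal the IP address of both parties by default and that **Always relay calls** is the setting that prevents it. Since this bullet is specifically about calls, consider wording such as "Signal (with usernames and Always relay calls enabled)" so a reader who stops at the TLDR gets the call-relevant setting. With "Don't use Signal to communicate with other anarchists" removed, the TLDR also no longer says anything about Signal for text, while the body still prioritizes Cwtch over Signal there; a short bullet to that effect would keep the summary in step with the section.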
@ -73,7 +72,7 @@ Asynchronous conversations on Cwtch need to be started from a synchronous conver
|
|||
|
||||
You can learn more about how to use Cwtch with the [Cwtch Handbook](https://docs.cwtch.im/).
|
||||
|
||||
## For Public-facing Projects
|
||||
## For Anonymous Public-facing Projects
|
||||
|
||||
**Anyone can contact the project without requiring a separate channel**
|
||||
|
||||
|
@ -167,15 +166,15 @@ Cwtch on Whonix currently has an [issue](https://git.openprivacy.ca/cwtch.im/cwt
|
|||
|
||||
SimpleX Chat functions without persistent user IDs, which creates strong metadata protection. This means that an adversary can't easily observe how users are connected to each other in a network. This is possible because connection requests work by sharing an invitation link that is communicated through a separate channel, or in person. When connecting to another user you have the choice to use "Incognito mode", which creates a new random profile for each contact. This avoids sharing any data between contacts.
|
||||
|
||||
As a design choice to facilitate asynchronous communication, SimpleX Chat is not peer-to-peer - it uses decentralized servers that [anyone can host](https://simplex.chat/docs/server.html) and does not rely on any centralized component. Servers do not store any user information (no user profiles or contacts, or messages once they are delivered), and primarily use in-memory persistence. To understand what a server can and cannot see, read the [threat model](https://github.com/simplex-chat/simplexmq/blob/stable/protocol/overview-tjr.md#simplex-messaging-protocol-server). Your data can be exported, and imported onto another device, as there are no central servers where this is backed up.
|
||||
As a design choice to facilitate asynchronous communication, SimpleX Chat is not peer-to-peer - it uses decentralized servers that [anyone can host](https://simplex.chat/docs/server.html) and does not rely on any centralized component. Servers do not store any user information (no user profiles or contacts, or messages once they are delivered), and primarily use in-memory persistence. To understand what a server can and cannot see, read the [threat model](https://github.com/simplex-chat/simplexmq/blob/stable/protocol/overview-tjr.md#simplex-messaging-protocol-server). Your data can be exported and then imported onto another device, as there are no central servers where this is backed up.
|
||||
|
||||
Due to needing to [place some trust in the SimpleX servers](https://github.com/simplex-chat/simplexmq/blob/stable/protocol/overview-tjr.md#trust-in-servers), **we recommend prioritizing Cwtch over SimpleX Chat for text communication with other anarchists, and using SimpleX Chat for voice and video calls**. For people who are unlikely to start using Cwtch because it has an unfamiliar user experience, SimpleX Chat is still an acceptable solution for text communication. The experience of using SimpleX Chat is very similar to Signal, but unlike Signal, it won't expose the identities of your network to an adversary if they get access to your device.
|
||||
Due to needing to [place some trust in the SimpleX servers](https://github.com/simplex-chat/simplexmq/blob/stable/protocol/overview-tjr.md#trust-in-servers), **we recommend prioritizing Cwtch over SimpleX Chat for text communication with other anarchists, and using SimpleX Chat or Signal for voice and video calls**. Unlike Signal, SimpleX Chat doesn't require a phone number or smartphone.
|
||||
|
||||
SimpleX Chat will work with Tor if used on an operating system that forces it to, such as Whonix or Tails. However, voice and video calls are generally not very functional over Tor with any application due to the latency Tor will introduce.
|
||||
|
||||
You can learn more about how to use SimpleX Chat with their [guide](https://simplex.chat/docs/guide/readme.html).
|
||||
|
||||
## For Public-facing Projects
|
||||
## For Anonymous Public-facing Projects
|
||||
|
||||
**Anyone can contact the project without requiring a separate channel**
|
||||
|
||||
|
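Review bot: The rewritten recommendation paragraph drops two pieces of guidance that nothing in this hunk restores: that SimpleX Chat is "still an acceptable solution for text communication" for people unlikely to adopt Cwtch, and that it "won't expose the identities of your network to an adversary if they get access to your device". The new closing sentence contrasts only registration requirements (phone number, smartphone). If the fallback recommendation is being withdrawn on purpose, say so in the text; otherwise keep a one-sentence version of it. The matching comparison with Cwtch and SimpleX Chat is also removed from the Signal section in this commit, so the device-compromise contrast no longer appears in either place.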
@ -213,19 +212,21 @@ Signing up for a Signal account is difficult to do anonymously. The account is t
|
|||
|
||||
Another barrier to anonymous registration is that Signal Desktop will only work if Signal is first registered from a smartphone. For users familiar with the [command line](/glossary/#command-line-interface-cli), it is possible to register an account from a computer using [Signal-cli](http://wmj5kiic7b6kjplpbvwadnht2nh2qnkbnqtcv3dyvpqtz7ssbssftxid.onion/about.privacy/messengers-on-tails-os/-/wikis/HowTo#signal). The [VoIP](/glossary#voip-voice-over-internet-protocol) account used for registration would have to be obtained anonymously.
|
||||
|
||||
These barriers to anonymous registration mean that Signal is rarely used anonymously. This has significant implications if the State gains [physical](/glossary/#physical-attacks) or [remote](/glossary/#remote-attacks) access to the device. One of the primary goals of State surveillance of anarchists is [network mapping](https://www.notrace.how/threat-library/techniques/network-mapping.html), and it's common for them to gain physical access to devices through [house raids](https://www.notrace.how/threat-library/techniques/house-raid.html) or even simple arrests. For example, if your device's [authentication is bypassed](https://www.notrace.how/threat-library/techniques/targeted-digital-surveillance/authentication-bypass.html), it is easy for the police to identify all of your Signal contacts (as well as the members of any groups you are in) simply by their phone number. This is a serious security breach, especially in the context of Signal groups. Compare this to the same attack on a Cwtch or SimpleX Chat user - all contacts are anonymous so device compromise does not contribute to network mapping.
|
||||
These barriers to anonymous registration mean that Signal is rarely used anonymously. This has significant implications if the State gains [physical](/glossary/#physical-attacks) or [remote](/glossary/#remote-attacks) access to the device. One of the primary goals of State surveillance of anarchists is [network mapping](https://www.notrace.how/threat-library/techniques/network-mapping.html), and it's common for them to gain physical access to devices through [house raids](https://www.notrace.how/threat-library/techniques/house-raid.html) or even simple arrests. For example, if your device's [authentication is bypassed](https://www.notrace.how/threat-library/techniques/targeted-digital-surveillance/authentication-bypass.html), it is easy for the police to identify all of your Signal contacts (as well as the members of any groups you are in) simply by their phone number.
|
||||
|
||||
In a recent repressive operation in France against a riotous demonstration, the police did exactly that. The phones of suspects were accessed through physically seizing them during arrests and house raids, as well as through spyware, and then Signal contacts and group members were identified. These identities were added to the list of suspects who were subsequently investigated. **We need to understand this as a wake-up call that it is time for anarchist networks to stop using Signal**.
|
||||
In a recent [repressive operation in France against a riotous demonstration](https://www.notrace.how/resources/read/lafarge-case-the-investigation-methods-used.html#header-access-to-phone-contents-during-and-after-police-custody), the police did exactly that. The phones of suspects were accessed through physically seizing them during arrests and house raids, as well as through spyware, and then Signal contacts and group members were identified. These identities were added to the list of suspects who were subsequently investigated.
|
||||
|
||||
A company that sells spyware to governments has a product called JASMINE that is [marketed to deanonymize Signal users](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products), based on the analysis of metadata.
|
||||
A compromised device contributing to network mapping is partly mitigated by the [username feature](https://community.signalusers.org/t/public-username-testing-staging-environment/56866) - use it to prevent a Signal contact from being able to learn your phone number. In **Settings → Privacy → Phone Number**, set both **Who can see my number** and **Who can find me by number** to **Nobody**. For voice and video calls, Signal reveals the IP address of both parties by default, which could also be used to identify Signal contacts. In **Settings → Privacy → Advanced**, enable **Always relay calls** to prevent this.
|
||||
|
||||
A company that sells spyware to governments has a product called JASMINE that is [marketed to deanonymize Signal users](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products), based on the analysis of metadata.
|
||||
|
||||
>In its targeted interception mode – which starts from a single target – JASMINE has claimed it is able to identify communicating parties in encrypted but peer-to-peer applications [...] the JASMINE documentation explicitly claims support for identifying the IP addresses of participants in encrypted apps such as WhatsApp and Signal during voice and video calls where peer-to-peer connections are also used for calling by default.
|
||||
>
|
||||
>The JASMINE documentation also explains that by analysing encrypted traffic “events” for a whole country – in mass interception mode – JASMINE has the ability to correlate and identify the participants in encrypted group chats on messaging apps.
|
||||
|
||||
A similar product would not work against Cwtch, because it uses Tor by default.
|
||||
A similar product would not work against Cwtch, because it uses Tor by default. Without Tor, an adversary can see that you are connecting to Signal servers which is what enables this type of timing correlation attack.
|
||||
|
||||
Simply put, Signal is not a good fit for an anarchist threat model - it was designed to bring encrypted communication to the masses. Because it's very difficult to use Signal anonymously, and because [we recommend against using phones whenever possible](/posts/nophones/), **we recommend prioritizing Cwtch over Signal for text communication with other anarchists, and prioritizing SimpleX Chat over Signal for voice and video calls.** We only provide installation instructions because it has become the norm in the anarchist space in many countries, and it may be difficult to contact someone without it.
|
||||
Signal was designed to bring encrypted communication to the masses, not for an anarchist threat model. Because it's very difficult to register for Signal anonymously, and because you must first install Signal on a phone to use it on a computer, **we recommend prioritizing Cwtch over Signal for text communication with other anarchists, and using SimpleX Chat or Signal for voice and video calls.** For the same reasons, Signal is not well-suited for anonymous public-facing projects.
|
||||
|
||||
<details>
|
||||
<summary>
|
||||
|
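Review bot: In the added username paragraph, the mitigation and the threat it is attached to point in different directions: hiding your own number protects you when a contact's device is accessed, whereas the preceding paragraph describes your device being accessed and your contacts being identified by their numbers. Suggest stating that the settings reduce network mapping only when the other members of a conversation or group apply them too, so that "partly mitigated" is explained rather than left open. The link for the username feature points at a community forum thread about a staging-environment test; a stable reference would age better. In the added sentence "an adversary can see that you are connecting to Signal servers which is what enables this type of timing correlation attack", a comma before "which" is missing.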
@ -308,9 +309,9 @@ https_proxy = 127.0.0.1:8082
|
|||
|
||||
PGP (Pretty Good Privacy) is not so much a messaging platform as it is a way to encrypt messages on top of existing messaging platforms (in this case, email). PGP email does not have the encryption property of [*forward secrecy*](/glossary/#forward-secrecy). The goal of forward secrecy is to protect past sessions from future key or password compromises. It maintains the secrecy of past communications even if the current communication is compromised. This means that an adversary could decrypt all future PGP messages in one fell swoop. When you also consider the metadata exposure inherent in email, PGP simply doesn't meet the standards of modern cryptography. For a more technical critique, see [The PGP Problem](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) and [Stop Using Encrypted Email](https://latacora.micro.blog/2020/02/19/stop-using-encrypted.html). [Privacy Guides](https://www.privacyguides.org/en/basics/email-security/) agrees that "email is best used for receiving transactional emails [...], not for communicating with others." **We recommend that anarchists don't use PGP email for communication with other anarchists**.
|
||||
|
||||
**There is an exception: for public-facing projects, we still recommend using PGP email** because it is the best option that meets the additional needs required by a public account. Use a [radical server](https://riseup.net/en/security/resources/radical-servers) that doesn't require an invite code and read the [Riseup Guide to Encrypted Email](https://riseup.net/en/security/message-security/openpgp).
|
||||
**There is an exception: for anonymous public-facing projects, we still recommend using PGP email** because it is the best option that meets the additional needs required by a public account. Use a [radical server](https://riseup.net/en/security/resources/radical-servers) that doesn't require an invite code and read the [Riseup Guide to Encrypted Email](https://riseup.net/en/security/message-security/openpgp).
|
||||
|
||||
## For Public-facing Projects
|
||||
## For Anonymous Public-facing Projects
|
||||
|
||||
**Anyone can contact the project without requiring a separate channel**
|
||||
|
||||
|
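Review bot: In the unchanged first paragraph of this hunk, "an adversary could decrypt all future PGP messages in one fell swoop" does not follow from the two sentences before it, which define forward secrecy as protecting past sessions; the consequence of lacking it is that a key compromise exposes previously captured messages. Since the section is being edited in this commit, consider rewording that sentence. On the changed line, "for anonymous public-facing projects" now sits next to "the additional needs required by a public account"; "such a project" or similar would keep the two terms aligned.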
@ -339,6 +340,6 @@ If a project has multiple members, all of them should be able to access the same
|
|||
# Warnings
|
||||
|
||||
We recommend to not use:
|
||||
* **Telegram**: Telegram has no end-to-end encryption for group chats, and it is opt-in for one-on-one chats. The encryption doesn't use established protocols, and has had cryptographers describe it as ["The Most Backdoor-Looking Bug I’ve Ever Seen"](https://words.filippo.io/dispatches/telegram-ecdh/).
|
||||
* **Telegram**: Telegram has no end-to-end encryption for group chats, and it is opt-in for one-on-one chats. The encryption doesn't use established protocols, and has had cryptographers describe it as ["the most backdoor-looking bug I’ve ever seen"](https://words.filippo.io/dispatches/telegram-ecdh/).
|
||||
* **Matrix/Element**: Matrix has a problem that is inherent in federated networks - terrible [metadata leakage](https://anarc.at/blog/2022-06-17-matrix-notes/#metadata-handling) and [data ownership](https://anarc.at/blog/2022-06-17-matrix-notes/#data-retention-defaults). It has no forward secrecy, the Element client has a large attack surface, and there is a [long list of other issues](https://telegra.ph/why-not-matrix-08-07). What's more, the developers are very friendly with various [national police agencies](https://element.io/blog/bundesmessenger-is-a-milestone-in-germanys-ground-breaking-vision/).
|
||||
* **XMPP Clients**: Regardless of the client, an XMPP server will [always be able to see your contact list](https://coy.im/documentation/security-threat-model/). Additionally, server-side parties (e.g., administrators, attackers, law enforcement) can [inject arbitrary messages, modify address books, and log passwords in cleartext](https://web.archive.org/web/20211215132539/https://infosec-handbook.eu/articles/xmpp-aitm/).
|
||||
* **XMPP Clients**: Regardless of the client, an XMPP server will [always be able to see your contact list](https://coy.im/documentation/security-threat-model/). Additionally, server-side parties (e.g., administrators, attackers, law enforcement) can [inject arbitrary messages, modify address books, log passwords in cleartext](https://web.archive.org/web/20211215132539/https://infosec-handbook.eu/articles/xmpp-aitm/) and [act as a man-in-the-middle](https://notes.valdikss.org.ru/jabber.ru-mitm/).
|
||||
|
|
|
@ -14,7 +14,7 @@ a4="grapheneos-a4.pdf"
|
|||
letter="grapheneos-letter.pdf"
|
||||
+++
|
||||
|
||||
[Anarchists should not have phones](/posts/nophones/). If you must use a phone, make it as difficult as possible for an adversary to geotrack it, intercept its messages, or hack it. This means using GrapheneOS.
|
||||
[Anarchists should minimize the presence of phones in their lives](/posts/nophones/). If you decide to use a phone, make it as difficult as possible for an adversary to geotrack it, intercept its messages, or hack it. This means using GrapheneOS.
|
||||
<!-- more -->
|
||||
|
||||
# What is GrapheneOS?
|
||||
|
|
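Review bot: The commit subject "signal usernames" does not cover the change on the first line of this second file, where "Anarchists should not have phones" becomes "Anarchists should minimize the presence of phones in their lives" and "If you must use a phone" becomes "If you decide to use a phone". Consider moving it to its own commit or extending the message so the history explains the change in position. The link target /posts/nophones/ is unchanged, so check that the linked post still matches the softer wording.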