| title | date | tags | author |
|---|---|---|---|
| Signal TLS Proxy warning | 2022-10-15 | | Tommy |

Given the current censorship situation in Iran, I decided to have a look at the Signal TLS Proxy.
One thing immediately jumped out - the NGINX image has not been updated for years. In fact, NGINX 1.18 is so old that it has been end of life for a year and a half as of this writing.
If you are deploying or maintaining a Signal TLS Proxy, I highly recommend that you use the upstream nginx:alpine image instead.
My Docker Compose setup can be found here. I have also fixed the missing :Z flag for mountpoints and dropped privileges to reduce the attack surface. I made a couple of pull requests for these changes, but Signal is being very slow on reviewing and merging them, so... yeah.
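The three changes described above (a maintained NGINX image, `:Z` on bind mounts, dropped privileges) can be checked mechanically. The following is an added example, not the author's Compose setup or Signal's code: the service name, paths, and the use of `cap_drop: ALL` or a non-root `user` as the privilege-drop signal are assumptions, and accepting lowercase `z` alongside `Z` goes slightly beyond the post.

```python
# Added example: audit a Compose document (already parsed to a dict) for the
# three issues this post names. Service names and paths are constructed.

EOL_NGINX_TAGS = ("1.18",)  # the only release this post identifies as end of life

def is_bind_mount(source):
    # Short-syntax bind mounts start with a path; named volumes do not.
    return source.startswith(("/", "./", "../", "~"))

def audit_service(name, svc):
    findings = []
    image = svc.get("image", "")
    # Look only at the last path segment so a registry port is not read as a tag.
    repo, _, tag = image.split("/")[-1].partition(":")
    if repo == "nginx" and tag.startswith(EOL_NGINX_TAGS):
        findings.append(f"{name}: image {image} is end of life")
    for vol in svc.get("volumes", []):
        if not isinstance(vol, str):
            continue  # long-syntax mounts are out of scope here
        parts = vol.split(":")
        opts = parts[2].split(",") if len(parts) > 2 else []
        if is_bind_mount(parts[0]) and not {"Z", "z"} & set(opts):
            findings.append(f"{name}: bind mount {vol} has no SELinux relabel flag")
    # Assumption: a non-root user or cap_drop ALL counts as dropping privileges.
    non_root = str(svc.get("user", "root")).split(":")[0] not in ("root", "0")
    drops_all = "ALL" in [str(c).upper() for c in svc.get("cap_drop", [])]
    if not (non_root or drops_all):
        findings.append(f"{name}: no privilege drop (user or cap_drop)")
    return findings

def audit_compose(compose):
    findings = []
    for name, svc in compose.get("services", {}).items():
        findings.extend(audit_service(name, svc))
    return findings

# Constructed samples, shaped like the output of a YAML parser.
BEFORE = {"services": {"proxy": {
    "image": "nginx:1.18",
    "volumes": ["./data/conf:/etc/nginx/conf.d", "./data/certs:/etc/letsencrypt:ro"],
}}}
AFTER = {"services": {"proxy": {
    "image": "nginx:alpine",
    "volumes": ["./data/conf:/etc/nginx/conf.d:Z", "./data/certs:/etc/letsencrypt:ro,Z"],
    "cap_drop": ["ALL"],
}}}

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_compose(doc))
```
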
Currently, we believe Signal’s TLS Proxies are an incomplete solution to the problems they try to solve. Instead, we recommend using Orbot in conjunction with Molly, an alternative Signal client which natively supports SOCKS proxies, to fully tunnel your Signal traffic over the Tor network.
