Skip to content(if available)orjump to list(if available)

Signal TLS Proxy

Signal TLS Proxy


·September 23, 2022


I know this tiresome argument comes up every time Signal is mentioned, but there's an elephant there that seems relevant.

An totalitarian state would not need to run a packet inspecting firewall to find out who is using Signal. They have this information already in the plaintext SMS Signal broadcasts in order to collect verified phone numbers of their users. It is most likely in their power to turn off cell service for these endpoints, or even locate them and let the security service round them up.

It's a great service in many ways, but if you are revolting an authoritarian state, it's something to be careful of. At the very least, please be mindful of this and take care of yourself.


Signal has 100 million installs on Android alone. Arresting people for having Signal installed is not a scalable approach for a totalitarian state.


Not in Iran. Not during demonstrations. Not in Kurdish-dominated areas. You can narrow it down as much as you'd like.

And while you'd think that senseless violence against civilians do not scale, times of civil protests in totalitarian regimes is not good time to be naive.

Shutting down routing for the entire country is pretty much par for the course. There's not such thing as collateral damage when the regime itself gets scared.


Not in places like Cuba, where I know first hand, people who participated in the protest in July 11th where charged based on the apps the police and G2(Cuban FSB) found in their phones.


> Arresting people for having Signal installed is not a scalable approach for a totalitarian state.

Not all of those are in the same country, though, and it’s worth thinking about how the install base would change after a particular country banned an app. The first time someone gets an official warning a lot of people are going to say “not worth it”.




No, but banning them from the cell network is.


Then you can go off network...



I find your focus on totalitarian left peculiar. It's not like they were somehow unique - plenty of totalitarian regimes of all kinds have arrested and executed countless people for whatever.

A few random examples:

* Ottoman genocide of Armenians, on ethnic/religious grounds. The Ottoman Three Pashas regime was as far from left as possible, but plenty totalitarian.

* US internment of "foreign elements", including those with US citizenship, during both World Wars. US was never even center-left, let alone farther, and totalitarian is a stretch. Less bad than the other examples here, but still.

* The many White and Red terrors in the Interwar and post-WW2 years, where vague association was guilt and execution.

* Of course Jews, Roma, Gypsy, dissident in Nazi concentration camps.

* The Herero and Namaqua genocide by the rightist totalitarian-ish Imperial Germany.

* UK mass internment of Boers. Not leftist, not really totalitarian.

Need i go on? Why did you feel the need to pain totalitarian leftist as worse than any other totalitarians?


"the left"? You have to be joking! Even US cold war-era anti-communist propaganda wasn't lying this blatantly. Mass incarceration, execution, etc. are a "skill" of all totalitarian regimes, no matter what social/economic policy they happen to support. The church in the middle ages, kings in the era of absolutism, the Axis powers during WWII, regimes of warlords past and present, the various religious states that are doing the bulk of it today... all of these regimes censored, imprisoned and executed their opponents and few could be considered "left".


> They have this information already in the plaintext SMS Signal broadcasts in order to collect verified phone numbers of their users.

This assumes one is using the phone number attached to the handset running Signal as their Signal number. Personally, I don't do this: I have used Google Voice and even a basic Twilio number that sends SMS messages to me via Email to register a number with Signal. There are many reasons to do it this way, not least of which is that I can publish my Signal number without needing to worry about people direct-calling my phone. Until Signal drops the requirement for a phone number (verified by SMS) to spin up service, this is the most secure way to use Signal.


I'm fairly confident that about 99+% of people that actually do anti-government shit have ever had the opportunity to use Google Voice or set up a Twilio number. (And one of the reasons for that is that these are mostly US & friends only services.)


Governments can easily correlate GV numbers to mobile devices. I personally no longer trust Signal. Moxie's departure stinks like a canary.


"Governments can easily correlate GV numbers to mobile devices."

Google Voice doesn't need to be installed on a mobile device. I have my Google Voice accounts (yes, multiple) set to forward SMS to me via email.

"I personally no longer trust Signal. Moxie's departure stinks like a canary."

I never really trusted Moxie to begin with but events like this make me wonder all the more if Signal is really being run from Fort Meade. Fortunately for me I used Signal as my "non-secure" messaging platform and use other messenger options for secure comms.


Use a truly disposable service like instead of Google Voice. This gives you a number with an OCN type of Wireless as well, instead of one that shows up as IPES (IP enabled Service Provider) or CLEC like and nearly all VoIP numbers.


The state probably knows who signed up to use Signal, Whatsapp, Viber or some other service back when it was legal to do so. So what?


Signal have been promising vaguely to move away from using phone numbers for... A really long time now.


That's what a security model is for, the best you can do is difficult security/privacy not absolute or perfect.

I don't get this "totalitarian state" b.s., subverting legitimate government's policies seems silly and dangerous. If I was a dictator or something I would have people's phone's searched randomly by street cops, if they see signal then you are a subverter and a traitor so off with your head. I can't imagine security against that.

Security and privacy against nation state actors are one thing but against your nation state actor is a whole different ball game.


Security against random searches is easy. There are plenty of ways to hide an app behind something innocuous, e.g. requiring a particular input sequence known only to the user to open the app.


Plausible deniability is what you mean. It is until it isn't (if it is scanned by something "smart" or purpose made).


Why do I need Docker for such a simple task? From their blog:

> The proxy is extremely lightweight. An inexpensive and tiny VPS can easily handle hundreds of concurrent users. Here’s how to make it work:

    SSH into the server.
    Install Docker, Docker Compose, and git:
I'm sorry but installing Docker on a tiny VPS last time I checked wasn't any light at all.


It's a simple way of running something quickly and without touching the rest of your system (if you already have Docker installed)

Anyway, the proxy is just an nginx with a custom config file. You can check that file and just add it yourself to an nginx you manage, probably with little changes.


It's a bit odd to use a custom docker image, rather than the one maintained by nginx Inc though:


For one, this is 5 versions behind (1.18 vs 1.23).

In general seems caddy or haproxy might be a better fit - but nginx is a perfectly fine choice I suppose.


> It's a simple way of running something quickly and without touching the rest of your system

Providing a statically linked binary is even simpler, without all that extra complexity that comes with docker.


This project wraps existing software (e.g. nginx) to function. It's not as simple as providing a binary.


I'm also confused about the Docker hate here. The daemon itself is lightweight and the Docker-ized process(es), once running, have negligible overhead compared to running them natively.

I didn't look at the image size but you might be paying a ~100 MB storage penalty to bundle dependencies.


For my fedora people,I just want to remind them that whenever anyone says docker, you can safely use podman (or at least that is the goal).

It won't be rootless in this case as far as I know because you will need privileged ports 80 and 443 but good habit in general.


You can allow unprivileged apps to use privileged ports, its just a simple sysctl edit.


It's actually more than negligible, docker containerization tends to impose limits, tracking, and network overhead on processes, which all have some overhead and penalty on performance.

On beefcake supreme machines it's just usually not significant enough to worry about, because the perceived benefits outweigh the downsides.


Docker images are just tarballs no? There’s almost no overhead at runtime. Of course you could fork it


There is some performance overhead from the configuration Docker uses for the containers, as well as some of the historical behaviour (not sure if they still apply)

- if you use docker nat, it about doubles connection time, if you only have extremely short connections this can be quite visible.

- If you need FS access, this can come at a high cost depending on your usage pattern, docker’s layered FS is not cheap.

- Finally Docker enables features which don’t come for free and which you may not be enabling separately e.g. seccomp (this can result in a 15+% performance hit in the worst case)


I've put Docker onto small VPSes. It's no hassle. The heavy part is Nginx. Adding the container on top won't be making much difference to the size.


pretty sure you can run docker on a $5 vps with plenty of headroom left

could it be done leaner? sure

is it worth it if it raises the barrier of entry of getting people to run the proxy? doubtful


A single statically linked binary would not raise the barrier of entry. Quite the opposite.


What if you're running on an ARM VPS? Now there are 2 binaries. What if you're running e.g. Alpine? Now you need 4. Which init system do you provide startup scripts for? You need an install script too. And what if you just want to try it on your Windows/Mac computer? Need to manually set up a VM.

Meanwhile, you can just install Docker, which you might already have if you do self-hosting often, and run one command. The overhead of containers is tiny, so you really won't notice it. Bonus points for using Podman, which doesn't even have a daemon.


But you also need to provide a systemd service for it. And statically linked against glibc or musl?


> Why do I need Docker for such a simple task?

Containers are more consistent and have less side effects than packages.

> I'm sorry but installing Docker on a tiny VPS last time I checked wasn't any light at all.

There's very little overhead and it takes a one liner[1] to install it.

[1]: curl -sSL | sh


Whenever I see a docker compose based install, it's clear that the installation wasn't thought through very well. Inevitably, these installs are more complicated and less reliable than a finished product.


Do you have any data to back up your claim about the overhead of using Docker?



Thank you! This would be a much better link than the github repo.

There are so many project READMEs out there that never bother to explain what the code is or does, it's frustrating.


Couldn't it be a problem that Iran or someone else with connections to the regime run a proxy themselves to find people using Signal?


They already know people who are trying to access signal without a proxy, so I don't think this would make a significant difference. Also note that from the Signal Blog post above:


The Signal client establishes a normal TLS connection with the proxy, and the proxy simply forwards any bytes it receives to the actual Signal service. Any non-Signal traffic is blocked. Additionally, the Signal client still negotiates its standard TLS connection with the Signal endpoints through the tunnel.

This means that in addition to the end-to-end encryption that protects everything in Signal, all traffic remains opaque to the proxy operator.



It doesn't seem to be the same situation with tor exit nodes, where your node is automatically on the system. Here, it looks like people have to actively use your proxy; it tells people who run a proxy to share a URL with their friends.

Probably helpful context: [Help people in Iran reconnect to Signal – a request to our community]


And that brings the difficulty of letting your proxy be known to legitimate interested people if your iranian social presence is non-existent. I ran a Tor node (not an exit one) in Germany back in the days (it was to help iranian people).


Yes. It's always a cat and mouse game. Whether they are actually smart enough to think of it is a different question.


A regime that has survived 40 years facing constant adversary and the majority of time under sanctions should be competent enough at internal security.

And the people that are protesting and hurting right now are not the most tech savvy one - so expect a lot of naivete about opsec. I doubt that the majority of them even know signal exists.


Does starting the proxy automatically add it to some proxy list that gets (partially) distributed to users or does running a proxy like this only help if I distribute the proxy to people?

Would some network analysis then not clearly indicate the social graph of people by virtue of connecting the dots of who connects to which proxy domain?


You have to distribute it yourself, there's no automatic distribution on Signal's part.


Why didn't this come out when China blocked Signal? And what is Signal doing about China blocking Signal's phone verification system? Can't talk to my parents-in-law in China now without installing that spyware WeChat.


I mean, unfair to put expectations on Signal to solve problems (especially right away). It could be that the solution didn't occur to someone until recently.


They've had years to get rid of of needing a phone number and they've talked about it for years. It's arguably a bigger issue for many that internet blocking, as that can be trivially worked around with a VPN or proxy.


Signal seems to have had the proxy for a while. I'm guessing that China blocked them, they started developing this, released it, Iran blocked them, they signal boost this feature off the back of the second blockage.


I wonder why they use nginx, and not Caddy or similar. Some service, which would handle all the certificate stuff natively, without having to deal with an extra script for certificates and without having to ensure that certbot runs from time to time.


Trying to understand the rationale here. So Iran are blocking WhatsApp and other messaging services by blacklisting IPs or filtering the traffic? Is the idea that people will connect to random proxy nodes for signal that will circumvent this blocking?

Edit: as a follow up question. Do the people of Iran need messaging access to people outside of Iran or more likely their friends and family within Iran. Most of these messaging services are centralised so blocking them means cutting off communication within the country as well. Maybe they'd benefit from running private messaging servers themselves?


Yup family or friends abroad can run the proxy. Its not straightforward for govt to find the proxies if their addresses are privately shared.


How do you tell them the proxy exists?


This is discussed in the blog post (which probably should have been linked instead of the git repo)


maybe this is a moot question, but if there is an embargo on iran and you host a proxy like that, are you, as an american, not commiting a crime?

The way I understand it people need special licenses in order to operate in iran (meta) and therfore the probability of being sued is very high?


Some user on reddit claims that there is a carveout for proxies like these in the US:

The Treasury source they cite ( seems to check out:

> Section 560.540 of the Iranian Transactions and Sanctions Regulations (ITSR), 31 C.F.R. Part 560, authorizes the exportation from the United States or by U.S. persons, wherever located, to persons in Iran of certain publicly available, no-cost services incident to the exchange of personal communications over the Internet and certain publicly available, no-cost software necessary to enable such services.


Usually legal jurisdiction goes with geography. There are Exceptions (crimes against humanity, sex tourism things). If you host it outside Iran and you are outside Iran, then it’s just a theoretical crime?

extra territorial example: it may be a crime to do things/speak ill of a foreign government. If you lived there you’d get arrested. What if you did this while sitting in your bedroom overseas?


This doesn't seem accurate. US Citizens/Residents/People who travel into the US who do many types of business with Iran can get into legal trouble. The person you are responding to is asking if that would apply here.


Ah in that situation, your trouble would be with the Iranian government when you travel back to Iran? Of course countries can generally pass laws that do anything (they can execute people no?). In western legal tradition extra territoriality is reserved for special situations. In places like Iran where the rule of law is weak it does not apply.

But then in that sense Iran can do whatever it wants once they get their hands on you, laws or not


Sadly, that's not how American sanctions, or law in general work. They claim extraterritorial jurisdiction over the whole world, and whoever and wherever you are, you might get in trouble with them for violating their sanctions or laws. FFS they give themselves the right to invade any country that dares put their war criminals on trial.

E.g. BNP Paribas, a French bank, were fined for doing business in Iran. A Ukrainian was extradited from Poland to the US for hosting a pirate website.


Exportation of software or services to facilitate personal communications of Iranian citizens is allowed under a general license as long as it is provided at no cost. General license means it does not need to be applied for.


As a slight aside one would think that running a proxy you'd want to install Docker so you're getting the latest bits. Considering compose is now a plugin and base repos are often way behind on Docker versions I always point people to leverage the convenience script that Docker provides [0].



Is there a technical reason why this only works on Android and not iOS?


iOS is not widely available/popular in Iran so it shouldn't be a problem here:


It works on iOS, you just have to add the proxy manually via settings.


Could you detail how? Slack/iOS didn't accept my `{redacted}` address in the Proxy Address field. Do I just enter my server's IP address?

I know Android is much more popular in Iran, but I wanted to give my friends instructions for both platforms, just in case.


Oh, lol, you just enter your domain name as the proxy address. Neat! (Or you just click that URL and it bounces you into the Signal app. I assume the only different between the iOS and Android versions here is that the Android version can capture that request before it goes to the browser, which is probably more secure from a government/firewall perspective.)


just a guess, but maybe it has something to do with the fact that the link is never actually handled externally? as in, the domain is never resolved, it may as well just be a string


used to create a dns record and then followed the signal guide on rocky linux 8 with podman and podman-compose (requires some tuning).

hope this might help someone:


Can anyone here give quick example how would how this on a server already having Apache on port 80 and 443? Can this be proxies through Apache?