Nariman Gharib:
>> 3. You're basically saying that your website is acting as a portal for
>> people to regain access to the Internet. If that's so, you really should
>> not give them a false sense of security:
>> https://www.ssllabs.com/ssltest/analyze.html?d=secure.filtershekanha.com
>>
>> Currently, this SSL configuration is easily circumvented, allowing to
>> man-in-the-middle all of your visitors. (Please message me off-list if I
>> can help you fix your webserver configuration.)
>>
>
> I'll message to you about that in privately. but a quick note: I just used
> the free SSL certificate not to encrypt the communication in website but
> just for give a un-censored url to Iranian people. which is government
> block my main domain not https://secure.filtershekanha.com - and also I'm
> emailing people circumvention tools via Mailchimp and those circumvention
> tools are not hosted in my websites. just there is a link in emails.

Links in e-mails can be problematic, too, since e-mails are easily forged. So if you train people to download tools from locations placed in e-mails it will be easy for a third party to send them similarly looking e-mails to malware. So be careful about this, too, don't post deep links to direct downloads and sign your e-mails so that people at least have a chance to verify that their origin, namely you, remained the same all the time.

The free SSL certificate you're using on your website is issued by an Israeli company. I don't mean to say this means anything, in fact I think this company is one of the less problematic CAs, but you should be aware of this nevertheless, since there can always be pressure which companies cannot resist.

But then, as you say, you are only using HTTPS as a censorship workaround - are your users aware that by using HTTPS you do not mean to provide any of the guarantees usually connected to HTTPS (authentication, confidentiality, integrity)? They might be misled in assuming that you are trying to protect them from something when you are not.

>> 4. You seem to currently recommend closed-source adware supported
>> single-hop VPN clients as a workaround.
>> This most likely means that
>>
>> - the companies providing these VPNs can perfectly tell what the users
>> using them are doing, may also log it, and are thus susceptible to
>> traffic and log recovery by means of governmental interventions and hacking
>>
>> - you can't really tell what this software does and where it and the
>> servers it connects to may send all the traffic to (in addition to the
>> intended locations)
>>
>> - you can't really tell whether the sites you access through these VPNs
>> are really the sites you want to access
>>
>> - the ads allow the advertisement networks (and anyone who can convince
>> them to share this information) to track precisely what the users are doing
>>
>> That is to say, while those tools may seem to provide a great way to
>> overcome the censorship, using them may very well play into the hands of
>> "security forces", enabling them to keep track of what activists (or
>> just anyone with a non-official opinion) are doing, and to build files
>> on them.
>>
>> People in other countries have been displaced, incarcerated, tortured
>> and even killed due to exactly these mistakes (recommendation and use of
>> bad censorship circumvention tools) in the past. I really hope this is
>> not going to happen this time around.
>>
>
> I know about that and it's going to be dangerous for Iranian or other
> people in similar country to Iran, but most of people in Iran doesn't CARE
> about these things. they just want to go facebook,youtube,twitter and...(
> actually most of websites are blocked :) ) . even we know who behind of
> these tools,Personally actually from last week after I talked to a expert I
> decided to give users all options/all tools and just saying that the
> trusted and secure tool at this moment just is TOR.

It's great that you have taken the decision to not only recommend those problematic tools, but also those which have been reviewed and are known to be safe and to work.
I think that's a really good decision you made there.

Regarding ignorance for privacy and anonymity tools: Not always, but quite often, people do not care about something because they have not had a chance to rest and learn about it. If you make the people you are in contact with aware that there are real and serious risks involved in them not protecting their privacy when they circumvent governmental controls, they might rest and take the time to learn about those, and might end up being safer. Surely times like these may not seem to be the best time to study, but on the other hand, if there are no other times when people will, then this is actually a really good time. Since it matters now, more than ever.

>> 5. I fully understand that recommending against something is of no use
>> if no alternative is provided. I think Tor makes a great alternative if
>> people care about both circumventing censorship and remaining anonymous
>> (if used as documented). Yes, it does slow things down. But if you
>> compare to the previous paragraph then it might be worth this?
>>
> I recommended to people using TOR and for example from a week ago until
> now thousands people now using ORBOT and TOR via my newsletter. ( I'm not
> sure about the users but the clicks number goo.gl gave it to me are up to
> 10k clicks for these two tools )

It's great that so many use it now. (But it's not as good that there is a central website unrelated to these tools which has a full log of whom you convinced to use them - maybe you can get around URL shortening when it comes to circumventing censorship.)

> TOR is Good. but for example when government blocked the some TOR's ip, we
> should provide bridges for users( IF AM IF RIGHT). so Imagine I emailed to
> my subscribers these new bridges so after 2days they will blocked, so
> what's the next and good option?

Yes, bridges are the right way to go when you cannot access Tor anymore (and only then).
There are several strategies how bridges can be used, as discussed here:
https://www.torproject.org/docs/bridges.html.en

Bridges need to be provided by people in locations which are not affected by censorship, or to a lesser degree. So this is a CALL TO ALL READERS of this mailing list to PROVIDE MORE TOR BRIDGES!

Many bridges are already available, though, and people can request more unblocked bridges from the Tor folks at any time, including by e-mail (again, read the page above for details).

>> There may be other options, possibly including single and multi hop VPNs
>> which are just not as bad as the ones currently in use. If you are
>> willing to consider other options, I bet the contributors to this
>> mailing list will be happy to provide more suggestions.
>>
>
> Yes, I'm in.

Do you know TextSecure? https://whispersystems.org/#privacy

My (again, very limited) understanding is that many of the Iranians use mobile devices for Internet access and communication in general. While this is bad in terms of making it easy to track who is talking to whom most of the time, if users are going to use mobile phones to communicate no matter what then TextSecure is a really great tool.

TextSecure is a very easy to use, free and open source encrypted text messaging application by (amongst others) renowned crypto geek Moxie Marlinspike (the guy who, amongst others, warned people about how corporations and government agencies have developed tools to easily strip SSL off many websites, and who proved that this is actually possible by providing the tool "sslstrip"). It is a lot easier to set up and use than other encryption systems (such as GPG/PGP - which is still a very good tool to use), so it can really be used by everybody to communicate to one another. It can also work over Tor.

You could also use it in addition or as a replacement for the unencrypted e-mails you send currently.

Alster
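
Added example, not part of the original message: a pre-send check for a newsletter's HTML that flags the two link practices the reply advises against (URL shorteners that log every click, and deep links to direct downloads), plus plain-HTTP links. The function name `audit_newsletter`, the shortener and file-suffix lists (beyond goo.gl, which the thread names) and the sample HTML are assumptions made for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed lists for illustration; goo.gl is the shortener named in the thread.
SHORTENER_HOSTS = {"goo.gl", "bit.ly", "t.co", "tinyurl.com"}
DOWNLOAD_SUFFIXES = (".apk", ".exe", ".msi", ".dmg", ".zip")


class _LinkCollector(HTMLParser):
    """Collect href values from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href.strip())


def audit_newsletter(html):
    """Return {url: [findings]} for web links that go against the advice above."""
    collector = _LinkCollector()
    collector.feed(html)
    report = {}
    for url in collector.links:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue  # mailto: and similar are out of scope here
        findings = []
        if parts.scheme != "https":
            findings.append("not-https")
        if (parts.hostname or "").lower() in SHORTENER_HOSTS:
            findings.append("url-shortener")
        if parts.path.lower().endswith(DOWNLOAD_SUFFIXES):
            findings.append("direct-download")
        if findings:
            report[url] = findings
    return report


# Constructed sample newsletter body (not taken from any real mailing).
SAMPLE = """
<a href="https://goo.gl/EXAMPLE1">Orbot</a>
<a href="http://mirror.example.org/files/client-setup.exe">Windows client</a>
<a href="https://www.torproject.org/docs/bridges.html.en">How to use bridges</a>
"""
```

Calling `audit_newsletter(SAMPLE)` reports the first two links and leaves the link to the project's own documentation page unflagged.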
