by nothrabannosir 3450 days ago
Good point, but there is an explanation: blocking WhatsApp would lead to more intense backlash. See what happened in Brazil.

Not to say it isn't both, but the price of blocking (one of) the most popular messaging apps is higher to a government than blocking one in the low low percentiles of usage.

2 comments

What you say makes blocking Signal pointless.

If they blocked Signal just because it was less of a trouble to block compared to WhatsApp, then all the people that were on Signal will easily switch to WhatsApp... What you have at this point, is a government paying the price of blocking a less popular messaging app they cannot control, while the people they are after can just switch to a MASSIVELY used messaging app the gov can also not control and additionally, is too expensive to block.

If this was the case, it would actually work against the gov. Do not underestimate gov authorities, they are not THAT naive. If they had not blocked Signal at all, they could at least track Signal users and at least have that information: that this small group of people (Signal users), contains the group of people they are after. They could have their honey pot there. Mixing the "dangerous" Signal userbase with the chaotic massive userbase of WhatsApp makes no sense, unless you really have WhatsApp on your side.

I hope you understand what I am trying to say.

edit: rephrasing

I wouldn't overestimate government authorities either. A report on a person of interest crosses the desk of a deputy minister that says the person uses Signal could be enough to get the application blocked in the country.

Elected officials and political appointees demand action on things that are counter to their interests all the time; the people that execute those orders (if they appreciate that the order is counter-productive in the first place) have to decide what measures are worth fighting and which ones are not.

Can you make an unblockable app?

An app that effectively used steganography[1] would probably come the closest to being an "unblockable app". As long as they don't detect that communication is going on, they can't usually block it -- short of blocking everything, which is rarely practical for long.

Some other interesting reading is: [2], [3], and [4]

[1] - https://en.wikipedia.org/wiki/Steganography

[2] - https://en.wikipedia.org/wiki/Covert_channel

[3] - https://en.wikipedia.org/wiki/Traffic_analysis

[4] - https://en.wikipedia.org/wiki/Anonymous_remailer

It would quickly reveal itself either by overtly disclosing its purpose on the app store it's indexed in or through HUMINT/leaks.

First, just because an adversary understands how a given steganography app works, or knows that it exists doesn't mean that they can detect the specific communication that's occurring, or will move to block that communication.

The canonical image hiding stego applications are a case in point, where the applications are widely distributed and understood, but in principle (if not in practice due to steganalysis[1]) one could know of their existence and how they work but still be unable to detect that covert communication through them was going on, nor be able to block that communication short of blocking all image posting.

Second, they need not be on any app store.

Third, any leaks about their existence, if they come at all, may come too late. As Napoleon said, it's not necessary to censor the news -- it's sufficient to delay it until it no longer matters.

[1] - https://en.wikipedia.org/wiki/Steganalysis

No, but blocking it could piss off a large part of your population.

It all depends on how far you are willing to push the blocking and how much you are willing to disable so you can block anything.

Signal atm are using domain fronting. (iirc the app will soon test the network conditions before attempting to use domain fronting, but for now it checks the country code of your phone number)

It will open an HTTPS connection to google.com, but after the connection is made it sends a host request for something.appspot.com. In order to block that you need to MITM the connection or block google.com. (Not sure if DPI could be used to get the host header; never really looked into it personally. I know that SNI sends the host as part of the handshake so the webserver knows which cert to present you with. Could it be extracted, checked against a list and then have the connection reset, preventing connection? Dunno, never played with it, but it's an idea off the top of my head.)

(Now for some mild rambling :-p)

Let's say you can't MITM/DPI so you can just block Google; then they would have to use another CDN, so you block that one too. How many are you going to go through before your citizens get pissed off at you and do something?

But let's say your people really hated GMail anyway and put up with not having Google just so this message app was blocked (and the creators don't just change CDNs); then you just force your people to install your own Root Cert or they don't get any encrypted web traffic. Will people complain or just install the Cert and get their Facebook back?

So people switch to using personal networks (Bluetooth and WiFi hotspots when in a crowd of people); just jam Cell/2.4GHz/5GHz. Will people complain they can't use their phones?

And it just escalates to the point you need a Doctors note and a permission slip signed by your mum before you are allowed to make a phone call.

All the time, those who actually want to encrypt their messages use math they can do at a desk away from a computer or phone and just use whatever method the Government do allow / they can get away with (standard SMS, but who and when can be got from the telcos, dead drops, IRL meetings) but sacrifice their metadata in the process.

Nice description there. Google may not be pleased by this and be under pressure to revoke their access, but eventually they will make it clear that this shit doesn't fly. Nice workaround.

Check out Ricochet. If I recall correctly, it uses blockchain type transport over Tor.

How does that help? I think Tor can be blocked..?

The GFW is able to recognise Tor usage.

> The firewall searches for a bunch of bytes which identify a network connection as Tor. If these bytes are found the firewall initiates a scan of the host which is believed to be a bridge. In particular the scan is run by seemingly arbitrary Chinese computers which connect to the bridge and try to “speak Tor” to it. If this succeeds, the bridge is blocked.

http://www.cs.kau.se/philwint/static/gfc/

With all the things GFW does I wonder if they have some secret conferences or industry journals related to the firewall's algorithms and infrastructure.

Don't see why not? In Jason Scott's talk The Mysterious Mr Hokum [0] he talks about an owner of an early ISP who not long after selling it was found dead. IIRC, during his time as owner he would often have regular meetings with FBI agents to basically discuss what was going on the net.

Problem was after he died his Was actually on the run on fraud charges. I think Jason presumes he set up the ISP as another scam but he started it at the perfect time and started actually making legit money instead. So (again trying to recall the talk from memory, I must actually watch it again as I enjoyed it) this ISP owner was having meetings with the FBI about his ISP all the while the FBI also wanted him on fraud charges. So yeah, if the FBI don't mind having chats with ISPs just to see what's going on, I wouldn't be at all surprised if China had meetings with their ISPs too. From what I have read about the GFW it seems that its infrastructure differs from ISP to ISP. Dunno if that's cause it's left to the ISP to implement or if the Gov issue "black boxes" to do the firewall work and it's just different versions of hardware / software depending on when the boxes were issued.

But yeah I do like the idea of a secret defcon but kinda in reverse that discusses the tricks and infrastructure and the bypasses they discovered in the past year but in order to better run the GFW. In my imaginary con they are all still getting drunk and hacking into the hotel signage for the shits and giggles of it though.

[0] https://youtu.be/UTzQmhmgLC0

That same person developed ScrambleSuit[1], which is used as a pluggable transport to obfuscate traffic and prevent detection/active probing. Work is continuing to keep the GFW from being able to catch up [2][3].

[1] http://www.cs.kau.se/philwint/scramblesuit/

[2] https://github.com/Yawning/obfs4

[3] https://git.schwanenlied.me/yawning/basket2

I don't think Ricochet uses blockchain technology.