by IncludeSecurity 1956 days ago
Even worse, what happens when they MITM all of the installs because the docker container has really bad security such as:

RUN wget http://nginx.org/download/nginx-1.18.0.tar.gz

https://github.com/signalapp/Signal-TLS-Proxy/blob/master/ng...

Installing via HTTP, with no verification of the installer, seems like a reallyyyyy bad idea.

3 comments

I noticed the same thing, and filed an issue [1]. The first reply does not fill me with a lot of confidence (but it's unclear to me whether the person is affiliated with the project or not).

[1] https://github.com/signalapp/Signal-TLS-Proxy/issues/6

They have completely disabled issues on that repository. Wow I used to really like Signal...
And it seems they've fixed the issue, without any kind of public comment.... still not great: https://github.com/signalapp/Signal-TLS-Proxy/commit/39a97da...
I (partially) fixed this issue, and I'm not affiliated in any way with Signal. It's public (https://github.com/signalapp/Signal-TLS-Proxy/pull/2), and it looks like they welcome contributions, because they merged mine.
Wouldn't it be saner to also verify the downloaded archive hash? It looks like the domain resolving of nginx.org is trusted without doubt.
Sure! I also opened another PR to check the archive signature: https://github.com/signalapp/Signal-TLS-Proxy/pull/10
Sorry for not noticing your PR before filing the bug.

I still find the way they (partially) dealt with this a bit worrisome.
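
The archive-hash check suggested in this sub-thread, as an added example (not code from the Signal-TLS-Proxy repository or from any commenter): a build step that compares a download against a pinned SHA-256 and deletes it on mismatch. The function names and the 3-byte stand-in file are constructed; the real nginx digest is not on this page and would have to be pinned from a trusted source.

```shell
#!/bin/sh
# Print the lowercase SHA-256 hex digest of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE PINNED_HEX
# 0 = digest matches; 1 = mismatch (file deleted); 2 = unusable pin or file.
verify_sha256() {
    file=$1
    pinned=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # An unfilled placeholder or truncated digest must fail, not pass.
    case $pinned in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#pinned}" -eq 64 ] || return 2
    [ -f "$file" ] || return 2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$pinned" ]; then
        rm -f -- "$file"   # never leave an unverified archive for later steps
        return 1
    fi
    return 0
}

# Constructed demo: a 3-byte stand-in "archive" instead of the real tarball.
demo() {
    dir=$(mktemp -d) || return 2
    printf 'abc' > "$dir/archive.tar.gz"
    # SHA-256 of the bytes "abc" (the standard test vector)
    good=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
    verify_sha256 "$dir/archive.tar.gz" "$good" && echo "pinned digest: ok"
    printf 'abX' > "$dir/archive.tar.gz"   # simulate in-transit modification
    verify_sha256 "$dir/archive.tar.gz" "$good" || echo "tampered: rejected ($?)"
    rm -rf -- "$dir"
}
demo
```

In a Dockerfile the same check belongs in the same `RUN` step as the download, so a mismatch fails the build before anything is unpacked or compiled.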

You'd be building and running these outside of Iran for them to work, which would limit the Iranian government's ability to perform the attack you describe.
That’s awful.