wireapp / wire

Overview of the open source code for Wire
https://wire.com
GNU General Public License v3.0

Feature Request: Let Wire be usable in China #219

Open cbwang2016 opened 6 years ago

cbwang2016 commented 6 years ago

China is a well-known country with terrible internet censorship. In China, people use WeChat to communicate with friends, which would record the user's every touch on the screen, every word they type, with the user's location, and upload them to WeChat's server.

Why? Because people in China have no choice. All the secure IM apps are unusable in China, like Facebook Messenger, WhatsApp, Telegram, Signal and Wire. It is truly difficult to bypass the so-called GFW, but it would be worth it.

The best option that came to my mind is a DHT network, like BitTorrent or Tox, with dynamic bootstrap nodes inside China. I'm not sure whether there are other ways. But discussions are welcome.

baimafeima commented 6 years ago

> The best option that came to my mind is a DHT network, like BitTorrent or Tox, with dynamic bootstrap nodes inside China.

@cbwang2016 Thank you for your feature request. Could you explain this idea in more detail? As far as I know, Wire is actually planning to decentralize but I'm not sure if a distributed architecture is in the works. I doubt it. I have faced the same issues - that is, Wire traffic is instantly blocked in China - and using a VPN to circumvent it is very troublesome, especially on a mobile phone. The way to go, in my view, is to include obfuscation options (stunnel, obfs4 and the like), with a tick box upon start of the app ("access to the internet is censored where I live").

cbwang2016 commented 6 years ago

In China, there are mainly two methods to block websites: DNS poisoning and IP blocking. There is a large number of government employees maintaining these blacklists.

Tor used to use obfuscated bridges to help Chinese people, but these bridge servers are IP blocked in a short time once online.

If Wire is going to decentralize like Matrix.org, it is an option, but not the optimal option.

Tor is always at the frontier in the Chinese anti-ban tech. Now, they use Domain Fronting bridges, which are still usable today. In the future, they are planning to use Snowflake. I believe these two tricks are better options than obfs4 or stunnel.

However, more and more CDNs are forbidding Domain Fronting. It would shortly become unusable if TLS doesn't include SNI Encryption in the future.

I used to think that DHT was a method, but now I'm not sure if it can bear a large number of fake nodes from the government.

That's almost all the popular tricks in China. It's now for you to decide which to use.

baimafeima commented 6 years ago

Your comments are very helpful as I've struggled with lots of different options in China as well. Could you explain this a bit more?

> However, more and more CDNs are forbidding Domain Fronting. It would shortly become unusable if TLS doesn't include SNI Encryption in the future.

> I used to think that DHT was a method, but now I'm not sure if it can bear a large number of fake nodes from the government.

Are you available on Wire? I'd like to actually write all of this up in a more systematic way and create a freedom-oriented anti-censorship website. I can set it up and host it at a safe space.

cbwang2016 commented 6 years ago

It's complicated to explain...you can search them yourself: https://trac.torproject.org/projects/tor/wiki/doc/meek https://blog.torproject.org/domain-fronting-critical-open-web https://tools.ietf.org/html/draft-ietf-tls-esni-01 https://en.wikipedia.org/wiki/Kademlia

I don't use Wire frequently. You can contact me via Matrix if you like.

baimafeima commented 6 years ago

@cbwang2016 Thanks, how can I contact you via Matrix?

cbwang2016 commented 6 years ago

@baimafeima base64: QGNid2FuZzptYXRyaXgub3Jn

strypey commented 5 years ago

@baimafeima

> As far as I know, Wire is actually planning to decentralize but I'm not sure if a distributed architecture is in the works

Can you provide any links to where they've discussed or announced such plans? EDIT: answering my own question: https://github.com/wireapp/wire/issues/160

Also, when you say "decentralize", I presume you mean allow federation between Wire servers? I'm just asking for clarification because in some schemas, "decentralized" refers to any kind of network without a single centre, including both "federated" (server > server) and "distributed" (peer > peer) networks.

If Wire are planning to implement server>server federation, that would be great! Users in China could run their own Wire servers, and use them to talk to each other even if they're not on the same server. Depending how the server>server federation works, they may also be able to talk to users on the main Wire.com server without having to connect to it directly.

strypey commented 5 years ago

@cbwang2016 :

> In China, there are mainly two methods to block websites: DNS poisoning and IP blocking. There is a large number of government employees maintaining these blacklists.

I presume that existing Wire clients are basically just a version of the web app tweaked to run outside the browser (as discussed here https://github.com/wireapp/wire-desktop/issues/994), so they all depend on connecting to URLs at Wire.com and its subdomains. It would be great to know for sure, and especially if this is true for some clients and not others (eg only the Electron desktop clients). If I'm right about this, all the GFW has to do to block Wire in China is keep wire.com on its list of banned or poisoned domains.

One solution, then, would be to move away from Electron, which would also massively reduce the system resources used in Wire: https://sircmpwn.github.io/2016/11/24/Electron-considered-harmful.html

... as well as any software freedom issues that might be raised by Electron's dependence on code from Chromium: https://libreplanet.org/wiki/List_of_software_that_does_not_respect_the_Free_System_Distribution_Guidelines#chromium-browser

Moving away from Electron was suggested in https://github.com/wireapp/wire-desktop/issues/567, but unfortunately there isn't much support for this among the Wire business team. However, they do seem willing to allow the community to develop native third-party clients and use them on their server, unlike Signal. Also, if you're correct that they are going to implement server>server federation, they could require only official clients to connect to the official Wire.com server, but still allow users with other clients to talk to users on their server by connecting to other servers that do allow them.