this post was submitted on 10 Aug 2024
588 points (98.4% liked)

Privacy

32120 readers
279 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

"Signal is being blocked in Venezuela and Russia. The app is a popular choice for encrypted messaging and people trying to avoid government censorship, and the blocks appear to be part of a crackdown on internal dissent in both countries..."

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 4 points 3 months ago* (last edited 3 months ago) (2 children)

Maybe I've misunderstood how it works. I thought that when connecting to a matrix instance you would point to the domain name and the text file would be on a standard location (as with /robots.txt or all the files in /.well-known/) so it would be easily discoverable. In fact I just checked and matrix does use /.well-known/ so one should be able to identify matrix servers by querying these URLs. Unless their is a way to use a non-standard location, but that would require further configuration on the client I guess.

And just to answer your question, the only way to find some hidden file would be to brute force. This could obviously be extremely time consuming if the URL is long and random enough, especially if you add rate limiting (this last thing could be circumvented by using multiple IPs to scan, which would be easy for a state actor).

Edit: I've just realized I wasn't answering to the same person, the first part of the message was more for @[email protected]

[–] [email protected] 2 points 3 months ago (1 children)

Yeah the main thing is that the ports and addresses can change and it's nbd. From a firewall perspective, it's impossible to block them all. Especially when the clients are doing mundane https requests. Even if the server goes down or partial connectivity, the channel can still be used.

[–] [email protected] 2 points 3 months ago

But this seems easy to automatically block, no? If a client is querying an unknown domain check for some Matrix related data in /.well-known/ and add it to the block list if there is. And since the servers are publicly advertising the port used you just need to periodically check the list of known matrix domains you are creating in the first step.

Russia is already doing DPI and blocking ESNI so that seems easy. A more widespread usage of ECH would help everyone, as is Signal advocating, but that's not the case yet.

[–] [email protected] 2 points 3 months ago

Ah maybe I've misunderstood then, lol. I didn't know any of that. Oh well!