Recently at the 36th CCC, Moxie Marlinspike gave a talk titled “the ecosystem is moving” defending his choice to centralize Signal, claiming decentralized systems are unable to adapt and succeed and that centralized systems can meet the same goals better. Yet each of the goals Moxie claimed decentralized systems could not meet well are not only achievable, but already functioning at a higher level in existing decentralized systems. The examples are readily available, and many key safety requirements can never be met by Signal’s centralized architecture.
Before diving into details, the headlining point, that “the ecosystem is moving” while “once you decentralize a protocol it becomes extremely difficult to change” is easily refuted. First, one of his own examples is HTTP. Web browsers are indeed distributed, communicating with third party sites. I wonder what the Google Chrome team would think if they were directly told they couldn’t “evolve” and were basically the same as 20 years ago. This idea that decentralized software and protocols like HTTP and HTML can’t evolve successfully to meet changing needs and tastes is just laughable.
Second, it’s a false dilemma between a centralized system in which one entity creates the software, runs the service, and stores and forwards all the data and a decentralized protocol, in which there are many implementations and running instances. In contrast, many successful distributed secure systems including messengers have a core development team that works together (even if not all employed at the same place) and generally unified software, which is widely run and can be rapidly changed. For example, the Monero cryptocurrency is a successful distributed system and it has no centrally controlled servers that can identify all participants or collect their IP addresses. Monero’s effectively central development team also has repeatedly and successfully introduced near-total breaking overhauls of its distributed protocol over short time periods, fundamentally changing its core operation including hiding transaction amounts, changing core cryptographic algorithms for efficiency, and even rapidly overhauling the proof-of-work algorithms. The distributed ecosystem and protocols are indeed moving without centralized servers.
The third flaw of “the ecosystem is moving” is the contention that in order to be successful, you must centralize. Aside from the decentralized entire internet and web itself that virtually everyone reading Moxie’s blog post or talk uses to do so, I looked at the last communications I received from individuals in government, industry, and other scenes, friends and relatives through all channels, even in person. In the vast majority of cases where someone has provided contact methods, they have pointed to decentralized systems: phone numbers, email addresses, physical addresses, even websites. All of these remain outside the control of a single entity. A few telephone or internet giants host a lot or even most of the connections on some of those networks, but anybody can use a new address outside them and communicate seamlessly. There’s a reason he does not point out any centralized communications systems from 20 years ago. The dominant centralized platforms from 20 years ago, AIM and MSN messenger being the most popular, have all died. Decentralization has by far the best track record for building communication protocols that are successful and last. HTTP and HTML have been the destination, as people fled less distributed environments.
Let’s look at the supporting claims as well:
Moxie’s talk points out that there are many insecure distributed systems, such as email, that do not encrypt end to end. It is unclear what relevance this has, of course you can find plenty of insecure centralized systems as well. It’s disappointing that despite many distributed secure messengers being available, none were mentioned, but unsurprising since any of them would stand as clear counterexamples to the claims made.
One claim was that the idea of not having a central service observing your metadata and owning your own data “is somewhat of an antiquated notion” since ordinary users have no desire to manage their own services like “computer people” do. Then he says “things like metadata protection are going to require new techniques and that those new techniques are more likely to evolve in centralized rather than decentralized environments” – a statement of faith or hope that is completely opposite the real world. Metadata protection in deployed distributed networks such as Tor has made great leaps over the past few decades for users who definitely don’t need to run their own servers and has proven successful against powerful adversaries. Meanwhile centralized services over the same time period have made little progress by comparison. Signal still holds everyone’s phone number, or something easily reversible to it, still observes the IP addresses and data sizes of all messages, etc.
This poses a major threat that is nearly impossible to overstate for vulnerable people such as activists under hostile governments. A mobile phone number (or APNS/GCM) based system allows the government or telecom to immediately identify and geolocate any entity using several means. If one activist’s phone was suddenly swiped, everyone they Signal message with could be identified and located, which is a life-threatening flaw. Moxie made clear in his talk that those are non-negotiable; Signal simply cares far more about those features and convenience to use or even expose other options for vulnerable users. And this is another critical flaw for centralized services, their goals and incentives frequently coincide with the casual masses, not the truly vulnerable minority.
UPDATE: 2021 February – Signal is officially asking for decentralized help with censorship resistance because their centralized approach has failed.
Moxie claims “if you imagine a scenario where there’s a bunch of different… users who… are affiliated with a bunch of different servers that if… one server gets blocked by a censor that the users who can no longer access that server can switch to different servers but the problem is as soon as they do that they have to be rediscovered by everyone else in the network.” Imagine is a good word here, because that’s not how any secure distributed messaging protocol works, whether Tox, Ricochet, or others. All of them seamlessly switch servers, with no input from or indication to the user, broadcasting meet information signed by the user’s public key to redirect future messages. Data-storing protocols like IPFS, bittorrent, etc. use techniques like DHT’s or more private modern equivalents and also require no user input to switch servers and rapidly do so, transparently to the user.
Moxie also asserts that centralized services can avoid blocks by “using techniques like proxy sharding which is basically like you set up multiple ingress points and you shard access to them to different users so, you know, only some users can discover some access points which means that a censor can’t discover all of the access points very quickly” then somehow assumes decentralized systems can’t do this.
Instead, they do it better. While Signal’s small paid staff has a handful of domain fronts, the distributed Tor has literally thousands of separately-run servers, with over 1000 sharded bridges that are difficult for censors to discover quickly. Tor also has a wider variety of ingress protocols, including domain fronting, but also many others as well. And that is not all; there are likely many more servers and even protocols the tor devs do not know about, since the bridging and obfuscating protocol wrappers are pluggable and easy to set up privately. It is far easier for a censor to discover ingress points of a completely centralized system with static codebase like Signal than for an extensible distributed system.
All of this is not to mention of course, that during times of civil unrest or disaster the most common deliberate or inadvertent censorship technique, frequently deployed in dozens of countries around the world including some of the largest, is to simply disconnect the internet entirely. There is no possibility for a centralized network like Signal to function against these common censorship situations. In contrast, many distributed messengers such as Briar work great.
Signal, the entire service, has gone down several times in recent years, as has WhatsApp and Facebook Messengers, Twitter, Slack… The distributed Tor network (running the Ricochet, SecureDrop, and other distributed messengers) has not gone down, at its worst moments only operating too slowly to exchange video, but never too slowly to exchange secure text messages. The distributed Tox network has not gone down. Nor has Monero gone down.
Yet Moxie imagines a distributed system in which “you would just have more outages… if you have a centralized service and you wanted to move that centralized service into two different data centers and the way you did that was by splitting the data up between those two different data centers you just half your availability because the mean time between failure goes up since we have two different data centers”
There are distributed systems that store data, such as bittorrent, IPFS, and others, and exactly zero of them work like that. All of them have redundancy.
UPDATE: 2021 January- Signal was down globally again.
Decentralized systems’ far better track record than centralized services on these goals must be very frustrating if you run such a centralized service but attacking bizarre straw men is not useful. Imagine if the over 50 million dollars funding Signal had gone towards polishing a distributed messenger. Maybe instead of Signal stickers we’d have a similar level of polish to any of the more private, more censorship resistant, and more available messengers instead. Perhaps that’s the real problem.