Sneaky chat app Signal deploys decoy domains to deny despots

Reasonably secure messenger has, for now, outwitted those who would block it

Electronic Trojan horse

The latest update of Signal, one of the most well-regarded privacy-focused messaging applications for non-technical users, has just been revised to support a censorship circumvention technique that will make it more useful for people denied privacy by surveillance-oriented regimes.

In response to reports that Egypt and the United Arab Emirates have been blocking Signal messaging through regional ISPs, Open Whisper Systems has revised the Android version of Signal to implement a technique called domain fronting.

"With today's release, domain fronting is enabled for Signal users who have a phone number with a country code from Egypt or the UAE," said company founder Moxie Marlinspike in a blog post. "When those users send a Signal message, it will look like a normal HTTPS request to www.google.com. To block Signal messages, these countries would also have to block all of google.com."

As described in a 2015 paper by researchers from the University of California, Berkeley, Psiphon, and Brave New Software, domain fronting relies on the use of different domain names at different application layers to evade censorship.

In contrast to a typical HTTPS request, where the domain name is echoed across the DNS query, the TLS Server Name Indication (SNI) extension, and the HTTP Host header, a domain-fronted request includes a decoy domain and a real domain.

The DNS query and SNI present the "front domain" while the HTTP Host header, inaccessible in transit thanks to HTTPS, contains the actual destination – presumably a domain that's disallowed or censored. When the front domain is something like "google.com," then blocking that domain would deny everyone on the censored network access to Google.

According to Marlinspike, Open Whisper's goal is to make disabling the internet the only option for regimes that would disable Signal.

Domain fronting requires a CDN, to receive the request on an edge server and forward the request to the domain in the HTTP host header, or a service that provides similar functionality, like Google's App Engine, through a reflection script.

Such service typically isn't free. The research paper cites costs ranging from $0.10–0.25 per GB among service providers like Google App Engine, Amazon CloudFront, Microsoft Azure, Fastly, and CloudFlare. This may explain why Signal isn't making domain fronting a default everywhere.

Marlinspike said an iOS version of Signal that supports domain fronting is available through Signal's beta channel and a stable version is expected soon. Subsequent updates, he said, will improve censorship detection and circumvention and broaden the availability of domain fronting. ®


Biting the hand that feeds IT © 1998–2017