Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Encryption Security Software

Encrypted Messaging App Signal Uses Google To Bypass Censorship (pcworld.com) 87

Developers of the popular Signal secure messaging app have started to use Google's domain as a front to hide traffic to their service and to sidestep blocking attempts. Bypassing online censorship in countries where internet access is controlled by the government can be very hard for users. It typically requires the use of virtual private networking (VPN) services or complex solutions like Tor, which can be banned too. From a report on PCWorld: Open Whisper Systems, the company that develops Signal -- a free, open-source app -- faced this problem recently when access to its service started being censored in Egypt and the United Arab Emirates. Some users reported that VPNs, Apple's FaceTime and other voice-over-IP apps were also being blocked. The solution from Signal's developers was to implement a censorship circumvention technique known as domain fronting that was described in a 2015 paper by researchers from University of California, Berkeley, the Brave New Software project and Psiphon. The technique involves sending requests to a "front domain" and using the HTTP Host header to trigger a redirect to a different domain. If done over HTTPS, such redirection would be invisible to someone monitoring the traffic, because the HTTP Host header is sent after the HTTPS connection is negotiated and is therefore part of the encrypted traffic.
This discussion has been archived. No new comments can be posted.

Encrypted Messaging App Signal Uses Google To Bypass Censorship

Comments Filter:
  • by Anonymous Coward

    I'm just waiting until Egypt does what China has done and blocks Google until they comply. Hopefully not.

    Signal is an awesome app. It reminds me of the old TextSecure app that isn't made any longer, which was a perfect replacement for Android's stock SMS appl

    • by TadMSTR ( 996071 ) on Thursday December 22, 2016 @12:50PM (#53537923)

      TextSecure was their original app. They replaced it with Signal.

    • Re: (Score:3, Informative)

      by mlw4428 ( 1029576 )
      Signal is made by the same devs who make Signal.
      • > Signalis made by the same devs who make Signal . At the moment, that's moderated +4 Informative. Since that's informative, let me add that Frosted Flakes is made by the same people who make Frosted Flakes.
    • by afgam28 ( 48611 ) on Thursday December 22, 2016 @01:02PM (#53538001)

      According to the article a lot of cloud service providers and CDNs allow HTTP host header redirection, so the Egyptian government would need to block a lot than just google.com.

      China also had to create a domestic tech industry to replace all the foreign websites that it blocked. A country the size of China can pull this off, but Egypt is much smaller...

    • If the article is right about how this works, it should work with any website that obeys the specs. Unless you ban everything that uses https (good luck with that) you're not going to be able to stop this.

      Their research revealed that many cloud service providers and content delivery networks allow HTTP host header redirection, including Google, Amazon Cloudfront, Amazon S3, Azure, CloudFlare, Fastly and Akamai. However, most of them only allow it for domains that belong to their customers, so one must become a customer in order to use this technique.

      Oh, how tough. I must be a CloudFlare customer to use this. *clickety click* Tadaaaah! Done.

      So they're going to block all the major content delivery networks? Might as well just cut the cable to the rest of the world. This can only be stopped if they can get the CDN's and cloud services (all of them) to st

  • by fph il quozientatore ( 971015 ) on Thursday December 22, 2016 @12:50PM (#53537927)
    So, IANACryptographer, but if I understand correctly: Google gets metadata when Alice sends a message (because connect to its server using this "fronting"), and when Bob receives one (because Signal delivers messages using GCM). It doesn't look too hard for them to reconstruct that Alice is exchanging messages to Bob.
    • by donaggie03 ( 769758 ) <d_osmeyer@hotmail.cDEGASom minus painter> on Thursday December 22, 2016 @01:04PM (#53538015)

      So, IANACryptographer, but if I understand correctly: Google gets metadata when Alice sends a message (because connect to its server using this "fronting"), and when Bob receives one (because Signal delivers messages using GCM). It doesn't look too hard for them to reconstruct that Alice is exchanging messages to Bob.

      Except Google's servers are sending and receiving millions upon millions of messages every second, so no it wouldn't be very easy to match up one particular sender with one particular receiver. Then you have the problem that, as you said, Google gets the metadata, not Egypt, and Google has no interest in trying to reconstruct this conversation, regardless of how easy it may be to do so.

      • by arth1 ( 260657 ) on Thursday December 22, 2016 @01:25PM (#53538193) Homepage Journal

        Google has no interest in trying to reconstruct this conversation, regardless of how easy it may be to do so.

        Google has an interest in complying with the laws of the countries in which it operates. Are you sure that certain government agencies or individuals representing such agencies have no such interest?

        • by Threni ( 635302 )

          Google would presumably reveal that they are doing so for a given country, though.

          • by arth1 ( 260657 )

            Google would presumably reveal that they are doing so for a given country, though.

            Funny man. You really think that Google would tell you if an all writs or security court order compelled them to assist the US government and not disclose it to anyone? And that they aren't already doing this?

            • Google would presumably reveal that they are doing so for a given country, though.

              Funny man. You really think that Google would tell you if an all writs or security court order compelled them to assist the US government and not disclose it to anyone? And that they aren't already doing this?

              I don't think there is, at present, any sort of standard legal mechanism that could compel disclosure of message content coupled with a gag order. A National Security Letter has the gag order, but can't compel disclosure of content, and other mechanisms don't have the gag order. I suppose a judge could issue an order that does both, but it's hard to see what sort of situation would motivate a judge to do that... and which wouldn't get rejected by the appellate court.

              • Autocratic governments don't need a specific law, they just tell people/corporations what they want. It's like when the US government discovered they can ignore the Constitution if they tell a corporation to do the job and give them the intelligence instead of doing the spying directly.
                • Autocratic governments don't need a specific law, they just tell people/corporations what they want. It's like when the US government discovered they can ignore the Constitution if they tell a corporation to do the job and give them the intelligence instead of doing the spying directly.

                  It's a good thing the United States doesn't work like that. Not yet, at least.

      • by tlhIngan ( 30335 )

        Google has no interest in trying to reconstruct this conversation, regardless of how easy it may be to do so.

        Google doesn't care about the contents of the message (they're encrypted, anyways). However, the metadata is still valuable information if you want to see relationships.

        And relationships are valuable marketing information - Google has to share that information with all the other Alphabet companies now (because the new Alphabet privacy policy ensures it), so even though the metadata might not seem imp

    • by arth1 ( 260657 )

      In a nutshell, any security that depends on a third party becomes vulnerable to the integrity of the third party. Google and any agency that has ties with Google can certainly run traffic analysis and log the end points and request response sizes, even if the TLS connection is forwarded. When using Google, with the added advantage of having profiles for the contents already.
      Even more, merely using such a service puts the traffic in the category of what's interesting and worthwhile trying to analyze and b

      • well, in this case, probably a lot farther than the government of Egypt.

        • by arth1 ( 260657 )

          well, in this case, probably a lot farther than the government of Egypt.

          That depends on who and where you are. I'm certain that some other governments who can pull Google's strings have the means to harm you far more than the Egyptian government. That may even be true for many Egyptians.

          • by DRJlaw ( 946416 )

            That depends on who and where you are. I'm certain that some other governments who can pull Google's strings have the means to harm you far more than the Egyptian government. That may even be true for many Egyptians.

            Then don't use the application. You're free to completely secret, and thus incommunicado, by not initiating a connection through Google and remaining blocked.

      • by Anonymous Coward

        > Google can certainly run traffic analysis and log the end points and request response sizes, even if the TLS connection is forwarded.

        So can any ISP or network equipment operators between a Signal user and OWS's servers. I'm wondering just _exactly_ what threat you think Google poses to Signal users. Is your sole concern that Google will figure out that two computers are communicating with Signal and do $SOMETHING with that data?

        Newsflash: The big infrastructure operators like ATT can _already_ do this

        • by arth1 ( 260657 )

          So can any ISP or network equipment operators between a Signal user and OWS's servers. I'm wondering just _exactly_ what threat you think Google poses to Signal users. Is your sole concern that Google will figure out that two computers are communicating with Signal and do $SOMETHING with that data?

          What you're missing is that Google knows the endpoint (or next step, if daisy-chained), which your ISP or firewall doesn't. Seeing that you visit overthrow.sedition.org is Useful Information for the snoops.

          (It's worse because it's Google, because they also having statistics for traffic size, order and latencies for the endpoint web sites, making it possible to determine and log probabilities for just what content is being accessed too.)

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      1) Signal has never, ever, ever claimed to provide any protection for message addressing metadata that could be derived from analysis of the TCP conversations required to use Signal. It only claims to protect the _contents_ of your conversation and -if you bother to verify the keys of your conversing party- provide MitM protection to ensure that your conversing party is who you think they are.

      2) Google is far more honest and forthright than the operators of most networking equipment in the path between Alic

      • It is significantly easier for Google to match up senders and receivers. Even if you they go through millions of messages per second, in an exchange of, like, 20 IMs they can see if the timestamps of Alice's sent messages pair up almost perfectly with those of Bob's received messages. My ISP cannot do that, unless they see both halves of the conversation.
    • by nadador ( 3747 )

      Signal delivers notifications with GCM, not messages themselves. But yes, meta-data is not secure.

  • Egypt and other countries that want to block Signal will now have to start blocking https://.google.com/ [google.com] and https://.cnd_domain_here/ [.cnddomainhere] real soon now.

    This would allow non-encrypted Google searches and non-encrypted CDN traffic. Since most users in those countries know their government is spying on them, er, I mean protecting them from bad stuff on the Internet, this shouldn't cause too much domestic political blowback.

    Face it, if you are in a country with draconian censorship or government monitoring - like

  • FTFA: "The anti-censorship feature is currently present in the latest version of Signal for Android. It’s also included in a beta version of the app for iOS that will be released in production soon. The developers also plan future improvements that will allow the app to detect censorship automatically and switch to domain fronting even if the user has a phone number from a country where censorship is not normally present. This is intended to cover those cases where users travel to other countries whe

  • by Applehu Akbar ( 2968043 ) on Thursday December 22, 2016 @02:11PM (#53538533)

    If it can operate through sites other than Google, can it get through to and from China?

  • I have thought about installing Signal, but then I always remember the laundry list of permissions it wants access to in order to install. This app is supposed to make us feel comfortable about being "secure" but it asks for way more privileges than any other app I have ever installed. And speaking of "ever", given the recent Evernote announcement, I worry about giving another company access to THAT MUCH of my phone's contents.

    What is everybody else's opinion on Signal?
    • I have thought about installing Signal, but then I always remember the laundry list of permissions it wants access to in order to install.

      Here [whispersystems.org] is a rundown on device permissions for Signal. Most of them seem basically necessary for a functional messaging app.

      What is everybody else's opinion on Signal?

      I've been using it for a few weeks, and I like it just fine. It is a transparent replacement for my default messaging app, and handles encryption to/from other signal users transparently. An additional perk is a Chrome plugin which lets me send/receive SMS messages from my browser. For a lot of obvious reasons, it is likely to be nowhere near as

  • by laughingskeptic ( 1004414 ) on Thursday December 22, 2016 @03:40PM (#53539171)
    Egypt doesn't have to block www.google.com, they only have to discern which internal IPs are attempting to communicate securely and blacklist those IPs from performing out-bound connections. As long as Egypt's firewall can tell the difference between a redirect and a normal search response they can do this. Google would have to start padding redirect responses to make it harder to tell the difference between these response types.
  • I've never liked Signal because it associates users to mobile phone numbers and doesn't have a good PC companion app. Mobile phones are amazingly effective tracking and surveillance devices. We should try very hard to avoid using them or at least decouple them from the phone system as much as possible. We need anonymous mobile computing devices. :)
  • "Encrypted Messaging App Signal Uses Google To Bypass Censorship"

    When every word is capitalized, capitals have no meaning. Wake up Slashdot, headlines don't need this hype and I don't have time to try to decipher them. The English language works- use it!

    • It is called a "Title". In standard English composition a title is all capitalized. Much like a novel or movie title. However this is an article title. Therefore it is capitalized. Notice the summary is not in all caps.

May all your PUSHes be POPped.

Working...