Encrypted Messaging App Signal Uses Google To Bypass Censorship

Developers of the popular Signal secure messaging app have started to use Google's domain as a front to hide traffic to their service and to sidestep blocking attempts. Bypassing online censorship in countries where internet access is controlled by the government can be very hard for users. It typically requires the use of virtual private networking (VPN) services or complex solutions like Tor, which can be banned too. From a report on PCWorld: Open Whisper Systems, the company that develops Signal -- a free, open-source app -- faced this problem recently when access to its service started being censored in Egypt and the United Arab Emirates. Some users reported that VPNs, Apple's FaceTime and other voice-over-IP apps were also being blocked. The solution from Signal's developers was to implement a censorship circumvention technique known as domain fronting that was described in a 2015 paper by researchers from University of California, Berkeley, the Brave New Software project and Psiphon. The technique involves sending requests to a "front domain" and using the HTTP Host header to trigger a redirect to a different domain. If done over HTTPS, such redirection would be invisible to someone monitoring the traffic, because the HTTP Host header is sent after the HTTPS connection is negotiated and is therefore part of the encrypted traffic.

Egypt blocks Google... end of story

[Anonymous Coward]

I'm just waiting until Egypt does what China has done and blocks Google until they comply. Hopefully not.

Signal is an awesome app. It reminds me of the old TextSecure app that isn't made any longer, which was a perfect replacement for Android's stock SMS appl

Re:Egypt blocks Google... end of story

[TadMSTR]

TextSecure was their original app. They replaced it with Signal.

Re:

[mlw4428]

Signal is made by the same devs who make Signal.

Re:

[fbobraga]

you must be new here...

Re:

[mlw4428]

I was replying to the AC post of: "Signal is an awesome app. It reminds me of the old TextSecure app that isn't made any longer, which was a perfect replacement for Android's stock SMS appl" by informing him (and potentially others) that the guys who made TextSecure make Signal as it seemed from the post like AC thought they were completely different apps. It's informative for those who didn't know this information previously, I'm sorry you took offense to that.

Re:

[moronoxyd]

That's what you wanted to do.
But what you did write is 'Signal is made by the same devs who make Signal.'

So... no mention of TextSecure in there.

Re:

[mlw4428]

Yeah, I just saw it. Go ahead, downvote that post. Haha.

Tautologically informative

[raymorris]

> Signalis made by the same devs who make Signal . At the moment, that's moderated +4 Informative. Since that's informative, let me add that Frosted Flakes is made by the same people who make Frosted Flakes.

Re:Egypt blocks Google... end of story

[afgam28]

According to the article a lot of cloud service providers and CDNs allow HTTP host header redirection, so the Egyptian government would need to block a lot than just google.com.

China also had to create a domestic tech industry to replace all the foreign websites that it blocked. A country the size of China can pull this off, but Egypt is much smaller...

Re:

[St.Creed]

Oh joy. If I were a cyber criminal, which I am not, obviously, I would be focusing all my attention on the country that did that. It must be wonderful to work in a country where encryption is illegal, even for banking apps.

Re:

[slashrio]

China could try to force all those CDNs to record, store and deliver them all the encrypted http headers (after decrypting them of course) they redirect to, including the issuing IP addresses, or else be blocked altogether.

Re:

[slashrio]

Sorry, responding to and AC who seems not even able to read a single sentence correctly is below my threshold of self esteem.

Re:

[St.Creed]

If the article is right about how this works, it should work with any website that obeys the specs. Unless you ban everything that uses https (good luck with that) you're not going to be able to stop this.

Their research revealed that many cloud service providers and content delivery networks allow HTTP host header redirection, including Google, Amazon Cloudfront, Amazon S3, Azure, CloudFlare, Fastly and Akamai. However, most of them only allow it for domains that belong to their customers, so one must become a customer in order to use this technique.

Oh, how tough. I must be a CloudFlare customer to use this. *clickety click* Tadaaaah! Done.

So they're going to block all the major content delivery networks? Might as well just cut the cable to the rest of the world. This can only be stopped if they can get the CDN's and cloud services (all of them) to st

So Google gets metadata?

[fph il quozientatore]

So, IANACryptographer, but if I understand correctly: Google gets metadata when Alice sends a message (because connect to its server using this "fronting"), and when Bob receives one (because Signal delivers messages using GCM). It doesn't look too hard for them to reconstruct that Alice is exchanging messages to Bob.

Re:So Google gets metadata?

[donaggie03]

So, IANACryptographer, but if I understand correctly: Google gets metadata when Alice sends a message (because connect to its server using this "fronting"), and when Bob receives one (because Signal delivers messages using GCM). It doesn't look too hard for them to reconstruct that Alice is exchanging messages to Bob.

Except Google's servers are sending and receiving millions upon millions of messages every second, so no it wouldn't be very easy to match up one particular sender with one particular receiver. Then you have the problem that, as you said, Google gets the metadata, not Egypt, and Google has no interest in trying to reconstruct this conversation, regardless of how easy it may be to do so.

Re:So Google gets metadata?

[arth1]

Google has no interest in trying to reconstruct this conversation, regardless of how easy it may be to do so.

Google has an interest in complying with the laws of the countries in which it operates. Are you sure that certain government agencies or individuals representing such agencies have no such interest?

Re:

[Threni]

Google would presumably reveal that they are doing so for a given country, though.

Re:

[arth1]

Google would presumably reveal that they are doing so for a given country, though.

Funny man. You really think that Google would tell you if an all writs or security court order compelled them to assist the US government and not disclose it to anyone? And that they aren't already doing this?

Re:

[swillden]

Google would presumably reveal that they are doing so for a given country, though.

Funny man. You really think that Google would tell you if an all writs or security court order compelled them to assist the US government and not disclose it to anyone? And that they aren't already doing this?

I don't think there is, at present, any sort of standard legal mechanism that could compel disclosure of message content coupled with a gag order. A National Security Letter has the gag order, but can't compel disclosure of content, and other mechanisms don't have the gag order. I suppose a judge could issue an order that does both, but it's hard to see what sort of situation would motivate a judge to do that... and which wouldn't get rejected by the appellate court.

Re:

[currently_awake]

Autocratic governments don't need a specific law, they just tell people/corporations what they want. It's like when the US government discovered they can ignore the Constitution if they tell a corporation to do the job and give them the intelligence instead of doing the spying directly.

Re:

[swillden]

Autocratic governments don't need a specific law, they just tell people/corporations what they want. It's like when the US government discovered they can ignore the Constitution if they tell a corporation to do the job and give them the intelligence instead of doing the spying directly.

It's a good thing the United States doesn't work like that. Not yet, at least.

Re:

[tlhIngan]

Google has no interest in trying to reconstruct this conversation, regardless of how easy it may be to do so.

Google doesn't care about the contents of the message (they're encrypted, anyways). However, the metadata is still valuable information if you want to see relationships.

And relationships are valuable marketing information - Google has to share that information with all the other Alphabet companies now (because the new Alphabet privacy policy ensures it), so even though the metadata might not seem imp

Re:

[arth1]

In a nutshell, any security that depends on a third party becomes vulnerable to the integrity of the third party. Google and any agency that has ties with Google can certainly run traffic analysis and log the end points and request response sizes, even if the TLS connection is forwarded. When using Google, with the added advantage of having profiles for the contents already.
Even more, merely using such a service puts the traffic in the category of what's interesting and worthwhile trying to analyze and b

Re:

[radiumsoup]

well, in this case, probably a lot farther than the government of Egypt.

Re:

[arth1]

well, in this case, probably a lot farther than the government of Egypt.

That depends on who and where you are. I'm certain that some other governments who can pull Google's strings have the means to harm you far more than the Egyptian government. That may even be true for many Egyptians.

Re:

[DRJlaw]

That depends on who and where you are. I'm certain that some other governments who can pull Google's strings have the means to harm you far more than the Egyptian government. That may even be true for many Egyptians.

Then don't use the application. You're free to completely secret, and thus incommunicado, by not initiating a connection through Google and remaining blocked.

Re:

[Anonymous Coward]

> Google can certainly run traffic analysis and log the end points and request response sizes, even if the TLS connection is forwarded.

So can any ISP or network equipment operators between a Signal user and OWS's servers. I'm wondering just _exactly_ what threat you think Google poses to Signal users. Is your sole concern that Google will figure out that two computers are communicating with Signal and do $SOMETHING with that data?

Newsflash: The big infrastructure operators like ATT can _already_ do this

Re:

[arth1]

So can any ISP or network equipment operators between a Signal user and OWS's servers. I'm wondering just _exactly_ what threat you think Google poses to Signal users. Is your sole concern that Google will figure out that two computers are communicating with Signal and do $SOMETHING with that data?

What you're missing is that Google knows the endpoint (or next step, if daisy-chained), which your ISP or firewall doesn't. Seeing that you visit overthrow.sedition.org is Useful Information for the snoops.

(It's worse because it's Google, because they also having statistics for traffic size, order and latencies for the endpoint web sites, making it possible to determine and log probabilities for just what content is being accessed too.)

Re:

[Anonymous Coward]

1) Signal has never, ever, ever claimed to provide any protection for message addressing metadata that could be derived from analysis of the TCP conversations required to use Signal. It only claims to protect the _contents_ of your conversation and -if you bother to verify the keys of your conversing party- provide MitM protection to ensure that your conversing party is who you think they are.

2) Google is far more honest and forthright than the operators of most networking equipment in the path between Alic

Re:

[fph il quozientatore]

It is significantly easier for Google to match up senders and receivers. Even if you they go through millions of messages per second, in an exchange of, like, 20 IMs they can see if the timestamps of Alice's sent messages pair up almost perfectly with those of Bob's received messages. My ISP cannot do that, unless they see both halves of the conversation.

Re:

[fph il quozientatore]

Oops - you are right, maybe your post was not the best one to answer to among the two-three that made similar claims. Anyway, it still applies to what you wrote in point 2: I meant to say that Google here is in a significantly stronger position than "the operators of most networking equipment between Alice/Bob and OWS's servers", because it has access to both endpoints. The attack I have described would not work for Alice's ISP (unless it also happens to be Bob's ISP).

Re:

[nadador]

Signal delivers notifications with GCM, not messages themselves. But yes, meta-data is not secure.

Re:

[Anonymous Coward]

Could the same technique used with Amazon S3, CloudFlare, or Azure back-ends?

Yes. That's what Tor "meek" transport does, and it works reliably in China.

Re:

[St.Creed]

I'll quote the article for you, which helpfully describes points like the one in your question.

Their research revealed that many cloud service providers and content delivery networks allow HTTP host header redirection, including Google, Amazon Cloudfront, Amazon S3, Azure, CloudFlare, Fastly and Akamai. However, most of them only allow it for domains that belong to their customers, so one must become a customer in order to use this technique.

RTFA. It will make the writer happy.

Blocking of https://*.google.com in Egypt soon

[davidwr]

Egypt and other countries that want to block Signal will now have to start blocking https://.google.com/ [google.com] and https://.cnd_domain_here/ [.cnddomainhere] real soon now.

This would allow non-encrypted Google searches and non-encrypted CDN traffic. Since most users in those countries know their government is spying on them, er, I mean protecting them from bad stuff on the Internet, this shouldn't cause too much domestic political blowback.

Face it, if you are in a country with draconian censorship or government monitoring - like

Is this used by default for everyone now?

[TheDarkener]

FTFA: "The anti-censorship feature is currently present in the latest version of Signal for Android. It’s also included in a beta version of the app for iOS that will be released in production soon. The developers also plan future improvements that will allow the app to detect censorship automatically and switch to domain fronting even if the user has a phone number from a country where censorship is not normally present. This is intended to cover those cases where users travel to other countries whe

The acid test for such an app

[Applehu Akbar]

If it can operate through sites other than Google, can it get through to and from China?

Thought about installing Signal

[NoSalt]

I have thought about installing Signal, but then I always remember the laundry list of permissions it wants access to in order to install. This app is supposed to make us feel comfortable about being "secure" but it asks for way more privileges than any other app I have ever installed. And speaking of "ever", given the recent Evernote announcement, I worry about giving another company access to THAT MUCH of my phone's contents.

What is everybody else's opinion on Signal?

Re:

[PvtVoid]

I have thought about installing Signal, but then I always remember the laundry list of permissions it wants access to in order to install.

Here [whispersystems.org] is a rundown on device permissions for Signal. Most of them seem basically necessary for a functional messaging app.

What is everybody else's opinion on Signal?

I've been using it for a few weeks, and I like it just fine. It is a transparent replacement for my default messaging app, and handles encryption to/from other signal users transparently. An additional perk is a Chrome plugin which lets me send/receive SMS messages from my browser. For a lot of obvious reasons, it is likely to be nowhere near as

Re:

[turning in circles]

Most of my friends won't/wouldn't use Signal, and if you are always talking to people with default Apple/Android, nothing is encrypted anyway and the fact Signal doesn't attach photos easily and couldn't handle group texts made it not valuable. So I quit using Signal.

Other option of course is ditch the friends/family who won't use Signal for friends/family who do.

Redirects look different than search responses

[laughingskeptic]

Egypt doesn't have to block www.google.com, they only have to discern which internal IPs are attempting to communicate securely and blacklist those IPs from performing out-bound connections. As long as Egypt's firewall can tell the difference between a redirect and a normal search response they can do this. Google would have to start padding redirect responses to make it harder to tell the difference between these response types.

Re:

[laughingskeptic]

They still know the length of the response and for redirects, this is short.

Re:

[St.Creed]

Indeed - some major websites do about 5 redirects before you ever get to any content. It's the norm, not the exception. Good luck with that haystack.

Signal is not very good anyways

[Nocturrne]

I've never liked Signal because it associates users to mobile phone numbers and doesn't have a good PC companion app. Mobile phones are amazingly effective tracking and surveillance devices. We should try very hard to avoid using them or at least decouple them from the phone system as much as possible. We need anonymous mobile computing devices. :)

WTF is an 'app signal'?

[swell]

"Encrypted Messaging App Signal Uses Google To Bypass Censorship"

When every word is capitalized, capitals have no meaning. Wake up Slashdot, headlines don't need this hype and I don't have time to try to decipher them. The English language works- use it!

Re:

[ryocoon]

It is called a "Title". In standard English composition a title is all capitalized. Much like a novel or movie title. However this is an article title. Therefore it is capitalized. Notice the summary is not in all caps.