Developers of the popular Signal secure messaging app have started to use Google’s domain as a front to hide traffic to their service and to sidestep blocking attempts.
Bypassing online censorship in countries where internet access is controlled by the government can be very hard for users. It typically requires the use of virtual private networking (VPN) services or complex solutions like Tor, which can be banned too.
Open Whisper Systems, the company that develops Signal—a free, open-source app—faced this problem recently when access to its service started being censored in Egypt and the United Arab Emirates. Some users reported that VPNs, Apple’s FaceTime and other voice-over-IP apps were also being blocked.
The solution from Signal’s developers was to implement a censorship circumvention technique known as domain fronting that was described in a 2015 paper by researchers from University of California, Berkeley, the Brave New Software project and Psiphon.
The technique involves sending requests to a “front domain” and using the HTTP Host header to trigger a redirect to a different domain. If done over HTTPS, such redirection would be invisible to someone monitoring the traffic, because the HTTP Host header is sent after the HTTPS connection is negotiated and is therefore part of the encrypted traffic.
“In an HTTPS request, the destination domain name appears in three relevant places: in the DNS query, in the TLS Server Name Indication (SNI) extension and in the HTTP Host header,” the researchers said in their paper. “Ordinarily, the same domain name appears in all three places. In a domain-fronted request, however, the DNS query and SNI carry one name (the “front domain”), while the HTTP Host header, hidden from the censor by HTTPS encryption, carries another (the covert, forbidden destination).”
Their research revealed that many cloud service providers and content delivery networks allow HTTP host header redirection, including Google, Amazon Cloudfront, Amazon S3, Azure, CloudFlare, Fastly and Akamai. However, most of them only allow it for domains that belong to their customers, so one must become a customer in order to use this technique.
Google, for example, allows redirection through the HTTP host header from google.com to appspot.com. This domain is used by Google App Engine, a service that allows users to create and host web applications on Google’s cloud platform.
This means that someone can create a simple reflector script, host it on Google App Engine and then use the HTTP host header trick to hide its location from censors. Someone monitoring user traffic will only see HTTPS requests going to www.google.com, but those requests will reach the reflector script on Google App Engine and will be forwarded to a hidden destination.
“With today’s release, domain fronting is enabled for Signal users who have a phone number with a country code from Egypt or the UAE,” Open Whisper Systems founder Moxie Marlinspike said Wednesday in a blog post. “When those users send a Signal message, it will look like a normal HTTPS request to www.google.com. To block Signal messages, these countries would also have to block all of google.com.”
Even if the censors decide to ban Google, the domain fronting implementation can be expanded to use other large-scale services as domain fronts. If this happens, enforcing a ban on Signal would be the equivalent of blocking a very large portion of the internet.
The anti-censorship feature is currently present in the latest version of Signal for Android. It’s also included in a beta version of the app for iOS that will be released in production soon.
The developers also plan future improvements that will allow the app to detect censorship automatically and switch to domain fronting even if the user has a phone number from a country where censorship is not normally present. This is intended to cover those cases where users travel to other countries where the app is blocked.
Signal is considered by security experts as one of the most secure messaging services around. It’s open-source end-to-end encryption protocol has also been adopted by other popular chat apps like Facebook Messenger and WhatsApp.
While the communication between users is encrypted end-to-end, the Signal app uses servers for contact discovery and these can be blocked by censors to prevent users from using the app.