Encrypted messaging app Signal uses Google to bypass censorship

The app routes requests through Google's servers to make it harder for governments to block them

Developers of the popular Signal secure messaging app have started to use Google's domain as a front to hide traffic to their service and to sidestep blocking attempts.

Bypassing online censorship in countries where internet access is controlled by the government can be very hard for users. It typically requires the use of virtual private networking (VPN) services or complex solutions like Tor, which can be banned too.

Open Whisper Systems, the company that develops Signal -- a free, open-source app -- faced this problem recently when access to its service started being censored in Egypt and the United Arab Emirates. Some users reported that VPNs, Apple's FaceTime and other voice-over-IP apps were also being blocked.

The solution from Signal's developers was to implement a censorship circumvention technique known as domain fronting that was described in a 2015 paper by researchers from the University of California, Berkeley, the Brave New Software project and Psiphon.

The technique involves sending requests to a "front domain" and using the HTTP Host header to trigger a redirect to a different domain. If done over HTTPS, such redirection would be invisible to someone monitoring the traffic, because the HTTP Host header is sent after the HTTPS connection is negotiated and is therefore part of the encrypted traffic.

"In an HTTPS request, the destination domain name appears in three relevant places: in the DNS query, in the TLS Server Name Indication (SNI) extension and in the HTTP Host header," the researchers said in their paper. "Ordinarily, the same domain name appears in all three places. In a domain-fronted request, however, the DNS query and SNI carry one name (the “front domain”), while the HTTP Host header, hidden from the censor by HTTPS encryption, carries another (the covert, forbidden destination)."

Their research revealed that many cloud service providers and content delivery networks allow HTTP host header redirection, including Google, Amazon Cloudfront, Amazon S3, Azure, CloudFlare, Fastly and Akamai. However, most of them only allow it for domains that belong to their customers, so one must become a customer in order to use this technique.

Google, for example, allows redirection through the HTTP host header from google.com to appspot.com. This domain is used by Google App Engine, a service that allows users to create and host web applications on Google's cloud platform.

This means that someone can create a simple reflector script, host it on Google App Engine and then use the HTTP host header trick to hide its location from censors. Someone monitoring user traffic will only see HTTPS requests going to www.google.com, but those requests will reach the reflector script on Google App Engine and will be forwarded to a hidden destination.
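The split between the cleartext names (DNS query, SNI) and the encrypted Host header described above can be made concrete by looking at requests from the one vantage point that sees all three: the TLS-terminating front end. The following is an added example, not code from Signal, Google or the paper; the log format, field names, client addresses and the `reflector-example.appspot.com` hostname are constructed for illustration.

```python
# Added illustration. The log format, field names, client addresses and the
# appspot hostname are constructed for this example.
SAMPLE_LOG = """\
t1 198.51.100.7 dns=www.google.com sni=www.google.com host=www.google.com
t2 198.51.100.8 dns=www.google.com sni=www.google.com host=reflector-example.appspot.com
t3 198.51.100.9 dns=WWW.Google.com. sni=www.google.com host=www.google.com:443
t4 198.51.100.10 dns=www.google.com sni=- host=www.google.com
"""

FIELDS = ("dns", "sni", "host")

def normalize(name):
    """Lowercase, drop :port and a trailing dot; '-' or empty means absent."""
    name = name.strip().lower()
    if name in ("", "-"):
        return None
    return name.split(":", 1)[0].rstrip(".")  # IPv6 literals not handled

def parse_line(line):
    """Turn one constructed log line into a record with normalized names."""
    ts, client, *pairs = line.split()
    raw = dict(p.split("=", 1) for p in pairs)
    rec = {k: normalize(raw.get(k, "-")) for k in FIELDS}
    rec.update(ts=ts, client=client)
    return rec

def on_path_view(rec):
    """Names readable outside the TLS tunnel: the DNS query and the SNI."""
    return {"dns": rec["dns"], "sni": rec["sni"]}

def classify(rec):
    """Compare the encrypted Host header with the cleartext SNI."""
    if rec["sni"] is None:
        return "no-sni"
    if rec["host"] != rec["sni"]:
        return "host-differs-from-sni"
    return "consistent"

def report(log_text):
    return [(r["client"], classify(r))
            for r in map(parse_line, log_text.splitlines())]

if __name__ == "__main__":
    for client, verdict in report(SAMPLE_LOG):
        print(client, verdict)
```

Records `t1` and `t2` produce the same `on_path_view`, which is why an observer limited to DNS and SNI cannot tell them apart; only the party that decrypts the request can see that the Host header differs.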

"With today's release, domain fronting is enabled for Signal users who have a phone number with a country code from Egypt or the UAE," Open Whisper Systems founder Moxie Marlinspike said Wednesday in a blog post. "When those users send a Signal message, it will look like a normal HTTPS request to www.google.com. To block Signal messages, these countries would also have to block all of google.com."

Even if the censors decide to ban Google, the domain fronting implementation can be expanded to use other large-scale services as domain fronts. If this happens, enforcing a ban on Signal would be the equivalent of blocking a very large portion of the internet.

The anti-censorship feature is currently present in the latest version of Signal for Android. It's also included in a beta version of the app for iOS that will be released in production soon.

The developers also plan future improvements that will allow the app to detect censorship automatically and switch to domain fronting even if the user has a phone number from a country where censorship is not normally present. This is intended to cover those cases where users travel to other countries where the app is blocked.

Signal is considered by security experts to be one of the most secure messaging services around. Its open-source end-to-end encryption protocol has also been adopted by other popular chat apps like Facebook Messenger and WhatsApp.

While the communication between users is encrypted end-to-end, the Signal app uses servers for contact discovery and these can be blocked by censors to prevent users from using the app.


Lucian Constantin

IDG News Service