SoylentNews is people

posted by janrinok on Saturday December 24 2016, @05:36PM
from the every-problem-has-a-solution dept.

Developers of the popular Signal secure messaging app have started to use Google's domain as a front to hide traffic to their service and to sidestep blocking attempts. Bypassing online censorship in countries where internet access is controlled by the government can be very hard for users. It typically requires the use of virtual private networking (VPN) services or complex solutions like Tor, which can be banned too.

The solution from Signal's developers was to implement a censorship-circumvention technique known as domain fronting that was described in a 2015 paper [PDF] by researchers from University of California, Berkeley, the Brave New Software project and Psiphon.

The technique involves sending requests to a "front domain" and using the HTTP Host header to trigger a redirect to a different domain. If done over HTTPS, such redirection would be invisible to someone monitoring the traffic, because the HTTP Host header is sent after the HTTPS connection is negotiated and is therefore part of the encrypted traffic.

http://www.computerworld.com/article/3153059/security/encrypted-messaging-app-signal-uses-google-to-bypass-censorship.html
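The SNI/Host split described in the summary can be checked wherever TLS is terminated (an inspection proxy or the fronting service itself), since a passive observer sees only the cleartext server name. The following is an added example, not code from the article or from Signal; the `Session` record, the `front.example` / `hidden.example` names and the sample requests are constructed, and HTTP/1.1 is assumed.

```python
from dataclasses import dataclass


@dataclass
class Session:
    sni: str             # server_name from the TLS ClientHello (cleartext on the wire)
    request_head: bytes  # decrypted HTTP/1.1 request head, visible only after TLS termination


def normalize(host):
    """Lowercase, drop any :port and trailing dot so equivalent names compare equal."""
    host = host.strip().lower()
    if host.startswith("["):                      # IPv6 literal such as [::1]:443
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    return host.split(":", 1)[0].rstrip(".")


def host_headers(request_head):
    """Return every Host header value in the request head (names are case-insensitive)."""
    head = request_head.split(b"\r\n\r\n", 1)[0]
    hosts = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            hosts.append(normalize(value.decode("ascii", "replace")))
    return hosts


def classify(session):
    hosts = host_headers(session.request_head)
    if not hosts:
        return "no-host"
    if len(set(hosts)) > 1:
        return "ambiguous-host"                   # conflicting Host headers
    return "match" if hosts[0] == normalize(session.sni) else "sni-host-mismatch"


# Constructed sample sessions (not captured traffic).
SAMPLE = [
    Session("front.example", b"GET / HTTP/1.1\r\nHost: front.example\r\n\r\n"),
    Session("front.example", b"POST /v1/msg HTTP/1.1\r\nhost: Hidden.Example:443\r\nContent-Length: 0\r\n\r\n"),
    Session("Front.Example.", b"GET / HTTP/1.1\r\nHost: front.example:443\r\n\r\n"),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(f"{s.sni:16} {classify(s)}")
```

Only the second session is flagged: its cleartext server name is the front domain while the encrypted Host header names a different one.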


  • (Score: 0) by Anonymous Coward on Saturday December 24 2016, @05:53PM (#445593)

    I already am upset about the browser hijacking already happening via all the cross-domain scripting and embedded content pulled from places I never heard of.

    This sounds like a tool to be used by marketing more than freedom. And oppressive nation states, to better hide what their malware is connecting to.

  • (Score: 2) by Scruffy Beard 2 (6030) on Saturday December 24 2016, @06:18PM (#445608)

    You are the recipient, so you should have all the information needed to decrypt the connection.

    That assumes you, rather than the manufacturer, administer your computer though.

    • If you are running the home edition of Windows 10, Microsoft is the admin.
    • If you are running an IoT device, the manufacturer is typically the admin.
    • If you have a Smartphone, your carrier is typically the admin.
    • Increasingly, your ISP administers your connection to the Internet (even the on-premises equipment)
    • (Score: 3, Informative) by edIII (791) on Saturday December 24 2016, @07:49PM (#445638)

      If you are running the home edition of Windows 10, The NSA is the admin.

      FTFY

      --
      Technically, lunchtime is at any moment. It's just a wave function.
    • (Score: 3, Touché) by butthurt (6141) on Monday December 26 2016, @12:00AM (#445901)

      another that needs fixing:

      If you are running an IoT device, a botmaster is typically the admin.