SoylentNews is people

posted by janrinok on Saturday December 24 2016, @05:36PM
from the every-problem-has-a-solution dept.

Developers of the popular Signal secure messaging app have started to use Google's domain as a front to hide traffic to their service and to sidestep blocking attempts. Bypassing online censorship in countries where internet access is controlled by the government can be very hard for users. It typically requires the use of virtual private networking (VPN) services or complex solutions like Tor, which can be banned too.

The solution from Signal's developers was to implement a censorship-circumvention technique known as domain fronting that was described in a 2015 paper [PDF] by researchers from University of California, Berkeley, the Brave New Software project and Psiphon.

The technique involves sending requests to a "front domain" and using the HTTP Host header to trigger a redirect to a different domain. If done over HTTPS, such redirection would be invisible to someone monitoring the traffic, because the HTTP Host header is sent after the HTTPS connection is negotiated and is therefore part of the encrypted traffic.

http://www.computerworld.com/article/3153059/security/encrypted-messaging-app-signal-uses-google-to-bypass-censorship.html
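
The mismatch described above can only be checked where TLS is terminated, because an on-path observer sees the front domain in DNS and the TLS SNI but never the Host header. The following Python is an added example, not code from the article or from Signal: it classifies constructed proxy log records by comparing the two names, and the record fields (`sni`, `host`, `sans`) and verdict labels are assumptions.

```python
import json

# Constructed records, shaped like the log of a TLS-terminating proxy that
# records the ClientHello SNI, the decrypted Host header and the certificate
# SANs served. Field names are assumptions, not a real product's schema.
SAMPLE_LOG = """\
{"client": "10.0.0.5", "sni": "www.example.com", "host": "www.example.com", "sans": ["www.example.com"]}
{"client": "10.0.0.7", "sni": "front.example.net", "host": "hidden-app.example.org", "sans": ["*.example.net"]}
{"client": "10.0.0.8", "sni": "WWW.Example.com.", "host": "www.example.com:443", "sans": ["www.example.com"]}
{"client": "10.0.0.9", "sni": "a.example.net", "host": "b.example.net", "sans": ["*.example.net"]}
{"client": "10.0.0.6", "sni": null, "host": "www.example.com", "sans": []}
"""

def normalize(name):
    """Lower-case a hostname; drop a trailing dot or :port suffix."""
    if not name:
        return None
    return name.strip().lower().split(":")[0].rstrip(".") or None

def san_covers(sans, host):
    """True if host equals a SAN or matches a single-label wildcard SAN."""
    for san in filter(None, map(normalize, sans)):
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False

def classify(record):
    """Compare what the wire shows (SNI) with what the server is asked for (Host)."""
    sni, host = normalize(record.get("sni")), normalize(record.get("host"))
    if sni is None or host is None:
        return "incomplete"        # nothing to compare (e.g. client sent no SNI)
    if sni == host:
        return "match"
    if san_covers(record.get("sans", []), host):
        return "shared_cert"       # served certificate covers the Host too; lower priority
    return "fronting_suspect"      # names differ and the certificate does not cover Host

def scan(log_text):
    """Return (client, verdict) for every non-empty JSON line."""
    return [(rec["client"], classify(rec))
            for rec in map(json.loads, filter(str.strip, log_text.splitlines()))]

if __name__ == "__main__":
    for client, verdict in scan(SAMPLE_LOG):
        print(client, verdict)
```

A `shared_cert` verdict is typical of HTTP/2 connection reuse, where a client sends requests for another hostname covered by the same certificate over an existing connection, so it is triaged below `fronting_suspect`.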



Related Stories

Egypt has Blocked Encrypted Messaging App Signal 26 comments

According to an article on engadget today, Egypt is blocking access to the encrypted messaging application Signal, made by Open Whisper Systems.

Egypt has blocked its residents from accessing encrypted messaging app Signal, according to the application's developer. Mada Masr, an Egypt-based media organization, reported yesterday that several users took to Twitter over the weekend to report that they could no longer send or receive messages while on Egyptian IP addresses. Open Whisper Systems, the team behind the app, told a user asking about a situation that everything was working just as intended on their end. Now that the company has confirmed that the country is blocking access to Edward Snowden's preferred messaging app, it has begun working on a way to circumvent the ban. They intend to deploy their solution over the next few weeks.

Signal can be downloaded here for Android and here for iOS



Open Whisper Systems Releases Standalone "Signal" Desktop App 17 comments

http://www.tomshardware.com/news/signal-messenger-standalone-desktop-app,35810.html

Open Whisper Systems (OWS), the non-profit that develops the Signal messenger and its end-to-end encryption protocol, released a new standalone desktop application that will replace the existing Signal Chrome App. The move comes as Google is preparing to end support for Chrome Apps in its browser.

[...] Because Google is deprecating its Chrome Apps, Signal's developers had to find another way to offer their users a desktop application without having to rewrite one from scratch. The group used Electron, an open source framework for creating native applications using HTML, CSS, and JavaScript. This way, OWS was able to convert its existing Chrome App code into a standalone Electron application without too many changes.

Although we don't get a truly native Signal application, there are still some advantages to be gained from this transition. For one, you don't need to install Chrome anymore, just to be able to use the desktop Signal application. Firefox and Safari users can run the new Signal app separately, just like any other desktop app.

The second advantage is that you no longer need to keep your smartphone around to be able to chat via the desktop app, as you have to do with the desktop version of WhatsApp, for instance. After the initial set-up and linking of your smartphone to the desktop app, the new desktop app can be used independently of a smartphone.

Related: Redphone and TextSecure are now Signal
Egypt has Blocked Encrypted Messaging App Signal
Encrypted Messaging App Signal Uses Google to Bypass Censorship



Amazon Web Services Threatens to Kick Out Signal Messaging App Over Domain Fronting 22 comments

Submitted via IRC for Fnord666

The team behind secure messaging app Signal says Amazon has threatened to drop the app if it doesn't stop using an anti-censorship practice known as domain-fronting. Google recently banned the practice, which lets developers disguise web traffic to look like it's coming from a different source, allowing apps like Signal to evade country-level bans. As a result, Signal moved from Google to the Amazon-owned Souq content delivery network. But Amazon implemented its own ban on Friday. In an email that Moxie Marlinspike — founder of Signal developer Open Whisper Systems — posted today, Amazon orders the organization to immediately stop using domain-fronting or find another web services provider.

Amazon has said that it's banning domain-fronting so malware purveyors can't disguise themselves as innocent web traffic. But Signal used the system to provide service in Egypt, Oman, and the United Arab Emirates (UAE), where it's officially banned. It got around filters by making traffic appear to come from a huge platform, since countries weren't willing to ban the entirety of a site like Google to shut down Signal.

Source: https://www.theverge.com/2018/5/1/17308508/amazon-web-services-signal-domain-fronting-ban-response

Also at TechCrunch and TechRepublic.

See also: A Google update just created a big problem for anti-censorship tools
APT29 Domain Fronting With TOR

Previously: Encrypted Messaging App Signal Uses Google to Bypass Censorship

Related: Open Whisper Systems Releases Standalone "Signal" Desktop App



  • (Score: 0) by Anonymous Coward on Saturday December 24 2016, @05:53PM

    by Anonymous Coward on Saturday December 24 2016, @05:53PM (#445593)

    I already am upset about the browser hijacking already happening via all the cross-domain scripting and embedded content pulled from places I never heard of.

    This sounds like a tool to be used by marketing more than freedom. And oppressive nation states, to better hide what their malware is connecting to.

    • (Score: 2) by Scruffy Beard 2 on Saturday December 24 2016, @06:18PM

      by Scruffy Beard 2 (6030) on Saturday December 24 2016, @06:18PM (#445608)

      You are the recipient, so you should have all the information needed to decrypt the connection.

      That assumes you, rather than the manufacturer, administer your computer though.

      • If you are running the home edition of Windows 10, Microsoft is the admin.
      • If you are running an IoT device, the manufacturer is typically the admin.
      • If you have a Smartphone, your carrier is typically the admin.
      • Increasingly, your ISP administers your connection to the Internet (even the on-premises equipment)
      • (Score: 3, Informative) by edIII on Saturday December 24 2016, @07:49PM

        by edIII (791) on Saturday December 24 2016, @07:49PM (#445638)

        If you are running the home edition of Windows 10, The NSA is the admin.

        FTFY

        --
        Technically, lunchtime is at any moment. It's just a wave function.
      • (Score: 3, Touché) by butthurt on Monday December 26 2016, @12:00AM

        by butthurt (6141) on Monday December 26 2016, @12:00AM (#445901) Journal

        another that needs fixing:

        If you are running an IoT device, a botmaster is typically the admin.

  • (Score: 3, Interesting) by jmorris on Saturday December 24 2016, @06:05PM

    by jmorris (4844) on Saturday December 24 2016, @06:05PM (#445600)

    Sounds like companies like Google, by permitting these sorts of abuses of their domain name, are gambling they are "too big to ban" and can thus impose their policy preferences on nation states. Either way it is bad.

    If Google really CAN dictate to nation states they are dangerous. Forget the details of this particular case for the moment, it is a certainty that Google will issue another dictate you won't like at some point and if we accept the concept that Google can order governments around it will be too late to make an argument when your own ox gets gored. For example if they tell the EU to screw itself over those "right to be forgotten" laws.

    The alternative is Egypt bans Google.com until they can assure that any traffic bound to google.com stays at google. Major international disruption, certain to be followed up by similar demands by a lot of other nation states, most horrible actors far worse than Egypt, but again the precedent will be made.

    The best solution would be for Google, of its own will, to close this down by declaring it network abuse and let Signal work out its problems with Egypt, even if the 'solution' is to discontinue Signal's service inside Egypt. Answering this question of "Is Google our new Robot Overlord?" sounds like a lose-lose for everyone.

    • (Score: 1) by Francis on Saturday December 24 2016, @06:09PM

      by Francis (5544) on Saturday December 24 2016, @06:09PM (#445603)

      Considering that China has already banned Google, I'm not sure that Google ought to be tolerating this kind of abuse of their systems.

      • (Score: 0) by Anonymous Coward on Sunday December 25 2016, @02:09PM

        by Anonymous Coward on Sunday December 25 2016, @02:09PM (#445776)

        Considering that China has already banned Google

        There are other countries in the world that are using censorship regularly or are headed in that direction (like the US & UK).

        • (Score: 1) by Francis on Sunday December 25 2016, @05:11PM

          by Francis (5544) on Sunday December 25 2016, @05:11PM (#445811)

          Citation needed, the US has many issues, but censorship isn't one of them.

  • (Score: 2) by Entropy on Saturday December 24 2016, @06:26PM

    by Entropy (4228) on Saturday December 24 2016, @06:26PM (#445611)

    Signal's departure from text into data was in my opinion a mistake. Silence (easier to find by its old name SMSSecure) is a fork of the project, back when it utilized text message and had no centralized architecture. Text messages are more reliable in situations where infrastructure is damaged, and can't be as easily firewalled as a simple data server can.

  • (Score: 2) by opinionated_science on Saturday December 24 2016, @06:46PM

    by opinionated_science (4031) on Saturday December 24 2016, @06:46PM (#445616)

    Is this what Google does (on my Nexus 6P) when it offers to secure the wifi connection?

    It would seem obvious that since the initial transfer is https->google.com, after that the secure session can be passed off to any other app.

    For Signal this is great, as it also stops phone companies from preventing you using wifi-calling...

    Yes, there are some networks that try to limit what you can do, so this technique would prevent this.

    As an aside, does anyone know if this would get through the air wifi, which allows me to access google, but nothing else..? (United's wifi I am talking about - their app is *really* bad....)

    • (Score: 2) by darkfeline on Saturday December 24 2016, @10:41PM

      by darkfeline (1030) on Saturday December 24 2016, @10:41PM (#445670) Homepage

      The claim is that Google routes your traffic through a secure VPN, so no, it's probably not using this hack.

      --
      Join the SDF Public Access UNIX System today!
  • (Score: 1) by baldrick on Sunday December 25 2016, @05:19AM

    by baldrick (352) on Sunday December 25 2016, @05:19AM (#445735)

    is there a browser plugin that does this ?

    this looks like it is for TOR to do a similar thing - https://github.com/arlolra/meek

    --
    ... I obey the Laws of Physics ...