Security Experts:

"Signal" Uses Domain Fronting to Bypass Censorship

Open Whisper Systems informed users on Wednesday that the latest Android version of its secure messaging app Signal includes a feature designed to bypass censorship in some countries.

The company learned recently that ISPs in Egypt and the United Arab Emirates had started blocking the Signal service and website, likely in an effort to prevent users from communicating over channels that authorities cannot access.

In order to bypass these censorship attempts, the latest version of Signal for Android uses a technique called domain fronting, which involves disguising traffic to make it look as if it’s going to a host allowed by the censor.

Domain fronting was described last year in a paper published by researchers at the University of California - Berkeley, Psiphon Inc., and Brave New Software.

“The key idea is the use of different domain names at different layers of communication. One domain appears on the ‘outside’ of an HTTPS request—in the DNS request and TLS Server Name Indication—while another domain appears on the ‘inside’—in the HTTP Host header, invisible to the censor under HTTPS encryption,” researchers explained.

Since the technique involves the use of services from major companies such as Google, Amazon, CloudFlare, Fastly and Akamai, the censor can only block communications by banning the entire service, which can result in serious collateral damage.

In the case of Signal, messages look like regular HTTPS requests to and blocking these communications would require ISPs to block Google altogether. Domain fronting is enabled for Signal users who have phone numbers with Egypt or UAE country codes.

Domain fronting via Google was used by a censorship circumvention tool called GoAgent in China, but it only worked until June 2014, when the country decided to block all Google services.

The new censorship circumvention feature is also present in the beta channel of Signal for iOS and it will soon become generally available to iPhone and iPad users.

“Follow up releases will include detecting censorship and applying circumvention when needed (eg. so that when users with phone numbers from other countries visit places where censorship is being deployed, Signal will work without a VPN for them as well) and expanding the services that domain front for Signal,” said Open Whisper Systems founder Moxie Marlinspike.

Related: Flaw Allows Hackers to Alter "Signal" Attachments

Related: Open Whisper Systems Launches Encrypted Messaging App for Desktop

Related: Meet Matrix, an Open Standard for De-centralized Encrypted Communications

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.