Open Whisper Systems informed users on Wednesday that the latest Android version of its secure messaging app Signal includes a feature designed to bypass censorship in some countries.
The company learned recently that ISPs in Egypt and the United Arab Emirates had started blocking the Signal service and website, likely in an effort to prevent users from communicating over channels that authorities cannot access.
In order to bypass these censorship attempts, the latest version of Signal for Android uses a technique called domain fronting, which involves disguising traffic to make it look as if it’s going to a host allowed by the censor.
Domain fronting was described last year in a paper published by researchers at the University of California – Berkeley, Psiphon Inc., and Brave New Software.
“The key idea is the use of different domain names at different layers of communication. One domain appears on the ‘outside’ of an HTTPS request—in the DNS request and TLS Server Name Indication—while another domain appears on the ‘inside’—in the HTTP Host header, invisible to the censor under HTTPS encryption,” researchers explained.
Since the technique involves the use of services from major companies such as Google, Amazon, CloudFlare, Fastly and Akamai, the censor can only block communications by banning the entire service, which can result in serious collateral damage.
In the case of Signal, messages look like regular HTTPS requests to google.com and blocking these communications would require ISPs to block Google altogether. Domain fronting is enabled for Signal users who have phone numbers with Egypt or UAE country codes.
Domain fronting via Google was used by a censorship circumvention tool called GoAgent in China, but it only worked until June 2014, when the country decided to block all Google services.
The new censorship circumvention feature is also present in the beta channel of Signal for iOS and it will soon become generally available to iPhone and iPad users.
“Follow up releases will include detecting censorship and applying circumvention when needed (eg. so that when users with phone numbers from other countries visit places where censorship is being deployed, Signal will work without a VPN for them as well) and expanding the services that domain front for Signal,” said Open Whisper Systems founder Moxie Marlinspike.
Related: Flaw Allows Hackers to Alter “Signal” Attachments
Related: Open Whisper Systems Launches Encrypted Messaging App for Desktop
Related: Meet Matrix, an Open Standard for De-centralized Encrypted Communications
Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- New GPU Side-Channel Attack Allows Malicious Websites to Steal Data
- Microsoft Adding New Security Features to Windows 11
- Sony Investigating After Hackers Offer to Sell Stolen Data
- 900 US Schools Impacted by MOVEit Hack at National Student Clearinghouse
- Predator Spyware Delivered to iOS, Android Devices via Zero-Days, MitM Attacks
- China’s Offensive Cyber Operations in Africa Support Soft Power Efforts
- SANS Survey Shows Drop in 2023 ICS/OT Security Budgets
- Apple Patches 3 Zero-Days Likely Exploited by Spyware Vendor to Hack iPhones
Latest News
- New GPU Side-Channel Attack Allows Malicious Websites to Steal Data
- Microsoft Adding New Security Features to Windows 11
- UAE-Linked APT Targets Middle East Government With New ‘Deadglyph’ Backdoor
- Sony Investigating After Hackers Offer to Sell Stolen Data
- The CISO Carousel and its Effect on Enterprise Cybersecurity
- Xenomorph Android Banking Trojan Targeting Users in US, Canada
- $200 Million in Cryptocurrency Stolen in Mixin Network Hack
- Stealthy APT Gelsemium Seen Targeting Southeast Asian Government
