Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

“Signal” Uses Domain Fronting to Bypass Censorship

Open Whisper Systems informed users on Wednesday that the latest Android version of its secure messaging app Signal includes a feature designed to bypass censorship in some countries.

Open Whisper Systems informed users on Wednesday that the latest Android version of its secure messaging app Signal includes a feature designed to bypass censorship in some countries.

The company learned recently that ISPs in Egypt and the United Arab Emirates had started blocking the Signal service and website, likely in an effort to prevent users from communicating over channels that authorities cannot access.

In order to bypass these censorship attempts, the latest version of Signal for Android uses a technique called domain fronting, which involves disguising traffic to make it look as if it’s going to a host allowed by the censor.

Domain fronting was described last year in a paper published by researchers at the University of California – Berkeley, Psiphon Inc., and Brave New Software.

“The key idea is the use of different domain names at different layers of communication. One domain appears on the ‘outside’ of an HTTPS request—in the DNS request and TLS Server Name Indication—while another domain appears on the ‘inside’—in the HTTP Host header, invisible to the censor under HTTPS encryption,” researchers explained.

Since the technique involves the use of services from major companies such as Google, Amazon, CloudFlare, Fastly and Akamai, the censor can only block communications by banning the entire service, which can result in serious collateral damage.

In the case of Signal, messages look like regular HTTPS requests to google.com and blocking these communications would require ISPs to block Google altogether. Domain fronting is enabled for Signal users who have phone numbers with Egypt or UAE country codes.

Domain fronting via Google was used by a censorship circumvention tool called GoAgent in China, but it only worked until June 2014, when the country decided to block all Google services.

The new censorship circumvention feature is also present in the beta channel of Signal for iOS and it will soon become generally available to iPhone and iPad users.

“Follow up releases will include detecting censorship and applying circumvention when needed (eg. so that when users with phone numbers from other countries visit places where censorship is being deployed, Signal will work without a VPN for them as well) and expanding the services that domain front for Signal,” said Open Whisper Systems founder Moxie Marlinspike.

Related: Flaw Allows Hackers to Alter “Signal” Attachments

Related: Open Whisper Systems Launches Encrypted Messaging App for Desktop

Related: Meet Matrix, an Open Standard for De-centralized Encrypted Communications

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Cybercrime

A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.

Mobile & Wireless

South Dakota Gov. Kristi Noem says her personal cell phone was hacked and linked it to the release of documents by the January 6...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.