Encrypted Messaging App Signal Uses Google To Bypass Censorship

Developers of the popular Signal secure messaging app have started to use Google's domain as a front to hide traffic to their service and to sidestep blocking attempts. Bypassing online censorship in countries where internet access is controlled by the government can be very hard for users. It typically requires the use of virtual private networking (VPN) services or complex solutions like Tor, which can be banned too. From a report on PCWorld: Open Whisper Systems, the company that develops Signal -- a free, open-source app -- faced this problem recently when access to its service started being censored in Egypt and the United Arab Emirates. Some users reported that VPNs, Apple's FaceTime and other voice-over-IP apps were also being blocked. The solution from Signal's developers was to implement a censorship circumvention technique known as domain fronting that was described in a 2015 paper by researchers from University of California, Berkeley, the Brave New Software project and Psiphon. The technique involves sending requests to a "front domain" and using the HTTP Host header to trigger a redirect to a different domain. If done over HTTPS, such redirection would be invisible to someone monitoring the traffic, because the HTTP Host header is sent after the HTTPS connection is negotiated and is therefore part of the encrypted traffic.

Egypt blocks Google... end of story

I'm just waiting until Egypt does what China has done and blocks Google until they comply. Hopefully not.

Signal is an awesome app. It reminds me of the old TextSecure app that isn't made any longer, which was a perfect replacement for Android's stock SMS appl

Re:Egypt blocks Google... end of story

[TadMSTR]

TextSecure was their original app. They replaced it with Signal.

Re:Egypt blocks Google... end of story

[mlw4428]

Signal is made by the same devs who make Signal.

Re:Egypt blocks Google... end of story

[afgam28]

According to the article a lot of cloud service providers and CDNs allow HTTP host header redirection, so the Egyptian government would need to block a lot than just google.com.

China also had to create a domestic tech industry to replace all the foreign websites that it blocked. A country the size of China can pull this off, but Egypt is much smaller...

Re:Egypt blocks Google... end of story

[fbobraga]

you must be new here...

Re:Egypt blocks Google... end of story

[mlw4428]

I was replying to the AC post of: "Signal is an awesome app. It reminds me of the old TextSecure app that isn't made any longer, which was a perfect replacement for Android's stock SMS appl" by informing him (and potentially others) that the guys who made TextSecure make Signal as it seemed from the post like AC thought they were completely different apps. It's informative for those who didn't know this information previously, I'm sorry you took offense to that.

Re:Egypt blocks Google... end of story

[moronoxyd]

That's what you wanted to do.
But what you did write is 'Signal is made by the same devs who make Signal.'

So... no mention of TextSecure in there.

Re:Egypt blocks Google... end of story

[mlw4428]

Yeah, I just saw it. Go ahead, downvote that post. Haha.

Re:Egypt blocks Google... end of story

[slashrio]

China could try to force all those CDNs to record, store and deliver them all the encrypted http headers (after decrypting them of course) they redirect to, including the issuing IP addresses, or else be blocked altogether.

Re:Egypt blocks Google... end of story

[St.Creed]

If the article is right about how this works, it should work with any website that obeys the specs. Unless you ban everything that uses https (good luck with that) you're not going to be able to stop this.

Their research revealed that many cloud service providers and content delivery networks allow HTTP host header redirection, including Google, Amazon Cloudfront, Amazon S3, Azure, CloudFlare, Fastly and Akamai. However, most of them only allow it for domains that belong to their customers, so one must become a customer in order to use this technique.

Oh, how tough. I must be a CloudFlare customer to use this. *clickety click* Tadaaaah! Done.

So they're going to block all the major content delivery networks? Might as well just cut the cable to the rest of the world. This can only be stopped if they can get the CDN's and cloud services (all of them) to stop redirecting traffic. They may do it for China, but I doubt they'd do it for Syria or Egypt.

Re: Egypt blocks Google... end of story

[St.Creed]

Oh joy. If I were a cyber criminal, which I am not, obviously, I would be focusing all my attention on the country that did that. It must be wonderful to work in a country where encryption is illegal, even for banking apps.

Re: Egypt blocks Google... end of story

[slashrio]

Sorry, responding to and AC who seems not even able to read a single sentence correctly is below my threshold of self esteem.

So Google gets metadata?

[fph+il+quozientatore]

So, IANACryptographer, but if I understand correctly: Google gets metadata when Alice sends a message (because connect to its server using this "fronting"), and when Bob receives one (because Signal delivers messages using GCM). It doesn't look too hard for them to reconstruct that Alice is exchanging messages to Bob.

Re:So Google gets metadata?

[donaggie03]

So, IANACryptographer, but if I understand correctly: Google gets metadata when Alice sends a message (because connect to its server using this "fronting"), and when Bob receives one (because Signal delivers messages using GCM). It doesn't look too hard for them to reconstruct that Alice is exchanging messages to Bob.

Except Google's servers are sending and receiving millions upon millions of messages every second, so no it wouldn't be very easy to match up one particular sender with one particular receiver. Then you have the problem that, as you said, Google gets the metadata, not Egypt, and Google has no interest in trying to reconstruct this conversation, regardless of how easy it may be to do so.

Re:So Google gets metadata?

[arth1]

In a nutshell, any security that depends on a third party becomes vulnerable to the integrity of the third party. Google and any agency that has ties with Google can certainly run traffic analysis and log the end points and request response sizes, even if the TLS connection is forwarded. When using Google, with the added advantage of having profiles for the contents already.
Even more, merely using such a service puts the traffic in the category of what's interesting and worthwhile trying to analyze and break.

So the question is "how far do you trust Google and other third parties?"

Re:So Google gets metadata?

[radiumsoup]

well, in this case, probably a lot farther than the government of Egypt.

Re:So Google gets metadata?

[arth1]

Google has no interest in trying to reconstruct this conversation, regardless of how easy it may be to do so.

Google has an interest in complying with the laws of the countries in which it operates. Are you sure that certain government agencies or individuals representing such agencies have no such interest?

Re:So Google gets metadata?

[arth1]

well, in this case, probably a lot farther than the government of Egypt.

That depends on who and where you are. I'm certain that some other governments who can pull Google's strings have the means to harm you far more than the Egyptian government. That may even be true for many Egyptians.

Re:So Google gets metadata?

1) Signal has never, ever, ever claimed to provide any protection for message addressing metadata that could be derived from analysis of the TCP conversations required to use Signal. It only claims to protect the _contents_ of your conversation and -if you bother to verify the keys of your conversing party- provide MitM protection to ensure that your conversing party is who you think they are.

2) Google is far more honest and forthright than the operators of most networking equipment in the path between Alice and OWS's servers, and Bob and OWS's servers. https://en.wikipedia.org/wiki/Room_641A , anyone?

Re:So Google gets metadata?

> Google can certainly run traffic analysis and log the end points and request response sizes, even if the TLS connection is forwarded.

So can any ISP or network equipment operators between a Signal user and OWS's servers. I'm wondering just _exactly_ what threat you think Google poses to Signal users. Is your sole concern that Google will figure out that two computers are communicating with Signal and do $SOMETHING with that data?

Newsflash: The big infrastructure operators like ATT can _already_ do this sort of thing, without anyone's cooperation. Google is _far_ more scrupulous than the big telcos. Never forget https://en.wikipedia.org/wiki/Room_641A . Google sure as fuck doesn't.

Re:So Google gets metadata?

[DRJlaw]

That depends on who and where you are. I'm certain that some other governments who can pull Google's strings have the means to harm you far more than the Egyptian government. That may even be true for many Egyptians.

Then don't use the application. You're free to completely secret, and thus incommunicado, by not initiating a connection through Google and remaining blocked.

Re:So Google gets metadata?

[Threni]

Google would presumably reveal that they are doing so for a given country, though.

Re:So Google gets metadata?

[arth1]

Google would presumably reveal that they are doing so for a given country, though.

Funny man. You really think that Google would tell you if an all writs or security court order compelled them to assist the US government and not disclose it to anyone? And that they aren't already doing this?

Re:So Google gets metadata?

[fph+il+quozientatore]

It is significantly easier for Google to match up senders and receivers. Even if you they go through millions of messages per second, in an exchange of, like, 20 IMs they can see if the timestamps of Alice's sent messages pair up almost perfectly with those of Bob's received messages. My ISP cannot do that, unless they see both halves of the conversation.

Re:So Google gets metadata?

[swillden]

Google would presumably reveal that they are doing so for a given country, though.

Funny man. You really think that Google would tell you if an all writs or security court order compelled them to assist the US government and not disclose it to anyone? And that they aren't already doing this?

I don't think there is, at present, any sort of standard legal mechanism that could compel disclosure of message content coupled with a gag order. A National Security Letter has the gag order, but can't compel disclosure of content, and other mechanisms don't have the gag order. I suppose a judge could issue an order that does both, but it's hard to see what sort of situation would motivate a judge to do that... and which wouldn't get rejected by the appellate court.

Re:So Google gets metadata?

[currently_awake]

Autocratic governments don't need a specific law, they just tell people/corporations what they want. It's like when the US government discovered they can ignore the Constitution if they tell a corporation to do the job and give them the intelligence instead of doing the spying directly.

Re:So Google gets metadata?

[swillden]

Autocratic governments don't need a specific law, they just tell people/corporations what they want. It's like when the US government discovered they can ignore the Constitution if they tell a corporation to do the job and give them the intelligence instead of doing the spying directly.

It's a good thing the United States doesn't work like that. Not yet, at least.

Re:So Google gets metadata?

[nadador]

Signal delivers notifications with GCM, not messages themselves. But yes, meta-data is not secure.

Re:So Google gets metadata?

[fph+il+quozientatore]

Oops - you are right, maybe your post was not the best one to answer to among the two-three that made similar claims. Anyway, it still applies to what you wrote in point 2: I meant to say that Google here is in a significantly stronger position than "the operators of most networking equipment between Alice/Bob and OWS's servers", because it has access to both endpoints. The attack I have described would not work for Alice's ISP (unless it also happens to be Bob's ISP).

Re:So Google gets metadata?

[tlhIngan]

Google has no interest in trying to reconstruct this conversation, regardless of how easy it may be to do so.

Google doesn't care about the contents of the message (they're encrypted, anyways). However, the metadata is still valuable information if you want to see relationships.

And relationships are valuable marketing information - Google has to share that information with all the other Alphabet companies now (because the new Alphabet privacy policy ensures it), so even though the metadata might not seem important, you can bet the other Alphabet companies doing marketing (like DoubleClick) are *very* interested in that data.

Knowing how people interact means advertisers can target like minded people. So Alice knowing Bob means Bob's preferences in stuff might be used to show ads to Alice in case she's interested too.

Google's more trustworthy, yes, but only because they're more willing to sell/share that information for marketing purposes than use it for oppression.

Google's not doing this for free, after all. They're getting SOMETHING out of it.

Blocking of https://*.google.com in Egypt soon

[davidwr]

Egypt and other countries that want to block Signal will now have to start blocking https://.google.com/ and https://.cnd_domain_here/ real soon now.

This would allow non-encrypted Google searches and non-encrypted CDN traffic. Since most users in those countries know their government is spying on them, er, I mean protecting them from bad stuff on the Internet, this shouldn't cause too much domestic political blowback.

Face it, if you are in a country with draconian censorship or government monitoring - like North Korea and possiby China - you'll need to use stegonography to hide the fact that you are even encrypting things. Furthermore, if you need to "encrypt and hide" more than a relatively small amount of data, you'll have to use a technique that is "custom made" or at least a "custom variation" of well-known formats to avoid detection. I'm not saying the people in Egypt are in this situation now, but people in some parts of the world are.

Re:Universal back-end

Could the same technique used with Amazon S3, CloudFlare, or Azure back-ends?

Yes. That's what Tor "meek" transport does, and it works reliably in China.

Is this used by default for everyone now?

[TheDarkener]

FTFA: "The anti-censorship feature is currently present in the latest version of Signal for Android. It’s also included in a beta version of the app for iOS that will be released in production soon. The developers also plan future improvements that will allow the app to detect censorship automatically and switch to domain fronting even if the user has a phone number from a country where censorship is not normally present. This is intended to cover those cases where users travel to other countries where the app is blocked."

I reside in a country that doesn't (yet) block Signal. But will my app automatically use domain fronting anyway? I'd rather not use the feature unless absolutely necessary, to protect the integrity and privacy of my communications.

The acid test for such an app

[Applehu+Akbar]

If it can operate through sites other than Google, can it get through to and from China?

Thought about installing Signal

[NoSalt]

I have thought about installing Signal, but then I always remember the laundry list of permissions it wants access to in order to install. This app is supposed to make us feel comfortable about being "secure" but it asks for way more privileges than any other app I have ever installed. And speaking of "ever", given the recent Evernote announcement, I worry about giving another company access to THAT MUCH of my phone's contents.

What is everybody else's opinion on Signal?

Re:Thought about installing Signal

[PvtVoid]

I have thought about installing Signal, but then I always remember the laundry list of permissions it wants access to in order to install.

Here is a rundown on device permissions for Signal. Most of them seem basically necessary for a functional messaging app.

What is everybody else's opinion on Signal?

I've been using it for a few weeks, and I like it just fine. It is a transparent replacement for my default messaging app, and handles encryption to/from other signal users transparently. An additional perk is a Chrome plugin which lets me send/receive SMS messages from my browser. For a lot of obvious reasons, it is likely to be nowhere near as secure as a set of properly managed PGP keys, but IMO a lot of useful progress in widely deployed crypto has been hamstrung by paranoia, and letting the perfect be the enemy of the good.

One disconcerting thing is that it goes through your contact list upon install, and notifys you of all people on your contacts list who have Signal enabled, without the permission of those contacts. This should be configurable, and opt-in. Sad!

Re:Thought about installing Signal

[turning+in+circles]

Most of my friends won't/wouldn't use Signal, and if you are always talking to people with default Apple/Android, nothing is encrypted anyway and the fact Signal doesn't attach photos easily and couldn't handle group texts made it not valuable. So I quit using Signal.

Other option of course is ditch the friends/family who won't use Signal for friends/family who do.

Redirects look different than search responses

[laughingskeptic]

Egypt doesn't have to block www.google.com, they only have to discern which internal IPs are attempting to communicate securely and blacklist those IPs from performing out-bound connections. As long as Egypt's firewall can tell the difference between a redirect and a normal search response they can do this. Google would have to start padding redirect responses to make it harder to tell the difference between these response types.

Re: Redirects look different than search responses

[laughingskeptic]

They still know the length of the response and for redirects, this is short.

Tautologically informative

[raymorris]

> Signalis made by the same devs who make Signal . At the moment, that's moderated +4 Informative. Since that's informative, let me add that Frosted Flakes is made by the same people who make Frosted Flakes.

Re:Universal back-end

[St.Creed]

I'll quote the article for you, which helpfully describes points like the one in your question.

Their research revealed that many cloud service providers and content delivery networks allow HTTP host header redirection, including Google, Amazon Cloudfront, Amazon S3, Azure, CloudFlare, Fastly and Akamai. However, most of them only allow it for domains that belong to their customers, so one must become a customer in order to use this technique.

RTFA. It will make the writer happy.

Re: Redirects look different than search response

[St.Creed]

Indeed - some major websites do about 5 redirects before you ever get to any content. It's the norm, not the exception. Good luck with that haystack.

Signal is not very good anyways

[Nocturrne]

I've never liked Signal because it associates users to mobile phone numbers and doesn't have a good PC companion app. Mobile phones are amazingly effective tracking and surveillance devices. We should try very hard to avoid using them or at least decouple them from the phone system as much as possible. We need anonymous mobile computing devices. :)

WTF is an 'app signal'?

[swell]

"Encrypted Messaging App Signal Uses Google To Bypass Censorship"

When every word is capitalized, capitals have no meaning. Wake up Slashdot, headlines don't need this hype and I don't have time to try to decipher them. The English language works- use it!

Re:WTF is an 'app signal'?

[ryocoon]

It is called a "Title". In standard English composition a title is all capitalized. Much like a novel or movie title. However this is an article title. Therefore it is capitalized. Notice the summary is not in all caps.