Slashdot Mirror


Encrypted Messaging App Signal Uses Google To Bypass Censorship (pcworld.com)

Developers of the popular Signal secure messaging app have started to use Google's domain as a front to hide traffic to their service and to sidestep blocking attempts. Bypassing online censorship in countries where internet access is controlled by the government can be very hard for users. It typically requires the use of virtual private networking (VPN) services or complex solutions like Tor, which can be banned too. From a report on PCWorld: Open Whisper Systems, the company that develops Signal -- a free, open-source app -- faced this problem recently when access to its service started being censored in Egypt and the United Arab Emirates. Some users reported that VPNs, Apple's FaceTime and other voice-over-IP apps were also being blocked. The solution from Signal's developers was to implement a censorship circumvention technique known as domain fronting that was described in a 2015 paper by researchers from University of California, Berkeley, the Brave New Software project and Psiphon. The technique involves sending requests to a "front domain" and using the HTTP Host header to trigger a redirect to a different domain. If done over HTTPS, such redirection would be invisible to someone monitoring the traffic, because the HTTP Host header is sent after the HTTPS connection is negotiated and is therefore part of the encrypted traffic.
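An added illustration of the visibility split the summary describes (not code from the article, the 2015 paper, or Signal): the server name in the TLS ClientHello is readable by any on-path monitor, while the HTTP Host header can only be read where TLS is terminated. The ClientHello is a constructed minimal one, assumed complete and in a single record, and `hidden-service.example` is a placeholder host.

```python
import struct

def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS ClientHello whose only extension is SNI."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
    ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + bytes(32)                  # version + random
            + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"  # no session id, one suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def extract_sni(record: bytes):
    """Server name as an on-path monitor reads it (cleartext)."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 9 + 2 + 32                                    # headers, version, random
    p += 1 + record[p]                                # session id
    p += 2 + int.from_bytes(record[p:p + 2], "big")   # cipher suites
    p += 1 + record[p]                                # compression methods
    end = p + 2 + int.from_bytes(record[p:p + 2], "big")
    p += 2
    while p + 4 <= min(end, len(record)):
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        if etype == 0:                                # server_name extension
            nlen = int.from_bytes(record[p + 7:p + 9], "big")
            return record[p + 9:p + 9 + nlen].decode("ascii").lower().rstrip(".")
        p += 4 + elen
    return None

def extract_host(request: bytes):
    """Host header, readable only where TLS is terminated."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == "host":
            # Port is dropped; IPv6 literals are not handled in this sketch.
            return value.strip().lower().split(":")[0].rstrip(".")
    return None

def names_differ(client_hello: bytes, decrypted_request: bytes) -> bool:
    """True when the cleartext SNI and the inner Host header disagree."""
    sni, host = extract_sni(client_hello), extract_host(decrypted_request)
    return sni is not None and host is not None and sni != host

# Constructed samples: www.google.com as the front, placeholder inner host.
HELLO = build_client_hello("www.google.com")
FRONTED = b"GET / HTTP/1.1\r\nHost: hidden-service.example\r\n\r\n"
DIRECT = b"GET / HTTP/1.1\r\nHost: www.google.com:443\r\n\r\n"
```

A monitor without the session keys only ever gets the output of `extract_sni`; the comparison in `names_differ` is possible only at a TLS-terminating proxy or at the fronting provider itself. A plain inequality also flags benign pairs such as `www.google.com` and `google.com`.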

13 of 87 comments

  1. Re:Egypt blocks Google... end of story by TadMSTR · Score: 4, Informative

    TextSecure was their original app. They replaced it with Signal.

    --
    There are 10 types of people in the world: those who understand binary and those who don't.
  2. So Google gets metadata? by fph il quozientatore · Score: 4, Interesting

    So, IANACryptographer, but if I understand correctly: Google gets metadata when Alice sends a message (because she connects to its server using this "fronting"), and when Bob receives one (because Signal delivers messages using GCM). It doesn't look too hard for them to reconstruct that Alice is exchanging messages with Bob.

    --
    My first program:

    Hell Segmentation fault

    1. Re:So Google gets metadata? by donaggie03 · Score: 3, Interesting

      So, IANACryptographer, but if I understand correctly: Google gets metadata when Alice sends a message (because she connects to its server using this "fronting"), and when Bob receives one (because Signal delivers messages using GCM). It doesn't look too hard for them to reconstruct that Alice is exchanging messages with Bob.

      Except Google's servers are sending and receiving millions upon millions of messages every second, so no it wouldn't be very easy to match up one particular sender with one particular receiver. Then you have the problem that, as you said, Google gets the metadata, not Egypt, and Google has no interest in trying to reconstruct this conversation, regardless of how easy it may be to do so.

      --
      Three days from now?? That's tomorrow!! ~Peter Griffin
    2. Re:So Google gets metadata? by arth1 · Score: 2

      In a nutshell, any security that depends on a third party becomes vulnerable to the integrity of the third party. Google and any agency that has ties with Google can certainly run traffic analysis and log the end points and request response sizes, even if the TLS connection is forwarded. When using Google, with the added advantage of having profiles for the contents already.
      Even more, merely using such a service puts the traffic in the category of what's interesting and worthwhile trying to analyze and break.

      So the question is "how far do you trust Google and other third parties?"

    3. Re:So Google gets metadata? by radiumsoup · Score: 2

      well, in this case, probably a lot farther than the government of Egypt.

    4. Re:So Google gets metadata? by arth1 · Score: 4, Informative

      Google has no interest in trying to reconstruct this conversation, regardless of how easy it may be to do so.

      Google has an interest in complying with the laws of the countries in which it operates. Are you sure that certain government agencies or individuals representing such agencies have no such interest?

    5. Re:So Google gets metadata? by Anonymous Coward · Score: 2, Insightful

      1) Signal has never, ever, ever claimed to provide any protection for message addressing metadata that could be derived from analysis of the TCP conversations required to use Signal. It only claims to protect the _contents_ of your conversation and -if you bother to verify the keys of your conversing party- provide MitM protection to ensure that your conversing party is who you think they are.

      2) Google is far more honest and forthright than the operators of most networking equipment in the path between Alice and OWS's servers, and Bob and OWS's servers. https://en.wikipedia.org/wiki/Room_641A , anyone?

    6. Re:So Google gets metadata? by arth1 · Score: 2

      Google would presumably reveal that they are doing so for a given country, though.

      Funny man. You really think that Google would tell you if an all writs or security court order compelled them to assist the US government and not disclose it to anyone? And that they aren't already doing this?

  3. Re:Egypt blocks Google... end of story by mlw4428 · Score: 2, Informative

    Signal is made by the same devs who make Signal.

  4. Re:Egypt blocks Google... end of story by afgam28 · Score: 3, Informative

    According to the article a lot of cloud service providers and CDNs allow HTTP host header redirection, so the Egyptian government would need to block a lot more than just google.com.

    China also had to create a domestic tech industry to replace all the foreign websites that it blocked. A country the size of China can pull this off, but Egypt is much smaller...

  5. The acid test for such an app by Applehu Akbar · Score: 2

    If it can operate through sites other than Google, can it get through to and from China?

  6. Redirects look different than search responses by laughingskeptic · Score: 2

    Egypt doesn't have to block www.google.com, they only have to discern which internal IPs are attempting to communicate securely and blacklist those IPs from performing out-bound connections. As long as Egypt's firewall can tell the difference between a redirect and a normal search response they can do this. Google would have to start padding redirect responses to make it harder to tell the difference between these response types.

  7. Re:Thought about installing Signal by PvtVoid · Score: 2

    I have thought about installing Signal, but then I always remember the laundry list of permissions it wants access to in order to install.

    Here is a rundown on device permissions for Signal. Most of them seem basically necessary for a functional messaging app.

    What is everybody else's opinion on Signal?

    I've been using it for a few weeks, and I like it just fine. It is a transparent replacement for my default messaging app, and handles encryption to/from other signal users transparently. An additional perk is a Chrome plugin which lets me send/receive SMS messages from my browser. For a lot of obvious reasons, it is likely to be nowhere near as secure as a set of properly managed PGP keys, but IMO a lot of useful progress in widely deployed crypto has been hamstrung by paranoia, and letting the perfect be the enemy of the good.

    One disconcerting thing is that it goes through your contact list upon install, and notifies you of all people on your contacts list who have Signal enabled, without the permission of those contacts. This should be configurable, and opt-in. Sad!