Slashdot Mirror
Encrypted Messaging App Signal Uses Google To Bypass Censorship (pcworld.com)
Developers of the popular Signal secure messaging app have started to use Google's domain as a front to hide traffic to their service and to sidestep blocking attempts. Bypassing online censorship in countries where internet access is controlled by the government can be very hard for users. It typically requires the use of virtual private networking (VPN) services or complex solutions like Tor, which can be banned too. From a report on PCWorld: Open Whisper Systems, the company that develops Signal -- a free, open-source app -- faced this problem recently when access to its service started being censored in Egypt and the United Arab Emirates. Some users reported that VPNs, Apple's FaceTime and other voice-over-IP apps were also being blocked. The solution from Signal's developers was to implement a censorship circumvention technique known as domain fronting that was described in a 2015 paper by researchers from University of California, Berkeley, the Brave New Software project and Psiphon. The technique involves sending requests to a "front domain" and using the HTTP Host header to trigger a redirect to a different domain. If done over HTTPS, such redirection would be invisible to someone monitoring the traffic, because the HTTP Host header is sent after the HTTPS connection is negotiated and is therefore part of the encrypted traffic.
TextSecure was their original app. They replaced it with Signal.
There are 10 types of people in the world: those who understand binary and those who don't.
So, IANACryptographer, but if I understand correctly: Google gets metadata when Alice sends a message (because connect to its server using this "fronting"), and when Bob receives one (because Signal delivers messages using GCM). It doesn't look too hard for them to reconstruct that Alice is exchanging messages to Bob.
My first program:
Hell Segmentation fault