Signal implements ‘domain fronting’ technique to bypass censorship

The latest update of Signal introduces the ‘domain fronting’ technique that has been implemented to circumvent censorship.

Signal is considered the most secure instant messaging app, searching for it on the Internet it is possible to read the Edward Snowden’ testimony:

The latest update of Signal has just been developed to implement mechanisms to circumvent censorship and restrictions applied by governments that want to avoid its use.

Some states are already blocking the application with the support of ISPs. The Government of Egypt and the United Arab Emirates applied measures to block Signal, for this reason, the Open Whisper Systems who develop the app has revised the Android version introducing a technique called domain fronting.

“With today’s release, domain fronting is enabled for Signal users who have a phone number with a country code from Egypt or the UAE,” said company founder Moxie Marlinspike in a blog post. “When those users send a Signal message, it will look like a normal HTTPS request to www.google.com. To block Signal messages, these countries would also have to block all of google.com.”

The domain fronting is a technique that relies on the use of different domain names at different application layers to evade censorship.

The domain fronting techniques “hides the remote endpoint of a communication. Domain fronting works at the application layer, using HTTPS, to communicate with a forbidden host while appearing to communicate with some other host, permitted by the censor,” as described in a paper published by researchers from the University of California, Berkeley, Psiphon, and Brave New Software.

“The key idea is the use of different domain names at different layers of communication. One domain appears on the “outside” of an HTTPS request—in the DNS request and TLS Server Name Indication—while another domain appears on the “inside”—in the HTTP Host header, invisible to the censor under HTTPS encryption.” continues the paper.”A censor, unable to distinguish fronted and nonfronted traffic to a domain, must choose between allowing circumvention traffic and blocking the domain entirely, which results in expensive collateral damage” 

The Domain fronting technique is easy to deploy and use and doesn’t require special activities by network intermediaries.

If the front domain is a popular website like ‘google.com, if the censor will block it would have a serious impact on the users.

Domain fronting has a cost.

Domain fronting leverages a CDN that have to receive the request and forward it to the domain in the HTTP host header, or a service that provides similar functionality, like Google’s App Engine.

Such services typically have a cost that according to the paper ranges from $0.10–0.25 per GB using a service like Google App Engine, Amazon CloudFront, Microsoft Azure, Fastly, and CloudFlare. This may explain why Signal isn’t making domain fronting a default everywhere.

Due to this cost, Signal isn’t providing domain fronting by default.

What about domain fronting for the iOS version of Signal?

Marlinspike confirmed that an iOS version of Signal that supports domain fronting is expected soon, meantime it is available a beta version.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Signal, domain fronting)