
Egypt blocks the encrypted messaging app Signal as it continues cyber crackdown - sidcool
https://techcrunch.com/2016/12/26/1431709/
======
myf01d
I'm from Egypt. I think it's more an economic than a political initiative:
telecom companies are among the last standing pillars of the economy and they
are losing money more than ever as more and more people are using chat software
rather than talking using mobile phones or even using their shitty 3G internet
connection which is still applied so far. Any connection on HTTPS is
impossible to decrypt here anyway as our government isn't that competent.

~~~
SonicSoul
so how does not being able to decrypt traffic make them lose money?

~~~
myf01d
Telecom companies, which employed tens of thousands of mostly young, educated
people because of the massive growth since the early 2000s, are now facing a
slowdown if not shrinking, because most people here are now communicating for
free using WhatsApp and Viber. These companies were also doing nasty things like
injecting advertisement code inside plain HTML pages to earn money; as most
people here are browsing only Facebook and Twitter, which use HTTPS, it became
harder for them to compensate for their losses on their main service (phone
calls). They were colluding with the government to ban some chat apps on 3G
communication and postpone new technologies like 4G and faster ADSL
connections in order to make people obliged to return to phone calls. The
government knows very well that these companies are too big to fail as they
are maybe the biggest employer in the country.

~~~
xarball
So their answer is corruption/fascism?

~~~
myf01d
> corruption/fascism

That's what we call national security/stability here in the Middle East :D.
Seriously though, the government and the three telecom companies
Orange/Vodafone/Etisalat falsely think that this is a win-win situation to
save the telecom industry and national security; however, when it really comes
to terrorism, you can organize a terror attack using Facebook chat without
anyone knowing anything about you, maybe even after the attack if you are
paranoid enough and take all social engineering precautions.

~~~
nindalf
FWIW this happens in other Arab countries too. In Dubai the same carrier
Etisalat got a ban on the audio functionality of mobile apps - no calls on
WhatsApp, Viber etc. You can still text though.

------
pwnna
The article seems to be scarce on details... I'm not sure if this is about the
blocked access after Signal deployed its "domain fronting"[1] mitigation
technique (Dec 21), as the original report cited by the article[2, 3] is from
before the mitigation technique was deployed (Dec 17).

Are there more details about if domain fronting can be blocked as well?

[1]: https://whispersystems.org/blog/doodles-stickers-censorship/

[2]: https://twitter.com/ircpresident/status/810148053952892928

[3]: https://twitter.com/NoraYounis/status/810268132187242497

~~~
altendo
[1] answers it clearly:

> With today's release, domain fronting is enabled for Signal users who have a
> phone number with a country code from Egypt or the UAE. When those users
> send a Signal message, it will look like a normal HTTPS request to
> www.google.com. _To block Signal messages, these countries would also have
> to block all of google.com_. (emphasis added)

It can be blocked, but doing so will block google.com. Basically Open Whisper
Systems is making a block that much more costly to implement, since Google is
ubiquitous in so many different areas.

EDIT: forgot how to add the emphasis, is fixed now.

~~~
philfrasty
Why isn't all HTTPS traffic being declared this way (hiding the real
endpoint)? Is there any downside doing this?

~~~
firloop
SNI requires the hostname to be sent over the wire as plaintext. The reason
why SNI is useful is because it allows one server to host many HTTPS domains.
Perhaps some innovation to SNI would fix this problem.

https://en.wikipedia.org/wiki/Server_Name_Indication

~~~
endymi0n
This. The current advent of the encrypted web would not have been possible
without SNI - the costs for exclusive IPv4 addresses (especially when using a
CDN) would have been prohibitive.

SNI isn't as much of a security risk if you consider that before resolving,
you usually need a DNS request too - which would expose the endpoint to your
ISP anyway.

------
makecheck
We need to reach the point where there’s no easy way to simply “block” things
you don’t like. Quite the opposite, it should be absurdly expensive to even
_try_ to do that, with numerous technical and geographic hurdles to overcome.

A truly secure protocol should have no easy way to identify its traffic (e.g.
no obvious domain-name patterns that can be disallowed with a single regex, no
common IP address blocks, and no suspicious volume of traffic that couldn’t
just as easily come from 100 other things on the Internet). The backbone
itself should also have more than one off-switch; difficult in practice for
some remote areas but theoretically doable in combination with satellite
radios, etc.

------
ge96
Curious how you "block" an app. If you're saying blocking through an app store.
But what about sending the files through other means, zip in an email,
Dropbox, whatever. If the app connects online me somehow Egypt "knows"?

Asking because I don't know

------
fgandiya
Is it still blocked even after that change Signal made to the app a few days
ago?

~~~
contravariant
According to the comments below the article it seems it was blocked for a week
but is currently working.

------
dimino
I mistakenly thought Signal was an app on your phone that encrypted/decrypted
text messages. What part of that has to be online, other than getting updated
public keys, or is that the part that was blocked?

~~~
avhon1
Signal is really an XMPP client with a custom protocol extension. _All_ of its
encrypted messaging functionality relies on being able to communicate with the
official Signal server(s).

The Android version can, or at least used to, send and receive text messages,
but these were unencrypted. I believe that it was just to make Signal useful
as an all-in-one short messaging app.

~~~
h4waii
The Android client does support regular SMS handling, which is what makes it
great. Regular unencrypted SMS for users without Signal, and end-to-end for
users who have it, all in the same application.

It used to support encryption over SMS, unfortunately it was removed and is
now the primary focus of Silence[0], while Noise[1] is now for Signal without
the requirement of GCM for signaling.

0. https://silence.im

1. https://copperhead.co/android/docs/usage_guide

~~~
dTal
Upvote for Silence. It's the only solution for people who don't or won't have
a data connection open permanently. It also requires no signup and depends on
no external service.

I'd not heard of Noise. I'm glad that all the interesting crypto work that
Open Whisper Systems is doing is being forked and diversified - it's too
valuable to be only available through one centralized provider.

------
stratigos
signal ftw!

