
Encryption App ‘Signal’ Fights Censorship with a Clever Workaround - ergot
https://www.wired.com/2016/12/encryption-app-signal-fights-censorship-clever-workaround/
======
ergot
Here's a detailed overview of so-called 'domain fronting':
[https://www.bamsoftware.com/papers/fronting/](https://www.bamsoftware.com/papers/fronting/)

Some VPNs use a module called _obfsproxy_ which uses the fronting technique.
One VPN service I recall that uses it is called Tunnelbear. You can read more
about this feature here:
[https://help.tunnelbear.com/customer/en/portal/articles/2435...](https://help.tunnelbear.com/customer/en/portal/articles/2435665-ghostbear-fight-censorship-and-restrictive-networks)

This is not an endorsement of Tunnelbear; I just thought it would be worth
mentioning that VPN services offer this now to thwart censorship.
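An added illustration of the mechanism the linked paper describes; this is not code from the thread, from Signal, or from any of the projects mentioned. It hand-builds a minimal TLS 1.2 ClientHello (real ones carry many more extensions) and parses the server_name extension back out, to show that the SNI an on-path observer can read names one domain while the HTTP `Host` header the CDN routes on is only visible inside the encrypted session. The hostnames `www.front.example` and `hidden-service.example` are constructed placeholders. The final check is the SNI/Host consistency test a CDN operator applies at its edge; enforcing it is what makes fronting stop working on that provider.

```python
import os
import struct

# Constructed placeholder names (assumptions, not from the thread):
# the "front" name an observer sees in the TLS SNI, and the service
# named in the encrypted HTTP Host header that the CDN actually routes to.
FRONT_DOMAIN = "www.front.example"
HIDDEN_HOST = "hidden-service.example"


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record with a server_name extension."""
    name = server_name.encode("ascii")
    sn_entry = b"\x00" + struct.pack("!H", len(name)) + name      # host_name type
    sn_list = struct.pack("!H", len(sn_entry)) + sn_entry
    ext = struct.pack("!HH", 0x0000, len(sn_list)) + sn_list      # ext type 0 = SNI
    extensions = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"                            # client_version: TLS 1.2
        + os.urandom(32)                       # client random
        + b"\x00"                              # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
        + b"\x01\x00"                          # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None."""
    if len(record) < 5 or record[0] != 0x16:        # not a handshake record
        return None
    hs = record[5:]
    if not hs or hs[0] != 0x01:                     # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                    # skip version + random
    pos += 1 + body[pos]                            # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                            # compression methods
    if pos + 2 > len(body):
        return None                                 # no extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data, pos = body[pos:pos + elen], pos + elen
        if etype != 0x0000:
            continue
        p = 2                                       # skip server_name_list length
        while p + 3 <= len(data):
            ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            if ntype == 0:
                return data[p:p + nlen].decode("ascii")
            p += nlen
    return None


def fronted_request(host: str, path: str = "/") -> bytes:
    """The plaintext HTTP request that travels inside the TLS session."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


def observer_view(client_hello: bytes) -> dict:
    """What an on-path middlebox can read: the SNI, but never the Host header."""
    return {"sni": extract_sni(client_hello), "host_header": None}


def cdn_view(client_hello: bytes, plaintext_request: bytes) -> dict:
    """What the CDN edge sees after TLS termination: both SNI and Host."""
    host = None
    for line in plaintext_request.decode().split("\r\n"):
        if line.lower().startswith("host:"):
            host = line.split(":", 1)[1].strip()
    return {"sni": extract_sni(client_hello), "host_header": host}


def is_domain_fronted(view: dict) -> bool:
    """CDN-side consistency check: a Host header that disagrees with the SNI."""
    return view["host_header"] is not None and view["sni"] != view["host_header"]


if __name__ == "__main__":
    hello = build_client_hello(FRONT_DOMAIN)
    print("observer sees:", observer_view(hello))
    print("CDN sees:     ", cdn_view(hello, fronted_request(HIDDEN_HOST)))
```

The observer's dictionary never contains a `host_header`, which is the whole point: without the session keys, the only name on the wire is the front. The CDN is the one party that can compare both names, which is why the provider, not the network in between, decides whether fronting keeps working.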

~~~
tornadoboy55
OpenVPN goes over TCP port 443, making it look like bog-standard HTTPS
traffic. Unless the country you're in blacklists entire VPN IP blocks (not
particularly useful, they rotate all the time), it's already unblockable,
unless they want to block ALL https traffic.

~~~
ergot
The idea behind obfsproxy is that you don't want it looking like port 443 on
the wire. You can in fact mask the traffic using the domain fronting technique,
providing you set up obfsproxy correctly. I haven't tried it myself, but I have
analyzed Tunnelbear's 'ghostbear' feature with Wireshark and the traffic looks
fairly innocuous, which is what we're aiming for.

[https://community.openvpn.net/openvpn/wiki/TrafficObfuscatio...](https://community.openvpn.net/openvpn/wiki/TrafficObfuscation)

------
subliminalpanda
I asked my aunt in Dubai to update Signal on her iPhone and managed to place a
call sans VPN.

Completely stable, clear audio.

~~~
vinay427
The quality has never been stellar for me. It's similar to speaking on a
landline, but not nearly as good as VoLTE or some online systems (Hangouts
excepted, because their quality is poor every time I've used it).

I've tried it between the US and US/Europe, for what it's worth, over mobile
internet connections.

~~~
subliminalpanda
To put it into perspective, audio call quality is much better on WhatsApp by
comparison. However, due to my family member connecting to a VPN, the additional
latency would cause audio jitters. Calls would also drop after 10-15 minutes.

With this technique the jitters have all but gone, and no disconnections.

------
linkregister
This is a great workaround for the UAE and Saudi, which are "oppression lite."
This would never work in a more oppressive country; the rulers there would
simply fail to whitelist traffic going to Google Cloud / App Engine.
This is already evident on the other side of the Great Firewall.

Still, pretty cool.

~~~
trome
If they block Google.com, sure, it won't work, but in that case Signal could
just use a CDN they won't block, like Alicloud in China, or AWS or similar.

~~~
Fnoord
Signal can use Cloudflare as well (the article I read first spoke of
Cloudflare, not Google, but it wasn't in English). Blocking Cloudflare is
going to break half the internet.

~~~
ycmbntrthrwaway
In Russia, Roskomnadzor does not care. The number of blocked CloudFlare IPs in
Russia keeps growing and about one-third of blocked IPs belong to CloudFlare:
[https://rublacklist.net/13108/](https://rublacklist.net/13108/) It is still a
small percentage of CloudFlare IPs, but if you use the free CloudFlare service for
your website you are extremely likely to get an IP that is already blocked.

Actually, Roskomnadzor officially asked people not to use CloudFlare sites:
[http://rkn.gov.ru/news/rsoc/news24880.htm](http://rkn.gov.ru/news/rsoc/news24880.htm)
The message is: don't hide behind CloudFlare or your sites will get blocked by
IP without reason.

China blocks Google Fonts; it breaks half the internet by making all font
requests time out, but still the government does not care.

When government starts blocking CDNs, most commercial websites aiming at users
within the government will rapidly move off the CDN instead of freedom
fighting, sadly.

------
Jarwain
Here's a link to the blog post announcing the update.

[https://whispersystems.org/blog/doodles-stickers-censorship/](https://whispersystems.org/blog/doodles-stickers-censorship/)

I find the stark difference amusing: going from light-hearted doodles and
stickers on images to a censorship workaround.

------
rhcom2
Can someone explain to me why Tor does not use "domain fronting" to hide that
it is Tor traffic?

~~~
chrisballinger
This is exactly what the meek [1] pluggable transport does. It was developed
by David Fifield, one of the original authors of the domain fronting paper [2].

1. [https://trac.torproject.org/projects/tor/wiki/doc/meek](https://trac.torproject.org/projects/tor/wiki/doc/meek)

2. [https://www.bamsoftware.com/papers/fronting/](https://www.bamsoftware.com/papers/fronting/)

~~~
rhcom2
Thanks a lot for the links. So am I correct in understanding that the reason
this isn't a default Tor capability is the setup around the domains used to do
the fronting (it looks like meek mostly uses CDNs)?

------
devy
This "domain fronting" trick could make Google suffer collateral damage if
the regime is determined to block such encryption apps.

~~~
01Michael10
It's OK, Google would survive just fine... The real worry is the people who
need secure communications and their survival.

~~~
devy
Collateral damage not in terms of Internet traffic, but in getting "blocked" in
those regions.

~~~
01Michael10
Yes, we know... And?

------
xref
So could the AppEngine subdomain that Signal is using be DDoSed to make it
timeout (or run up their bill fantastically high) when the domain fronted
message is forwarded?

