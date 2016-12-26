Hacker News
Egypt blocks the encrypted messaging app Signal as it continues cyber crackdown (techcrunch.com)
21 points by sidcool 3 hours ago | 7 comments





The article seems to be scarce on details... I'm not sure if this is about the blocked access after Signal deployed its "domain fronting"[1] mitigation technique (Dec 21), as the original report cited by the article[2, 3] is from before the mitigation technique was deployed (Dec 17).

Are there more details about whether domain fronting can be blocked as well?

[1]: https://whispersystems.org/blog/doodles-stickers-censorship/

[2]: https://twitter.com/ircpresident/status/810148053952892928

[3]: https://twitter.com/NoraYounis/status/810268132187242497

[1] answers it clearly:

> With today's release, domain fronting is enabled for Signal users who have a phone number with a country code from Egypt or the UAE. When those users send a Signal message, it will look like a normal HTTPS request to www.google.com. To block Signal messages, these countries would also have to block all of google.com. (emphasis added)

It can be blocked, but doing so will block google.com. Basically Open Whisper Systems is making a block that much more costly to implement, since Google is ubiquitous in so many different areas.

EDIT: forgot how to add the emphasis, is fixed now.

Why isn't all HTTPS traffic being declared this way (hiding the real endpoint)? Is there any downside to doing this?

The default way SNI works requires the hostname to be sent over the wire as plaintext. The reason why SNI is useful is because it allows one server to host many HTTPS domains. Perhaps some innovation to SNI would fix this problem.

https://en.wikipedia.org/wiki/Server_Name_Indication

Should have made it the website of the government :D

I mistakenly thought Signal was an app on your phone that encrypted/decrypted text messages. What part of that has to be online, other than getting updated public keys, or is that the part that was blocked?

Signal does not include the text message encryption feature anymore. It's an internet-based messenger.

