Encrypted messaging service Signal received a curious email from Amazon Web Services. The representative at Amazon is saying that Signal is violating the terms of service by using domain fronting to avoid censorship.
Signal isn’t necessarily the most popular messaging app. But chances are you’ve been using Signal technologies in the past. The organization behind it has partnered with WhatsApp to develop the end-to-end encryption protocol used in WhatsApp.
While this is a great improvement over unencrypted communications, WhatsApp is blocked in China and owned by Facebook. And Facebook leverages WhatsApp user data in most of the world for its other services. So Facebook knows your address book, the timestamps and recipients of all your messages — Facebook just can’t read the content of your messages.
That’s why Open Whisper Systems, the organization behind Signal, is also developing its own messaging app and service. It’s available on iOS, Android and desktop. Everything is open source so security experts can audit the code themselves.
And, you guessed it, just like WhatsApp, many countries try to block Signal’s servers to prevent encrypted communications. Egypt, Oman, Qatar, the UAE and Iran all tried to block Signal.
There are multiple ways to block a service. You can block it at the DNS level by asking all internet service providers to block a specific domain name. But that’s easy to circumvent by switching to another public DNS, such as Quad9 and 1.1.1.1.
You can also block it during the TLS handshake. Most of the popular websites and internet services now encrypt your traffic between your device and the server. That’s what the green lock icon and the letters “https://” mean in your browser. It means that a government can’t see what you’re doing with a particular internet server once you’ve established a connection with this server.
Unfortunately, when the connection starts, the server and your device perform a TLS handshake, which is currently unencrypted. Governments have been using this weakness to block online services in their countries.
Signal and other sensitive services have used a technique called domain fronting to bypass those restrictions. Since 2016, Signal has been relying on Google App Engine to disguise its TLS handshake. The app pretends to talk with google.com even though it’s actually talking with Signal’s servers.
Countries could either block access to google.com (and Signal) or give up. Signal remained available Egypt, Oman, Qatar and the UAE because they didn’t want to block google.com — the organization couldn’t use the same method in Iran because Google doesn’t operate in Iran.
Last month, Google stopped allowing domain fronting on Google App Engine. Signal tried to find an alternative and wanted to use Amazon CloudFront to disguise its traffic as a connection to Souq.com, Amazon’s marketplace in the Middle East.
But now, Amazon is also taking a stance against domain fronting, threatening to suspend Signal’s CloudFront account. It sounds like Signal doesn’t have a solution for now. So if you live in one of the countries I listed and can’t access Signal anymore, now you know why. It might be time to build your own VPN.
It seems curious that Silicon Valley companies claim to champion free speech at all costs but don’t want to help when it comes to circumventing censorship using domain fronting.
There’s a financial risk as some countries might end up blocking google.com or souq.com in order to block services that use domain fronting. Those companies defend free speech until it could potentially hurt the bottom line…