Encryption App 'Signal' Fights Censorship With a Clever Workaround

A technique called "domain fronting" makes the app's encrypted traffic look no different from a Google search.

Any subversive software developer knows their app has truly caught on when repressive regimes around the world start to block it. Earlier this week the encryption app Signal, already a favorite within the security and cryptography community, unlocked that achievement. Now, it's making its countermove in the cat-and-mouse game of online censorship.

On Wednesday, Open Whisper Systems, which created and maintains Signal, announced that it's added a feature to its Android app that will allow it to sidestep censorship in Egypt and the United Arab Emirates, where it was blocked just days ago. Android users can simply update the app to gain unfettered access to the encryption tool, according to Open Whisper Systems founder Moxie Marlinspike, and an iOS version of the update is coming soon.

Signal's new anti-censorship feature uses a trick called "domain fronting," Marlinspike explains. A country like Egypt, with only a few small internet service providers tightly controlled by the government, can block any direct request to a service on its blacklist. But clever services can circumvent that censorship by hiding their traffic inside of encrypted connections to a major internet service, like the content delivery networks (CDNs) that host content closer to users to speed up their online experience, or in Signal's case, Google's App Engine platform, designed to host apps on Google's servers.

"Now when people in Egypt or the United Arab Emirates send a Signal message, it’ll look identical to something like a Google search," Marlinspike says. "The idea is that using Signal will look like using Google; if you want to block Signal you'll have to block Google."

The trick works because Google's App Engine allows developers to redirect traffic from Google.com to their own domain. Google’s use of TLS encryption means that contents of the traffic, including that redirect request, are hidden, and the internet service provider can see only that someone has connected to Google.com. That essentially turns Google into a proxy for Signal, bouncing its traffic and fooling the censors.
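The two layers described above, as an added example (not code from Signal or Open Whisper Systems): the server name travels in cleartext in the TLS ClientHello's SNI extension, while the HTTP Host header sits inside the encrypted stream. It assumes the front end routes on the Host header, as in the usual description of domain fronting; the domain names, the ClientHello bytes and all function names are constructed for illustration.

```python
import struct

def build_client_hello(sni: str) -> bytes:  # constructed minimal record with one SNI name
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    ext = struct.pack("!H", len(entry)) + entry             # server_name_list
    exts = struct.pack("!HH", 0, len(ext)) + ext            # extension type 0 = SNI
    body = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x00\x2f\x01\x00"  # version, random, sid, suite, compression
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def sni_from_client_hello(rec: bytes):  # the name an on-path observer can read, or None
    try:
        if rec[0] != 0x16 or rec[5] != 0x01:                # not a handshake / not a ClientHello
            return None
        p = 5 + 4 + 2 + 32                                  # record hdr, handshake hdr, version, random
        p += 1 + rec[p]                                     # session id
        p += 2 + int.from_bytes(rec[p:p + 2], "big")        # cipher suites
        p += 1 + rec[p]                                     # compression methods
        end = p + 2 + int.from_bytes(rec[p:p + 2], "big")   # end of the extensions block
        p += 2
        while p + 4 <= min(end, len(rec)):
            etype, elen = struct.unpack("!HH", rec[p:p + 4])
            if etype == 0:                                  # list len(2), type(1), name len(2), name
                nlen = int.from_bytes(rec[p + 7:p + 9], "big")
                return rec[p + 9:p + 9 + nlen].decode("ascii").lower()
            p += 4 + elen
    except (IndexError, UnicodeDecodeError):                # truncated or malformed record
        pass
    return None

def host_header(http_request: bytes):  # what the TLS-terminating front end sees after decryption
    for line in http_request.split(b"\r\n")[1:]:
        key, _, value = line.partition(b":")
        if key.strip().lower() == b"host":
            return value.strip().decode("ascii").lower()
    return None

def filter_blocks(record: bytes, blocklist: set) -> bool:
    """A name-based network filter can only match on the cleartext SNI."""
    return sni_from_client_hello(record) in blocklist

def is_fronted(record: bytes, decrypted_request: bytes) -> bool:
    """Only an endpoint that decrypts the stream can compare the two names."""
    return sni_from_client_hello(record) != host_header(decrypted_request)

# Constructed sample: the outer name is the large provider, the inner name is the hidden service.
RECORD = build_client_hello("front.example")
REQUEST = b"GET / HTTP/1.1\r\nHost: blocked-service.example\r\n\r\n"
```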

That domain fronting technique has already been used by other encryption and anti-censorship tools like Tor, Psiphon, and Lantern. And it doesn't just depend on Google, but also works with CDNs like Cloudflare, Akamai, and Amazon Cloudfront. So a censor attempting to block the circumvention method would have to block not only Google, but also a long list of other major services. "All of that together represents a large chunk of internet traffic," says Marlinspike. "Eventually disabling Signal starts to resemble disabling the internet."

Blocking major services, or even blocking the entire internet, is certainly a real possibility. Egypt, after all, did block its entire internet during the Arab Spring protests in 2011. And Brazil blocked WhatsApp, which integrates Signal as its encryption protocol, after a stymied drug investigation. But in both cases, the block was short-lived; only a few countries like China, Iran, and North Korea have been willing to permanently censor large swathes of the internet wholesale.

If any other countries block Signal, Marlinspike says he'll be ready to react. "This kind of thing is a high priority," he says. (In fact, Marlinspike rushed out an Arabic language version of Signal's predecessor encryption apps Redphone and Textsecure to help Arab Spring protestors five years ago.) And at least in countries where the government isn't willing to shut down the internet altogether, he thinks the app has a strong chance of staying online. "At least in places like this, these techniques are going to be really effective," says Marlinspike. "It’s possible that these countries will respond. But the endgame is that we’ll win."