For over a year and a half, countries such as China, Cuba, Egypt, Guyana, Kuwait, Malaysia, Oman, Paraguay, Qatar, Syria, Turkey, and the United Arab Emirates have blocked people from using Signal, a mobile app for sending end-to-end encrypted messages and making encrypted calls, available for Google Android and Apple iOS. To help users in the countries (at least 30, by one count) that have banned or restricted Signal, Open Whisper Systems, the company behind the app, has relied on an anti-censorship technique known as domain fronting. That technique may no longer work, because two of the largest cloud providers have now acted to shut it down.
Domain fronting lets an app like Signal hide which service it is talking to from anyone watching the network. The client performs its DNS lookup and sets its TLS Server Name Indication (SNI) extension to a permitted, high-value domain that is hosted on the same cloud front end or CDN as the blocked service; only the HTTP Host header, which travels inside the encrypted TLS connection, names the real destination. An ISP or government censor, who can see DNS queries and the cleartext SNI but not the Host header, therefore sees what looks like ordinary traffic to a popular web site, while the provider's edge terminates TLS, reads the Host header, and routes the request to the blocked service. Unfortunately, for the second time a provider has cut Signal off from domain fronting on its infrastructure, so Signal users in censoring countries will once again find the app hard to use.
Domain fronting was possible on several large hosting and CDN platforms, including Amazon's CloudFront and Google's App Engine. Signal originally fronted through Google App Engine: its traffic looked like regular HTTPS traffic to Google's domain, and most countries that block Signal are unwilling to block access to a site as large and popular as Google. Domain fronting as a censorship-circumvention technique was first described in a 2015 research paper, "Blocking-resistant communication through domain fronting", by researchers from the University of California, Berkeley, the Brave New Software Project, and Psiphon.
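The following Python model shows the three viewpoints described above: the client building a fronted connection, a censor that can see only DNS and SNI, and a provider edge that routes on the Host header. It is an added example, not code from Signal or from any provider; the domain names, blocklist and origin table are constructed for the demonstration, and the optional SNI/Host match check models the general shape of a provider-side countermeasure, not any specific vendor's implementation.

```python
"""Domain fronting as seen by the client, a passive censor, and the CDN edge.

Added example: all domains, the blocklist and the origin table below are
constructed for illustration and are not from the original article.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed data: the censor blocks the hidden service by name, and the
# CDN hosts both the popular front domain and the hidden service.
BLOCKED_DOMAINS = {"hidden-service.example"}
CDN_ORIGINS = {
    "popular-front.example": "front-origin",     # hypothetical high-value site
    "hidden-service.example": "hidden-origin",   # hypothetical blocked service
}


@dataclass
class ClientHello:
    """The only names a passive observer sees in the clear."""
    dns_name: str  # name the client resolved
    sni: str       # TLS Server Name Indication, sent unencrypted


def build_fronted_request(front_domain: str, hidden_domain: str,
                          path: str) -> Tuple[ClientHello, bytes]:
    """Client side: DNS and SNI name the front domain; the Host header,
    which is only visible after TLS decryption, names the hidden domain."""
    hello = ClientHello(dns_name=front_domain, sni=front_domain)
    request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {hidden_domain}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode()
    return hello, request


def censor_decision(hello: ClientHello) -> str:
    """Censor side: it cannot read the encrypted HTTP layer, so it can only
    match the DNS name and the SNI against its blocklist."""
    if hello.dns_name in BLOCKED_DOMAINS or hello.sni in BLOCKED_DOMAINS:
        return "blocked"
    return "allowed"


def host_header(request: bytes) -> Optional[str]:
    """Extract the Host header from a decrypted HTTP/1.1 request."""
    head, _, _ = request.decode("ascii").partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def cdn_route(hello: ClientHello, request: bytes,
              enforce_sni_host_match: bool) -> str:
    """CDN side: after terminating TLS it routes on the Host header.

    With enforce_sni_host_match=True, a Host header that differs from the
    SNI is refused with 421 Misdirected Request. This is the assumed general
    form of a provider-side countermeasure against fronting."""
    host = host_header(request)
    if host is None or host not in CDN_ORIGINS:
        return "404 not found"
    if enforce_sni_host_match and host != hello.sni:
        return "421 misdirected"
    return CDN_ORIGINS[host]


def scenario(front: str, hidden: str, enforce: bool) -> Tuple[str, str]:
    """Run one connection through the censor and then the CDN edge."""
    hello, request = build_fronted_request(front, hidden, "/v1/messages")
    verdict = censor_decision(hello)
    if verdict == "blocked":
        return verdict, "never reached CDN"
    return verdict, cdn_route(hello, request, enforce)


if __name__ == "__main__":
    print("direct:         ", scenario("hidden-service.example",
                                       "hidden-service.example", False))
    print("fronted:        ", scenario("popular-front.example",
                                       "hidden-service.example", False))
    print("fronted+check:  ", scenario("popular-front.example",
                                       "hidden-service.example", True))
```

Running the script prints that a direct connection is blocked at the censor, a fronted connection passes the censor and reaches the hidden origin, and the same fronted connection is refused once the edge insists that Host and SNI agree. The last case is the whole story of this article in one line: the censor never had to change anything; the provider's check did the work.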
On December 21st, 2016, Open Whisper Systems announced in a blog post that the latest Signal update included domain fronting, added in response to Signal being censored in Egypt and the United Arab Emirates. Each time another country began to censor Signal, Open Whisper Systems updated the app to enable domain fronting for users in that country; in January 2017 it did so for users in Cuba and Oman. It should be noted that domain fronting never worked in one country that censors Signal, Iran. The reason is that Google interpreted United States federal sanctions law as prohibiting it from processing requests originating from within Iran, so Google's front end refused those connections regardless of what domain they were fronted through.
At the beginning of this year, several organizations began lobbying Google to change its interpretation of the sanctions law and to start processing requests from Iran, so that Iranians censored by their own government could be helped. Unfortunately, the campaign appears to have had the opposite effect. By calling on Google to change its policy, the campaigners made people in leadership positions at Google aware of what domain fronting was and how it was being used to circumvent censorship around the globe. Within a month of the campaign's start, Google decided it did not want to be involved in helping Signal circumvent censorship and changed Google App Engine so that domain fronting no longer worked on it.
After losing Google's infrastructure, Open Whisper Systems switched to fronting through Amazon's CloudFront CDN. Open Whisper Systems argues that it is not technically violating the AWS terms of service, but Amazon does not see it that way. Amazon emailed Open Whisper Systems demanding that Signal stop domain fronting on CloudFront, and just days later announced on the AWS Security Blog that it was rolling out Enhanced Domain Protections for Amazon CloudFront requests, under which a request whose HTTP Host header does not match the domain named in the TLS SNI is no longer honoured. That check removes exactly the mismatch that domain fronting depends on, ending the ability of apps like Signal to use the technique on CloudFront.
Open Whisper Systems has stated that it no longer believes domain fronting is a viable way for Signal users to circumvent censorship. “The idea behind domain fronting was that to block a single site, you’d have to block the rest of the internet as well. In the end, the rest of the internet didn’t like that plan,” Open Whisper Systems’ Moxie Marlinspike said in a blog post on the Signal web site. For now the creators of Signal are going back to the drawing board to find other ways to help Signal users circumvent censorship. Mr. Marlinspike ended his blog post by saying, “the censors in these countries will have (at least temporarily) achieved their goals. Sadly, they didn’t have to do anything but wait.”