U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Signal implements ‘domain fronting’ technique to bypass censorship

The latest update of Signal introduces the ‘domain fronting’ technique that has been implemented to circumvent censorship. Signal is considered the most secure instant messaging app, searching for it on the Internet it is possible to read the Edward Snowden’ testimony: “Use anything by Open Whisper Systems” Snowden says. The Cryptographer and Professor at Johns Hopkins […]

Signal Russia hacker WhatsApp

The latest update of Signal introduces the ‘domain fronting’ technique that has been implemented to circumvent censorship.

Signal is considered the most secure instant messaging app, searching for it on the Internet it is possible to read the Edward Snowden’ testimony:

“Use anything by Open Whisper Systems” Snowden says.

The Cryptographer and Professor at Johns Hopkins University Matt Green and the popular security expert Bruce Schneier are other two admirers of the Signal app.

The latest update of Signal has just been developed to implement mechanisms to circumvent censorship and restrictions applied by governments that want to avoid its use.

Some states are already blocking the application with the support of ISPs. The Government of Egypt and the United Arab Emirates applied measures to block Signal, for this reason, the Open Whisper Systems who develop the app has revised the Android version introducing a technique called domain fronting.

“With today’s release, domain fronting is enabled for Signal users who have a phone number with a country code from Egypt or the UAE,” said company founder Moxie Marlinspike in a blog post. “When those users send a Signal message, it will look like a normal HTTPS request to www.google.com. To block Signal messages, these countries would also have to block all of google.com.”

The domain fronting is a technique that relies on the use of different domain names at different application layers to evade censorship.

The domain fronting techniques “hides the remote endpoint of a communication. Domain fronting works at the application layer, using HTTPS, to communicate with a forbidden host while appearing to communicate with some other host, permitted by the censor,” as described in a paper published by researchers from the University of California, Berkeley, Psiphon, and Brave New Software.

“The key idea is the use of different domain names at different layers of communication. One domain appears on the “outside” of an HTTPS request—in the DNS request and TLS Server Name Indication—while another domain appears on the “inside”—in the HTTP Host header, invisible to the censor under HTTPS encryption.” continues the paper.”A censor, unable to distinguish fronted and nonfronted traffic to a domain, must choose between allowing circumvention traffic and blocking the domain entirely, which results in expensive collateral damage” 

The Domain fronting technique is easy to deploy and use and doesn’t require special activities by network intermediaries.

If the front domain is a popular website like ‘google.com, if the censor will block it would have a serious impact on the users.

Domain fronting has a cost.

Domain fronting leverages a CDN that have to receive the request and forward it to the domain in the HTTP host header, or a service that provides similar functionality, like Google’s App Engine.

Such services typically have a cost that according to the paper ranges from $0.10–0.25 per GB using a service like Google App Engine, Amazon CloudFront, Microsoft Azure, Fastly, and CloudFlare. This may explain why Signal isn’t making domain fronting a default everywhere.

Due to this cost, Signal isn’t providing domain fronting by default.

What about domain fronting for the iOS version of Signal?

Marlinspike confirmed that an iOS version of Signal that supports domain fronting is expected soon, meantime it is available a beta version.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Signal, domain fronting)