Domain Fronting for Iran #7311
There are a couple of other issues (#6468, #5992 and signalapp/Signal-iOS#2903) about this problem. One of them has been closed and the other two could've been filed in a more structured way so I'm opening this one hoping we can move this conversation forward in a constructive way.
The problem is that Google App Engine blocks connections from Iran and this renders the anti-censorship feature of Signal useless for Iranian people. This is important now as the authorities are trying to shut down all the secure messaging platforms following the uprising and economic protests. Additionally, Telegram, the main social media and messaging app for Iranian people, has been blocked recently and this gives us a golden chance to help people adopt Signal. All it takes is to make sure all the Iranian numbers are being routed through a meek server that is not Google.
We at Tor have tested both Azure and Amazon and they work perfectly fine. I assume this is gonna be the same with other major CDNs as well.
Steps to reproduce
Actual result: Connection fails due to censorship.
Device: Any device
Here is some additional info for the curious mind:
Please help us to enable and empower millions of vulnerable people to communicate securely by making this change.
Domain fronting does not prevent censors from blocking your traffic, but it forces censors to block the traffic of another site if they also want to block yours. For domain fronting to be effective, there has to be a site that censors are unwilling to block.
The reason we use GAE is primarily because Google properties are the most popular sites in the regions where domain fronting is enabled. So far, those censors have been unwilling to block all Google properties in order to block Signal. This is what makes domain fronting work for Signal.
This is not possible in Iran, because Google does not allow access to GAE from Iran in order to comply with sanctions. To deal with that, you are suggesting that we use a different CDN, such as cloudfront or azureedge, instead of GAE. However, if you look at the Alexa top 50 for the country, there are no high traffic sites in Iran which depend on those CDNs. There are one or two that use fastly, but domain fronting doesn't work with fastly.
To reiterate, it does not matter that cloudfront or azureedge are accessible from Iran. It is not possible to simply "connect to cloudfront"; Signal has to make a TLS connection to a specific cloudfront domain, and that domain has to be something that would cause collateral damage for internet users in Iran if it were blocked. In the research we've repeatedly done every time this comes up, there is no such domain.
In the absence of such a domain, "domain fronting" through something random on cloudfront would be no more effective than simply switching to iran.signal.org or betyoucantblockthis.signal.org or whatever. That is to say, ineffective.
If you want Signal to be more difficult to block in Iran, we need a way to connect to Signal through Google domains.
Really all Signal has to do is connect to some unblocked cloudfront IP address, or an unblocked IP address of any other CDN for which domain fronting works. That IP address can serve multiple domains.
If Google being uncensored was a prerequisite for domain fronting to work, it would be quite ineffective because Google is blocked in most heavily censored countries, particularly Iran and China.
It's also worth noting that certainly Amazon and Azure host far more popular sites globally than GAE. I don't personally know anything particularly popular on GAE that would cause much collateral damage.
Guys, these days we are in the worst situation ever. search
@moxie0 Thanks for taking the time to explain your point of view. While I understand your point, I need to mention that the two meek instances at Tor which basically use 'ajax.aspnetcdn.com' and 'a0.awsstatic.com' as their front, simply continue to work in Iran and for whatever reason, it hasn't been blocked yet.
We both know and agree censorship is an arms race. You try to make it harder and they try to expand their willingness to shut more and more things down, and as we've seen they've been toying around with hijacking the whole BGP routing of the country to block international internet access and limit it to internal services... but till that happens, we still have time and we shouldn't simply give up because we don't have the perfect solution. It's all a matter of who acts faster. We experienced that back in the days at Tor as well. It wasn't the perfect fix but it bought us more time until we had a better solution.
I should also mention that just like any country the situation in Iran isn't black and white. Even when it comes to censorship, they can't move as fast as we can. Even if this only works for a couple of days, it's still worth doing. Every hour is precious at times like this.
Sadly, it's not that simple. Signal needs to make a TLS connection to a specific host, include an SNI header (remember, in the clear), and receive a TLS certificate for a specific domain. If all of that is for a target that causes no collateral damage, then there is no advantage to doing that over just connecting to nahnah-nahnahnah.signal.org. They are equally easy to block.
The data would suggest otherwise in Iran (Google properties are the most popular sites in the country).
Domain fronting doesn't work that way. It doesn't matter if Amazon or Azure "host" the site. Rather, the site or application has to be served from cloudfront or azureedge. Again, if you look through the Alexa top 50 or 100 for Iran, you will find that there is no such site (but Google properties are right at the top).
I don't know to what extent you've deployed this or how obvious your approach is, but if those sites haven't been blocked, it is simply because censors have not cared to block them. There is nothing about that approach which makes connections any more difficult to block than simply connecting to a host you own. Offline you have told me that you agree it "doesn't make sense," so I don't know what the point of this is.
On the contrary, I disagree. For an application like Signal, I don't think censorship circumvention can be a cat and mouse game that causes uncertainty and confusion for users, or which requires users to have advanced technical skills and understanding. We have thus far deployed extremely stable censorship circumvention in countries that have gone to great lengths to block Signal but have been unable to, and I believe that level of stability is required for a messaging application to be useful. It is possible that deploying something which works for a matter of minutes or hours is appropriate for other applications, but I don't believe the same is true for Signal - particularly when there is no existing install base due to censorship. Asking us to deploy something which requires an application update every 10 minutes or whatever would only mean that we have less time to focus on creating something that is actually sustainable.
In any case, we don't use GH issues for discussions. Please see the forums if you are interested in discussion.