Domain Fronting for Iran #7311

Closed
mrphs opened this Issue Jan 1, 2018 · 7 comments


mrphs commented Jan 1, 2018

I have:


Bug description

There are a couple of other issues (#6468, #5992 and signalapp/Signal-iOS#2903) about this problem. One of them has been closed and the other two could've been filed in a more structured way so I'm opening this one hoping we can move this conversation forward in a constructive way.

The problem is that Google App Engine blocks connections from Iran and this renders the anti-censorship feature of Signal useless for Iranian people. This is important now as the authorities are trying to shut down all the secure messaging platforms following the uprising and economical protests. Additionally, Telegram, the main social media and messaging app for Iranian people, has been blocked recently and this gives us a golden chance to help people adopt Signal. All it takes is to make sure all the Iranian numbers are being routed through a meek server that is not Google.

We at Tor have tested both Azure and Amazon and they work perfectly fine. I assume this is gonna be the same with other major CDNs as well.

Steps to reproduce

  • Try to connect to Signal servers from an Iranian IP address

Actual result: Connection fails due to censorship.
Expected result: OWS needs to either switch to, or add new meek servers on a platform that isn't Google App Engine and Signal should automatically enable censorship circumvention feature for Iranian phone numbers (+98).

Device info

Device: Any device
Android version: Any device, both Android and iOS

Here is some additional info for the curious mind:
https://twitter.com/CDA/status/947556800328433664 and https://twitter.com/mrphs/status/947601608061353984

Please help us to enable and empower millions of vulnerable people to communicate securely by making this change.

kmontenegro commented Jan 1, 2018

I join my voice to the urgency of resolving this ticket. It seems using geo-provisioning could keep a small universe of users on alternate non-gcloud/gae backbones. Figuring out how to obfuscate those users is a real concern but so is extending Signal's reach.

sagesheep commented Jan 1, 2018

If WhisperSystems Signal is open source, isn't it possible to release a forked version with desired modifications?

Member

moxie0 commented Jan 2, 2018

Domain fronting does not prevent censors from blocking your traffic, but it forces censors to block the traffic of another site if they also want to block yours. For domain fronting to be effective, there has to be a site that censors are unwilling to block.

The reason we use GAE is primarily because Google properties are the most popular sites in the regions where domain fronting is enabled. So far, those censors have been unwilling to block all Google properties in order to block Signal. This is what makes domain fronting work for Signal.

This is not possible in Iran, because Google does not allow access to GAE from Iran in order to comply with sanctions. To deal with that, you are suggesting that we use a different CDN, such as cloudfront or azureedge, instead of GAE. However, if you look at the Alexa top 50 for the country, there are no high traffic sites in Iran which depend on those CDNs. There are one or two that use fastly, but domain fronting doesn't work with fastly.

To reiterate, it does not matter that cloudfront or azureedge are accessible from Iran. It is not possible to simply "connect to cloudfront," Signal has to make a TLS connection to a specific cloudfront domain, and that domain has to be something that would cause collateral damage for internet users in Iran if it were blocked. In the research we've repeatedly done every time this comes up, there is no such domain.

In the absence of such a domain, "domain fronting" through something random on cloudfront would be no more effective than simply switching to iran.signal.org or betyoucantblockthis.signal.org or whatever. That is to say, ineffective.

If you want Signal to be more difficult to block in Iran, we need a way to connect to Signal through Google domains.

@moxie0 moxie0 closed this Jan 2, 2018

myleshorton commented Jan 2, 2018

> Signal has to make a TLS connection to a specific cloudfront domain, and that domain has to be something that would cause collateral damage for internet users in Iran if it were blocked.

Really all signal has to do is connect to some unblocked cloudfront IP address, or an unblocked IP address of any other CDN for which domain fronting works. That IP address can serve multiple domains.

If Google being uncensored was a prerequisite for domain fronting to work, it would be quite ineffective because Google is blocked in most heavily censored countries, particularly Iran and China.

It's also worth noting that certainly Amazon and Azure host far more popular sites globally than GAE. I don't personally know anything particularly popular on GAE that would cause much collateral damage.

GameO7er commented Jan 2, 2018

Guys, these days we are in the worst situation ever. Search protest hashtags on Twitter and you can find what I'm talking about. The government censored Telegram and Instagram temporarily, and all VPN ports are blocked, but in this situation I can connect to Tor Browser easily with OBFS4. So what about this? Is it possible to use this feature or ST like this?

Sincerely

mrphs commented Jan 2, 2018

@moxie0 Thanks for taking the time to explain your point of view. While I understand your point, I need to mention that the two meek instances at Tor, which basically use 'ajax.aspnetcdn.com' and 'a0.awsstatic.com' as their fronts, simply continue to work in Iran and, for whatever reason, they haven't been blocked yet.

We both know and agree censorship is an arms race. You try to make it harder and they try to expand their willingness to shut more and more things down, and as we've seen they've been toying around with hijacking the whole BGP routing of the country to block international internet access and limit it to internal services... but till that happens, we still have time and we shouldn't simply give up because we don't have the perfect solution. It's all a matter of who acts faster. We experienced that back in the days at Tor as well. It wasn't the perfect fix but it bought us more time until we had a better solution.

I should also mention that just like any country the situation in Iran isn't black and white. Even when it comes to censorship, they can't move as fast as we can. Even if this only works for a couple of days, it's still worth doing. Every hour is precious at times like this.

Member

moxie0 commented Jan 2, 2018

> Really all signal has to do is connect to some unblocked cloudfront IP address, or an unblocked IP address of any other CDN for which domain fronting works. That IP address can serve multiple domains.

Sadly, it's not that simple. Signal needs to make a TLS connection to a specific host, include an SNI header (remember, in the clear), and receive a TLS certificate for a specific domain. If all of that is for a target that causes no collateral damage, then there is no advantage to doing that over just connecting to nahnah-nahnahnah.signal.org. They are equally easy to block.

> If Google being uncensored was a prerequisite for domain fronting to work, it would be quite ineffective because Google is blocked in most heavily censored countries

The data would suggest otherwise in Iran (Google properties are the most popular sites in the country).

> It's also worth noting that certainly Amazon and Azure host far more popular sites globally than GAE. I don't personally know anything particularly popular on GAE that would cause much collateral damage.

Domain fronting doesn't work that way. It doesn't matter if Amazon or Azure "host" the site. Rather, the site or application has to be served from cloudfront or azureedge. Again, if you look through the Alexa top 50 or 100 for Iran, you will find that there is no such site (but Google properties are right at the top).

> Thanks for taking the time to explain your point of view. While I understand your point, I need to mention that the two meek instances at Tor which basically use 'ajax.aspnetcdn.com' and 'a0.awsstatic.com' as their front, simply continue to work in Iran and for whatever reason, it hasn't been blocked yet.

I don't know to what extent you've deployed this or how obvious your approach is, but if those sites haven't been blocked, it is simply because censors have not cared to block them. There is nothing about that approach which makes connections any more difficult to block than simply connecting to a host you own. Offline you have told me that you agree it "doesn't make sense," so I don't know what the point of this is.

> We both know and agree censorship is an arms race.

On the contrary, I disagree. For an application like Signal, I don't think censorship circumvention can be a cat and mouse game that causes uncertainty and confusion for users, or which requires users to have advanced technical skills and understanding. We have thus far deployed extremely stable censorship circumvention in countries that have gone to great lengths to block Signal but have been unable to, and I believe that level of stability is required for a messaging application to be useful. It is possible that deploying something which works for a matter of minutes or hours is appropriate for other applications, but I don't believe the same is true for Signal - particularly when there is no existing install base due to censorship. Asking us to deploy something which requires an application update every 10 minutes or whatever would only mean that we have less time to focus on creating something that is actually sustainable.

In any case, we don't use GH issues for discussions. Please see the forums if you are interested in discussion.

@signalapp signalapp locked and limited conversation to collaborators Jan 2, 2018
