"With today's release, domain fronting is enabled for Signal users who have a phone number with a country code from Egypt or the UAE," Open Whisper Systems founder Moxie Marlinspike said Wednesday in a blog post. Someone monitoring user traffic will only see HTTPS requests going to but those requests will reach the reflector script on Google App Engine and will be forwarded to a hidden destination. This means that someone can create a simple reflector script, host it on Google App Engine and then use the HTTP host header trick to hide its location from censors. This domain is used by Google App Engine, a service that allows users to create and host web applications on Google's cloud platform. Google, for example, allows redirection through the HTTP host header from to. However, most of them only allow it for domains that belong to their customers, so one must become a customer in order to use this technique. Their research revealed that many cloud service providers and content delivery networks allow HTTP host header redirection, including Google, Amazon Cloudfront, Amazon S3, Azure, CloudFlare, Fastly and Akamai. In a domain-fronted request, however, the DNS query and SNI carry one name (the “front domain”), while the HTTP Host header, hidden from the censor by HTTPS encryption, carries another (the covert, forbidden destination)." "Ordinarily, the same domain name appears in all three places. "In an HTTPS request, the destination domain name appears in three relevant places: in the DNS query, in the TLS Server Name Indication (SNI) extension and in the HTTP Host header," the researchers said in their paper. If done over HTTPS, such redirection would be invisible to someone monitoring the traffic, because the HTTP Host header is sent after the HTTPS connection is negotiated and is therefore part of the encrypted traffic. The technique involves sending requests to a "front domain" and using the HTTP Host header to trigger a redirect to a different domain.
REDDIT SIGNAL MESSENGER SOFTWARE
The solution from Signal's developers was to implement a censorship circumvention technique known as domain fronting that was described in a 2015 paper by researchers from University of California, Berkeley, the Brave New Software project and Psiphon.
0 kommentar(er)
