The recent dust-up with Facebook has made secure communication more popular than ever, but many law enforcement agencies aren’t happy with that prospect. In the US, federal authorities have made their dislike of encrypted communication widely known. In some countries, private messaging services are effectively banned. Signal is one of the most common ways to send encrypted messages, and it may no longer be able to evade those bans. According to the service’s lead developer Moxie Marlinspike, Amazon has threatened to revoke Signal’s hosting if it does not stop using Amazon to circumvent censorship.
Signal, which is available on Android, iOS, and desktop, uses strong end-to-end encryption to ensure no one but the intended recipient of your message can read it. As a result, Signal is currently banned in Egypt, Oman, Qatar, and the United Arab Emirates. It managed to evade that ban for 18 months with the help of Google App Engine. Using Google’s hosting tools, Signal used a technique called “domain fronting” that makes it look like its traffic is coming from a popular domain like Google.com.
Unfortunately, Google made changes to its infrastructure several weeks ago to block domain fronting, but it framed that as a consequence of unrelated upgrades. The change came suspiciously soon, however, after a number of policy organizations pressured Google to make domain fronting work in Iran, where Google was taking an unusually strict view of US sanctions by blocking all App Engine traffic. When Google did away with domain fronting, Signal moved over to Amazon’s CloudFront. The public source code reflected this change, and someone posted the news to Ycombinator.
Amazon was made aware of the Ycombinator post, and it was not happy. The notice sent to Signal made it abundantly clear that Amazon did not want third-party services to use Amazon domains to disguise their traffic. The notice points to the AWS terms and conditions, which could be read to disallow domain fronting. Signal disagrees, but that’s hardly the issue. Effective immediately, Signal can’t use domain fronting on CloudFront lest it get banned. Amazon has also decided to make changes that prevent domain fronting entirely.
It’s not hard to see why Google and Amazon would decide to stop allowing this workaround on their platforms. The censoring of apps in other countries is a political issue that does not concern them as US companies. As we learned from the Russian Telegram debacle, when a country gets serious about shutting down an app, it can do so even if that means breaking part of the internet. Marlinspike sees domain fronting as no longer viable, so Signal and other apps will need to find another solution.