I'm from Egypt, I think it's more an economic than political initiative, telecom companies are among the last standing pillars of the economy and they are losing money more than ever as more and more people using chat software than talking using mobile phones or even using their shitty 3g internet connection which is still applied so far. Any connection on https is impossible to decrypt here anyway as our government isn't that competent.
Stop fooling yourself. It's completely about censorship.
The focus of the Egyptian government since the coup has been suppression of dissent. The economy is a mess simply because too much time is being spent on making sure that no one criticizes the coup and the current regime.
Moreover, I would understand blocking a more popular chat app, but targeting Signal specifically means that the government is worried about activists. I'd wager that 99% of average phone users don't even know what Signal is.
Telecom companies which employed tens of thousands mostly young educated because of the massive growth since early 2000s, have been facing now slowdown if not shrinking because most people here are now communicating for free using whatsapp and viber. These companies were doing also nasty things like injecting advertisement codes inside plain html pages to earn money, as most people here are browsing only facebook and twitter which use https, it became harder for them to compensate their losses on their main service (phone calls). They were colluding with the government to ban some chat apps on 3g communication and postpone new technologies like 4g and faster adsl connections in order to make people obliged to return to phone calls. The government knows very well that these companies are too big to fail as they are maybe the biggest employer in the country.
I work for a telcom company in Southern Africa. We make billions every year and a lot of that comes from data. Almost nobody makes phone calls these days. When LTE rolled out, the data usage basically doubled. When people have a fast connection they'll use it to watch endless youtube videos and other data hungry apps/services, and they will pay for it.
So if Egypt's telcom companies want to make money, they need to upgrade their infrastructure. A huge initial cost, to be sure. But it will definitely pay for itself, and they will be raking in money before they know it.
> it became harder for them to compensate their losses on their main service (phone calls)
If nobody's interested in voice service and you can't recoup your capital costs, why not just quit while you're ahead and stop providing voice service—thus at least freeing you from needing to pay maintenance on the voice infrastructure?
that's what we call national security/stability here in the middle east :D. Seriously though, the government and the three telecom companies Orange/Vodafone/Etisalat falsely think that this is a win win situation to save the telecom industry and national security, however when it reall comes to terrorism, you can organize a terror attack using facebook chat without anyone knowing anything about you, maybe even after the attack if you are paranoid enough and take all social engineering precautions.
FWIW this happens in other Arab countries too. In Dubai the same carrier Etisalat got a ban on the audio functionality of mobile apps - no calls on Whatsapp, Viber etc. You can still text though.
Legal intercept requirements cost money for the incumbents. Telcos have substantial legal intercept requirements in all markets.
If new entrants do not need to meet regulatory requirements, they can have substantially lower costs than the incumbents, allowing them to undercut them (for example, free text messaging).
This applies in all markets, such as Air BnB suppliers' avoidance of fire safety legislation that hotels have to meet (and zoning, traffic, etc).
Uber/Lyft's avoidance of taxi legislation, which is not necessarily about medallions. Some markets have licensing requirements which aren't applied to normal citizens (work hours and additional provision on license) [1].
Banking is a perfect example of this. You know those Visa cards that were offered by, say, Disney[2]? Offering a Visa card requires a banking license (which I understand is expensive and awkward), so they white-box an existing bank's cards (Chase does a lot of business here).
New entrants can be reasonably asked to meet the regulations. If they choose to not adhere to local legislation, it is perfectly reasonable to bar them from operating in a market.
There is a discussion on whether or not the requirement is sensible. That's for the locals to decide. With the passing of the UK's Investigatory Powers Act 2016 (Snooper's Charter), look for similar regulatory findings to start happening in the UK if there is significant pick-up of traffic on Signal.
The majority of telco products have traditional legal intercept baked in already, it's just a licensed feature. While there are additional costs (training, supporting infrastructure for storage, connectivity for government agencies to perform traces etc.), I do question how 'substantial' they are, as opposed to say pure licensing costs of said equipment (a HLR or SMS-C ain't cheap).
That said commercial passive telco probes are horrendously expensive so the devil may be in the implementation details.
With new meta-data retention laws coming into play (i.e. 2 years for Australia).. I'm assuming the costs will be raised significantly. You can read the mandate here -
Carriers price based on total revenue per subscriber, not just the profit per type of service. So, while the markup on SMS is high (might not actually be high), the RPU (revenue per user) covers total network costs.
As a cost, legal intercept isn't a drop in the bucket, and it has killed many an offering at a telco when they go to the regulator and the regulator says "you have to support legal intercept".
The cost structure behind SMS is typically due to many of the carrier's suppliers charging the carrier per subscriber (or per SMS). This puts a floor on the carrier's cost structure, and encourages them to look at any lever they can pull to keep new entrants out. Legal intercept would be part of the package. I have no idea how big a cost it is, but I would expect it to be a definite profit center for the equipment supplier - regulatory tends to be bespoke, special snowflake software that the customer MUST HAVE or else they will be turned off.
So, once a regulation is in, it's very easy to apply it as a barrier to entry. Imagine a mobile phone company starting up and not offering number portability.
There is even history in the telco market and messaging services, RIM (BlackBerry Messaging) ran into the exact same issues in the Middle East and India over the same thing [1].
Based on your comment, is then Nokia, Ericsson, Siemens, ex-Nortel, Huawei, Cisco are all responsible for mass murder? Who in these organisations is responsible? The systems engineer, the project manager or the CEO? Or the developer who wrote the lawful intercept feature?
When making statements of this nature, can you please be a little more specific?
"Legal intercept requirements cost money for the incumbents. Telcos have substantial legal intercept requirements in all markets."
Shouldn't cost much at all. I'm assuming they have servers or appliances for monitoring anyway at the points they'd likely implement LE. They just have to use them for it. Many of the U.S. telcos also charge a fee for police monitoring per PDF's on cryptome. The prices looked like they could buy new servers or monitoring gear every time a request happen plus the smaller cost of processing it. I think the L.E. cost is inflated by the companies being heavyweights that inflate cost of most things. It could be optimized like monitoring is at smaller firms.
The article seems to be scarce on details... I'm not sure if this is about the blocked access after signal deployed its "domain fronting"[1] mitigation technique (Dec 21) as the original reported cited by the article[2, 3] is from before the mitigation technique is deployed (Dec 17).
Are there more details about if domain fronting can be blocked as well?
> With today's release, domain fronting is enabled for Signal users who have a phone number with a country code from Egypt or the UAE. When those users send a Signal message, it will look like a normal HTTPS request to www.google.com. To block Signal messages, these countries would also have to block all of google.com. (emphasis added)
It can be blocked, but doing so will block google.com. Basically Open Whisper Systems is making a block that much more costly to implement, since Google is ubiquitous in so many different areas.
EDIT: forgot how to add the emphasis, is fixed now.
It can be blocked, but doing so will block google.com. Basically Open Whisper Systems is making a block that much more costly to implement, since Google is ubiquitous in so many different areas.
If they can ramp up their homegrown options or a regional competitor to Google develops that can really compete well, why wouldn't they block all of Google.com? In China, it's already happening. It's completely possible because a lot of the population doesn't require access to English content, and so doesn't require an English search engine. Local search engines like Baidu and foreign search engines willing to comply with their local laws like Bing will be totally fine. And given that the Middle East has a lot of locals who don't actually speak English, I see that as a distinct possibility in the future. The comparison is almost perfect, no?
You're missing the point. Domain fronting is intended to mask the Signal traffic into something that's not.
Sure, they can block Google. Signal can do the same process with YouTube, or GMail, or whatever, and they can play a cat and mouse game like that until Egyptian people get really pissed off.
This comment explains better than I can as to why that doesn't matter. https://news.ycombinator.com/item?id=13268819 Essentially, if a local regional player (or a foreign player who complies with their laws) can compete to take the place of whatever domain they block, why can't they block any or all domains used for domain fronting? The cat and mouse game becomes irrelevant if local companies become relevant.
SNI requires the hostname to be sent over the wire as plaintext. The reason why SNI is useful is because it allows one server to host many HTTPS domains. Perhaps some innovation to SNI would fix this problem.
This. The current advent of the encrypted web would not have been possible without SNI - the costs for exclusive IPv4 addresses (especially when using a CDN) would have been prohibitive.
SNI isn't as much as a security risk if you consider that before resolving, you usually need a DNS request too - which would expose the endpoint to your ISP anyway.
This only works because the same company is hosting the content (appspot) as the fronting domain (google.com). Google terminates the TLS then looks at the host header to see where to send it.
I couldn't hide my website behind facebook, because my website and facebook are not behind the same TLS terminator.
Can you really not draw a distinction between appspot and google.com? They run googleusercontent.com to maintain that separation for Google Cache, after all.
No, per the linked check-in, the Egyptian govt would have to block OWSCensorshipConfigurationFrontingHost, which is "https://google.com". That is the domain looked up in DNS and included in the TLS Certificate's SNI field. These are the only domains that are sent plain-text.
"signal-reflector-meek.appspot.com" domain only shows up in the HTTP "Host" header, which is TLS encrypted, and thus not visible to the censors.
At brute force they will do as Turkey has done with YouTube, and order the ISPs to null route entire /20 to /16 sized pieces of the internet belonging to YouTube, etc. Same with appspot.
In most cases you could, but due to how google implements TLS termination, google ignores the SNI domain when considering what content to send, it only pays attention to the host header.
Seems like even more effective than fronting as google.com would be essentially to front as a random domain, perhaps selected from the top 1k domains popular in that country...
To boot: Systematically defeating the ability for a country or ISP to block traffic to a specific domain would be a universal win for free speech.
This only works because the same company is hosting the content (appspot) as the fronting domain (google.com). Google terminates the TLS then looks at the host header to see where to send it. It can't be hidden behind a random domain.
This only works because the same company is hosting the content (appspot) as the fronting domain (google.com). Google terminates the TLS then looks at the host header to see where to send it.
We need to reach the point where there’s no easy way to simply “block” things you don’t like. Quite the opposite, it should be absurdly expensive to even try to do that, with numerous technical and geographic hurdles to overcome.
A truly secure protocol should have no easy way to identify its traffic (e.g. no obvious domain-name patterns that can be disallowed with a single regex, no common IP address blocks, and no suspicious volume of traffic that couldn’t just as easily come from 100 other things on the Internet). The backbone itself should also have more than one off-switch; difficult in practice for some remote areas but theoretically doable in combination with satellite radios, etc.
Curious how you "block" an app. If you're saying blocking though an app store. But what about sending the files through other means, zip in an email, Dropbox, whatever. If the app connects online me somehow Egypt "knows"?
I mistakenly thought Signal was an app on your phone that encrypted/decrypted text messages. What part of that has to be online, other than getting updated public keys, or is that the part that was blocked?
Signal is really an XMPP client with a custom protocol extension. All of its encrypted messaging functionality relies on being able to communicate with the official Signal server(s).
The Android version can, or at least used to, send and receive text messages, but these were unencrypted. I believe that it was just to make Signal useful as an all-in-one short messaging app.
The Android client does support regular SMS handling, which is what makes it great. Regular unencrypted SMS for users without Signal, and end-to-end for users who have it, all in the same application.
It used to support encryption over SMS, unfortunately it was removed and is now the primary focus of Silence[0], while Noise[1] is now for Signal without the requirement of GCM for signaling.
Upvote for Silence. It's the only solution for people who don't or won't have a data connection open permanently. It also requires no signup and depends on no external service.
I'd not heard of Noise. I'm glad that all the interesting crypto work that Open Whisper Systems is doing is being forked and diversified - it's too valuable to be only available through one centralized provider.
