Signal, an end-to-end encrypted messaging platform was recently blocked by the Iranian government.

To help its users bypass censorship in Iran, the company suggested a TLS proxy workaround.

However, multiple researchers have now discovered flaws in the workaround that can let a censor or government authority probe into Signal TLS proxies, rendering these protections moot and potentially bringing repercussions for Signal users located in repressive regimes.

The researchers who reported these flaws via Signal’s GitHub repository have been banned by the company with their reported issues removed.

Signal workaround comes with risks for users

In a recent blog post titled “Help users in Iran reconnect to Signal,” the company suggested a workaround that users in Iran could deploy to bypass the government’s censorship of the Signal app.

The users could, according to the company, set up a TLS proxy using code from Signal’s GitHub repository and route their connections through it, to fly under the government’s radar.

In an ideal world, an Iranian user of Signal could execute a few commands on their computer, setup Signal’s proxy, and tweet #IRanASignalProxy.

However, on analyzing the code in the repository, researchers DuckSoft and studentmain found various issues that can enable a censor, such as law enforcement agency, to easily detect Signal proxies and either trace back the traffic to the users or block the proxies altogether.

This could happen due to how the SSL/TLS tunnel is deployed with the certificate revealing the IP address and plaintext information in the Server Name Indication (SNI) field.

“Connecting to a Signal Proxy will only need the domain name of the server.”

“From a censor’s view, when the traffic of the proxy passes, the visible information is the IP and the cleartext Server Name Indication (SNI) in TLS ClientHello, which exactly corresponds to the domain name of the server,” DuckSoft and studentmain told BleepingComputer in an email interview.

The researchers shared a Proof-of-Concept (PoC) exploit capable of demonstrating this hypothesis, and proposed fixes Signal could adopt.

They further explained to BleepingComputer if a censor is skeptical of a connection, they could come up with ways to verify if what they are seeing is Signal traffic.

To do so, a censorship authority can set up a Signal Client, and try connecting to this proxy. 

“If this domain from SNI actually works as a Signal Proxy [on connecting to this Signal Client], then it must be a Signal Proxy.”

“And if it’s a Signal proxy, the proxy can get blocked instantly, and, some bad things could happen to people who’ve accessed the proxy in a repressive regime since authorities have the ability to keep track of everyone’s network log,” continued the researchers during the interview.

This is not the only way to identify Signal proxies though, the researchers explain.

“Censors don’t really have to use true Signal Clients. This proxy works when the proxied TLS traffic is targeted at Signal servers.”

“Censors can just use this proxy and see if this can connect to Signal Servers or not,” the researchers told BleepingComputer, pointing to the nginx server configuration files present in the company’s codebase (archived).

For example, a Signal proxy server will only accept traffic from Signal’s permitted domains and deny traffic from Telegram or any non-Signal domains, thereby unmasking its true purpose.

Signal proxy server configuration selectively permits traffic
Signal proxy server configuration selectively permits traffic

Other researchers [12] have confirmed these findings as valid and proposed various fixes that Signal can use to make their proxies resistant to such probing techniques.

Researchers banned from Signal’s forums and GitHub

In a rather ironic twist of events, shortly after the researchers had reported their concerns on Signal’s public GitHub issue pages, they were booted out by the repo’s maintainers.

“Hey everyone! Thanks for the interest in this. We normally don’t use [GitHub] issues for this type of discussion, though, and prefer to have that happen over on the Signal community forum,” responded a Signal maintainer, according to the researchers.

On posting the discussion to the Signal community forum as prescribed, the researcher saw their accounts placed on temporary hold.

Signal bans researchers from their forum
Signal suspends researchers from their community forum

Furthermore, the issue page filed by the researchers on GitHub was taken down and now returns a 404 (not found) error message.

The researchers have also been banned by the maintainers of Signal’s GitHub repository.

A Signal community moderator has clarified the spam prevention safeguard built within the Discourse forum software had “automatically silenced” the account which has since been restored.

For a tech company that creates products designed to combat censorship, this move by Signal has left the researchers surprised.

“They claimed to help people in censorship, but they in turn censor whistleblowers.”

“Almost every proposal [made to Signal to fix this issue] would have worked pretty better if Signal were adopting them.”

“Yes, Signal is good at designing robust cryptography. But building a blocking-resistant proxy is more about steganography. They are similar and tightly related, but not the same thing.”

“We just hoped that Signal would take the vulnerability seriously. Proxy without concealment means failure in repressive regimes,” DuckSoft and studentmain concluded in their interview with BleepingComputer.