Signal urges users to create TLS proxies for Iranians
Messaging service Signal is calling on users to create TLS proxies so that Iranians can use the service again. Since last week, the Iranian censor has blocked all Signal traffic in the country. Signal has built in support for setting up a simple proxy.
Signal makes the call in a blog post and on Twitter. It is asking as many users as possible to host a proxy server so that Iranian users can bypass the government blockade. On January 25, Signal announced that the Iranian censor had started blocking all Signal traffic. According to Signal, supporting TLS proxies is an interim solution to allow Iranians to use the service again.
The proxy can be used in Iran to circumvent the network blockade while still sending traffic securely to Signal. The new connection method is built into the latest beta release of the Signal Android app and will be pushed to regular users in a few days.
According to the messaging service, it is very simple to act as a proxy. The service has put an extensive explanation on GitHub. In short, you need to host a domain name with ports 80 and 443 available. Signal asks you to install Docker and clone the repository. A helper script then provisions a TLS certificate from Let's Encrypt. Once the proxy is running, it can be shared under a signal.tube domain: https://signal.tube/#
Signal describes the proxy as "unorthodox" because its traffic looks like normal encrypted web traffic rather than that of a standard HTTP proxy. There is no CONNECT method in a plaintext request, so the Iranian censor cannot see that it is a proxy, and because every proxy server receives a valid TLS certificate, the censor cannot fingerprint the traffic. Signal makes a regular TLS connection to the proxy, and the proxy simply forwards the data to the actual Signal service. All other traffic is blocked, and end-to-end encryption remains in place.
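
What an on-path observer can read from a connection's first client bytes, as an added example (not Signal's code): a standard HTTP proxy request names its target in plaintext through the CONNECT method, while a regular TLS connection to the proxy shows only a handshake addressed to the proxy's own domain. The host names `signal-service.example` and `proxy.example.org`, the minimal ClientHello and all function names are constructed for illustration, and the sketch assumes the client sends the proxy's domain as the TLS server name.

```python
import struct

def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS ClientHello carrying only a server_name extension."""
    host = sni.encode("ascii")
    # extension data: list_len(2) | name_type(1)=host_name | name_len(2) | name
    sn = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    exts = struct.pack("!HH", 0x0000, len(sn)) + sn
    body = (b"\x03\x03" + bytes(32)       # legacy_version, random (zeros here)
            + b"\x00"                     # empty session_id
            + b"\x00\x02\x13\x01"         # one cipher suite
            + b"\x01\x00"                 # null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record header

def parse_sni(record: bytes):
    """Return the server name from a ClientHello record, or None if absent."""
    p = 5 + 4 + 2 + 32                               # headers, version, random
    p += 1 + record[p]                               # session_id
    p += 2 + int.from_bytes(record[p:p + 2], "big")  # cipher_suites
    p += 1 + record[p]                               # compression_methods
    end = p + 2 + int.from_bytes(record[p:p + 2], "big")
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        if etype == 0:                               # server_name extension
            nlen = int.from_bytes(record[p + 7:p + 9], "big")
            return record[p + 9:p + 9 + nlen].decode("ascii")
        p += 4 + elen
    return None

def observer_view(first_bytes: bytes) -> dict:
    """What a passive on-path observer learns from the first client bytes."""
    if first_bytes.startswith(b"CONNECT "):          # plaintext proxy request
        target = first_bytes.split(b" ")[1].decode("ascii")
        return {"kind": "http-proxy", "visible_target": target}
    if len(first_bytes) > 5 and first_bytes[0] == 0x16 and first_bytes[5] == 0x01:
        return {"kind": "tls", "visible_target": parse_sni(first_bytes)}
    return {"kind": "unknown", "visible_target": None}

# Constructed sample inputs; both host names are placeholders.
HTTP_PROXY = b"CONNECT signal-service.example:443 HTTP/1.1\r\n\r\n"
TLS_PROXY = build_client_hello("proxy.example.org")

if __name__ == "__main__":
    print(observer_view(HTTP_PROXY))
    print(observer_view(TLS_PROXY))
```

In the TLS case the only name on the wire is the proxy's own domain; the service behind it does not appear in anything the observer can read.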