Encrypted comms service Wickr has hooked up with Psiphon, a maker of censorship circumvention tools, to provide an alternative to domain fronting as a defense against prying eyes online.

Domain fronting is a technique for hiding requested network hostnames from those monitoring your internet traffic. It presents one hostname in the DNS request and TLS negotiation and a different one in the HTTP header. The goal is to show an innocuous hostname to potential censors while visiting a different website that's not apparent to observers.
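As an added illustration (not from the article or from any provider's code), the sketch below shows the mismatch described above from the server side: a front end that terminates TLS can compare the hostname sent in the TLS Server Name Indication (SNI) field with the HTTP Host header once the request is decrypted. The hostnames and requests are constructed samples, and the function names are hypothetical.

```python
# Added example: SNI vs Host consistency check at a TLS-terminating front end.
# Hostnames and requests below are constructed sample data.

def normalize(host):
    """Lowercase, drop a trailing dot and any :port suffix."""
    host = host.strip().lower()
    if host.startswith("["):                 # IPv6 literal such as [::1]:443
        return host[1:host.find("]")]
    return host.split(":", 1)[0].rstrip(".")

def host_header(raw_request):
    """Return the Host header values found in a raw HTTP/1.1 request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    values = []
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            values.append(value)
    return values

def check(sni, raw_request):
    """Classify one decrypted request against the SNI of its TLS session."""
    hosts = host_header(raw_request)
    if len(hosts) != 1:
        return "reject: missing or duplicate Host"
    if sni is None:
        return "no SNI: cannot compare"
    if normalize(hosts[0]) != normalize(sni):
        return "mismatch: SNI=%s Host=%s" % (normalize(sni), normalize(hosts[0]))
    return "consistent"

SAMPLES = [  # (SNI seen in the handshake, decrypted request), all constructed
    ("cdn.example.com", b"GET / HTTP/1.1\r\nHost: cdn.example.com\r\n\r\n"),
    ("cdn.example.com", b"GET / HTTP/1.1\r\nHost: CDN.Example.com:443\r\n\r\n"),
    ("cdn.example.com", b"GET / HTTP/1.1\r\nHost: hidden.example.net\r\n\r\n"),
    ("cdn.example.com", b"GET / HTTP/1.1\r\nAccept: */*\r\n\r\n"),
]

if __name__ == "__main__":
    for sni, req in SAMPLES:
        print(check(sni, req))
```

An on-path observer sees only the SNI value, which is why the comparison is possible at the server that decrypts the request and not on the network in between.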

In recent years, a handful of secure comms apps favored by dissidents and journalists, like Psiphon and Signal, have employed domain fronting to hide network requests from scrutiny. That way, a phone app, say, appears to be connecting to a harmless server when it's really connecting to a service that is otherwise banned or monitored.

However, earlier this year, both Amazon and Google put an end to the practice. Amazon said the technique can be abused, and Google insisted domain fronting only worked "because of a quirk of our software stack."

Presumably, cloud providers found it awkward to explain to authorities in countries with strict censorship rules that citizens were using domain fronting on their platforms to evade monitoring.

On Thursday, Wickr and Psiphon (which supplies network support for Wickr's app) rolled out a service called Wickr Open Access (WOA) that shields network traffic from snooping in a way that's similar to domain fronting.

Feel a connection

Michael Hull, president of Psiphon, in an email to The Register described WOA as a "smart VPN" that chooses the best connection from a set of multiple servers instead of relying on a single domain front.

"Psiphon has developed many production grade custom Internet transport protocols and implements each in parallel when connecting to Psiphon servers (of which there are approximately 3,500 running at any time)," said Hull. "This multi-protocol approach is much more robust than the single domain fronting protocol that was run through Google and Amazon infrastructure."

Traditional domain fronting, said Hull, relies on a single cloud provider to do something it wasn't designed to do, in order to hide traffic. "This practice inevitably faced restrictions as it gained popularity simply because it put providers’ customers at risk of losing service/connectivity as a result," he added.

Psiphon's multi-server approach also attempts to avoid TLS fingerprinting by manipulating the TLS handshake in an attempt to confuse deep packet inspection systems, he said, pointing to Wickr's ease of use as another part of the mix.

Both Wickr's and Psiphon's protocols are available on GitHub for public review.

When Wickr was started, it was for NGOs, said Wickr COO Chris Lalonde, in a phone interview with The Register. Now it gets attention from organizations interested in secure communications.

Pointing to the ongoing attacks on political campaigns, Lalonde said, "We've been so beat up by our adversaries that we have to figure out how to secure things differently."

Security

Joel Wallenstrom, CEO of Wickr, says such security issues are particularly acute in enterprises.

"When these consumer products soak into the enterprise, there's a point where people say, now I need to figure out how to control this," he said, noting that's happening with Slack, the popular group chat app.

Wallenstrom contends secure comms has become a necessity just to deal with network irregularities.

"I can tell you for certain there's a major coffee shop that gives away free WiFi but they block UDP, which basically kills Voice over IP connections," he said. "If you're dropping into the local coffee shop to get something done, the user experience doesn't work."

"The user just wants the data to get where it needs to go," said Wallenstrom. "And that's what our job is. ...We want to make sure there's high availability around secure communication." ®