Help users in Iran reconnect to Signal

jlund on 04 Feb 2021

Just over a week ago, we announced that Iranian censors had started blocking all Signal traffic in the country. As an interim solution to help people in Iran get connected again, we’ve added support in Signal for a simple TLS proxy that is easy to set up, can be used to bypass the network block, and will securely route traffic to the Signal service.

This new connection method is supported in the latest Signal Android beta release, and will be rolling out to production users in a few days. Our hope is that this will help many people in Iran start sending and receiving messages again while we continue to explore additional censorship circumvention techniques that will work there.

Act as a proxy

If you want to help by running a proxy, you only need the following to get started:

  • A server with ports 80 and 443 available.
  • A domain name (or subdomain) that points to the server’s IP address.

The proxy is extremely lightweight. An inexpensive and tiny VPS can easily handle hundreds of concurrent users. If you would like to run a proxy server, you can follow the setup instructions here. You can share your proxy with friends and family using this URL format: https://signal.tube/#<your_domain_name>

The latest beta release of the Android app is registered to handle links from signal.tube. The app can automatically configure proxy support when you tap on a link from any other app. This step happens before any web request is made, so even if a censor tries to block that domain it won’t accomplish anything.

You can also manually configure proxy information in your Signal Settings.

An unorthodox-y proxy

Unlike a standard HTTP proxy, connections to the Signal TLS Proxy look just like regular encrypted web traffic. There’s no CONNECT method in a plaintext request to reveal to censors that a proxy is being used. Valid TLS certificates are provisioned for every proxy server, making it more difficult for censors to fingerprint the traffic than it would be if static self-signed certificates were used instead. In short, everything is designed to blend into the background as much as possible.

The Signal client establishes a normal TLS connection with the proxy, and the proxy simply forwards any bytes it receives to the actual Signal service. Any non-Signal traffic is blocked. Additionally, the Signal client still negotiates its standard TLS connection with the Signal endpoints through the tunnel.

This means that in addition to the end-to-end encryption that protects everything in Signal, all traffic remains opaque to the proxy operator.

#IRanASignalProxy

If you set up a Signal Proxy and you want to let the world know, you can use the hashtag #IRanASignalProxy.

When you publicly post a signal.tube link, or if a particular server becomes too popular, it increases the chance that Iranian censors will simply add those IPs to their block list.

A more discreet approach would be to only send the link via a DM or a non-public message. You can post something like this on your favorite social network:

#IRanASignalProxy Reply to this thread if you want the connection details, and follow me so I can DM you the link.

Although it’s easy to launch new proxies if one gets blocked, we want to do everything we can to make things as difficult for Iranian censors as possible. As long as there are servers in the world, there is no limit to the number of Signal TLS Proxies that people can run.

Only the start of the proxy battle

We hope that organizations and individuals will step up to run Signal TLS Proxy servers for Iranian users and help coordinate their distribution. We’re also continuing to investigate other techniques that are more automated and convenient.

Iranian people deserve privacy. We hope this helps.