Wickr gets slicker with fresh network tricker: Privacy-protecting domain fronting alternative emerges

Secure messaging maker courts biz comms gigs with Psiphon's help

Encrypted comms service Wickr has hooked up with Psiphon, a maker of censorship circumvention tools, to provide an alternative to domain fronting as a defense against prying eyes online.

Domain fronting is a technique for hiding requested network hostnames from those monitoring your internet traffic. It presents one hostname in the DNS request and TLS negotiation and a different one in the HTTP header. The goal is to show an innocuous hostname to potential censors while visiting a different website that's not apparent to observers.

In recent years, a handful of secure comms apps favored by dissidents and journalists like Psiphon and Signal have employed domain fronting to hide network requests from scrutiny. That way, it appears, say, a phone app is connecting to a harmless server whereas it's really connecting to a service that is otherwise banned or monitored.

However, earlier this year, both Amazon and Google put an end to the practice. Amazon said the technique can be abused, and Google insisted domain fronting only worked "because of a quirk of our software stack."

Presumably, cloud providers found it awkward to explain to authorities in countries with strict censorship rules that citizens were using domain fronting on their platforms to evade monitoring.

On Thursday, Wickr and Psiphon (which supplies network support for Wickr's app) rolled out a service called Wickr Open Access (WOA) that shields network traffic from snooping in a way that's similar to domain fronting.

Feel a connection

Michael Hull, president of Psiphon, in an email to The Register described WOA as a "smart VPN" that chooses between the best connection from a set of multiple servers instead of a single domain front.

"Psiphon has developed many production grade custom Internet transport protocols and implements each in parallel when connecting to Psiphon servers (of which there are approximately 3,500 running at any time)," said Hull. "This multi-protocol approach is much more robust than the single domain fronting protocol that was run through Google and Amazon infrastructure."

Traditional domain fronting, said Hull, relies on a single cloud provider to do something it wasn't designed to do, in order to hide traffic. "This practice inevitably faced restrictions as it gained popularity simply because it put providers’ customers at risk of losing service/connectivity as a result," he added.

Psiphon's multi-server approach also attempts to avoid TLS fingerprinting by manipulating the TLS handshake in an attempt to confuse deep packet inspection systems, he said, pointing to Wickr's ease of use as another part of the mix.

Both Wickr's and Psiphon's protocols are available on GitHub for public review.

When Wickr was started, it was for NGOs, said Wickr COO Chris Lalonde, in a phone interview with The Register. Now it gets attention from organizations interested in secure communications.

Pointing to the ongoing attacks on political campaigns, Lalonde said, "We've been so beat up by our adversaries that we have to figure out how to secure things differently."


Joel Wallenstrom, CEO of Wickr, says such security issues are particularly acute in enterprises.

"When these consumer products soak into the enterprise, there's a point where people say, now I need to figure out how to control this," said he, noting that's happening with Slack, the popular group chat app.

Wallenstrom contends secure comms has become a necessity just to deal with network irregularities.

"I can tell you for certain there's a major coffee shop that gives away free WiFi but they block UDP, which basically kills Voice over IP connections," he said. "If you're dropping into the local coffee shop to get something done, the user experience doesn't work."

"The user just wants the data to get where it needs to go," said Wallenstrom. "And that's what our job is. ...We want to make sure there's high availability around secure communication." ®

Other stories you might like

  • Verizon: Ransomware sees biggest jump in five years
    We're only here for DBIRs

    The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.

    Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.

    According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.

    Continue reading
  • Slack-for-engineers Mattermost on open source and data sovereignty
    Control and access are becoming a hot button for orgs

    Interview "It's our data, it's our intellectual property. Being able to migrate it out those systems is near impossible... It was a real frustration for us."

    These were the words of communication and collaboration platform Mattermost's founder and CTO, Corey Hulen, speaking to The Register about open source, sovereignty and audio bridges.

    "Some of the history of Mattermost is exactly that problem," says Hulen of the issue of closed source software. "We were using proprietary tools – we were not a collaboration platform before, we were a games company before – [and] we were extremely frustrated because we couldn't get our intellectual property out of those systems..."

    Continue reading
  • UK government having hard time complying with its own IR35 tax rules
    This shouldn't come as much of a surprise if you've been reading the headlines at all

    Government departments are guilty of high levels of non-compliance with the UK's off-payroll tax regime, according to a report by MPs.

    Difficulties meeting the IR35 rules, which apply to many IT contractors, in central government reflect poor implementation by Her Majesty's Revenue & Customs (HMRC) and other government bodies, the Public Accounts Committee (PAC) said.

    "Central government is spending hundreds of millions of pounds to cover tax owed for individuals wrongly assessed as self-employed. Government departments and agencies owed, or expected to owe, HMRC £263 million in 2020–21 due to incorrect administration of the rules," the report said.

    Continue reading

Biting the hand that feeds IT © 1998–2022