signalapp / Signal-iOS

A private messenger for iOS.
https://signal.org
GNU Affero General Public License v3.0

Signal inside UAE blocked even with Censorship Circumvention is ON #2678

Closed ghost closed 6 years ago

ghost commented 6 years ago

Bug description

Signal iOS is not connecting to the server even with Censorship Circumvention ON (which is the default) inside the UAE.

Steps to reproduce

Just live in UAE

Screenshots

No need, any message is not reachable to the contacts.

Device info

Device: iPhone 6s Plus
iOS version: 10.3.1
Signal version: 2.17.1.1

Link to debug log

https://gist.github.com/anonymous/dee9567997e07e2a75e3cfd3e1cbdab1

michaelkirk commented 6 years ago

Can you include a screenshot from Signal > Settings > Advanced?

If your censorship circumvention is set to a non-UAE location, could you change it and see if Signal works?

Can you verify you can get to https://google.ae in your browser on the same device?

ghost commented 6 years ago

[image: signal screenshot]

> If your censorship circumvention is set to a non-UAE location, could you change it and see if Signal works?

Not applicable, check the screenshot (no further options).

> Can you verify you can get to https://google.ae in your browser on the same device?

I can reach it (don't worry, I'm not that dumb).

michaelkirk commented 6 years ago

And just to state the obvious - does your registered number start with +971?

ghost commented 6 years ago

Yeah, maybe you need to change the Censorship Circumvention way? Not sure which method you are using, but they seem to have overcome it.

ms13417 commented 6 years ago

My friends in the UAE are all having the same issue. There are those who can't even get past the activation screen since signal isn't able to connect to the internet. We've tried re-installing the app and trying wifi and mobile connection. The others who have managed to activate the app last month stopped being able to receive any messages recently. All of their numbers start with +971.

RiseT commented 6 years ago

I've got a similar report from a user in Qatar, but the issue started just yesterday seemingly out of the blue. Not sure if this is related. The user can reach https://www.google.com.qa/ via browser without any problems.

embeemb commented 6 years ago

I can report the same in Egypt. Messages were not being sent. Failing to register after trying to re-install the app. Censorship circumvention was on before the uninstall. Even trying to register while on VPN is failing both on wifi and 4G. I'm able to use the internet normally otherwise and http://google.com.eg and http://google.com are not blocked.

dlshad commented 6 years ago

Signal is not allowing 'Who is connected already' to enable 'Censorship circumvention' option to test if the issue is on Google's fronting side. I think something is happening on the (Google) domain fronting side.

RiseT commented 6 years ago

Are there currently any countries where censorship circumvention is enabled that do work...?

Bludarth commented 6 years ago

In support to what is being discussed here. I use Signal on iOS in Qatar and following are my observations:

  1. I had version 2.11.2; it worked fine even after VoIP apps started crumbling in Sept. even though it did not have the Censorship Circumvention "option."
  2. Updated to 2.17.1.1 on Oct 26th. Censorship Circumvention "option" is enforced. Signal worked that day.
  3. On Oct 27th there were problems with Signal - failed calls and messages. When Signal announced it got everything back in order, in Qatar we still had failed calls and messages.
  4. Signal kept showing notifications of received messages (from friends outside of Qatar). The Signal app, however, could not connect to the internet to retrieve the messages. Inbound traffic works (at least notifications) but outbound traffic does not work.
  5. Trying to delete my account failed because Signal cannot connect to servers.
  6. Even utilizing VPN did not solve the problem. Signal is not connected and does nothing: sms, calls, delete account, re-register push notifications, or send debug logs; nothing works.
  7. Oct 31, deleted app, installed it again, VPNed, attempted to register Qatari number, received verification SMS; verification failed due to Signal not able to connect to internet! (Seconds prior to that it did connect to servers to request SMS verification!)
  8. On local wireless network (no VPN) attempted to register a USA number, friend in USA received verification SMS, I entered the verification number; verification successful. Signal in Qatar on local wireless network with US-registered number works. Status: Connected.
  9. Since the number is US-based, Censorship Circumvention is not enforced.
  10. A friend who is using Signal V. 2.15.3.2 can use Signal in Qatar with no problems.
  11. A friend who is using Signal V4.x on Android can use Signal in Qatar with no problems.
  12. Browsers on my iPhone can get to www.google.com.qa.

Possible remedies:

  1. Update Signal so that a user can manually enable/disable Censorship Circumvention.
  2. Allow users to downgrade to v2.15.
  3. Update Signal to allow users to register with email address similar to Wire. This will eliminate Censorship Circumvention activation based on country code.

RiseT commented 6 years ago

This is fully in line with what my Qatari contact has told me.

RiseT commented 6 years ago

> A friend who is using Signal V4.x on Android can use Signal in Qatar with no problems.

That one is interesting. Bug in the Signal iOS implementation of censorship circumvention?

MRizkBV commented 6 years ago

Same experience here in Egypt as @Bludarth

I got two Signal accounts, one setup on a Qatari number, the other is on an Egyptian number. I am currently located in Egypt and using the latest app on iOS. Because censorship circumvention is enabled on both due to the numbers used I am no longer able to use the app at all.

I tried getting a temporary US based number online and register. It registered successfully and the app connected fine without censorship circumvention and everything was working as expected.

It seems like there is something wrong with how the censorship circumvention works on your iOS app because it even fails while using a VPN which doesn't make any sense!

Here is a copy of the debug log on my iPhone 7 Plus (Egypt but registered using Qatari number)

And yes I can access google.com / google.com.qa / google.qa / google.com.eg / google.eg on my phone.

https://gist.github.com/71df3a8412ab5977946fd579aa42d0c4

@RiseT Seems like a no. I have tested in Egypt using an Egyptian number and a Qatari number. Failed. I have tested in Qatar using a Qatari number and it also failed. Also OP here is in the UAE and it is not working for him/her either.

Bludarth commented 6 years ago

@RiseT
The version my friend uses on Android is 4.11.5 which is the latest. However, this version in Android still does not have Censorship Circumvention option. A video call to another friend using Signal on Android was made (not sure what version) and a voice call as well. For me, Signal worked just fine on the previous version which did not have Censorship Circumvention -registered with a Qatari number. Currently Signal works just fine with Censorship Circumvention disabled because it is registered with a US number. Even still, Signal V. 2.17.1.1 worked fine for a day, and for a week for someone else I know before Signal faced service interruptions on Oct 27th. And as I have mentioned in the previous post, a friend who has V. 2.15.3.2 can still use Signal (with a registered Qatari number.) The new current version with its Censorship Circumvention + whatever Whisper Systems implemented to remedy the service interruptions on Oct 27th is a bad combination for Censorship Circumvention on iOS.

RiseT commented 6 years ago

> The version my friend uses on Android is 4.11.5 which is the latest. However, this version in Android still does not have Censorship Circumvention option.

Not true. It doesn't have a visible "option", i.e. no switch in its user interface, but it does have censorship circumvention internally (depending on the phone number's country code).

Here: https://github.com/WhisperSystems/Signal-Android/blob/master/src/org/thoughtcrime/securesms/push/SignalServiceNetworkAccess.java

Just out of curiosity: Is that switch in Signal iOS actually "switchable", i.e. can the user change its state, or is this just for displaying if censorship circumvention has been enabled or not based on the area code...?

MRizkBV commented 6 years ago

@RiseT

No, it can't be turned off on iOS if your registered phone number is added to Signal's censorship circumvention list.

Bludarth commented 6 years ago

@RiseT @MRizkBV Correct, this switch is only an indication of the status of circumvention. It is grayed out when not active, and pale blue when active (as seen above in the original post) and the user does not have the option to switch it on/off. Currently I use Signal with Circumvention off because the country code is US. I am a Signal user, not a developer, so I cannot get into the technicality of it.

If circumvention is implemented on Signal before v.2.17 without showing on the user interface, and the problem is the circumvention technique, then Signal should have stopped working with the older versions. But that is not the case. At least one user with V.2.15 iOS (does it have embedded circumvention?) can use Signal without a problem. At least one user with V.4.11 Android (embedded circumvention) can use Signal without a problem. At least one user with V.2.17 iOS (visible disabled circumvention for using US number) can use Signal without a problem. Signal V.2.17 on iOS V.10.3.1 with visible circumvention enabled worked without issues until Oct 27th. So, Signal V.4.11 Android is utilizing circumvention and it works, and V.2.17 iOS is NOT utilizing circumvention and it works. Signal V2.15 iOS works, does it utilize circumvention or does not?

On Signal V2.17 iOS, the app can connect to servers for initial registration. The user can enter the phone number and request the verification SMS. Verification SMS is received, which means the app was able to connect to the servers. When entering the verification code, the user gets an error that Signal cannot connect to the internet.

Taking this step by step from a user perspective, when the app is launched for the first time, it is able to access the internet and connect to Signal servers. The app asks the user to enter the phone number. User enters phone number with country code +974 and hits verify or whatever the button says. Seconds later an SMS is received, which means the app was able to connect to Signal servers and asks to register an account with +974XXXXXXXX. SMS is received with a code, which when entered gives an internet connectivity error. I assume that when Signal servers receive a request to register an account starting with +974, the client app receives a push that says: turn on circumvention. And that is when the connection to the servers is lost. This circumvention routes traffic somewhere where it cannot reach Signal servers.

RiseT commented 6 years ago

Internal censorship circumvention has been a part of Signal Android since December 2016, if that helps. That's version 3.25.

Bludarth commented 6 years ago

@RiseT Would you please point me to where I can find the script that describes the circumvention on iOS? - similar to the one you mentioned for Android. Thanks!

RiseT commented 6 years ago

@Bludarth

Seems like in these files: https://github.com/WhisperSystems/Signal-iOS/tree/master/SignalServiceKit/src/Network

3WfMeCuUqzgXBh commented 6 years ago

I reported this issue to support a while back when it first started to occur. I did a whole bunch of debugging and analysis also.

I am pretty sure this issue is related to the changes google have made to the CA they use to sign certificates. Explained here:

https://security.googleblog.com/2017/01/the-foundation-of-more-secure-web.html

When a user in a censored country tries to use signal the request is sent to google.xx where xx is the TLD. A little while back the cert presented started to change to the new CA from google trust services.

I was poking around the code and found the certificate pinning reference in this file: https://github.com/WhisperSystems/Signal-iOS/blob/master/SignalServiceKit.podspec

s.resources = ['SignalServiceKit/src/Security/PinningCertificate/textsecure.cer', 'SignalServiceKit/src/Security/PinningCertificate/GIAG2.crt']

Which I assume are the only two CAs the Signal client will trust certs from. One is Signal's CA and the other is Google's legacy CA.

Google is now signing certs with a new CA:

[image]

Hence why it does not work anymore.

Additionally for whatever reason this has been happening progressively over the past month so it is possible to still get presented with one of the old certs when hitting google.ae or google.com.qa etc which is why it will randomly work and then stop.

Not being able to disable censorship circumvention in this case rendered the service useless for me. I understand the point of enabling it by default when detecting the country code but at least give the user the option to disable it and maybe a warning that if they do it may not continue to work.

With a phone from an uncensored country I can disable it, connect to VPN and signal works perfectly.
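
Added example (not part of the thread and not Signal's code): the failure mode this comment describes, reproduced offline with the `openssl` CLI. The two CAs and the host name `front.example` are constructed stand-ins, not Google's or Signal's certificates; the check covers the issuer chain only, and shows a client that trusts only the legacy CA rejecting a leaf issued by the new CA until that CA joins the pinned set.

```shell
#!/usr/bin/env bash
# Constructed stand-ins only: "legacy_ca" plays the pinned CA, "new_ca" the
# issuer the server migrates to, and front.example the fronted host name.

# Minimal req config so both CA certificates carry basicConstraints CA:TRUE.
write_cnf() {
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# make_ca NAME CN: write a self-signed CA certificate NAME.pem and key NAME.key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=$2" \
    -days 30 -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# issue_leaf NAME CA: write NAME.pem, a leaf for front.example signed by CA.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=front.example" -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
    -CAcreateserial -days 30 -out "$1.pem" >/dev/null 2>&1
}

# pin_check BUNDLE LEAF: print "accept" if LEAF chains to a CA in BUNDLE.
# The system trust directory holds neither constructed CA, so only BUNDLE counts.
pin_check() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo accept
  else
    echo reject
  fi
}

# Runs in a subshell so the caller's working directory is left untouched.
pin_demo() (
  set -e
  dir=$(mktemp -d)
  cd "$dir"
  write_cnf
  make_ca legacy_ca "Constructed Legacy CA"
  make_ca new_ca "Constructed New CA"
  issue_leaf leaf_old legacy_ca   # what the front served before the migration
  issue_leaf leaf_new new_ca      # what it serves once re-issued by the new CA

  cp legacy_ca.pem pinned_before.pem                   # pin set without the new CA
  cat legacy_ca.pem new_ca.pem > pinned_after.pem      # pin set with the new CA added

  echo "before: old=$(pin_check pinned_before.pem leaf_old.pem) new=$(pin_check pinned_before.pem leaf_new.pem)"
  echo "after: old=$(pin_check pinned_after.pem leaf_old.pem) new=$(pin_check pinned_after.pem leaf_new.pem)"
  cd / && rm -rf "$dir"
)

pin_demo
```

While a server rotates between the two leaves, the "before" pin set gives exactly the works-then-stops pattern reported in this thread.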

RiseT commented 6 years ago

@michaelkirk Is a fix for this making it into v2.18? Those users cannot use Signal at all right now.

michaelkirk commented 6 years ago

If you or someone you know is unable to connect using censorship circumvention and is willing to run some terminal commands and potentially install a special diagnostics build of Signal-iOS, could you contact me: michael@whispersystems.org

RiseT commented 6 years ago

Personally, I neither own an iPhone nor do I live in one of the relevant countries. My Qatari contact, on the other hand, is not exactly talented in IT things, so this could prove difficult.

Thus, I hope one of the other posters of this thread will easily be able to do the required tasks.

Edit: I do have access to his Windows machine via TeamViewer, though, should that be helpful.

MRizkBV commented 6 years ago

@michaelkirk I have multiple iOS devices and a few different phone numbers. I might be able to test it. Sending you an email now :)

Bludarth commented 6 years ago

@michaelkirk I just emailed you. I am willing to participate to assist in figuring out what is happening.

Bludarth commented 6 years ago

@3WfMeCuUqzgXBh "With a phone from an uncensored country I can disable it, connect to VPN and signal works perfectly." Why do you need to VPN? I am currently using Signal in Qatar with a US based number. Censorship Circumvention is disabled and it works just fine. Actually, I have few other friends using Signal in Qatar with US based numbers and the service works great.

MRizkBV commented 6 years ago

@Bludarth Seems like he lives in the UAE. It is far more restrictive there. Qatar has only blocked the popular VoIPs for now and I am sure this is not going to last long (hopefully temp security measures).

RiseT commented 6 years ago

@MRizkBV Do you happen to know who is the culprit of blocking VoIPs in Qatar? From the few news reports I've seen, it seems like both the providers and government deny having anything to do with it.

MRizkBV commented 6 years ago

@RiseT The government did not deny nor confirm VoIP being blocked. They simply said all citizens and residents in Qatar are allowed to use VoIP applications. They then said that for any VoIP provider to be able to provide service in Qatar, they need to obtain a license first and that the only two businesses with a license are Ooredoo and Vodafone (the two carriers).

I am sure this is not a permanent thing but more of a security measure in the meantime because I remember well when Vodafone complained about 2 years ago (or more) and asked ictQatar to block access to VoIP because they were making huge losses on international calls (especially that they invested a lot in international calling capacity). I remember back then ictQatar warned them about taking any action against VoIP so Qatar has been pro-VoIP apps since they existed which makes what is happening now seem really abnormal.

I am sure that even if the service was blocked by the two carriers, it is not because they wanted to but more likely because they were forced to. If both wanted to block VoIP they would have pushed an updated carrier bundle to Apple with AllowVoIP field set to false to force all iPhone devices sold within the region (Middle East) to shut down access to FaceTime just like how it is in the UAE and KSA.

Same applies in Egypt. I know a few who work for the major ISP there (TE Data) and they themselves do not know who exactly forces such DPI measures. They just know that whoever has access to TE Data DPI has to follow the rules provided by whoever is doing all this work (probably Ministry of Interior or State Security which is equivalent to NSA).

RiseT commented 6 years ago

@MRizkBV Thanks very much for the detailed reply!

MRizkBV commented 6 years ago

@RiseT No problem :)

michaelkirk commented 6 years ago

Can anyone who is having difficulties connecting via censorship circumvention please try with the latest beta? (2.18.0.9)

If you are not already signed up for the beta, and are ok with life on the bleeding edge (this includes potential crashes or data loss), please email support@whispersystems with the subject "Signal-iOS Beta - censorship circumvention".

RiseT commented 6 years ago

Thanks. What are the steps necessary for leaving the iOS beta later?

michaelkirk commented 6 years ago

> Thanks. What are the steps necessary for leaving the iOS beta later?

It's a bit different from Android. iOS betas are managed through the Test Flight app.

After signing up, you will receive instructions to install the Test Flight app on your device. When you launch Test Flight, you will be able to download and install the Signal-iOS beta version which will install right over top your existing Signal App, just like a normal appstore update. You'll continue to have all your contacts and messages. Whenever a new beta is available, Test Flight will notify you via a push notification.

Once you've installed the beta, you can switch back to the normal app store build simply by launching AppStore and installing Signal (i.e. the same process as if you were "upgrading" Signal).

At that point, if you want to stop receiving notifications of future Signal beta releases, uninstall TestFlight.

Keep in mind, the Beta/AppStore versions install over-top of one another. At no point are you required to "uninstall" Signal. Doing so will result in losing your message history.

RiseT commented 6 years ago

Great explanation, thanks. This info should be added to the support section.

https://support.signal.org/hc/en-us/articles/115000269532-How-do-I-join-Signal-s-beta-

ghost commented 6 years ago

version 2.18.0.8 beta = Signal is working inside UAE.

iPhone 6s Plus, iOS 11.1

Debug:-

https://gist.github.com/18d12abb7eff868b285445ebd23bd8ab

Bludarth commented 6 years ago

In Qatar, Signal beta v.2.18.0.8 registers and works with a Qatari mobile number. Waiting for the new stable Signal update in the App Store. Friends in Qatar are waiting for this update. It has been a while without Signal!

Bludarth commented 6 years ago

@oonimooni Out of curiosity: does it work with VPN or without VPN? Asking because @3WfMeCuUqzgXBh said the following: "With a phone from an uncensored country I can disable it [Censorship Circumvention], connect to VPN and signal works perfectly." Since we are speculating he is in UAE, I am just wondering...

3WfMeCuUqzgXBh commented 6 years ago

@Bludarth VPN or no VPN it makes no difference for the purposes of testing censorship circumvention with a UAE number. Signal uses the country code to determine if to enable censorship circumvention and where to send the request so for example if you are registered with a UAE number it will send the request to google.ae. Even if you are in the USA it will still do this.

I see the certs have been updated in signal client, look forward to seeing the release.

RiseT commented 6 years ago

@3WfMeCuUqzgXBh Mind to share which VPN service you are using? From what I've heard from my Qatari contact, at least the more popular VPN services (e.g. Opera/SurfEasy) seem to get blocked there as well.

MRizkBV commented 6 years ago

@RiseT Only the free ones are blocked. Qatar never bothered blocking paid ones, even the ones using the simplest protocols (like L2TP or IPSec).

3WfMeCuUqzgXBh commented 6 years ago

@RiseT I don't use a commercial service I run my own.

Bludarth commented 6 years ago

@3WfMeCuUqzgXBh I know that it does not matter if VPN is utilized or not when Signal client is set up with a Qatari number. In Qatar when Signal client is set up with an uncensored-country number there isn't a need to utilize VPN to make a call. WhatsApp, on the other hand, requires a VPN for the audio calls to work.

It was you who said that you set it up with an uncensored number and connected to VPN. So I was just wondering if in UAE - assuming you are there - you need VPN to get audio working on Signal. Again, here is what you said: "With a phone from an uncensored country I can disable it, connect to VPN and signal works perfectly."

3WfMeCuUqzgXBh commented 6 years ago

@Bludarth If you knew it didn't matter then your question to oonimooni was a little confusing then because he was testing the fix for censorship circumvention, anyway not to worry..

To make one thing clear Signal is blocked in the UAE and has been for quite some time this includes messaging, audio/video everything. I have had very mixed results trying to use Signal audio/video over VPN from here but I have never dug into why it's so unreliable.

My comment about using a VPN was in the context of not being able to disable censorship circumvention for a number from a censored country.

Because of the cert stuff up and the fact I can't disable censorship circumvention I am not contactable on Signal at all which is a bit of an issue for me. With a non UAE number I can disable censorship circumvention and work around the issue easily by establishing a VPN.

It's a shame such a simple thing has taken the service out for this long as it's hard enough to get people to switch messaging apps in the first place.

Bludarth commented 6 years ago

@3WfMeCuUqzgXBh Thank you for the reply and clarifications. I agree with what you said about Signal service being out for so long and how hard it is to get people to switch to it. The few people I convinced to switch to Signal have gone back to WhatsApp since they can message, share photos and leave voice messages without the need to VPN. No voice calls, but that is better than nothing. Signal on the other hand is completely unusable. So, despite the fact that their beta V2.18.0.8 works for me, I can only test it with myself! Only one of my friends is reachable on Signal because he is on Android. The latest Signal on Android does not have the circumvention problem faced by iOS.

ms13417 commented 6 years ago

Before this censorship circumvention problem I was able to message and call my contacts in the UAE without them using a VPN. We're all on iOS btw. The only problem I had was that it wasn't reliable. So I needed to call them, or make them call me, alternating until the call went through and one of us was able to answer. Once the connection was established it was better quality than any other service.

RiseT commented 6 years ago

From what I see, v2.18 seems to be officially out.

embeemb commented 6 years ago

Yay. We’re not blocked in Egypt anymore. Thanks a lot :))

On Nov 6, 2017, at 20:29, RiseT notifications@github.com wrote:

From what I see, v2.18 seems to be officially out.

Bludarth commented 6 years ago

Finally, it is out! Signal is working again and I have notified my friends to update. @michaelkirk thank you and your team mates! For those who are in the UAE, does this version still require VPN to consistently function?