Signal Proxy — a way for people experiencing censorship to communicate with Signal

While most of us have free access to the Internet and its services, certain states and authorities still practice censorship. Recently, this happened to Signal, as Meredith Whittaker, president of the Signal Foundation, announced. Fortunately, people on the web can help by providing their own proxy, tagged with the hashtag #SignalProxy.

Communication is always about trust, security and knowing that the content of any communication will remain private. Signal ensures this by encrypting messages using end-to-end encryption (E2EE). With this approach, neither governments nor rogue states are able to decrypt messages exchanged on the platform. It’s the strongest and ultimate approach (besides running decentralized services, of course), and it’s a thorn in the side of many — just look at recent discussions about chat control in the European Union!

The discussions here in Europe are different and driven by a specific lobby, but that is another topic and not the issue here. Anyone using Signal who finds themselves in a situation where communication is blocked still has a way around it: Signal’s built-in censorship bypass feature. In addition, Signal comes with support for a simple TLS proxy, which can bypass these blocks in many circumstances and still allow people to use the messenger safely.

The proxy

Enabling and using Signal’s built-in censorship bypass is easy: just go to Signal’s settings on your mobile device, select “Privacy”, then “Advanced”, and you’ll find the “Censorship bypass” toggle. Technically, this service is a fairly simple TLS proxy that supports Signal on iOS and Android, designed to bypass network blocks and securely route traffic to the Signal service itself. Of course, this option is only useful if the application detects that you are having trouble accessing the service using your regular Internet connection. More information on connecting to a proxy and managing proxy settings is available in the corresponding entry of Signal’s official Support Center.

In addition, people on the Web who access the Internet without regulation can become part of what I call a “swarm” by hosting their own proxy. Meredith Whittaker explicitly asks for help in her shout-out, saying that she needs the masses to set up their own proxies to make the circumvention efforts as effective as possible. The story isn’t that new, as previous posts in 2021 and 2022 have shown, each time proving that the extended community could pitch in to greatly expand the service’s reach. The Signal Foundation hopes that this will help people access Signal in spite of government blocking, while the Foundation explores additional techniques to ensure that Signal is available to everyone who wants or needs to use it — no matter where they live.

Deploying your own proxy

Although they have evolved over time, the instructions for setting up your own proxy supporting Signal’s censorship circumvention are quite easy and not that new. Users need a domain name and a server that is reachable under that domain on ports 80/tcp (http) and 443/tcp (https). In my use case, a very small, Debian-powered VPS was the proper foundation. Indeed, there isn’t that much to prepare for getting the proxy up and running:

  1. Install your favorite Linux distribution and apply the latest updates
  2. Install Git and the latest Docker Engine according to https://docs.docker.com/engine/install/
  3. Clone the TLS proxy’s official repository (“git clone https://github.com/signalapp/Signal-TLS-Proxy.git”)
  4. Change to the freshly cloned “Signal-TLS-Proxy” directory and run the script ./init-certificate.sh
  5. Fire up the containers with docker compose up --detach

After a successful start, your proxy will be available at the domain name you chose when running the script. Generally the URL will look like https://signal.tube/#<yourhostname> — in my case this is https://signal.tube/#signal.pifferi.io! The Android and iOS apps are already registered to handle links from the signal.tube domain, so they can automatically configure proxy support when the user taps on the link from any other app. Of course, you can also manually configure the proxy information in your Signal settings.

Technically, unlike a standard HTTP proxy, connections to the Signal TLS proxy look like normal encrypted web traffic. There is no CONNECT method in a plaintext request to reveal to censors that any kind of proxy is being used. Valid TLS certificates are also provided for each proxy server, making it harder for censors to fingerprint the traffic than if static self-signed certificates were used instead. In short, everything is designed to blend into the background as much as possible. The Signal client establishes a normal TLS connection with the proxy, and the proxy simply forwards any bytes it receives to the actual Signal service. All non-Signal traffic is blocked by default. In addition, the Signal client still negotiates its standard TLS connection with the Signal endpoints through the tunnel, and because end-to-end encryption protects everything in Signal from the very beginning, all traffic within the proxy remains opaque to the proxy operator.

Updating the proxy

The update procedure is pretty straightforward as well and doesn’t consume much time either. If you have previously run a proxy, you can update to the most recent version by pulling the latest changes from the “main” branch and then simply restarting your Docker containers:

  1. Change to your “Signal-TLS-Proxy” directory
  2. git pull
  3. docker compose down
  4. docker compose build
  5. docker compose up --detach

The magic is done, spread the word!

Meredith Whittaker is urging people to use #SignalProxy as a hashtag on social media or preferred platforms as soon as there is an available proxy, in order to spread the word further and simply provide more opportunities to communicate without suppression and censorship. Ultimately, this can lead to another chicken-and-egg problem: If a certain domain or IP becomes too popular and it turns out that this source is a Signal-proxy, it could of course end up on a rogue state’s blacklist in the future — so it makes sense for anyone supporting the idea to use some spare computing power to help scale the global availability of Signal TLS-proxies.

“The world moves around us in unpredictable ways, and we will continue to do our best to keep Signal available for everyone who needs it, whenever they need it. Thank you for your support.”

(Meredith Whittaker, Signal)

We live in uncertain times and while I personally haven’t known anything other than free access to the Internet since the day I discovered it, there are people on this planet who are less fortunate. Let’s support these fellows and help ensure that at least basic communication with an Internet service is guaranteed wherever they are, free from restrictions or censorship. Spread the word and who knows — maybe this more active proxy-deployment and the idea behind it will lead to a more decentralized Signal in the future?

Don’t have Signal yet? Give it a try and once you need a proxy to prevent censorship, feel free to use mine at https://signal.tube/#signal.pifferi.io!