Wickr may have a workaround for Russia's crackdown on encrypted chat
A partnership with censorship-evading experts at Psiphon aims to keep the service going everywhere.
- 2022 Eddie Award for a single article in consumer technology
Encrypted chat apps aim to keep you communicating securely, but they have a problem: Some governments want to block them from operating entirely. What's more, some parts of their services can be easily blocked on a local level by anyone with a Wi-Fi network.
To keep conversations flowing, encrypted communications app maker Wickr said Thursday it's implementing new tools that make its app of the same name immune to blocking attempts. The company will partner with software maker Psiphon, the brainchild of anticensorship researchers at the Citizen Lab, to roll out Wickr Open Access.
The announcement comes during a tough time for encrypted messaging apps. Telegram is currently banned in both Russia and Iran. Signal announced earlier this year it could no longer use a common technique called domain fronting to evade attempts to block it. In addition, recent research shows users don't actually understand what makes encrypted chat services secure and, as a result, might not put up a fight when governments try to weaken or ban them.
But Wickr says its app is now stronger than ever.
"Users have a certain expectation that the products are going to work no matter where they are," said Wickr Chief Operating Officer Chris Lalonde. "That's really critical."
Encrypted apps and censorship
Makers of encrypted apps are already experienced at evading digital blockades put up by countries like Russia and Iran, both of which have banned Telegram's encrypted chat service this year. But the recent loss of domain fronting through Google and Amazon took away one of the simplest methods to keep functioning where they're not wanted.
The approach worked for anyone using hosting from one of the two companies because of a quirk of programing, said Jeremy Gillula, tech policy director at the Electronic Frontier Foundation, an open-internet advocacy group.
"They never officially supported it," he said. "It was a byproduct."
When someone tried to connect to a service like Signal, for example, it would happen in two stages. In the first stage, the web browser would send a request to connect securely to Amazon or Google, which was allowed. Once the secure connection was established, no one looking at the web traffic could see what happened next. That's when the user's browser would say, OK, take me to Signal.
Now information about the final destination is visible from the start of the user's request, so it can't hide behind the secure connection any longer.
Michael Hull, co-founder of Psiphon, had been working on censorship evasion for more than a decade when domain fronting ended at Amazon and Google.
"We knew that that wasn't going to last forever," Hull said.
Evading the blocking techniques
Users can enable WickrSecure Open Access in their settings. Users of the free service should see this option become available in the next two months, Wickr chief operating officer Chris Lalonde said.
With Psiphon, Wickr says it has a more robust approach to getting around attempts to block it.
Most importantly, Psiphon's tools let Wickr do something similar to domain fronting but in a more complex way. Instead of routing everything through one of two services (Amazon or Google), Psiphon has multiple possible connections available at once. It has a network of more than 3,500 servers and partnerships with several different companies to mask the final destination of a user's request.
What's more, the company has multiple protocols it can try to connect users to their desired web service, so if something isn't working, there might be another technical approach that does.
In other words, if domain fronting worked on Amazon and Google by accident, it works on Psiphon by design.
With Psiphon, Wickr also tries to protect individuals from being recognized as frequent visitors to its service. That relies on Psiphon's ability to break up requests sent from a user's web browser to specific websites into segments of code, which are harder for web monitoring programs to comb through for identifying information.
That keeps users safe from fingerprinting, when an internet service provider or anyone else with access to the user's web traffic can identify the user every time he or she comes back and makes the same request.
Wickr is rolling out the service to its paying customers first, Lalonde said. That includes businesses trying to protect sensitive information with encrypted messaging and file transfer services. In the next two months, the service will be available for users of Wickr's free messaging service, too, he said.
Some of them are in countries that would rather have control over their citizens' communications, Lalonde said. The service will still work there.
"This will surely help them," he said.
Taking It to Extremes: Mix insane situations -- erupting volcanoes, nuclear meltdowns, 30-foot waves -- with everyday tech. Here's what happens.
Cambridge Analytica: Everything you need to know about Facebook's data mining scandal.