Amazon to kill off censorship-foiling domain fronting option

Secure messaging services and other privacy-oriented tools that rely on domain fronting to foil censorship efforts by various countries have been dealt a severe blow in the last month.

First Google made changes to its cloud infrastructure that resulted in various services depending on its Google App Engine cloud computing platform no longer being able to take advantage of the technique. Then, on Friday, Amazon announced that CloudFront, the content delivery network offered by Amazon Web Services, will also be soon be implementing enhanced protections against domain fronting.

What is domain fronting?

Domain fronting is a technique that allows the concealment of the true destination of a connection.

It is used for circumventing Internet censorship, but also by attackers to mask connections made by malware and occasionally by security researchers that engage in penetration testing.

The technique works thusly: the domain name of an unobjectionable site is used to initialize the connection and this is the domain name that censors will see in the DNS request and the TLS Server Name Indication. Once the HTTPS connection has been made, the name of the destination domain is communicated in the HTTP Host header. As the connection is encrypted, censors can’t see it.

Such traffic looks like legitimate traffic, and censors that know that domain fronting might be happening have two choices: either allow all traffic to the innocuous domain name to pass through, or none. This can damage the profitability of the sites behind the innocuous domain name, as well as exasperate its regular users.

A requirement for the technique to work is that both sites – the innocuous one and the one that censors want to block – are hosted by the same provider (e.g., Google, Amazon).

Unfortunate results

According to open Internet advocacy group Access Now, the changes implemented by Google have affected the functioning of a dozen human rights-enabling technologies, including Signal, Tor, ScrambleSuite and the GreatFire FreeBrowser.

Open Whisper Systems (the company behind Signal), which has been using domain fronting through Google App Engine in order to foil censors in Egypt, Oman, Qatar, and UAE, has publicly revealed that they would switch to using Amazon’s CloudFront and make traffic to its servers look like traffic directed to Souq.com, a popular English-Arabic language e-commerce platform owned and hosted by Amazon.

But Amazon had a problem with that and warned them that they would suspend their use of CloudFront if they “use third party domains without their permission to masquerade as that third party.”

Open Whisper Systems founder Moxie Marlinspike says that they are not breaking AWS Service Terms, but Amazon’s decision to make changes that will prevent domain fronting altogether means that they – and others in a similar situation – will have to find another way to evade censors.

“With Google Cloud and AWS out of the picture, it seems that domain fronting as a censorship circumvention technique is now largely non-viable in the countries where Signal had enabled this feature. The idea behind domain fronting was that to block a single site, you’d have to block the rest of the internet as well. In the end, the rest of the internet didn’t like that plan,” he noted.

“We are considering ideas for a more robust system, but these ecosystem changes have happened very suddenly. Our team is only a few people, and developing new techniques will take time. Moreover, if recent changes by large cloud providers indicate a commitment to providing network-level visibility into the final destination of encrypted traffic flows, then the range of potential solutions becomes severely limited,” he added.