Amazon Joins Google in Cracking Down on Services That Use Domain Fronting to Bypass Web Censorship
Some time ago, Google closed the loopholes in its cloud infrastructure that allowed services to engage in what is known as domain fronting: a method used by services such as Signal and Telegram to operate in countries that have banned them. It allowed those services to use Google as a proxy, forwarding traffic to their own servers through a google.com domain. The effect is similar to a VPN in that, to an observer on the network, the traffic appears to be bound for a different destination than it really is. Apart from Google, Amazon was also popular among developers as a medium for domain fronting. Here is how Amazon defines it:
Domain Fronting is when a non-standard client makes a TLS/SSL connection to a certain name, but then makes an HTTPS request for an unrelated name. For example, the TLS connection may connect to “www.example.com” but then issue a request for “www.example.org”.
Domain fronting was never officially supported by Amazon, but it was often used by developers seeking to evade state-level censorship, which would otherwise simply block all traffic to a given service; with fronting, all requests from the affected region would appear to be ordinary Amazon.com traffic. Signal, in particular, had used Google App Engine but could no longer do so, which prompted them to explore other options; they settled on Souq.com, an e-commerce site owned by Amazon that is incredibly popular in the Middle East. Amazon got wind of what Signal was up to and promptly fired off the following email:
Yesterday AWS became aware of your GitHub and Hacker News/ycombinator posts describing how Signal plans to make its traffic look like traffic from another site (popularly known as “domain fronting”) by using a domain owned by Amazon — Souq.com. You do not have permission from Amazon to use Souq.com for any purpose. Any use of Souq.com or any other domain to masquerade as another entity without express permission of the domain owner is in clear violation of the AWS Service Terms (Amazon CloudFront, Sec. 2.1: “You must own or have all necessary rights to use any domain name or SSL certificate that you use in conjunction with Amazon CloudFront”). It is also a violation of our Acceptable Use Policy by falsifying the origin of traffic and the unauthorized use of a domain.
We are happy for you to use AWS Services, but you must comply with our Service Terms. We will immediately suspend your use of CloudFront if you use third party domains without their permission to masquerade as that third party.
General Manager, Amazon CloudFront
Things look pretty grim for Signal, as it can no longer use Google or Amazon services for domain fronting. The app has drawn a lot of flak from governments and is banned in several countries because of its security practices, which include end-to-end encryption and a history of refusing to hand over user data to foreign governments. Their blog post states:
With Google Cloud and AWS out of the picture, it seems that domain fronting as a censorship circumvention technique is now largely non-viable in the countries where Signal had enabled this feature. The idea behind domain fronting was that to block a single site, you’d have to block the rest of the internet as well. In the end, the rest of the internet didn’t like that plan.
We are considering ideas for a more robust system, but these ecosystem changes have happened very suddenly. Our team is only a few people, and developing new techniques will take time. Moreover, if recent changes by large cloud providers indicate a commitment to providing network-level visibility into the final destination of encrypted traffic flows, then the range of potential solutions becomes severely limited.
Legally speaking, both Google and Amazon were well within their rights to disallow domain fronting, but the move sets a bad precedent for other privacy groups seeking to circumvent state-level censorship.
Source: Android Police