Amazon Joins Google in Cracking Down on Services That Use Domain Fronting to Bypass Web Censorship

Author Photo
May 2, 2018

Some time ago, Google fixed several loopholes in their search engine app that allowed websites to engage in what is known as domain fronting; a method used by services such as Signal and Telegram to operate in countries that have banned them. It allowed the services to use Google as a proxy, forwarding traffic to their servers through a domain. It works similar to a VPN, with the data appearing to originate from a different location than it is. Apart from the Google search engine, Amazon was also popular among developers as a medium from domain fronting. Here’s how Amazon defines it

Domain Fronting is when a non-standard client makes a TLS/SSL connection to a certain name, but then makes a HTTPS request for an unrelated name. For example, the TLS connection may connect to “” but then issue a request for “”.

Domain Fronting was never officially supported by Amazon, but often used by developers who sought to evade state-level censorship, which might try to block all the traffic sent to a given service. All requests from the affected region would appear as traffic. Signal, in particular, used the Google app engine, but could not anymore, which prompted them to explore other options and they finally decided on, an e-commerce site owned by Amazon that is incredibly popular in the Middle East. Amazon got wind of what Signal was up to and promptly fired off the following email:

amazon-vs-appleRelated Amazon Briefly Overtakes Apple As World’s Most Valuable Company

Yesterday AWS became aware of your Github and Hacker News/ycombinator posts describing how Signal plans to make its traffic look like traffic from another site, (popularly known as “domain fronting”) by using a domain owned by Amazon — You do not have permission from Amazon to use for any purpose. Any use of or any other domain to masquerade as another entity without express permission of the domain owner is in clear violation of the AWS Service Terms (Amazon CloudFront, Sec. 2.1: “You must own or have all necessary rights to use any domain name or SSL certificate that you use in conjunction with Amazon CloudFront”). It is also a violation of our Acceptable Use Policy by falsifying the origin of traffic and the unauthorized use of a domain.

We are happy for you to use AWS Services, but you must comply with our Service Terms. We will immediately suspend your use of CloudFront if you use third party domains without their permission to masquerade as that third party.

Thank you,


General Manager, Amazon CloudFront

Things look pretty grim for Signal, as they can no longer use Google and Amazon services for domain fronting. The app has received a lot of flak and is banned in several countries, owing to its security practices, which include end-to-end encryption and their history of refusing to hand over user data to foreign governments. Their blog post states:

With Google Cloud and AWS out of the picture, it seems that domain fronting as a censorship circumvention technique is now largely non-viable in the countries where Signal had enabled this feature. The idea behind domain fronting was that to block a single site, you’d have to block the rest of the internet as well. In the end, the rest of the internet didn’t like that plan.

We are considering ideas for a more robust system, but these ecosystem changes have happened very suddenly. Our team is only a few people, and developing new techniques will take time. Moreover, if recent changes by large cloud providers indicate a commitment to providing network-level visibility into the final destination of encrypted traffic flows, then the range of potential solutions becomes severely limited.

Legally speaking, both Google and Amazon were well within their rights to disallow domain fronting, but it sets a bad precedent for other privacy groups seeking to circumvent state-level censorship.

Source: Android Police