First Google, now Amazon. App developers that rely on domain fronting will have to consider other options if they want to disguise their app’s network traffic to evade network blocks.
Domain fronting refers to the practice of connecting through a series of servers before reaching the final destination. Domain fronting uses content delivery networks to conceal the hostname from anyone looking at the network traffic. The hostname in the DNS request and TLS negotiation, which is visible to network observers, is some other site, and the the actual destination hostname is in the HTTP header, which isn’t readily visible. For example, if example.com is blocked, traffic to the site can be disguised to make it look as if it was actually going to othersite.com. This is different from impersonating the domain, since the goal isn’t to intercept traffic.
Many app developers use domain fronting to get around government censors or other ISP-level blocks. Messaging app Telegram started using domain fronting back in December to evade Iranian censors, and is one of the reasons why it has been able to stay online despite the Russian government’s heavy-handed attempts to shut it down over the past few weeks. The Russian censors can’t see any Telegram domains in the network traffic because they all look like traffic going to Google and/or Amazon, or other sites.
Secure messaging app Signal implemented domain fronting for users in Egypt, Oman, Qater, and the United Arab Emirates back in 2016. The Android app relies on Souq, a CDN acquired by Amazon in 2017. However, Signal's lead developer Moxie Marlinspike posted the "potential account suspension" notice from Amazon noting that his Amazon CloudFront account will be suspended. Marlinspike said he is looking at alternatives ways to get around government censorship, but "developing new techniques will take time."
Not a supported feature
Domain fronting was an unintended workaround and not one the companies intended to provide. After Google’s recent changes to its network architecture, domain fronting stopped working in Google App Engine.
"Domain fronting has never been a supported feature at Google, but until recently it worked because of a quirk of our software stack," a Google spokesperson told The Register.
Amazon Web Services just rolled out a set of domain protections that no longer allows domain fronting with Amazon CloudFront.
“No customer ever wants to find that someone else is masquerading as their innocent, ordinary domain,” Colm MacCarthaigh, a principal engineer with Amazon, wrote on the AWS Security Blog.
Using CloudFront to make it look like traffic is coming from some other domain is a violation of the AWS Terms of Service. "The new measures are designed to ensure that requests handled by [Amazon] CloudFront are handled on behalf of legitimate domain owners,” MacCarthaigh wrote.
There are some circumstances when domain fronting is useful, such as when browsers reuse persistent connections for domains listed on the same SSL certificate, but they can also be abused. Both Google and Amazon have said their recent changes make it harder for malware to use domain fronting between unrelated domains to evade restrictions and network blocks.
Telegram has other tricks
Even though Russian censors couldn’t see Telegram-traffic, that didn’t stop them from trying to block users from using the app. The government has instructed state-controlled ISPs to block almost 16 million IP addresses over the past few weeks, making dozens of services inaccessible in Russia. Affected domains include those belonging to Nintendo, Volvo, Twitch, Slack, Soundcloud, Viber, Spotify, Tor, and yes, Google and Amazon.
Telegram survived.
Even though domain fronting no longer works on Google App Engine and will soon stop working on Amazon CloudFront, that doesn’t mean Telegram is out of tricks in its dance with the Russian government. It is also using IP hopping, a different technique where the service moves around on different IP addresses. As long as Telegram has access to different proxies and third-party cloud services to help get traffic in and out of Russian networks, complete blocking will be difficult. Even if a proxy’s IP address or a domain gets blocked, Telegram can move to another.
“Keep up your great work setting up socks5-proxies and VPNs and spreading them among your Russian friends and relatives,” wrote Pavel Durov, Telegram’s founder. “They will be needed as the country descends into an era of full-scale internet censorship.”
That doesn’t mean there aren’t services that won’t be affected by domain fronting going away. Digital rights group Access Now said at least 12 “human rights-enabling technologies” that use domain fronting from Google could be impacted with Google’s recent changes.
“Google knows this block will levy immediate, adverse effects on human rights defenders, journalists, and others struggling to reach the open internet,” said Peter Micek, general counsel at Access Now.
The changes by Google and Amazon to their cloud services has effectively rendered domain fronting "non-viable" as a censorship circumvention technique, Marlinspike said. "The idea behind domain fronting was that to block a single site, you'd have to block the rest of the internet as well. In the end, the rest of the internet didn't like that plan."
Header image from Unsplash