Domain fronting

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

Domain fronting is a technique that circumvents Internet censorship by obfuscating the domain of a HTTPS connection. Working in the application layer, domain fronting allows a user to connect to a service that may be otherwise be blocked via by DNS, IP or deep packet inspection.[1]

Technical details[edit]

In one configuration, a large hosting service such as Amazon S3 or Google App Engine uses a shared SNI certificate containing both a common and target HTTPs domains. The domain name of the actual, blocked endpoint is only communicated after the establishment of an encrypted HTTPS connection, in the HTTP Host header, making it invisible to censors. This can be done if the blocked and the innocuous sites are both hosted by the same large provider, such as Google App Engine.[2][3][4]

Other configurations allow a content delivery network's common HTTPS certificate and infrastructure to act as a reflector through to the target server behind.[1]

These techniques work by using different domain names at different layers of communication. The domain name of an innocuous site is used to initialize the connection. This domain name is exposed to the censor in clear-text as part of the DNS request and the TLS Server Name Indication. For any given domain name, censors are typically unable to differentiate circumvention traffic from legitimate traffic. As such, they are forced to either allow all traffic to the domain name, including circumvention traffic, or block the domain name entirely, which may result in expensive collateral damage.[5][6]

Disabling[edit]

Google disabled domain fronting in April 2018, saying that it had "never been a supported feature at Google."[7][8] Amazon also decided to disable domain fronting for CloudFront in April 2018, claiming it was "already handled as a breach of AWS Terms of Service".[9][10][11] This effort by both Google and Amazon was in part due to pressure from the Russian government over Telegram domain fronting activity using both of the cloud providers' services.[12][13][14]

See also[edit]

References[edit]

  1. ^ a b Fifield, David; Lan, Chang; Hynes, Rod; Wegmann, Percy; Paxson, Vern (2015). "Blocking-resistant communication through domain fronting" (PDF). Proceedings on Privacy Enhancing Technologies. 2015 (2): 46–64. doi:10.1515/popets-2015-0009. ISSN 2299-0984. Retrieved 2017-01-03 – via De Gruyter.
  2. ^ "Encrypted chat app Signal circumvents government censorship". Engadget. Retrieved 2017-01-04.
  3. ^ Greenberg, Andy. "Encryption App 'Signal' Is Fighting Censorship With a Clever Workaround". WIRED. Retrieved 2017-01-04.
  4. ^ "Domain Fronting and You". blog.attackzero.net. Retrieved 2017-01-04.
  5. ^ "doc/meek – Tor Bug Tracker & Wiki". trac.torproject.org. Retrieved 2017-01-04.
  6. ^ "Open Whisper Systems >> Blog >> Doodles, stickers, and censorship circumvention for Signal Android". whispersystems.org. Retrieved 2017-01-04.
  7. ^ Brandom, Russell. "A Google update just created a big problem for anti-censorship tools". The Verge. Retrieved 2018-04-19.
  8. ^ "Google ends "domain fronting," a crucial way for tools to evade censors - Access Now". 18 April 2018.
  9. ^ "Enhanced Domain Protections for Amazon CloudFront Requests". 2018-04-27.
  10. ^ "Signal >> Blog >> A letter from Amazon". signal.org.
  11. ^ "Amazon Web Services starts blocking domain-fronting, following Google's lead". 2018-04-30.
  12. ^ "Amazon and Google bow to Russian censors in Telegram battle". Fast Company. 2018-05-04. Retrieved 2018-05-09.
  13. ^ Bershidsky, Leonid (May 3, 2018). "Russian Censor Gets Help From Amazon and Google". www.bloomberg.com.
  14. ^ "Info". Tass.ru. Retrieved 2018-11-14.