Domain fronting

Domain fronting is a technique that circumvents Internet censorship by hiding the true endpoint of a connection. Working in the application layer, domain fronting allows a user to connect to a blocked service over HTTPS, while appearing to communicate with an entirely different site.[1]

Google disabled domain fronting in April 2018, saying that it had "never been a supported feature at Google."[2][3] Amazon also decided to disable domain fronting for CloudFront in April 2018, claiming it was "already handled as a breach of AWS Terms of Service".[4][5][6] This effort by both Google and Amazon was in part due to pressure from the Russian government over Telegram domain fronting activity using both of the cloud providers' services.[7][8][9]

Technical details

The technique works by using different domain names at different layers of communication. The domain name of an innocuous site is used to initialize the connection. This domain name is exposed to the censor in clear-text as part of the DNS request and the TLS Server Name Indication. The domain name of the actual, blocked endpoint is only communicated after the establishment of an encrypted HTTPS connection, in the HTTP Host header, making it invisible to censors. This can be done if the blocked and the innocuous sites are both hosted by the same large provider, such as Google App Engine.[10][11][12]

For any given domain name, censors are typically unable to differentiate circumvention traffic from legitimate traffic. As such, they are forced to either allow all traffic to the domain name, including circumvention traffic, or block the domain name entirely, which may result in expensive collateral damage.[13][14]
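The two paragraphs above describe two vantage points: an on-path censor, who sees only the DNS name and the TLS SNI, and the hosting provider (or any TLS-terminating proxy), who additionally sees the HTTP Host header after decryption. The following added example, which is not from the article and not from any of the projects it cites, models both views over a constructed edge log: a detector that flags requests whose SNI and Host header name different sites (the check a provider or enterprise proxy can run), and an accounting function that shows why a censor's only option, blocking the whole front domain by SNI, also breaks the ordinary traffic to it. The log format and all domain names are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: one line per HTTPS request as a TLS-terminating edge
# (CDN node or enterprise forward proxy) might log it. All names are placeholders.
SAMPLE_LOG = """\
2018-04-10T12:00:00Z client=203.0.113.5 sni=cdn.front.example host=cdn.front.example status=200
2018-04-10T12:00:01Z client=203.0.113.5 sni=cdn.front.example host=hidden.backend.example status=200
2018-04-10T12:00:02Z client=198.51.100.7 sni=CDN.FRONT.EXAMPLE. host=cdn.front.example:443 status=304
2018-04-10T12:00:03Z client=198.51.100.9 sni=other.example host=other.example status=200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


@dataclass(frozen=True)
class Request:
    ts: str
    client: str
    sni: str   # TLS Server Name Indication, sent in the clear in the ClientHello
    host: str  # HTTP Host header, only visible after TLS is terminated


def normalize(name: str) -> str:
    """Canonicalise a host name: lower-case, drop an explicit port and a trailing dot,
    so that harmless spelling differences are not reported as fronting."""
    name = name.strip().lower()
    if name.startswith("["):          # bracketed IPv6 literal: keep as is
        return name
    name = name.split(":", 1)[0]      # strip ":443" and similar
    return name.rstrip(".")


def parse_line(line: str) -> Optional[Request]:
    """Parse one constructed log line; returns None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    try:
        return Request(m.group("ts"), fields["client"], fields["sni"], fields["host"])
    except KeyError:
        return None


def censor_view(req: Request) -> Dict[str, str]:
    """Fields an on-path observer can see: the DNS name and the SNI, which the client
    sets to the same innocuous domain. The Host header travels inside the encrypted
    stream and is deliberately absent from this view."""
    front = normalize(req.sni)
    return {"dns": front, "sni": front}


def is_fronted(req: Request) -> bool:
    """True when the cleartext SNI and the encrypted Host header name different sites.
    This is the check only a party that terminates TLS can perform."""
    return normalize(req.sni) != normalize(req.host)


def find_fronted(log: str) -> List[Request]:
    """Provider-side detection: every parsable request with an SNI/Host mismatch."""
    requests = (parse_line(line) for line in log.splitlines())
    return [r for r in requests if r is not None and is_fronted(r)]


def censor_block_impact(log: str, blocked_sni: str) -> Dict[str, int]:
    """Accounting for an SNI-based block of one front domain. The censor itself cannot
    tell the two blocked categories apart (it never sees Host); is_fronted is used here
    only to measure, after the fact, how much ordinary traffic the block also broke."""
    blocked = normalize(blocked_sni)
    impact = {"fronted_blocked": 0, "collateral_blocked": 0, "allowed": 0}
    for line in log.splitlines():
        r = parse_line(line)
        if r is None:
            continue
        if censor_view(r)["sni"] != blocked:
            impact["allowed"] += 1
        elif is_fronted(r):
            impact["fronted_blocked"] += 1
        else:
            impact["collateral_blocked"] += 1
    return impact


if __name__ == "__main__":
    for r in find_fronted(SAMPLE_LOG):
        print(f"{r.ts} {r.client}: SNI {r.sni!r} but Host {r.host!r}")
    print(censor_block_impact(SAMPLE_LOG, "cdn.front.example"))
```

On the sample log the detector flags exactly one request (the second line), while blocking `cdn.front.example` by SNI catches that one request and breaks the two legitimate requests to the same front domain, which is the collateral damage the paragraph above refers to. Normalising before comparison matters in practice: an uppercase SNI or a `:443` suffix on the Host header is not fronting, and a detector that skips this step produces noise.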

References

  1. Fifield, David; Lan, Chang; Hynes, Rod; Wegmann, Percy; Paxson, Vern (2015). "Blocking-resistant communication through domain fronting" (PDF). Proceedings on Privacy Enhancing Technologies. 2015 (2): 46–64. doi:10.1515/popets-2015-0009. ISSN 2299-0984. Retrieved 2017-01-03 via De Gruyter.
  2. Brandom, Russell. "A Google update just created a big problem for anti-censorship tools". The Verge. Retrieved 2018-04-19.
  3. https://www.accessnow.org/google-ends-domain-fronting-a-crucial-way-for-tools-to-evade-censors/
  4. "Enhanced Domain Protections for Amazon CloudFront Requests".
  5. https://signal.org/blog/looking-back-on-the-front/
  6. https://www.theverge.com/2018/4/30/17304782/amazon-domain-fronting-google-discontinued
  7. "Amazon and Google bow to Russian censors in Telegram battle". Fast Company. 2018-05-04. Retrieved 2018-05-09.
  8. https://www.bloomberg.com/view/articles/2018-05-03/telegram-block-gets-help-from-google-and-amazon
  9. http://tass.ru/pmef-2018/articles/5231399
  10. "Encrypted chat app Signal circumvents government censorship". Engadget. Retrieved 2017-01-04.
  11. Greenberg, Andy. "Encryption App 'Signal' Is Fighting Censorship With a Clever Workaround". WIRED. Retrieved 2017-01-04.
  12. "Domain Fronting and You". blog.attackzero.net. Retrieved 2017-01-04.
  13. "doc/meek – Tor Bug Tracker & Wiki". trac.torproject.org. Retrieved 2017-01-04.
  14. "Open Whisper Systems >> Blog >> Doodles, stickers, and censorship circumvention for Signal Android". whispersystems.org. Retrieved 2017-01-04.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.