Domain fronting

Domain fronting is a technique that circumvents internet censorship by obfuscating the domain of a HTTPS connection. Working in the application layer, domain fronting allows a user to connect to a service that may otherwise be blocked by DNS, IP or deep packet inspection.[1] An important implementation of this technique is the meek transport in Tor.[2]

After TLS encryption is established, the HTTP header reroutes to another domain hosted on the same CDN.

Technical details

In one configuration, a large hosting service such as Amazon S3 or Google App Engine uses a shared SNI certificate containing both common (innocuous) and target (censored) HTTPS domains.

  • A common endpoint is used as the SNI value for establishing the TLS connection. If the IP address is not known, the DNS request also uses the endpoint. This information is communicated and exposed to censors in clear-text.
  • The domain name of the actual, blocked endpoint is only communicated after the establishment of an encrypted HTTPS connection, in the HTTP Host header, making it unreadable to censors.

This can be done if the blocked and the innocuous sites are both hosted by the same large provider.[3][4][5] For app-engine type hosting services, it can be made more scalable to simply run a reflector on the censored domain that communicates to a larger server that is also censored. Content delivery networks are already set up to do the forwarding, and their common HTTPS certificate and infrastructure can be used as well.[1]

By using domain fronting, a user can connect to a disallowed site while pretending to be visiting an allowed site. Due to the protection provided by TLS, for any given domain name, censors are typically unable to differentiate circumvention traffic from legitimate traffic. As such, they are forced to either allow all traffic to the domain name, including circumvention traffic, or block the domain name entirely, which may result in expensive collateral damage.[6][7]

Disabling

Cloudflare disable domain fronting in 2015.[8] Google disabled domain fronting in April 2018, saying that it had "never been a supported feature at Google."[9][10] Amazon also decided to disable domain fronting for CloudFront in April 2018, claiming it was "already handled as a breach of AWS Terms of Service".[11][12][13] This effort by both Google and Amazon was in part due to pressure from the Russian government over Telegram domain fronting activity using both of the cloud providers' services.[14][15][16]

Interaction with standards

The use of a fake domain in the SNI information goes against the definition of SNI itself, and many services do check to make sure that the SNI host matches the HTTP header host, rejecting those that don't as invalid connections. This problem can be circumvented on some services by not using SNI at all.[1]

See also

References
  1. Fifield, David; Lan, Chang; Hynes, Rod; Wegmann, Percy; Paxson, Vern (2015). "Blocking-resistant communication through domain fronting" (PDF). Proceedings on Privacy Enhancing Technologies. 2015 (2): 46–64. doi:10.1515/popets-2015-0009. ISSN 2299-0984. Retrieved 2017-01-03 via De Gruyter.
  2. "doc/meek". Tor Bug Tracker & Wiki.
  3. "Encrypted chat app Signal circumvents government censorship". Engadget. Retrieved 2017-01-04.
  4. Greenberg, Andy. "Encryption App 'Signal' Is Fighting Censorship With a Clever Workaround". WIRED. Retrieved 2017-01-04.
  5. "Domain Fronting and You". blog.attackzero.net. Retrieved 2017-01-04.
  6. "doc/meek – Tor Bug Tracker & Wiki". trac.torproject.org. Retrieved 2017-01-04.
  7. "Open Whisper Systems >> Blog >> Doodles, stickers, and censorship circumvention for Signal Android". whispersystems.org. Retrieved 2017-01-04.
  8. "#14256 (Clarify whether Cloudflare's Universal SSL thing works with meek) – Tor Bug Tracker & Wiki". Tor Bug Tracker. Retrieved 12 May 2020.
  9. Brandom, Russell. "A Google update just created a big problem for anti-censorship tools". The Verge. Retrieved 2018-04-19.
  10. "Google ends "domain fronting," a crucial way for tools to evade censors - Access Now". 18 April 2018.
  11. "Enhanced Domain Protections for Amazon CloudFront Requests". 2018-04-27.
  12. "Signal >> Blog >> A letter from Amazon". signal.org.
  13. "Amazon Web Services starts blocking domain-fronting, following Google's lead". 2018-04-30.
  14. "Amazon and Google bow to Russian censors in Telegram battle". Fast Company. 2018-05-04. Retrieved 2018-05-09.
  15. Bershidsky, Leonid (May 3, 2018). "Russian Censor Gets Help From Amazon and Google". www.bloomberg.com.
  16. "Info". Tass.ru. Retrieved 2018-11-14.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.