Amazon To Stop Signal From Using Domain Fronting On Its Infrastructure


In April, Google released a statement regarding the technique: "Domain-fronting has never been a supported feature at Google, but until recently it worked because of a quirk of our software stack".

Legally speaking, both Google and Amazon were well within their rights to disallow domain fronting, but it sets a bad precedent for other privacy groups seeking to circumvent state-level censorship.

AWS's post said it objects to domain fronting because it is a domain-impersonation technique with possibly nefarious uses, and therefore a security risk. Last week, Amazon announced "Enhanced Domain Protections for Amazon CloudFront Requests", an update meant to stop practices like domain fronting on AWS entirely. Signal used the technique to protect messages sent via its messaging app from being tracked or censored in countries such as Egypt, Oman, Qatar and the UAE, where the service is banned.

Google made changes to its content-delivery network last month (which the company claimed were long-planned upgrades) that put Google.com in a different CDN segment than its App Engine servers.


The AWS representative also wrote: "It is also a violation of our Acceptable Use Policy by falsifying the origin of traffic and the unauthorized use of a domain." Signal was told it did not have permission from Amazon to use Souq.com for any purpose. Iran blocks the Google search engine, so Signal could not use domain fronting through Google to connect users there; Google also blocks App Engine traffic from Iran because of the company's interpretation of US sanctions against Iran, so fronting via Google's infrastructure was unusable there for that reason as well. Meanwhile, Signal received an email from Google saying domain fronting would be blocked, so the project started looking at other options.

As Signal put it: "The idea behind domain fronting was that to block a single site, you'd have to block the rest of the internet as well." Google's CDN change broke Signal's domain-fronting scheme, so the Signal team moved to Amazon, planning to hide traffic by using Souq.com, an Amazon-owned e-commerce site serving the United Arab Emirates, as a front for Signal traffic.

Seemingly because of this visibility, an AWS representative informed Marlinspike that "[masquerading] as another entity without express permission of the domain owner is in clear violation of the AWS Service Terms", and that the account would be suspended if Marlinspike failed to comply. The email stated: "We will immediately suspend your use of CloudFront if you use third party domains without their permission to masquerade as that third party." Signal's announcement continued, "In the end, the rest of the internet didn't like that plan", adding that a workaround to censorship to supplant the now "non-viable" domain fronting technique will take time. For example, the Russian Federation broke countless other sites while attempting to block Telegram, because they shared the same infrastructure (AWS, Google Cloud Messaging, etc.).
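The enforcement Amazon describes above comes down to one check: a request is rejected when its HTTP Host header names a domain that the distribution selected by the TLS SNI is not authorized to serve. The following is an added example, not Amazon's or Signal's code, of that check written as detection logic over access-log records; the distribution table, SNI routing table and log lines are all constructed and hypothetical.

```python
# Flag requests whose HTTP Host header does not belong to the distribution the
# TLS SNI selected: the SNI/Host mismatch that domain fronting relies on.
# Hypothetical: hostnames each distribution may serve (CloudFront alternate domain names analogue).
DISTRIBUTIONS = {
    "shop.example": {"shop.example", "www.shop.example", "*.cdn.shop.example"},
    "chat.example": {"chat.example"},
}
# Hypothetical routing: TLS SNI -> distribution that terminates the session.
SNI_ROUTING = {
    "shop.example": "shop.example",
    "www.shop.example": "shop.example",
    "chat.example": "chat.example",
}

def _norm(name):
    """Lower-case a hostname and drop a trailing :port (IPv6 literals not handled)."""
    return (name or "").strip().lower().rsplit(":", 1)[0]

def _matches(host, pattern):
    """Exact match, or single-label wildcard match for '*.cdn.shop.example'-style names."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return host == pattern

def classify(sni, host):
    """'ok', 'fronting' (Host not served by the SNI's distribution) or 'unknown_sni'."""
    sni, host = _norm(sni), _norm(host)
    dist = SNI_ROUTING.get(sni)
    if dist is None:
        return "unknown_sni"
    return "ok" if any(_matches(host, p) for p in DISTRIBUTIONS[dist]) else "fronting"

# Constructed access-log records: sni<TAB>host<TAB>path (under HTTP/2 the host is :authority).
LOG_LINES = [
    "shop.example\tshop.example\t/",
    "www.shop.example\tShop.example:443\t/cart",
    "shop.example\tchat.example\t/v1/messages",
    "shop.example\timg7.cdn.shop.example\t/a.png",
    "other.example\tchat.example\t/",
]

def scan(lines):
    """Return (sni, host, path, verdict) for every record that is not 'ok'."""
    findings = []
    for line in lines:
        sni, host, path = line.rstrip("\n").split("\t")
        verdict = classify(sni, host)
        if verdict != "ok":
            findings.append((sni, host, path, verdict))
    return findings
```

Only the third record is the fronting pattern (SNI for the shop, Host for the chat service); the last is flagged separately because the SNI matches no known distribution, which a CDN would normally reject at the TLS layer.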

We are considering ideas for a more robust system, but these ecosystem changes have happened very suddenly.
